
Microsoft 70-297 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure ersion !

The correct order of operations would be to 1. Upgrade the Atlanta Domain, 2. Restructure the Atlanta Domain, 3. Use ADMT to migrate accounts. The Atlanta domain is currently a Windows 2000 domain, so it must be upgraded; this is a Server 2003 environment, after all. It must be restructured to include OUs for the branch offices including Seattle. Finally, since Seattle will not be a separate Domain, the objects must be migrated to the new domain using ADMT. Active Directory Migration Tool (ADMT) 2.0 allows migration of users and passwords from Windows NT 4.0 domains or Windows 2000 domains to Windows 2003 domains.

QUESTION NO: 2
You are designing a DNS strategy to meet the business and technical requirements. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a dynamic reverse lookup zone for each subnet.
B. Create a dynamic forward lookup for each domain.
C. Install caching-only DNS servers in the branch offices.
D. Enable the BIND secondaries option for each DNS server.
Answer: A, B

QUESTION NO: 3
You are designing the Group Policy settings to meet the business and technical requirements. You are reviewing a possible logical structure for the company as shown in the diagram in the work area. The Domain Controllers OU and the Seattle OU are created at the domain level. The Instructor OU and Student OU are children of the Seattle OU. The diagram does not cover all organizational requirements. Based on this diagram, how should you design the Group Policy settings? To answer, drag the appropriate Group Policy object (GPO) option or options to the correct location or locations in the work area.
Answer:
Explanation: Account Lockout threshold and Password Requirements are both Account Policies and must be placed at the domain level. "The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain." The case states: "Instructors will need the new scheduling application to be installed both on their office and home computers that are members of the domain." This tells us that the scheduling program must be assigned to "their" computers, not all computers that they use or log in to. "Their" computers would be members of the domain and would be placed into "Instructor OU" within the domain. Question 6 also verifies this.

QUESTION NO: 4
You need to ensure that only authorized personnel are able to modify student grades. Which desktop environment or environments should you use? (Choose all that apply.)
A. Windows XP Professional
B. Windows 2000 Professional
C. Windows 98 with Active Directory client installed
D. Windows NT Workstation 4.0 with the latest service pack and Active Directory client installed
Answer: A, B

QUESTION NO: 5
You need to ensure that the sales representatives are provided with adequate NetBIOS name resolution. What should you do?
A. Install WINS on the PDC emulator.
B. Install WINS on servers in Atlanta and Seattle.
C. Enable WINS lookup on the DNS server in Atlanta.
D. Enable WINS on one domain controller in each office.
Answer: D

QUESTION NO: 6
You are designing a strategy to install the new scheduling application. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Assign the scheduling application package to the Instructor OU.
B. Publish the scheduling application package to the Instructor OU.
C. Ensure that the scheduling application can install across slow WAN links.
D. Prevent the scheduling application from installing across slow WAN links.
Answer: A, C

QUESTION NO: 7
You are designing a VPN authentication strategy to meet the business and technical requirements. What should you do?
A. Implement the RADIUS service in Atlanta.
B. Implement the RADIUS service in each branch office.
C. Configure network address translation (NAT) on all VPN servers.
D. Configure the Connection Manager Administration Kit (CMAK) on the PDC.
Answer: A

QUESTION NO: 8
You are designing a DHCP strategy for the new Active Directory environment. Which two groups have the necessary rights to authorize the DHCP servers? (Each correct answer presents part of the solution. Choose two.)
A. IT staff in Atlanta
B. IT staff in Seattle
C. DHCP administrators in all offices
D. DHCP administrators in Atlanta only
E. Members of the Enterprise Admins group
Answer: A, E

QUESTION NO: 9
You are designing the placement of operations master roles in the new environment. In which location or locations should a PDC emulator be designated? (Choose all that apply.)
A. Atlanta
B. Chicago
C. Dallas
D. Seattle
Answer: A

QUESTION NO: 10
You are designing a DNS and DHCP implementation strategy to support the new environment. What should you do?
A. Create a WINS resource record in the Active Directory DNS zone.
B. Create a WINS referral zone in the DNS zone that supports Active Directory.
C. Configure a DNS domain name on the DHCP server.
D. Configure the DHCP server to update DNS for DHCP clients that do not support dynamic updates.
Answer: D

Network Infrastructure
Each office uses a switched 100-Mbps Ethernet network. All client computers run Windows XP Professional. The company uses its own private leased lines to connect the branch offices and most of the satellite offices. Some satellite offices are connected to the nearest branch office by using ISDN lines. The company wants to reduce telephone costs of these satellite offices by minimizing network traffic through the ISDN lines. The company uses VPN connections over the Internet as a backup to connect the different offices.

Problem Statements
The following business problems must be considered:
- A service-level agreement states that the company must resolve power failures within one day. Currently, the company cannot guarantee this requirement. Last year, there were more than 30 power failures that could not be resolved within one day. The primary cause of the delay in resolution was that the company could not identify where the problem occurred.
- Another service-level agreement states that the IT department must guarantee an available bandwidth of 28 Kbps to ensure adequate bandwidth for App1. Currently, the available bandwidth decreases every month, and it is uncertain how long the company can continue to guarantee this requirement. The available bandwidth is shown in the Available Bandwidth exhibit.
- The company is experiencing problems with the confidentiality of customer information. This is occurring because the data is not centrally managed and the security settings are inadequate.

Chief Executive Officer
To ensure that customers of City Power & Light receive the most reliable service possible, we want to invest in upgrading App1 to a new application named NewApp. Power failures are inevitable, but if we quickly detect the problem and identify the source, we can restore power more quickly.

Chief Information Officer
Data from App1 is now saved in different locations. I am concerned about who has access to the data and how to reconstruct the data in the event of a disaster.

Network Administrator
Currently, we perform our own administration at each office. All network administrators will work together to replace App1 with NewApp. Because NewApp will be centralized, we are concerned that a failure at the Amsterdam office will affect the availability of our monitoring infrastructure. Most important to us is the ability to monitor the state of the power network. When a failure occurs in the power network, we must detect it immediately.

Customer Service Representative
Sometimes customers call in to report a power failure two or three times for the same failure. Each time we have to ask the customer for the same information about the power failure. I want to be able to view what the customer reported the first time, and not have to ask for the same information each time the customer calls in.

Business Drivers

The following business requirements must be considered:
- As City Power & Light changes its infrastructure, all offices must share a common namespace: cpandl.com.
- Availability of the monitoring infrastructure and customer support must be improved.
- The company will replace App1 with a new application named NewApp. NewApp is a multitier application as shown in the NewApp Architecture exhibit.
- The company wants customers to be able to receive detailed information about power failures by using the telephone. Customer service representatives need to have detailed real-time information about the power failures, so they can inform customers about the duration of power failures.
- Each branch office must be able to maintain account policies that meet its unique national legal requirements.

Organizational Goals
The following organizational requirements must be considered:
- Upgrades of bandwidth are discouraged. However, upgrades of bandwidth can be permitted if justified.
- There are no plans to open more offices in the near future. However, the new environment must allow for future company growth.
- The company anticipates a 50-percent increase in the number of customers over the next two years.

Security
The following security requirements must be considered:
- Security of NewApp must be Active Directory integrated.
- DNS servers will be administered only by network administrators from the Amsterdam office.
- Network administrators must have Full Control permissions for NewApp.
- Internal users must be able to access information about customers and power failures. Customers must be allowed to access only public information.
- A complete power failure in one location must not affect other locations.
- Network administrators should only be allowed to access NewApp database servers by using smart card authentication. However, network administrators must be able to log on to users' computers to fix problems without using a smart card.
- Computers that have smart card readers installed must automatically get the NewApp management tools installed.

Customer Requirements
The following customer requirements must be considered:
- NewApp must be available 24 hours a day, seven days a week.
- Client applications that connect directly to NewApp must use the NetBIOS name of NewApp.
- To minimize WAN traffic, the branch offices need to use their local resources as much as possible.
- Wind-energy providers must be able to see how much electricity they have delivered. These providers should be able to connect to NewApp by using the Internet.

Active Directory
The following Active Directory requirements must be considered:
- City Power & Light must achieve better control of resources.
- The company must ensure that data can be recovered in the event of a disaster.
- Replication latency between sites must be minimized.

Network Infrastructure
The following infrastructure requirements must be considered:
- To improve customer service, information from App1 databases in all locations must be consolidated in the NewApp database.
- The number of services at the satellite offices must be kept to the absolute minimum.
- Client computers must always obtain a valid IP address, even when a DHCP server is not available for 24 hours.
- Field technicians must be able to connect directly to the NewApp database from their portable computers by using a remote connection. They will connect to the nearest branch office when they have to make a remote connection.

Users
The following user requirements must be considered:
- All users must have Microsoft Office and NewApp automatically deployed on their desktop computers. Network administrators at the branch offices must be able to decide which components of Office get installed at their locations.
- Resetting user passwords will be delegated to each user's manager. All customer service representatives need to be able to reset the passwords of the wind-energy providers.

Case Study #2, City Power & Light (9 Questions)

QUESTION NO: 1
You need to evaluate whether the currently available network bandwidth is adequate to run NewApp. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Use a debug version of NewApp to collect information about NewApp.
B. Use Performance Monitor to collect data about the saturation of each WAN link.
C. Use Network Monitor to analyze the data that is transmitted over the network for App1.
D. Install SNMP on all computers that are connected to App1 to obtain information about App1.
E. Build a test environment for NewApp to analyze how much bandwidth is required for NewApp.
Answer: B, C, E
Explanation: Performance Monitor, which is replaced by System Monitor in Windows Server 2003, allows us to obtain stats on total bandwidth used. The System Monitor is designed for real-time reporting of data to a console interface, and can be reported in graph, histogram, or numeric form. SNMP allows for monitoring the status of network components. A test environment would be ideal in this case to prevent disruption of the active network.

QUESTION NO: 2
You need to ensure that there is adequate bandwidth available to meet the service-level agreement requirements. Which action or actions should you perform? (Choose all that apply.)
A. Upgrade all WAN lines in six months.
B. Upgrade all WAN lines prior to implementing NewApp.
C. Analyze the cause of a peak in network usage in February.
D. Analyze network usage characteristics for NewApp. Based on these results, create an upgrade plan for the WAN lines.
Answer: C, D

QUESTION NO: 3
You need to ensure that the network administrators are able to administer the NewApp database servers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create an organizational unit (OU) for all users who log on to any of the NewApp servers.
B. Create an organizational unit (OU) named NewApp Users for the NewApp users.
C. Create an organizational unit (OU) named NewApp Servers for the NewApp servers.
D. Create a Group Policy object (GPO) for the NewApp Users OU to enforce the use of IPSec.
E. Create a global group for all NewApp servers. Add this group to the NewApp Servers OU.
F. Create a Group Policy object (GPO) for the NewApp Servers OU to enforce the use of smart cards.
G. Use the account properties to force all users who have to log on to the NewApp servers to use smart cards.
Answer: C, E
Explanation: The case study says "Network Administrators should only be allowed to access NewApp database server by using smart card authentication. However, network administrator must be able to log on to users computers to fix problems without using a smart card". Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are inserted into a card reader attached to a computer and provide an additional physical identification component to the authentication process.

QUESTION NO: 4
You are designing a strategy for migrating the UNIX user accounts to Active Directory. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Import the user accounts as inetOrgPerson objects.
B. Import the user accounts into Active Directory by using the Ldifde command-line tool.
C. Export all user accounts from the UNIX servers to a text file.
D. Export all user accounts and their passwords from the UNIX servers to a text file. Encrypt this file to achieve extra security.
E. Assign random passwords to each user object, and securely distribute the password to the users.
F. Create the same strong password for each user object, and require users to change their passwords at first logon.
G. Instruct users to use the same name and password as they used on the UNIX servers.
Answer: B, C, E
A strong password is a password that provides an effective defense against unauthorized access to a resource.
Incorrect Options:
A: InetOrgPerson is an object, similar to a user object, that is used to migrate users from other Lightweight Directory Access Protocol (LDAP) directory services to Active Directory, not from one OS to another.
D: Passwords cannot be added using LDIFDE upon object creation.
E: G: This cannot be done, since the password attribute for UNIX and Active Directory is different.
QUESTION NO: 5
You are designing a site topology to meet the business and technical requirements. What should you do?
A. Increase the replication interval between sites.
B. Use SMTP as the transport protocol for replication.
C. Create site links to represent the physical topology.
D. Disable the Knowledge Consistency Checker (KCC) and manually configure site replication.
Answer: C

QUESTION NO: 6
You are designing a NetBIOS name resolution strategy for all computers in all offices. What should you do? To answer, drag the appropriate name resolution component or components to the correct location or locations in the work area.
Answer:

QUESTION NO: 7
You are designing a strategy to optimize the DNS name resolution for the satellite offices that connect to the branch offices by using ISDN lines. What should you do?
A. Use caching-only DNS servers at these satellite offices.
B. Configure a Hosts file for all client computers at these satellite offices.
C. Configure a DNS server to use WINS forward lookup at these satellite offices.
D. Place a DNS server with secondary zones of all domains at these satellite offices.
Answer: A

QUESTION NO: 8
You are designing the Active Directory infrastructure to meet the business and technical requirements. You run ADSizer, and find that it provides a solution that contains only one domain controller for Amsterdam. What should you do?
A. Place at least two domain controllers in Amsterdam.
B. Configure the domain controller as a bridgehead server.
C. Configure the domain controller as a global catalog server.
D. Distribute the users among sites in ADSizer and recalculate the number of domain controllers.
Answer: A

QUESTION NO: 9
You are designing a DHCP solution to meet the business and technical requirements. What should you do?
A. Increase the default lease time on all DHCP servers.
B. Split all address ranges across multiple DHCP servers.
C. Configure duplicate scopes on at least two DHCP servers.
D. Force client computers to obtain an IP address from Automatic Private IP Addressing (APIPA).
Answer: B

A Windows NT Server 4.0 computer named Server1 in the Los Angeles office hosts a mission-critical application. This application is accessed by users from all departments and offices in the company. The application vendor currently does not support running this application on any operating system other than Windows NT Server 4.0.

Directory Services
The company has three Windows NT 4.0 domains configured in a single master domain model as shown in the Existing Domain Model exhibit. All user accounts are maintained in the cohovineyard domain. Client computer accounts are managed locally in each regional domain. IT responsibilities for the company are shown in the following table.

Job title | Office | Responsibilities
Chief information officer | Los Angeles | Oversees all IT operations for all offices.
Network Administrator | Los Angeles | Manages all aspects of the network for all offices.
Help desk staff | Los Angeles | Supports all users in all offices. Performs tasks such as resetting user account passwords.
Regional network administrator, Los Angeles | Los Angeles | Manages user and computer accounts for the Los Angeles office.
Regional network administrator, Paris | Paris | Manages user and computer accounts for the Paris office.
Regional network administrator, Sydney | Sydney | Manages and maintains user and computer accounts for the Sydney office.

The existing network infrastructure is shown in the Existing Network Infrastructure exhibit. Currently, all offices connect to the Internet directly through Windows 2000 Server computers that perform network address translation (NAT). These servers also provide a PPTP tunnel between all offices. The existing server hardware is shown in the following table.

Server name | Role | Domain | Location | Operating system | Processor | Description and additional functions
DC1 | PDC | cohovineyard | Los Angeles | Windows NT Server 4.0 | Pentium III 866 MHz |
DC2 | BDC | cohovineyard | Los Angeles | Windows NT Server 4.0 | Pentium III 866 MHz | WINS, DHCP
DC3 | BDC | cohovineyard | Paris | Windows NT Server 4.0 | Pentium III 800 MHz | WINS, DHCP
DC4 | BDC | cohovineyard | Sydney | Windows NT Server 4.0 | Pentium III 800 MHz | WINS, DHCP
DC5 | PDC | Paris | Paris | Windows NT Server 4.0 | Dual RISC 250 MHz | File server for Paris
DC6 | PDC | Sydney | Sydney | Windows NT Server 4.0 | RISC 250 MHz | File server for Sydney
Server1 | Member server | cohovineyard | Los Angeles | Windows NT Server 4.0 | Dual RISC 250 MHz | Mission-critical application server

Client Computers and Users
The current user population for each office and department is shown in the following table.

Department | Los Angeles | Paris | Sydney | Total
Accounting | 10 | 2 | 2 | 14
Distribution | 50 | 5 | 5 | 60
HR | 5 | 1 | 1 | 7
IT | 5 | 2 | 2 | 9
Marketing | 10 | 1 | 1 | 12
Purchasing | 30 | 20 | 20 | 70
Sales | 50 | 5 | 5 | 60
Total number of users | 160 | 36 | 36 | 232

The current operating systems installed on the client computers are shown in the following table.

Operating system | Los Angeles | Paris | Sydney | Total
Windows NT 4.0 Workstation, with latest service pack | 100 | 0 | 0 | 100
Windows 2000 Professional | 20 | 25 | 29 | 74
Windows XP Professional | 30 | 5 | 1 | 36
Total client computers | 150 | 30 | 30 | 210

Problem Statements

The $ollo"ing business #roblems must be considered: # +ecause o$ security limitations o$ !indo"s NT Ser/er 4 =* all IT sta$$ has been added to the )dministrators grou# o$ the coho/ineyard domain IT sta$$ should be allo"ed administrati/e rights only to their s#eci$ic areas o$ res#onsibility # Aac0 o$ control o/er IT #rocedures and #rocesses ha/e made the current en/ironment costly to maintain 'hie$ E3ecuti/e O$$icer The current IT in$rastructure at 'oho 8ineyard is negati/ely a$$ecting business o#erations IT o#erations need to be streamlined to accommodate the antici#ated gro"th 'hie$ In$ormation O$$icer The current IT en/ironment needs to be reorgani1ed 'or#orate standards need to be im#lemented Users currently install unauthori1ed and unlicensed so$t"are These installations need to be im#lemented )dministrati/e roles ha/e been clearly de$ined* but no" need to be en$orced The IT budget $or the ne3t year has already been allocated No ne" ser/er hard"are is to be #urchased $or the e3isting o$$ices Ne" ser/er hard"are has been budgeted $or the ne" o$$ices )$ter the de#loyment o$ )cti/e Directory is com#lete* e>mail ser/ices "ill be im#lemented by using ?icroso$t E3change Ser/er 2==, The E3change Ser/er 2==, in$rastructure "ill be maintained by the internal IT sta$$ )lso "e "ant to #ro/ide all users 8.N access to the net"or0 Net"or0 )dministrator There is a need to #ro/ide standardi1ed settings $or all users and com#uters The current IT administration #ractices need to be ree/aluated* and ne" #ractices that are more e$$ecti/e need to be en$orced O$$ice !or0er The current en/ironment is di$$icult to use In$ormation is scattered on the net"or0* ma0ing it di$$icult to $ind There does not seem to be any clear de$inition as to "ho is res#onsible $or res#onding to net"or0 and com#uter #roblems +ecause o$ this con$usion* most users manage their o"n com#uters )lso* "e "ant to be able to connect to the net"or0 "hen "or0ing remotely +usiness Dri/ers The $ollo"ing business 
requirements must be considered: # The current names#ace used $or the e3ternally hosted e>mail in$rastructure is coho/ineyard com This names#ace "ill be used "hen e>mail ser/ices are im#lemented internally # The ne" en/ironment must #ro/ide $ault tolerance in the e/ent o$ a single domain controller $ailure # The IS. #ro/ides e3tremely reliable ser/ice $or each location No #lans are being made to #ro/ide $or redundant lin0s The current le/el o$ net"or0 outages caused by !)N lin0 $ailures is considered to be acce#table # To im#ro/e net"or0 su##ort* !indo"s Ser/er 2==, "ill become the cor#orate standard $or all ser/er com#uters "here/er #ossible 'lient com#uters "ill be standardi1ed o/er the ne3t t"o years to run !indo"s @. .ro$essional Organi1ational -oals The $ollo"ing organi1ational requirements must be considered: # +ranch o$$ices in Aisbon and +arcelona "ill be im#lemented in the ne3t year The Aisbon branch o$$ice is e3#ected to ha/e 65 users and client com#uters The +arcelona branch o$$ice "ill ha/e no more than <= users and client com#uters # +ecause o$ the small si1e o$ the +arcelona branch o$$ice* it "ill ha/e no IT sta$$ and no ser/ers The Aisbon IT sta$$ "ill manage users and com#uters $or both the Aisbon and +arcelona branch o$$ices # T"o ser/ers ha/e been #urchased $or the Aisbon branch o$$ice One "ill be designated as a domain controller The other ser/er "ill be a 8.N ser/er and "ill also #ro/ide N)T ser/ices Security The $ollo"ing security requirements must be considered: # Degional net"or0 administrators must ha/e only limited control o/er the )cti/e Directory ser/ice They "ill be res#onsible $or managing user and com#uter accounts $or their regions They "ill also manage local ser/ers # The net"or0 administrator in the Aos )ngeles o$$ice "ill manage all domain controllers* con$igure sites* and #er$orm other high>le/el administrati/e tas0s # Users "ill ha/e limited access to their com#uters They "ill be allo"ed to modi$y only certain des0to# settings* 
and they "ill not be allo"ed to install unauthori1ed a##lications # Some users currently ha/e blan0 #ass"ords .ass"ord security standards must be im#lemented # Security auditing must be im#lemented to trac0 all unauthori1ed logon attem#ts to the domain )uditing must not be enabled on any client com#uters )cti/e Directory The $ollo"ing )cti/e Directory requirements must be considered: # 'entrali1ed control o/er )cti/e Directory must be maintained by the net"or0 administrator in the Aos )ngeles o$$ice Aimited access to )cti/e Directory "ill be gi/en to the hel# des0 sta$$ and the regional net"or0 administrators # )lthough band"idth is not currently an issue* incremental increase in band"idth usage is antici#ated To accommodate this #ro2ected gro"th* all designs should minimi1e !)N tra$$ic # De#artments "ithin 'oho 8ineyard ha/e their o"n unique needs* "hich include* but are not

limited to* s#eciali1ed de#artmental a##lications Net"or0 In$rastructure The $ollo"ing in$rastructure requirements must be considered: # Demote access security and restrictions $or all o$$ices must be im#lemented and managed centrally by the net"or0 administrator in the Aos )ngeles o$$ice Only one set o$ remote access #olicies must e3ist $or the com#any # ) domain>naming strategy must be identi$ied that reduces administrati/e com#le3ity and is intuiti/e to the users # One domain controller in each o$ the current o$$ices "ill ha/e the DNS ser/ice installed DNS name resolution tra$$ic must be minimi1ed o/er all !)N lin0s QUESTION NO: < )s #art o$ your design* you are e/aluating "hether to u#grade all domains to !indo"s Ser/er 2==, +ased on current con$igurations* "hich ser/er or ser/ers #re/ent you $rom achie/ing this goal% &'hoose all that a##ly( A. D.2 1. D.3 .. D.D. D.F 3. D.; (. $er%er1 )ns"er: D* E QUESTION NO: 2 You are designing the !indo"s Ser/er 2==, )cti/e Directory $orest structure to meet the business and technical requirements !hich $orest structure should you use% A. 'ne Acti%e Director forest with one domain. 1. 'ne Acti%e Director forest with three domains. .. 'ne Acti%e Director forest with four domains. D. Two Acti%e Director forests with one domain in each forest. 3. Three Acti%e Director forests with one domain in each forest. )ns"er: ) QUESTION NO: , You are designing the to#>le/el organi1ational unit &OU( structure to meet the business and technical requirements Your design must accommodate the antici#ated gro"th o$ the com#any !hich to#>le/el OU structure should you use% A. 5aris 'U, $ dne 'U, 4os Angeles 'U, 4isbon21arcelona 'U 1. &T Administration 'U, All .oho?ine ard Departments 'U, All .oho?ine ard 'ffices 'U .. $ales 'U, 5urchasing 'U, Mar/eting 'U, Accounting 'U, Distribution 'U, Auman Resources 'U D. 
.oho?ine ard Users 'U, .oho?ine ard .omputers 'U, .oho?ine ard $er%ers 'U, .oho?ine ard Applications 'U )ns"er: ) QUESTION NO: 4 You are designing a #lan $or a##lying the security #olicy settings to meet the business and technical requirements !here should you im#lement the auditing #ass"ord #olicy settings% To ans"er* drag the a##ro#riate #olicy setting or settings to the correct location or locations in the "or0 area )ns"er: QUESTION NO: 5 )s #art o$ your design* you are e/aluating "hether a second>le/el organi1ational unit &OU( structure is required !hich $actor necessitates the need $or a second>le/el OU structure% A. Audit polic settings 1. $oftware deplo ment needs .. .lient operating s stems in use D. Delegation of administrati%e authorit )ns"er: + You are designing a DNS name resolution strategy to meet the business and technical requirements !hich action or actions should you #er$orm% &'hoose all that a##ly( A. .reate an Acti%e Director 2integrated 0one named coho%ine ard.com on a domain controller in 4os Angeles. 1. .reate an Acti%e Director 2integrated 0one named paris.coho%ine ard.com on a domain controller in 5aris. .. .reate an Acti%e Director 2integrated 0one named s dne .coho%ine ard.com on a domain controller in $ dne . D. 'n a domain controller in 4os Angeles, delegate paris.coho%ine ard.com to a domain controller in 5aris. 3. 'n a domain controller in 4os Angeles, delegate s dne .coho%ine ard.com to a domain controller in $ dne . )ns"er: ) QUESTION NO: 7 You are designing a #lan $or maintaining the !INS in$rastructure on the ne" !indo"s Ser/er 2==,

)cti/e Directory en/ironment !hich $actor or $actors necessitate the need to maintain the !INS in$rastructure% &'hoose all that a##ly( A. .lient operating s stems in use. 1. $er%er operating s stems in use. .. ?5, client access b using 55T5. D. &nstallation of Acti%e Director client software. )ns"er: )* + QUESTION NO: 9 You are designing a DNS im#lementation strategy $or the .aris o$$ice !hich t"o actions should you #er$orm% &Each correct ans"er #resents #art o$ the solution 'hoose t"o( A. .reate an Acti%e Director 2integrated 0one named coho%ine ard.com. 1. .reate an Acti%e Director 2integrated 0one named paris.coho%ine ard.com. .. .reate a standard primar 0one named paris.coho%ine ard.com. D. .onfigure all computers in 5aris to use D.3 as their D,$ ser%er. 3. .onfigure all computers in 5aris to use D.; as their D,$ ser%er. )ns"er: )* D QUESTION NO: ; You are designing a strategy $or im#lementing Internet )uthentication Ser/ice &I)S( to meet the business and technical requirements !hat should you do% A. &nstall &A$ on ?5,1, ?5,2, and ?5,3. 1. &nstall &A$, on ?5,1. .onfigure ?5,2 and ?5,3 as RAD&U$ clients. .. &nstall &A$ on ?5,1. .onfigure ?5,1, ?5,2, and ?5,3 as RAD&U$ clients. D. &nstall &A$ on D.1. .onfigure ?5,2 and ?5,3 as RAD&U$ clients. .reate all remote access policies on ?5,1. 3. &nstall &A$ on D.2. .onfigure ?5,2 and ?5,3 as RAD&U$ clients. .onfigure remote access logging on ?5,1. )ns"er: ' QUESTION NO: <= You are designing a DNS in$rastructure to meet the Internet name resolution requirements !hat should you do% A. .reate a standard primar 0one named 7.D on all D,$ ser%ers. 1. .reate an Acti%e Director 2integrated 0one named 7.D on a D,$ ser%er on 4os Angeles. .. .onfigure all D,$ ser%ers to use forwarders. $pecif the &5 address of the D,$ ser%er at the local &$5. D. 3nable default root hints on all D,$ ser%ers. 3. Disable recursion on all D,$ ser%ers. 
Answer: C

QUESTION NO: 11
You are designing the placement of the PDC emulator role to meet the business and technical requirements. In which location should you place the PDC emulator role? (Choose all that apply)
A. Los Angeles
B. Paris
C. Sydney
D. Lisbon
E. Barcelona
Answer: A

QUESTION NO: 12
You are designing the IP addressing scheme for the new Barcelona office. Which network address or addresses are valid for your design? (Choose all that apply)
A. 10.10.10.0/28
B. 10.10.255.0/2
C. 131.15.0.0/2
D. 151.10.10.0/2
E. 192.168.11.0/25
Answer: A, B, E
192.168.0.0 192.168.255.25
Incorrect Options: C and D: The case study says that the IT staff in the Lisbon office will manage users in the Barcelona office because Barcelona will not have any servers installed. It also says that a VPN server will provide NAT services, which enables a local-area network (LAN) to use one set of Internet Protocol (IP) addresses for internal traffic and a second set of addresses for external traffic.
and maintaining a Microsoft Windows Server 2003 network infrastructure, Chapter 2, pp. 227 to 228.

QUESTION NO: 13
You are designing the migration strategy to meet the business and technical requirements. You need to identify the actions that you should perform to achieve this goal. What should you do? Move the appropriate actions from the list of actions to the answer area, and arrange them in the appropriate order.
Answer:

Case Study #4, Litware, Inc.

Overview
Litware, Inc., is a corporate management company that manages the internal operations for its business customers. Internal operations include sales, accounting, and payroll.

Physical Locations
Litware, Inc., has two main offices in the following locations:
- New York
- Chicago
Each office has approximately 300 users. The New York office has a branch office in Boston. The Boston office has approximately 100 users. Staff in the Boston office work exclusively on projects for customers in the New York office. The Boston office has no customers of its own.

Planned Changes
As part of its initiative to streamline the IT environment and increase network security, the company has decided to implement a Windows Server 2003 Active Directory environment. The New York office is currently in negotiations to secure Contoso, Ltd., as a new customer.

Business Processes
Litware, Inc., manages the business operations for eight business customers. For each customer, Litware, Inc. has a dedicated staff that works exclusively with that customer. Users require access only to project data for the customers to which they have been directly assigned. The New York and Chicago offices are responsible for their own customers and maintain them separately. Each individual customer project is listed in the following table.

Customer name | Managed by
Alpine Ski House | New York
Baldwin Museum of Science | Chicago
Coho Vineyard | New York
Fabrikam, Inc. | New York
Humongous Insurance | Chicago
Lucerne Publishing | New York
Wingtip Toys | Chicago
Woodgrove Bank | Chicago

The chief information officer is the only person who is authorized to implement any changes that will impact the entire company. Roles and responsibilities in the IT department are shown in the following table.

Job title | Responsibilities | Office
Chief information officer | Approves all major IT decisions, manages the IT budget, functions as liaison between network administrators in the New York and Chicago offices. | New York
Network administrator, New York | Manages the day-to-day operations of the New York and Boston networks. Installs and manages servers and domain controllers. | New York
Network administrator, Chicago | Manages the day-to-day operations of the Chicago network. Installs and manages servers and domain controllers. | Chicago
IT support | Provides day-to-day troubleshooting and maintenance of the network. This includes the installation of operating systems for end users and some server configuration. Each office has its own IT support staff. | New York, Chicago, Boston
Help desk | Provides telephone support for all users in all offices. | New York

Directory Services
Currently, Litware, Inc., has two Windows NT 4.0 domains configured as shown in the Existing Domain Model exhibit. The New York domain contains user and computer accounts for both the New York and Boston offices. The Chicago domain contains user and computer accounts for the Chicago office. Litware, Inc., users require access only to project data for the customers to which they have been directly assigned. They also require access to internal company resources, such as a time-billing application that is hosted in the New York office. Accounting auditors and executives require access to data from all customer projects to perform quarterly reports, account reviews, and billing verifications. Account auditors and executives are located in both New York and Chicago offices, and frequently travel between offices.

Network Infrastructure
The existing network infrastructure is shown in the Existing Network Infrastructure exhibit. All Internet access is provided through a proxy server located in the New York office. The proxy server provides Internet name resolution on behalf of the client computers. Currently, all servers run Windows NT Server 4.0 with the latest service pack installed. A time-billing application is installed on a Microsoft SQL Server computer named SQL1. SQL1 is managed by the network administrators in the New York office, and is accessed by all Litware, Inc., users. The company's servers, including their domain membership, physical locations, and network functions, are shown in the following table.

Server name | Domain | Office | Functions
DC1 | New York | New York | PDC, DHCP server
DC2 | New York | New York | BDC, WINS server
DC3 | New York | Boston | BDC, DHCP server, WINS server
Fileserver1 | New York | New York | Member server, DHCP server, file server
Fileserver2 | New York | New York | Member server, WINS server, file server
Fileserver3 | Chicago | Chicago | Member server, DHCP server, file server
Fileserver4 | Chicago | Chicago | Member server, WINS server, file server
SQL1 | New York | New York | Member server, SQL Server computer, time-billing application server

Most required network resources are available locally. All client computers in the company run Windows 2000 Professional.

Problem Statements
The following business problems must be considered:
- Contoso, Ltd., requires that the new Active Directory infrastructure is completely in place prior to obtaining the contract.
- Administrative authority for network administrators in the New York and Chicago offices must remain equal.

Chief Executive Officer
The addition of Contoso, Ltd., as a customer will likely increase annual revenue by 50 percent. Additional funds and resources have been allocated to secure this contract. All efforts should be made to demonstrate to the Contoso, Ltd., representatives that we will address all of their security concerns. This will be done in part through a migration to the Windows Server 2003 Active Directory environment. Any short-term costs associated with a technology deployment are acceptable if they allow for growth and flexibility in the future.

Chief Information Officer
A Web-based interface for the time-billing application will be implemented in the near future. The
current network administrators in the New York and Chicago offices perform their jobs well. To reduce the burden on IT staff, trusted individuals within the organization should be identified to help reduce the IT administrative burden.

Office Worker
We want to be able to access the internal network from our home computers.

Business Drivers
The following business requirements must be considered:
- The company wants access to the network to remain easy and intuitive. A company policy now states that user logon names and e-mail addresses should be identical. Currently, each user has an e-mail address made up of that user's first initial and last name, and an additional domain name indicating the region that manages that user's account. For example, the user Nicole Caron from the New York office has the e-mail address of ncaron@ny.litwareinc.com. The user Luis Bonifaz from Chicago has the e-mail address of lbonifaz@chi.litwareinc.com.
- The domain name litwareinc.com has been registered.
- To ensure reliability in the event of a single WAN link failure, users should continue to authenticate on the network. Additionally, all domains should be fault tolerant in the event of a single domain controller failure.
- VPN access will be provided to enable user access to customer data outside of regular business hours. VPN connections will be assigned through the New York office.

Organizational Goals
The following organizational requirements must be considered:
- As part of the negotiations between Contoso, Ltd., and the New York office, Litware, Inc., has agreed to ensure that all users who require access to Contoso, Ltd., data must have complex passwords that are a minimum of 10 characters in length.
- The company has also agreed that management of Contoso, Ltd., data must be completely isolated from all other Litware, Inc., data. This includes the ability to manage security of Contoso, Ltd., resources. There will be no exceptions.
- Planning for other aspects of how Contoso, Ltd., will integrate with the Litware, Inc., environment is premature at this point. However, a quick migration solution for the existing environment must be identified to allow for this anticipated growth.
- Litware, Inc., account auditors and executives from the New York and Chicago offices will require limited access to Contoso, Ltd., data.

Security
The following security requirements must be considered:
- A new Web-based interface will be implemented for the time-billing application running on SQL1. This application will use IIS, and will require the use of IP filtering that uses computer host names for security purposes.
- Only authorized computers within the internal Litware, Inc., network will be given access to the time-billing application.

Active Directory
The following Active Directory requirements must be considered:
- The network administrators in the Chicago and New York offices will retain their current responsibilities, such as the management of user accounts, servers, and domain controllers for their regions. There should be no overlap between their administrative authority.
- There is a need to allow trusted individuals responsible for each customer project to manage user account information. Responsibilities will include the ability to reset passwords and define personal user information on user accounts, such as phone numbers and addresses. The trusted individuals will be allowed to manage only user accounts within the customer project to which they have been assigned.

Network Infrastructure
The following infrastructure requirements must be considered:
- Users in the Chicago office access Internet-based resources frequently. This Internet-related traffic accounts for most of the bandwidth used between the Chicago and New York offices. Bandwidth utilization between these two offices is currently a cause for concern. Network traffic between the Chicago and New York offices must be minimized whenever possible.
- Because of the Boston office's data access requirements, a high level of availability and reduced latency between the New York and Boston offices is required. Bandwidth utilization between the Boston and New York offices is minimal and is not a concern in the foreseeable future.
- A Windows Server 2003 computer will provide VPN access to the network by using both L2TP and PPTP. Usage statistics will be gathered over time to identify which users establish VPN connections to the network, and the duration of their connections. These usage statistics will help the company track trends and plan for future growth.
- The network administrator in Chicago has extensive knowledge of DNS, and will manage the implementation of the DNS infrastructure for the Litware, Inc., network.
- The DNS structure must be secured against any unauthorized modifications, but also must be easy to maintain and manage.

Case Study #4, Litware, Inc. (9 Questions)

QUESTION NO: 1
You are designing a forest and domain structure to address the concerns of Contoso, Ltd., and to meet
the business and technical requirements. You want to use the minimum number of domains and forests that are required. Which domain structure should you use?
A. One forest and two domains.
B. One forest and three domains.
C. One forest and four domains.
D. Two forests and three domains.
E. Two forests and four domains.
Answer: E

QUESTION NO: 2
You are designing the top-level organizational unit (OU) structure to meet the administrative requirements. What should you do?
A. Create a top-level OU named New York. Place all user and computer accounts from New York in the New York OU.
B. Create a top-level OU named Chicago. Place all user and computer accounts from Chicago in the Chicago OU.
C. Create a top-level OU named Coho. Place all user and computer accounts that are assigned to the Coho Vineyard customer project in the Coho OU.
D. Create a top-level OU named Sales. Place all user and computer accounts from the sales department in the Sales OU.
Answer: C

QUESTION NO: 3
You are designing a security group strategy to meet the business and technical requirements. What should you do?
A. Create one global group named G_Executives. Make all executive user accounts members of that group.
B. Create two global groups named G_Executives and one universal group named U_Executives. Make the two global groups members of U_Executives. Make the executive user accounts members of the appropriate global group.
C. Create three global groups named G_NY_Executives and G_Chi_Executives and G_Executives. Make G_NY_Executives and G_Chi_Executives members of G_Executives. Make the executive user accounts members of the appropriate global group.
D. Create one domain local group named DL_Executives. Make all executive user accounts members of that group.
Answer: B

QUESTION NO: 4
You are designing an Active Directory implementation strategy to present to executives from your company and from Contoso, Ltd. Which implementation strategy should you use?
A. Upgrade the New York domain. Upgrade the Chicago domain. Create a pristine forest for Contoso, Ltd.
B. Create a pristine forest. Upgrade the New York domain. Upgrade the Chicago domain. Do nothing further.
C. Create a pristine forest. Upgrade the New York domain. Upgrade the Chicago domain. Create a pristine forest for Contoso, Ltd.
D. Create a pristine forest. Upgrade the New York domain. Upgrade the Chicago domain. Create a new child domain for Contoso, Ltd.
Answer: C

QUESTION NO: 5
You are designing the DNS infrastructure to meet the business and technical requirements. What should you do?
A. Create an Active Directory-integrated zone on DC4. Set the replication scope to all DNS servers in the domain.
B. Create an Active Directory-integrated zone on DC5. Set the replication scope to all DNS servers in the forest.
C. Create an Active Directory-integrated zone on any domain controller in the forest root domain. Set the replication scope to all domain controllers in the domain.
D. Create a standard primary zone on DC3. Create a standard primary zone on any domain controller in the forest root domain.
Answer: B

QUESTION NO: 6
You are designing a DNS implementation strategy for the network.
Which two zone types should you use? (Each correct answer presents part of the solution. Choose two)
A. Reverse lookup zones
B. Standard primary zones
C. Standard secondary zones
D. Active Directory-integrated zones
Answer: A, D

QUESTION NO: 7
You are designing a strategy to upgrade the DHCP servers after the new Active Directory structure is in place. Who can authorize the DHCP servers? (Choose all that apply)
A. Chief information officer
B. IT support staff in Boston
C. IT support staff in New York
D. Network administrator in Chicago
E. Network administrator in New York
Answer: A
The case study states: "The chief information officer is the only person who is authorized to implement any changes that will impact the entire company."

QUESTION NO: 8
You are designing the placement of the global catalog servers. You want to use the minimum number of global catalog servers that are required. Which design should you use?
A. One global catalog server in New York.
B. Two global catalog servers in New York.
C. One global catalog server in Chicago and one global catalog server in New York.
D. Two global catalog servers in Chicago and two global catalog servers in New York.
E. One global catalog server in Chicago, one global catalog server in New York, and one global catalog server in Boston.
Answer: E

QUESTION NO: 9
You are designing an IP addressing strategy for your VPN solution. How many public addresses should you use?
A. 1
B. 25
C. 50
D. 255
Answer: A

Case Study #5, TestKing.com

Overview
TestKing.com is a new government-funded organization, established to consolidate medical research performed at universities into a single electronic library. The company has been allocated a large budget to start the project, and more funds will be made available as more universities integrate their research with TestKing.com.

Physical Location
The company has one office located in Dallas. The office currently has 100 users.

Planned Changes
A new office in Seattle will be opened soon. The Seattle office will have 100 users when it opens. An additional 100 users will be hired in the Dallas office over the next year. The number of users is expected to grow by 60 percent over the next five years. An external network will be established to allow universities to share medical research. At launch, the user population will be minimal. It is expected that the external network will have more than 10,000 active users in the next two years.

Business Processes
TestKing.com will reorganize its internal staff to include the following departments:
- Accounting
- Administration
- Information Technology (IT)
- Knowledge Management
- Marketing
- Projects
The Project department will work directly with universities to help them integrate data with TestKing.com. A separate project team will be dedicated to each university that partners with the company. This project team is in charge of making external security available, creating user accounts, and establishing security for the university whose resources are made available through the company's external network. The company has a small internal IT staff that manages internal resources for internal users. The internal IT staff includes a network administrator and technical support team. The external network will have its own IT staff. This IT staff will include a network administrator, a technical support team, and a development team. External and internal resources will be managed independently.
Internal users will require access to data located on both the internal network and the external network. External users and partners from universities will have access only to external resources. Under no circumstances will external users be given access to internal resources. This includes the external IT staff.

Infrastructure

Directory Services
To provide a quick solution to allow for information sharing, an unplanned Windows 2000 network was established when the company was first established. A Windows 2000 Active Directory environment was implemented with the domain name of research.com and the NetBIOS domain name of research. The domain name research.com has been registered by another organization and this name is not available to the company. The domain contains two domain controllers. A single file server exists on the network to store shared data for the internal users.

Network Infrastructure
The company has a 10-Mbps Internet connection. The use of the Internet connection is minimal at present, but is expected to grow once external resources are made available to universities.

Problem Statements
The following business problems must be considered:
- The current internal network was not properly planned and needs to be completely redesigned.
- Information such as user accounts must be migrated from the current environment to a new Windows Server 2003 Active Directory environment.
- A clean separation must exist between external and internal resources.

Chief Executive Officer
Funding for TestKing.com has been finalized and it is time to move forward with the design and implementation of the internal and external network. A stable environment that has the ability to grow is of utmost importance for the external network.

Chief Information Officer
The internal and external networks will have very different needs and audiences. For that reason, we have decided to have a separate IT staff to manage each network. Access to internal resources will be made available to internal users only. Planned VPN access will allow internal users access to internal data while traveling. A Microsoft Exchange Server 2003 deployment will be implemented for internal users with a dedicated Exchange Server 2003 computer in each office. To avoid confusion, all internal users need to be able to gain access to both internal & external resources by using a single set of credentials. Internal users should not be prompted for alternate credentials when accessing external resources. During the migration, internal users must have access to resources in the existing domain. We do not want to manually redefine the security on existing resources.

Network Administrator
I will manage server deployment and configuration for all external resources. Technology decisions and implementation done for the internal network should not affect me. My technical support team will manage day-to-day server maintenance. The development team will deploy a knowledge management portal to streamline information sharing with external partners. Project teams for the internal network will help in the management of security and will be given strict security areas in which they will be able to manage security for their specific university. The project teams will manage the data security and create user accounts for the university they are managing.

Business Requirements

Business Drivers
The following business requirements must be considered:
- TestKing.com has registered the domain name treyresearch.com. Internal and external naming needs to be intuitive and easy to manage. Internal and external naming will be managed independently.
- No new domain names will be registered, and naming decisions must not cause conflicts with any Internet hosts.
- The naming strategy for the external resources must be as short as possible to make it easy for external partners to access.
- The company already has a small web site accessible at www.treyresearch.com.
- The company will require two domain controllers in each office. A single domain controller failure or WAN link failure between the Dallas and Seattle offices must not affect the operations of the Exchange Server 2003 environment.

Organizational Goals
The following organizational requirements must be considered:
- External users will only require access to a server named Web1. Web1 will provide a web interface to the external users and retrieve resources from other external servers. External resources for universities will be provided by using HTTPS.
- All external users who require access to resources will require a username and password to gain access to the external resources.
- Web1 will also host the interface for the public web site. Anonymous access will be provided for the public web site.
- Internal users will be granted VPN access by connecting to VPN1.
- Domain-based DFS servers will be implemented in the Dallas and Seattle offices. DFS replication must not occur during regular business operation. DFS replication must occur between the hours
of 9:00 P.M. and 5:00 A.M. Central Time.
- Users in each office should automatically be redirected to the DFS server in their current physical location. In the event of a single DFS server failure, users should be automatically redirected to an available DFS server.

Security
The following security requirements must be considered:
- To maintain the security of both the internal network and the external network, only traffic that is required by the company to meet its goal will be allowed to pass through the perimeter firewall.
- All other traffic must be blocked.

Technical Requirements

Active Directory
The following Active Directory requirements must be considered:
- External and internal resources must be managed independently. This includes high-level modifications to the directory service, such as the installation of Exchange Server 2003 or other directory-aware applications.
- During the first two years, many new users will be added to the network. To provide a consistent environment, the replication of internal domain user accounts must occur within a maximum time delay of one hour between the Dallas and Seattle offices.

Network Infrastructure
The following infrastructure requirements must be considered:
The network infrastructure will be configured as shown in the planned network infrastructure exhibit.
- The internal DNS structure must be secured to prevent unauthorized systems from registering their names with DNS.
- To reduce the impact that name resolution of Internet-based resources might have on WAN links, a solution must be identified that allows name resolution to occur without generating excessive and unnecessary traffic. A single domain controller in each office will be configured as a DNS server.
- A single DHCP server will be present at each office. The DHCP server will configure local client computers to have the appropriate IP settings, including the address of a local DNS server. All users accessing the internal network must receive their IP configurations from one of these DHCP servers.
- An external DNS server will be required to perform only name resolution for the namespace treyresearch.com. It will not be allowed to resolve any other name for external users, including names of other Internet-based hosts.

Case Study #5, TestKing.com (14 Questions)

QUESTION NO: 1
You need to identify the features that will be available immediately after the domain migration to the new environment is complete. Which feature or features will be available? (Choose all that apply)
A. Global group nesting.
B. Universal group nesting.
C. Domain local group nesting.
D. Universal security groups.
E. SID history attributes.
Answer: A, B, C, D, E
They all will be available.

QUESTION NO: 2
You are designing a NetBIOS naming strategy for the internal domain. What are two possible NetBIOS domain names you can use to achieve your goal? (Each correct answer presents a complete solution.) (Choose two)
A. ad
B. dallas
C. internal
D. external
E. Research
Answer: C, D

QUESTION NO: 3
You are designing a strategy for performing the migration of the internal network. You need to identify the actions that you should perform to achieve this goal. What should you do? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the appropriate order. (Use only actions that apply.)
Answer:
Explanation: A migration is accomplished by creating a new pristine Active Directory on a new server. Then, you use a migration tool to copy the domain information from your old domain to your new one. Here are some of the advantages of this method:
1. Migration is gradual. You can migrate one department at a time.

QUESTION NO: 4
You are designing the site topology for the internal domain. Which action or actions should you perform? (Choose all that apply.)
A. Create a Single Site.
B. Create a site for each physical location.
C. Set the replication interval on the default IP site link to 60 Minutes.
D. Configure the schedule of the default IP site link to only allow replication between the hours of 9:00 P.M and 5:00 A.M
E. Configure the schedule of the default IP site link to only allow replication between the hours of 3:00 A.M and 11:00 A.M
Answer: B, D

QUESTION NO: 5
You are designing the DNS name resolution strategy for the internal network. What should you do?
A. Configure all internal DNS servers to use the default root hints.
B. Disable recursion on the DNS server in Seattle. Configure the Seattle DNS to use Dallas DNS server as a forwarder.
C. Create a root zone on the DNS server in Dallas. Configure the Seattle DNS server to use the Dallas DNS server as a forwarder.
D. Create a root zone on the DNS server in both Dallas and Seattle.
Answer: B
Explanation:

QUESTION NO: 6
You are designing a strategy to allow users to gain VPN access to the internal network. What should you do?
A. Allow all inbound VPN traffic to pass through the internal firewall and the perimeter firewall.
B. Allow all inbound VPN traffic to pass through the perimeter firewall only.
C. Allow all VPN traffic from the source IP address of 131.107.1.14 to pass through the internal firewall.
D. Allow all VPN traffic from the source IP address of 191.168.1.0/24 to pass through the perimeter firewall.
Answer: B
Explanation: The case study states: "Planned VPN access will allow internal users access to internal data while traveling." It also states: "Internal users will be granted VPN access by connecting to VPN1." According to the planned network infrastructure exhibit, VPN1 is located inside the perimeter firewall and outside the internal firewall. So, for the internal users to access VPN1 while traveling, VPN traffic has to be allowed through the perimeter firewall only.

QUESTION NO: 7
You are designing a strategy to allow internal users in Dallas to resolve domain names. What are three possible ways to achieve the goal? (Each correct answer presents a complete solution. Choose three)
A. Configure the internal DNS server to have a root zone.
B. Configure the Dallas DNS server to use the default root hints.
C. Configure the Dallas DNS server to forward all requests for the external namespace to the external DNS server.
D. Create a caching-only DNS server on the perimeter network.
E. Create a stub zone for the external namespace on the Dallas DNS server.
Answer: B, C, E

QUESTION NO: 8
You are designing the IP address assignment strategy for the VPN users. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure VPN1 as a DHCP Relay Agent.
B. Configure VPN1 to assign IP addresses by using a DHCP server.
C. Configure VPN1 to have a static pool of IP addresses from the network address of 131.107.1.0/24.
D. Configure VPN1 to have a static pool of IP addresses from the network address of 192.168.1.0/24.
E. Configure the perimeter firewall to allow inbound DHCP traffic to be passed to VPN1.
F. Configure the internal firewall to allow DHCP broadcasts to be forwarded from the external network to the internal network.
Answer: A, B

QUESTION NO: 9
You are designing the configuration of the external DNS server to meet the business and technical requirements. What should you do?
A. Configure a root zone on the external DNS server.
B. Configure a stub zone for .com on the external DNS server.
C. Configure the external DNS server to use the default root hints.
D. Configure the external DNS server to use the ISP's DNS server as a forwarder.
Answer: A

QUESTION NO: 10
You need to identify the types of inbound traffic that should pass through the perimeter firewall while maintaining the security of the network. Which inbound traffic should be allowed? (Choose all that apply)
A. VPN Traffic
B. DNS Traffic
C. LDAP Traffic
D. HTTP Traffic
E. HTTPS Traffic
F. Traffic from the network address of 192.168.10/2
Answer: A, C, D, E

QUESTION NO: 11
You are designing a strategy to ensure that VPN users are able to access all internal resources. What should you do?
A. Specify a static routing table entry on VPN1 for the Dallas network.
B. Specify a static routing table entry on VPN1 for the Seattle network.
C. Implement Internet Authentication Service (IAS) on VPN1.
D. Define a User Class option for Routing & Remote Access Clients on the DHCP Server.
Answer: C

QUESTION NO: 12
You are designing a strategy to migrate user accounts. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Change the functional level.
B. Create an external trust relationship.
C. Run adprep to prepare the research.com forest.
D. Run adprep to prepare the research.com domain.
Answer: A, B

QUESTION NO: 13
You are designing a naming strategy for the new internal and external domains. You need to identify the appropriate domain name for each domain. What should you do? To answer, drag the appropriate domain name or names to the correct location or locations in the work area.
Answer:
Explanation: The case states: "A clean separation must exist between external and internal resources." As well as, "Under no circumstances will external users be given access to internal resources. This includes the external IT staff." This would indicate isolation: a separate forest is the security boundary, therefore separate root domains are a must, as is stated in the deployment guide. The case also states: "During the migration, internal users must have access to resources in the existing domain. We do not want to manually redefine the security on existing resources." Therefore we must maintain research.com. Providing access for internal users to external resources can be done with external trusts.

QUESTION NO: 14
You are designing the top-level OU structure for the external domain. On which factor/s should you base the top-level OU structure?
A. Physical locations
B. External partners and universities
C. The company's internal departments
D. The company's software deployment needs
Answer: B
Explanation: The case study states: "External users and partners from universities will have access only to external resources."

Case Study #6, Fourth Coffee

Overview
Fourth Coffee is a company that specializes in the retail sale of packaged coffee. The company has more than 500 retail outlets throughout the United States.

Physical Location
The company's main office is located in Atlanta. The company has six branch offices in the following locations:
- Boston
- Chicago
- Dallas
- Denver
- Los Angeles
- Seattle
Each branch office manages at least 60 retail outlets.

Planned Changes
The company plans to upgrade the network to make provision for future expansion of the company product line. This will be the first upgrade in six years.

Business Processes
The Atlanta office manages the six branch offices, as well as the retail outlets in the Atlanta area. The branch offices manage the retail outlets in their respective cities and regions. Some of the very large retail outlets have managers who are responsible for daily reporting. Each of those managers has a desktop computer for the purpose of creating reports. A single group of network administrators, located in the Atlanta office, controls all network resources and access. Two employees per branch office have been trained to assist the administrative group by performing tasks from the branch office whenever necessary. In each branch office a point-of-sale application, named the retail outlet employees of sale application, is installed on servers that run Windows NT 4.0 Terminal Server Edition. The retail outlet employees currently do not have access to any other applications. Employees in the Atlanta office and the branch offices work between the hours of 8:00 A.M. and 5:00 P.M., Monday through Friday. The network administrators are required to work on weekends to support the retail outlets. Employees in the retail outlets work in two shifts between the hours of 6:00 A.M. and 11:00 P.M.

Infrastructure

Directory Services
The network consists of a single Windows NT 4.0 domain named Fourth coffee. One PDC and three BDCs are located in the Atlanta office. Each branch office has a BDC. The domain controllers are not used for any other network service. Each group has been named for the function of the group. For example, the group name of the users in the finance department of the Atlanta office is Atlanta Finance Users.

Network Infrastructure
The network connections between the Atlanta office and the branch offices are shown in the Existing Network Infrastructure exhibit. The Atlanta office and the branch offices have 100-Mbps Ethernet networks. Each retail outlet connects to the associated branch office by using a fractional T1 line with a committed rate of 256 kbps or greater. All WAN links are reliable. There is an agreement between Fourth Coffee and its telecommunications provider to have any WAN failure resolved within one hour. The amount of bandwidth currently seems to be sufficient during business hours. The Atlanta office and the branch offices have servers running Windows NT Server 4.0, Terminal Server Edition. The number of servers per office is based on the number of retail outlets that connect to the Atlanta office or branch offices, and the number of terminals at the retail outlets. The distribution of servers is shown in the following table. Only one of the terminal servers in Atlanta, running Windows NT Server 4.0, is dedicated to the finance department. The other six terminal servers are available to be
used by the retails outlets No other ser/ers or o#erating systems are in use )ll com#any so$t"are has been success$ully tested on com#uters that run !indo"s Ser/er 2==, and !indo"s @. .ro$essional The 'om#anyJs e3isting hard"are is sho"n in the $ollo"ing table .roblem Statements The $ollo"ing business #roblems must be considered: # Em#loyees in the branch o$$ices o$ten log on to install so$t"are by using local com#uter accounts rather than domain accounts # I. addresses are con$igured manually This leads to incorrectly con$igured or du#licate addresses on the net"or0 # Em#loyees in the retail outlets ha/e been re#orting that net"or0 #er$ormance is slo" # Em#loyees "ith des0to# com#uters do not "ant to lose their installed a##lication* data and #ro$iles during the changeo/er E3ecuti/es 'hie$ E3ecuti/e O$$icer Eourth 'o$$eeFs E3#ansion "ill occur as a #hased #rocess o/er the ne3t three years* and "e need to use some o$ our accumulated #ro$its to achie/e this ) ne" com#any #olicy must be en$orced to ensure that all com#any em#loyees ha/e access to similar net"or0 ser/ices "hen they are at "or0 ) mar0et sur/ey has sho"n that "e need to establish a "eb #resence to remain com#etiti/e !e need to #ro/ide in$ormation about "hat "e do* "here "e are located and "hat our business hours are 'hie$ In$ormation O$$icer The e3isting net"or0 "as designed and im#lemented almost si3 years ago Only minor changes ha/e ta0en #lace since that time* the only thing that has changed is an u#grade to our !)N lin0s last year This u#grade did not sol/e the #er$ormance #roblems e3#erienced by the retail outlets It has since been established that the #er$ormance #roblems are related to hard"are !ith the changes in our #roduct line* "e antici#ate a gro"th in the number o$ customers This ensures that terminals must be u#graded to #ro/ide $or the increased connection to our ser/ers $rom the retail outlets !e do not e3#ect to add a /ast number o$ terminals Substantial $unds are a/ailable $or this 
#ro2ect !e ho#e to once again ha/e a net"or0 that "ill last si3 years "ithout ma2or changes Net"or0 )dministrator !e ha/e noticed in System ?onitor that most ser/ers are running high #rocessor and memory utili1ation !e currently instruct the retail outlets on "hich terminal ser/er to connect to* to achie/e manual load balancing The indi/idual users in the retail outlets must ha/e access to #ersonal data in the ne" en/ironment !e currently do not ha/e any DNS ser/ers or Internet access a/ailable E/en though I am a ne"ly a##ointed net"or0 administrator* I $ound that the current management o$ our grou#s is incorrect !e use only local grou#s $or the assignment o$ #ermissions This is done by using grou#s that contain all the users located in the branch o$$ices Sometimes "e may be more s#eci$ic and

$ocus on the $unction o$ the grou# "ithin the o$$ice Users can also be managed /ery easily* because "e 0no" that almost all o$ the #ass"ords are L#ass"ordL Only a $e" users change their #ass"ords 'om#le3 #ass"ords need to be im#lemented The users at the retail outlets sometimes lea/e the terminal connected to the a##lication $or "ee0s "ithout disconnecting This results in $ailed bac0u#s o$ the a##lication data )ll o$ the users in the branch o$$ices also lea/e their com#uters on $or long #eriods o$ time !e #lan to im#lement a naming strategy that "ill identi$y users by $irst name* $ollo"ed by the $irst character o$ their surname -rou# names "ill indicate the de#artment* as "ell as L--L $or global grou#s or LU-L $or uni/ersal grou#s Domain local grou#s "ill be identi$ied by the ty#e o$ access they "ill recei/e Detail ?anager !e ha/e noticed that the net"or0 is gradually becoming slo"er No one in the retail outlets has access to e>mail and "e do not ha/e Internet access )ll em#loyees in our retail outlet use the same username and #ass"ord to connect to the terminal ser/er )s a result* "e do not ha/e any #ri/acy and cannot e/en ha/e our o"n des0to# bac0ground Em#loyees in the branch o$$ices ha/e /ery nice games and other so$t"are on their com#uters that "e are not able to access +usiness Dequirements +usiness Dri/ers The $ollo"ing business requirements must be considered: # ) !eb site* named """ $ourthco$$ee com* must be established to enable customers to search $or the retail outlet nearest to them # )n online ordering system must be established* "hich "ill allo" customers to order com#any merchandise online Organi1ational -oals The $ollo"ing organi1ational requirements must be considered: # Detail outlets "ill be e3#anded o/er the ne3t three years to #ro/ide seating and to allo" $or increased business Euture e3#ansion might include #ro/iding customers "ith Internet access "hile they are ha/ing their co$$ee in the store # ) manager "ill be a##ointed in each retail 
outlet "ith the tas0 o$ im#ro/ing customer ser/ice The managerFs des0to# com#uter "ill be used by other sta$$ members to access the Internet and their e>mail by using their o"n usernames and #ass"ords Security The $ollo"ing security requirements must be considered: # )ll security settings must be equal to or more restricti/e than the de$ault !indo"s Ser/er 2==, settings # )s a #art o$ these requirements* all users must be $orced to change their #ass"ords at least once a month # Users "ith des0to# com#uters should no longer be allo"ed to log on to the local com#uter as an administrator # The duration o$ logon hours must be strictly en$orced # Users must not be allo"ed to shutdo"n the terminal ser/ers Technical Dequirements )cti/e Directory The $ollo"ing acti/e directory requirements must be considered: # The )cti/e Directory design must s#eci$y ho" the management o$ user and grou# #ermissions "ill be established and maintained # The ne" design must o/ercome the e3isting #er$ormance issues and also #ro/ide all em#loyees "ith e>mail and Internet access Em#loyees in the retail outlets "ill be allo"ed to use these ser/ices only "hile they are on their lunch or co$$ee brea0s Em#loyees "ill be able to use only their o"n user accounts $or net"or0 access # The design must also $acilitate the use o$ -rou# .olicy to control all user accounts "ithin a branch o$$ice -rou# .olicy settings $or users in the branch o$$ices must be di$$erent $rom the -rou# .olicy settings $or users in the retail outlets # User accounts $or users in the $inance de#artment must be managed se#arately Net"or0 In$rastructure The $ollo"ing net"or0 in$rastructure requirements must be considered: # ) ne" T< !)N lin0 $rom the )tlanta o$$ice to the IS. "ill be installed # )ll ser/er com#uters must ha/e !indo"s Ser/er 2==, installed )ll des0to# com#uters must ha/e !indo"s @. 
#ro$essional installed This must be achie/ed as quic0ly as #ossible # )ll terminal ser/ers in a single o$$ice must be con$igured to use Net"or0 Aoad +alancing )ll users must use roaming #ro$iles to ensure that they ha/e a consistent des0to# a##earance and access to a##lications Terminal ser/er user #ro$iles must be stored on a net"or0 shared $older Dedundancy $or all other ser/ers is required 'ase Study G6 Eourth 'o$$ee &<< Questions( QUESTION NO: < You are designing a strategy $or con$iguring a ne"ly installed !indo"s Ser/er 2==, com#uter to meet the )cti/e Directory DNS requirements :o" should you con$igure the com#uter% A. As a caching2onl D,$ ser%ers 1. As the primar D,$ ser%er for the fourthcoffee.com D,$ 0one

C. With a stub zone for the fourthcoffee.com DNS zone hosted by the ISP
D. As a secondary DNS server for the fourthcoffee.com DNS zone hosted by the ISP
Answer: B
Explanation: Primary DNS servers store original source data for zones. With Windows Server 2003, you can implement primary zones in one of two ways: as standard primary zones, in which zone data is stored in a text file, or as an Active Directory-integrated zone, in which zone data is stored in the Active Directory database.
Incorrect Options:
A: A caching-only server does not host a zone; its only purpose is to cache queries so that future requests for the same resource record are done instantly because the results of the previous query are already in cache.
C: A stub zone is a copy of a zone that contains only the resource records needed to identify an authoritative DNS server.
D: Secondary DNS servers are authoritative backup servers for the primary server. The servers from which secondary servers acquire zone information are called masters. A master can be the primary server or another secondary server.
Reference:
Dan Holme, and Orin Thomas: MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft, Chapter 8, pp. 8-25.
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows server 2003 Active Directory and Network Infrastructure, Chapter 6, pp. 6-26 and 6-31.

QUESTION NO: 2
You are designing the forest and domain structure to meet the business and technical requirements. Which structure should you use?
A. A single forest with one tree, and one domain
B. A single forest with one tree and two domains
C. A single forest with two trees, each with a single domain
D. Two forests, each with a single tree and a single domain
E. Two forests, each with two trees, with a single domain in each tree.
Answer: A
Explanation: The case study states: "All security settings must be equal to or more restrictive than the default Windows Server 2003 settings." It also states: "...users must be forced to change their passwords at least once a month." In a single-domain model, all objects are located within the same security boundaries, so you won't have to worry about planning trust relationships with other domains or implementing cross-domain authentication and permissions. When using a single-domain model, user and group planning is simpler, as is the implementation of group policy. In fact, almost all management functions are simpler, and simpler means less planning, less administration, less troubleshooting, and a lower total cost in the end. Active Directory domains are scalable and can grow much larger than Windows NT domains, which removes a significant obstacle that prevented the use of single-domain networks in structures based on Windows NT, in which the Security Accounts Manager (SAM) could support only up to 40,000 objects in a domain. By contrast, an Active Directory domain can hold more than one million objects.
Incorrect Options:
A: Multiple domains are necessary when you need to implement different domain-level security policies. Certain policies can only be controlled at the domain level. For example, one department may enforce tighter password policies or account lockout policies than another department.
C and D: You might need to implement multiple forests in situations where you are linking two existing separate organizations, creating an autonomous unit or creating an isolated unit.
Reference:
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows server 2003 Active Directory and Network Infrastructure, Chapter 3, pp. 3-2 to 3-12.

QUESTION NO: 3
You are designing a group management strategy for users in the finance department. You need to identify the appropriate changes that need to be made to the current group management strategy. You want to accomplish this goal by using the minimum number of groups. What should you do?
A. Add the finance users to the financeData group to which the necessary permissions have been assigned.
B. Add the finance users to the financeGG group to which the necessary permissions have been assigned.
C. Add the finance users to the financeGG group. Then add the financeGG group to the financeData group to which the necessary permissions have been assigned.
D. Add the finance users to the financeGG group. Add the financeGG group to the financeUG group to the financeData group to which the necessary permissions have been assigned.
Answer: B
Explanation: The question specifies that the minimum number of groups must be used to accomplish this goal, and "B" conforms to it.

QUESTION NO: 4
You are designing a strategy to enforce the corporate security policy. Which action or actions should you perform? (Choose all that apply.)
A. Configure a password policy that requires strong passwords.
B. Configure a password policy that requires all users to change their passwords once a month.
C. Allow users in the branch offices to log on between the hours of 8:00 A.M. and 5:00 P.M., Monday through Friday.
D. Allow users in the retail outlets to log on between the hours of 6:00 A.M. and 11:00 P.M., daily.
E. Enable a policy that forces users to log off when their logon hours expire.
Answer: A, B, C, D, E
Explanation: The case study asks for complex passwords to be implemented, and in the process of designing a strong password policy you can select the "Require the use of complex passwords" option. According to the case study, users must be forced to change their passwords at least once a month. The case study says: "The users at the retail outlets sometimes leave the terminal connected to the application for weeks without disconnecting. This results in failed backups of the application data. All of the users in the branch offices also leave their computers on for long periods of time." It also says: "The duration of logon hours must be strictly enforced." Therefore, all actions should be performed.

QUESTION NO: 5
You are designing a migration strategy to meet the business and technical requirements. What should you do?
A. Upgrade the fourthcoffee BDC to Windows Server 2003. Then upgrade the PDC to Windows Server 2003.
B. Upgrade an existing domain controller to Windows Server 2003. Establish a two-way trust relationship with the fourthcoffee domain.
C. Install and configure a new Windows NT 4.0 BDC. Promote the BDC to a PDC. Then upgrade the PDC to Windows Server 2003.
D. Create a new Windows 2000 Server Active Directory domain. Establish a two-way trust relationship with the fourthcoffee domain. Use the Active Directory Migration Tool (ADMT) to migrate all user and computer accounts.
Answer: C
Explanation: First, spec out the hardware for a server that is adequate for your domain controller needs. Do a test installation of Windows Server 2003 on this server just to make sure you have no compatibility issues. Make sure you test all the SCSI channels and drives that you will eventually use to store Active Directory files. Now, wipe the operating system drive on the new server and install NT4 as a BDC in your existing NT domain. Make sure you verify that you get steady replication between this server and the PDC. Leave the new server on the wire for a day or two to check for complications prior to upgrading. Promote the new server to PDC with User Manager. This automatically demotes the existing PDC to a BDC. Again, let the system bake for a couple of days to make sure everything works as you would expect. When you're ready to upgrade the domain, start by upgrading the new PDC to Windows Server 2003.
Reference:
William Boswell: Inside Windows Server 2003, Addison Wesley, Chapter 9.

QUESTION NO: 6
You are designing for implementing Group Policy objects (GPOs) to meet the business and technical requirement. What should you do?
A. Create one new GPO to enforce software restriction policies. Link this GPO to the domain.
B. Create one new GPO to enforce software restriction policies. Link this GPO to the appropriate organizational unit (OU).
C. Create one new GPO to enforce software restriction policies. Link this GPO to all organizational units (OUs).
D. Create new GPOs to match the number of organizational units (OUs). Configure these GPOs to enforce software restriction policies. Link this GPO to its respective OU.
Answer: A
Explanation: In the problem statements, it states: "Employees in the branch offices often log on to install software by using local computer accounts rather than domain accounts." Microsoft uses the term Group Policy Object as an umbrella to identify the two components of a group policy: the Group Policy Container and the Group Policy Template. Container objects in Active Directory such as sites, domains, and organizational units (OUs) can be linked to a GPO. This applies the GPO settings to user and computer objects under that container. A GPC is an Active Directory object that lists the names of the GPTs associated with a particular GPO. Windows clients use the information in a GPC to determine which GPTs to download and process. (Microsoft documentation sometimes uses the terms GPO and GPC interchangeably.) A GPT is the set of instructions that implements a set of policies. For example, policies that update the Registry are stored in a GPT file called Registry.pol. File-based GPTs are stored in policy folders under the Sysvol folder on each domain controller.
Reference:
William Boswell: Inside Windows Server 2003, Addison Wesley, Chapter 12.

QUESTION NO: 7
You are designing a DNS name resolution strategy to allow all users access to internal and external web sites. What should you do?
A. Allow zone transfers to any DNS server.
B. Create a new stub zone for the DNS zone on the DNS server.
C. Configure the DNS server to forward all unanswered queries to a DNS server located at the ISP.
D. Add the DNS server located at the ISP to the list of name servers for the fourthcoffee.com DNS zone.
Answer: C
Explanation: The question states: "...allow all users access to internal and external web sites." When a DNS server receives a query, it will first check to see whether it can answer the query authoritatively, that is, on the basis of information contained in a locally configured zone on the server. If it cannot, it will query other DNS servers on the network. In this case it will be a DNS server at the ISP, which is authoritative for external queries. The process of a DNS server querying other DNS servers on behalf of an original querying client is known as recursion.
Reference:
J.C. Mackin, and Ian McLean: MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft, Chapter 4, pp. 4-19 to 4-16.

QUESTION NO: 8
You are designing a strategy to assign the IP addresses to meet the business and technical requirement. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Install and configure one DHCP server in Atlanta and one DHCP server in each branch office.
B. Install and configure two DHCP servers in Atlanta and two DHCP servers in each branch office.
C. Create one scope on each DHCP server. Specify one DHCP server to always update DNS records. Configure the scope to assign half of the IP addresses available to each office.
D. Create two scopes on each DHCP server. Specify one DHCP server to update DNS records only for client computers that request it. Specify a second DHCP server to never update DNS records.
Answer: B, C
Explanation: Dynamic Host Configuration Protocol (DHCP) is an industry standard protocol that lets a server automatically assign IP addresses to clients. This addresses one of the problem statements, which says: "IP addresses are configured manually. This leads to incorrectly configured or duplicate addresses on the network." When you install the Windows Server 2003 DHCP service, you can enable the DHCP server to perform updates on behalf of DHCP clients to any DNS server that supports dynamic updates. In other words, DHCP can register the A (host) records and PTR records for all DHCP-enabled clients. DHCP clients can provide their FQDN to the DHCP server, as well as instructions on how it would like the server to process DNS dynamic updates.
Reference:
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows server 2003 Active Directory and Network Infrastructure, Chapter 1, pp. 1-39, 6-13.

QUESTION NO: 9
You are designing a name resolution strategy for the retail outlets to ensure that the existing bandwidth is used efficiently. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Configure the DNS server service on the terminal servers as caching-only servers.
B. Configure multiple sites to have site links and set up a specific replication schedule.
C. Configure the default site to have the subnets of Atlanta and the branch offices.
D. Create a new DNS zone and configure zone transfers to name servers only.
E. Create an application partition to be used for DNS.
F. Specify the scope of replication to be used for DNS.
Answer: D, E, F
Explanation: In an incremental zone transfer (IXFR), servers keep track of, and transfer only, changes that are made to resource records in a particular zone, the advantage being that less traffic is sent over the network. The application partition can be configured to replicate objects to any set of domain controllers in the forest, not necessarily all in the same domain. This partition provides the capability to host data in Active Directory without significantly impacting network performance by providing control over the scope of replication and placement of replicas. Therefore, dynamic data from network services such as Remote Access Service (RAS), RADIUS, Dynamic Host Configuration Protocol (DHCP), and Common Open Policy Service (COPS) can reside in a directory, allowing applications to access them uniformly with one access methodology.
Reference:
Jill Spealman, Kurt Hudson, and Melissa Craft: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Chapter 5, pp. 5-4.

QUESTION NO: 10
You are designing a strategy for installing Windows Server 2003 on the new domain controllers. Which method should you use?
A. Unattended installation
B. Remote Installation Services (RIS)
C. Automated Deployment Services (ADS)
D. Microsoft Systems Management Server (SMS)
Answer: A
Note: Uncertainty
Explanation: Although we would not automate install for only 10 DCs (based on the case study), from the available answers C does make sense, so a multiple answer could be correct. Since we have already decided on automation (since there are no manual installs), let's eliminate the obvious ones (D and B). SMS does not automate installations; RIS does, but there is no support for installing Domain Controllers. That leaves us with both A and C, which both can be done. Answer A would be the old answer (for the 2000 test), but since ADS is relatively new for 2003 this is what MS is going to recommend even though it would take a considerable time to set up and perfect (more than the time it would just take to manually install the 10 servers). Microsoft recommends using ADS for deployment of Windows Server 2003 DCs.
If installation is provided via network practice, such as by using Remote Installation Services (RIS) or Automated Deployment Services (ADS), a separate network should be provided, one that has no connection with the production network and absolutely no connection with the Internet. The server should not be physically moved until you have completed the initial installation and additional hardening.
Reference:
Roberta Bragg: MCSE Self-Paced Training Kit (Exam 70-298): Designing Security for a Microsoft Windows Server 2003 Network, Microsoft, Chapter 4, pp. 4-12.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/enus/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_ris_what.asp
Read the "Technologies Related to Remote Installation Services"

QUESTION NO: 11
You are designing a strategy to ensure that all employees have Internet access. For each branch office, what should you do?
A. Configure a DNS server to function as caching-only servers.
B. Configure Internet Connection Sharing on terminal servers.
C. Install and configure an Internet Security and Acceleration (ISA) Server computer.
D. Install and configure a server running Routing and Remote Access to function as a VPN server.
Answer: C
Explanation: With proxy servers, such as ISA Server 2000, client computers can access Internet resources through the proxy server, which will perform name resolution on their behalf. The proxy server and computers that cannot use the proxy client software need to be configured to use separate, internal DNS forwarders or other DNS servers for Internet name resolution. A proxy server is a firewall component that manages Internet traffic to and from a local area network (LAN) and that can provide other features, such as document caching and access control.
A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and it can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.
Reference:
J. C. Mackin, Ian McLean: MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft, Glossary, pp. G-26.

Case Study #7, Consolidated Messenger

Overview
Consolidated Messenger is a transportation and express delivery company serving the continental United States. The company maintains a commitment to its customers to expedite deliveries within contracted guidelines and offers a 100 percent refund to the customers if the contract is not fulfilled.

Physical Locations
The company's main office is in Chicago. The company has two branch offices in the following locations:
- Boston
- San Diego

Planned Changes
The company is expanding its business into the Asian market by acquiring Contoso, Ltd., which is an Asian import company located in San Francisco. Contoso, Ltd. has established relationships with shipping companies and various retail firms in China. Furthermore, Contoso, Ltd. has a strong background in working with the governmental trade protocol in China. Consolidated Messenger is also planning changes to enable the office and the branch office to work together more effectively.

Business Processes
Consolidated Messenger consists of the following primary departments:
- Accounting
- Customer service
- Delivery
- Human Resources (HR)
- Information Technology (IT)
- Management
The company has a decentralized IT structure. The Chicago office and each branch office have their own IT staff. Each office maintains its resources separately. Each office is using the same delivery tracking database, named Deliveries, but information is not shared between the three offices. Each office uses an application named TrackingApp to update the tracking database. Every morning, delivery personnel receive a printed list of deliveries to be made for the day. They can contact the appropriate office for additional information, as needed.

Infrastructure

Directory Services
The existing domain model is shown in the Existing Domain Model exhibit. Consolidated Messenger has Windows NT 4.0 domains in the branch offices. The Chicago office has a Windows 2000 Active Directory domain named ad.consolidatedmessenger.com. The domain for the Chicago office contains four top-level organizational units (OUs) named Accounting, Customer Service, Human Resources, and Delivery. The network consists of a single Active Directory site. Contoso, Ltd., has a Windows NT 4.0 domain in its San Francisco office.

Network Infrastructure
The company's existing network infrastructure is shown in the Existing Network Infrastructure exhibit. Client computers in the accounting, IT and management departments at Consolidated Messenger run either Windows 2000 Professional or Windows XP Professional. Client computers in the customer service department run Windows 98. Client computers at Contoso, Ltd. run either Windows 98 or Windows NT Workstation 4.0. Consolidated Messenger has a web site hosted by an ISP in Chicago. The web site, named www.consolidatedmessenger.com, is available for Internet customers to place orders or track deliveries. Contoso, Ltd., also has a web site, named www.contoso.com, which provides information to users about Contoso, Ltd. It is hosted by an ISP in San Francisco. The ISP in San Francisco has DNS on a Unix server. The IP address in use for Consolidated Messenger is shown in the Network addresses exhibit.

Problem Statements
The following business problems must be considered:
- Consolidated Messenger needs to create a better delivery tracking mechanism for the existing offices. Currently, each office provides point-to-point delivery as orders come in.
- They are functioning adequately, but there is room for improved operational efficiency. For example, the Chicago office sometimes delivers into the northeast, which overlaps with the territory of the Boston office. Both the Chicago office and the Boston office might deliver to the west coast, which is the territory of the San Diego office. A centralized database is required to make tracking deliveries more efficient.
- When Consolidated Messenger implements a centralized version of the Deliveries database, there must be a way to ensure continuous access to up-to-date delivery data, regardless of WAN status.
- Consolidated Messenger wants to provide a better solution for delivery personnel to access information about scheduled deliveries than printed delivery lists.
- Consolidated Messenger will need to bring Contoso, Ltd., up to its technology standards. Contoso, Ltd., does not use much technology. Although there is a Windows NT 4.0 domain present, there is a network administrator and there has been a great deal of turnover in this job. As a result, there is not adequate security for its computers. It does not adequately track Shipments, Inventory, Payable, or Receivable. Although Contoso, Ltd. uses a spreadsheet application for its inventory listings, it is still primarily a paper-based company.

Chief Executive Officer
With the acquisition of Contoso, Ltd., by Consolidated Messenger, I am concerned that it should be a part of our overall business model, yet remain separate because it is a new venture. This is a positive addition to our current line of business. I want to be sure that we have a method for clearly tracking the contributions that Contoso, Ltd., makes to our business.

Chief Information Officer
I have two major goals for our Deliveries database. First, I want a method for integrating the data between the offices. Second, I want a directory services structure that provides a more straightforward model for maintenance. I also want an improved user experience when accessing centralized resources in the Chicago office. Additionally, I have strong reservations regarding the inexperience of the new IT staff to be hired in the San Francisco office. I want to make sure that we are monitoring their activities. I foresee substantial expenditure for upgrading desktop computers, and salaries for a new IT staff in the Contoso, Ltd., division. We need to provide sufficient access to Contoso, Ltd.; however, we need to spend only the money necessary to achieve this goal.

Managers, Contoso, Ltd.
I am unsure if the restrictions imposed by our new parent company will benefit the business of Contoso, Ltd. On the other hand, I fully recognize that being part of a larger company can provide us with more financial stability.

Business Requirements
The following business requirements must be considered:
- Contoso, Ltd., will be a separate division within Consolidated Messenger, maintaining its line of business. Because Contoso, Ltd., is a new endeavor, Consolidated Messenger has elected to keep the namespace separate so that the internal staff will not be confused.
- The duplication of effort in maintaining the Deliveries database between Consolidated Messenger branch offices must be reduced.
- Contoso needs to replace spreadsheets. The database, to be named Inventory, will be created and administered in the Chicago office. The IT staff in the Chicago office will be responsible for the maintenance of this database, and it will be replicated from the San Francisco office to the Chicago office. It is anticipated that database replication will exceed the available bandwidth provided by the VPN connection between the San Francisco office and the Chicago office.

Organizational Goals
The following organizational requirements must be considered:
- Integrating the separate databases into a single nationwide database is extremely important to the business.
- Delivery workers will begin using PDAs to download delivery information from the Deliveries database. As a result, they will discontinue telephone check-in for delivery information. As each delivery is completed, the customer will sign the PDA. At the end of each day, the delivery information will be batch uploaded from each PDA to the Deliveries database, either from a company office or, if delivery personnel are too far away from a company office, a remote connection.
- Each office must support wireless access for PDAs.

Security
The following security requirements must be considered:
- Appropriate permissions to TrackingApp, the Deliveries database, and other resources will need to be established for users based on that user's job function. Job functions include customer service, delivery personnel, accounting, and management.
- The IT staff in the Chicago office will audit administrative activity in all domains, particularly in the Contoso, Ltd., domain. This includes interactive logons; shutdowns and restarts of domain controllers; changes to security logging; and changes to user and group accounts.

Technical Requirements

Active Directory
The following Active Directory requirements must be considered:
- Enterprise Active Directory administration will take place in the Chicago office. Additionally, the IT staff in the Chicago office has the primary responsibilities for administration of the Deliveries database.

- Each current Consolidated Messenger domain will undergo an in-place upgrade. Contoso, Ltd., will be added to the forest, but will maintain its separate namespace. The Contoso, Ltd., domain will be named ad.contoso.com. There will be a single forest design with a minimum number of domains.
- Upgrading the Windows NT 4.0 domains in the Boston and San Diego offices must be optimized to reduce the need for network administrators to travel between offices.
- Permissions must be maintained. Additional groups can be created for the Deliveries database, as needed.
- User and group accounts for Contoso, Ltd. will be recreated. However, desktop settings for Contoso, Ltd., users must be preserved.

Network Infrastructure
The following infrastructure requirements must be considered:
- All Contoso, Ltd., client computers will run Windows XP Professional. Consolidated Messenger has decided to migrate the user settings from the existing Contoso, Ltd., client computers to ease the transition.
- The Deliveries database is a mission-critical resource for Consolidated Messenger. Database access for the Deliveries database must be maintained in the event that WAN connectivity is lost.
- All domain controllers will be configured as DNS servers. Client computers will be configured to point to the local DNS server.
- DNS zones must be secured.
- VPNs will be implemented in all locations to support remote access for wireless devices.
- Remote access policies will be centralized.
- A single DHCP server will be configured in each office. In the event of a DHCP server failure, client computers must be able to obtain an IP address.

Case Study #7, Consolidated Messenger (9 Questions)

QUESTION NO: 1
You are designing the DNS zone to support the Active Directory domain for Contoso, Ltd. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create ad.contoso.com as a standard primary DNS zone.
B. Create ad.contoso.com as an Active Directory Integrated DNS zone.
C. Enable only authorized client computers to update DNS.
D. Configure a zone transfer between the DNS server at the ISP and the DNS servers at Contoso, Ltd.
Answer: B, C
Explanation: The case study specifically states that all Domain Controllers are DNS servers and that zones must be secured. When you are running the DNS server service on a computer that is an Active Directory domain controller and you select the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) check box while creating a zone in the New Zone Wizard, the server does not create a zone database file. Instead, the server stores the DNS resource records for the zone in the Active Directory database. Storing the DNS database in Active Directory provides a number of advantages, including ease of administration, conservation of network bandwidth, and increased security.
Note: D does not make any sense.
Incorrect Options:
A: This type of zone can be modified, which is not secure.
C: The question speaks about designing a zone, not updates.
Reference:
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 1, pp. 1-24.
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 4, pp. 4-36.
QUESTION NO: 2
Exhibit
You are designing the Active Directory infrastructure for the new forest to meet the business and technical requirements. What should you do?
A. Choose forest model A.
B. Choose forest model B.
C. Choose forest model C.
D. Choose forest model D.
Answer: C
Explanation: According to the Active Directory section of the case study, Contoso, Ltd., will be added to the forest, but will maintain its separate namespace. This means that the Contoso domain is a domain tree in the single Active Directory forest. The other two represent the San Diego and Boston domains.
Reference:
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 3, pp. 3-8.

QUESTION NO: 3
You are designing a strategy for adding the additional hardware necessary to support Contoso, Ltd. What should you do?
A. Add a T1 WAN link between Chicago and San Francisco.
B. Add a T3 WAN link between Chicago and San Francisco.
C. Add a Basic ISDN connection between Chicago and San Francisco.
D. Configure high-speed modems in Chicago and San Francisco to support demand-dial routing.
Answer: A

QUESTION NO: 4
You are designing a client computer upgrade strategy for Contoso, Ltd. What should you do?
A. Use the ldifde command to migrate user settings.
B. Use the User State Migration Tool (USMT) to migrate user settings.
C. Create trust relationships between the Chicago domain and the San Francisco domain. Use the Active Directory Migration Tool (ADMT) to migrate user settings.
D. Create trust relationships between the forest root domain and the San Francisco domain. Use the Active Directory Migration Tool (ADMT) to migrate user settings.
Answer: B
Explanation: This command-line tool is used to collect a user's documents and settings before an operating system migration to Windows XP from an earlier version of Windows and to restore them after the installation.
Incorrect Options:
A: This command-line tool facilitates the importing and exporting of larger numbers of security principals, including groups.
C and D: Active Directory Migration Tool (ADMT) 2.0 allows migration of users and passwords from Windows NT 4.0 domains or Windows 2000 domains to Windows 2003 domains.
Reference:
William Gruber, Sandra Faucett, Greg Gille, Jim Bevan, Deborah R. Jay, and Chris McKitterick; Microsoft® Windows® Server 2003 Deployment Kit: Automating and Customizing Installations, A Resource Kit Publication, Chapter 5, pp. 321.

QUESTION NO: 5
You are designing a DNS name resolution strategy for the client computers in the customer service department. What are the two possible ways to achieve the goal? (Each correct answer presents a complete solution. Choose two)
A. Create a reverse lookup zone in DNS for each new domain.
B. Add a WINS lookup record to the DNS forward lookup zone.
C. Add a WINS reverse record to the DNS reverse lookup zone.
D. Enable dynamic updates for down-level client computers on each DHCP server.
E. Install the Active Directory Client on all computers in the customer service department.
Answer: B, D
Explanation: The WINS resource record instructs the DNS service to use WINS to look up and forward queries for host names not found in the zone database.
"…the Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0) check box must also be selected before DHCP will update the A and PTR records for these clients automatically. The check box is not checked by default."
Incorrect Options:
A: The reverse lookup zone will handle those few queries where the client knows the IP address and wants a host name. You can get by without creating reverse lookup zones.
C: A WINS reverse lookup zone is of no use.
Reference:
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 6, pp. 6-14.
Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Exam 70-291: MCSA/MCSE Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress, Chapter 3 2, pp. 17.

William Boswell; Inside Windows® Server 2003, Addison Wesley, Chapter 5.

QUESTION NO: 6
You are designing a DNS implementation strategy for the new infrastructure. Which two actions should you perform? (Each correct answer represents part of the solution. Choose two)
A. Create a stub zone in each domain of the root zone.
B. Create a _msdcs subdomain in a new zone on the root domain.
C. Replicate the _msdcs subdomain across the root domain.
D. Replicate the _msdcs subdomain to the ForestDNS zone application partition.
E. Configure a zone transfer of the _msdcs subdomain to a secondary zone on all DNS servers in the forest.
Answer: B, D

QUESTION NO: 7
You are designing a remote access strategy to meet the business and technical requirements. What should you do?
A. Configure each server running Routing and Remote Access as a RADIUS client.
B. Add a remote access policy to each server running Routing and Remote Access. Configure the access method as VPN access.
C. Add a remote access policy to each server running Routing and Remote Access. Configure the access method as dial-up access.
D. Add a remote access policy to each server running Routing and Remote Access. Configure the access method as wireless access.
Answer: A
Explanation: IAS is the Microsoft implementation of a RADIUS server and proxy. The basic purpose of a RADIUS server is to centralize remote access authentication, authorization, and logging. RADIUS is useful, for example, in large organizations such as ISPs that need to manage many remote access connections to separate remote access servers. For basic RADIUS scenarios in which no RADIUS proxy is implemented, deploying IAS as a RADIUS server requires configuration both at the client running Routing And Remote Access and at the server running IAS.
Incorrect Options:
B, C and D: The case study specifies that remote access policies will be centralized.
Reference:
J. C. Mackin, and Ian McLean; MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 10, pp. 10-69 to 10-74.

QUESTION NO: 8
You are designing a DNS implementation strategy to meet the business and technical requirements. Which type of zone should you use?
A. Stub Zones
B. Standard Primary Zones
C. Secondary Zones
D. Active Directory Integrated Zones
Answer: D
Explanation: The case study specifically states that all Domain Controllers are DNS servers and that zones must be secured. When you are running the DNS server service on a computer that is an Active Directory domain controller and you select the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) check box while creating a zone in the New Zone Wizard, the server does not create a zone database file. Instead, the server stores the DNS resource records for the zone in the Active Directory database. Storing the DNS database in Active Directory provides a number of advantages, including ease of administration, conservation of network bandwidth, and increased security.
Incorrect Options:
A: Stub zones are most frequently used to keep track of the name servers authoritative for delegated zones.
B: For standard primary zones, only a single server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted.
C: Secondary zones can increase fault tolerance and availability, but zone transfer traffic can consume unacceptable amounts of bandwidth in some circumstances.
Reference:
J. C. Mackin, and Ian McLean; MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 4, pp. 4-30, 5-66.
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 4, pp. 4-36.

QUESTION NO: 9
You are designing a strategy to perform an in-place upgrade of domain controllers in Boston and San Diego. Which method should you use?
A. adprep
B. sysprep
C. Answer File
D. Remote Installation Services (RIS)
Answer: C
Explanation: An in-place domain upgrade is useful in the following circumstances:
- The current domain structure translates well to Windows Server 2003.
- You are limited in the amount of design and deployment time you are given.
- You want to minimize changes to the current administrative structure or flow of information on the network.
- You want to minimize the effect that users and administrators experience during the migration.
Incorrect answers:
A: Prepares Windows 2000 domains and forests for an upgrade to Windows Server 2003. We have Windows NT 4.0 domains, not Windows 2000 domains.
B: Sysprep is used for clean installations, not upgrades.
D: RIS cannot perform domain controller upgrades.
Reference:
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, Chapter 5, pp. 5-34.

Case Study #8, Woodgrove Bank

Overview
Woodgrove Bank is a financial institution that operates in the Netherlands. The company's primary business is providing residential and commercial mortgages. The company wants to offer its customers secure Internet access to a mortgage management application.

Physical Location
The company's main office is located in Amsterdam. The company has two branch offices in the following locations:
- Utrecht
- The Hague

The company has 200 local banks that are located throughout the Netherlands. The number of users in each location is shown in the following table:

   Location           Number of Users
1  Amsterdam          2,500
2  Utrecht            650
3  The Hague          800
4  Each Local Bank    10-100

Planned Changes
The company wants to convert its mortgage management application to a multitier application named NewApp. To support this new environment, the company will upgrade its servers to Windows Server 2003.

Business Processes
The Amsterdam office and each branch office has its own IT staff. In addition, most of the larger local banks have their own IT staff. Currently, local bank employees have access to their local resources and to resources at the Amsterdam office. Each office uses its own instance of a business-critical mortgage application. The IT staff at the Amsterdam office includes a development team. The development team is responsible for developing and testing NewApp.

Infrastructure

Directory Services
The relevant portion of the current domain structure is shown in the Existing Domain Model exhibit.

Existing Domain Model Exhibit

The company has a Windows NT 4.0 environment that has more than 200 domains; each domain has a two-way trust relationship with the domain at the Amsterdam office. Currently, domain administrators manage their own domains. Each location that has a local administrator currently manages its own users and resources. In addition, these administrators share responsibility for administrating ring locations that do not have an IT staff.

Network Infrastructure
The relevant portion of the existing network infrastructure exhibit ** MISSING ***

Domain controllers vary from single-processor servers at 700 MHz to quad-processor servers at 1.5 GHz. Client computers run Windows 98, Windows NT Workstation 4.0 and Windows 2000 Professional. There are also some Unix client computers. Managers are issued portable computers that contain confidential business information. These portable computers are equipped with smart card readers. Managers use portable computers to establish VPN connections to the Amsterdam office when they travel.

Problem Statements
The following business problems must be considered:
- Employees at local banks are often unable to serve customers because of failure of the mortgage application. The failure sometimes lasts many hours because there is nobody available to fix it.
- The development team has access to the occasionally, unapproved changes that are made to the application, resulting in unnecessary downtime.
- Deployment of new operating systems takes a long time because network administrators have to each local bank.

Chief Executive Officer
I want Woodgrove Bank to be visible on the Internet. I want NewApp to be easily accessible to our customers by using the Internet. The newly designed environment will help to minimize the amount of administrative effort for all IT-related operational tasks. For business reasons, I will not allow domain upgrades.

Office Worker
Currently, it is sometimes difficult to access the information I need. For different information, I have to remember different passwords. In the new environment, I want to have one account and one password.

Business Requirements

Business Drivers
The following business requirements must be considered:
- Woodgrove Bank wants their company name to be visible on the Internet with
- Customers must be able to access mortgage information 24 hours a day, seven days a week.
- The company wants to reduce the costs of managing branch offices.

Organizational Goals
The following organizational requirements must be considered:
- Bank employees need to be able to make a secure connection from their homes to the corporate network.
- The company currently has 1 million customers. About half of them have mortgages. In the next 5 years, the infrastructure must be able to accommodate at least 2 million customers, with about 1 million customers having mortgages.

Security
The following security requirements must be considered:
- Bank employees must have access to resources at the Amsterdam office, their local banks, and NewApp.
- The company must ensure that servers can be easily restored when one or more servers fail, with minimum loss of data and minimum downtime.
- The company needs the highest possible secure authentication method for all computers that contain confidential information.

NewApp Requirements
The following NewApp requirements must be considered:
- NewApp is a web-based application that contains tools that are used by customers and tools that are used by employees.
- Employees from all locations will connect to the web servers to access NewApp.
- NewApp stores customer information in Active Directory by using custom classes and attributes.
- NewApp stores mortgage information in the NewApp database.
- Developers need to be able to test the NewApp schema modifications without affecting any other servers.
- NewApp must be available 24 hours a day, seven days a week.
- Because of national legal requirements, the server that contains mortgage information requires several security settings that are different from those on the NewApp application servers.

Technical Requirements

Active Directory
The following Active Directory requirements must be considered:
- Active Directory must be deployed to support NewApp.
- All domain controllers in the new environment must run Windows Server 2003.
- Administration of Active Directory will not be performed at the local banks.
- Each user should be authenticated locally when possible.
- Domain controllers will be placed in all locations that support more than 50 users.

Network Infrastructure
The following network infrastructure requirements must be considered:
The planned network is shown in the Planned Network Infrastructure exhibit.

Network Infrastructure Exhibit (Planned):

- Bandwidth between the Amsterdam office and the branch offices is not an issue. However, some local banks report that there are slow response times to the branch offices or to the Amsterdam office.
- The company uses some legacy applications that are heavily dependent on NetBIOS name resolution. These applications will also be used after the migration.
- The company needs to use the smallest subnets possible in each location because of planned future expansion to include many additional branch offices.
- VPN servers will be placed at the Amsterdam office only. It is crucial to ensure 24-hour availability of the VPN servers.
- Dial-up servers exist in each branch office to allow network administrators to administer each branch office in the event of WAN link failure.
- Management of all remote access must be centralized.

Case Study #8, Woodgrove Bank (9 Questions)

QUESTION NO: 1
You are designing a forest structure to meet the business and technical requirements. How many forests should you create?
A. One
B. Two
C. Three
D. Four
Answer: B
Explanation: Using more than one forest requires administrators to maintain multiple schemas, configuration containers, global catalogs, and trusts, and requires users to take complex steps to use the directory. However, you might need to consider using multiple forests in the following situations:
- Network administration is separated into autonomous groups that do not trust each other.
- Business units are politically separated into autonomous groups.
- Business units must be maintained separately.
- There is a need to isolate the schema, configuration container, or global catalog.
- There is a need to limit the scope of the trust relationship between domains or domain trees.
The case states: "Developers need to be able to test the NewApp schema modifications without affecting any other servers." For this reason you would need a different forest.
Reference:
Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Chapter 1, pp. 1-38 to pp. 1-39.

QUESTION NO: 2
You are designing an organizational unit (OU) structure to manage the NewApp servers. What should you do?
A. Create one OU that includes both the web servers and the database servers.
B. Create one OU that includes the web servers and one OU that includes the database servers.
C. Create one OU that includes the web servers. Then place the database servers in the Computers container.
D. Place the web server and the database servers in the Domain Controllers OU.
Answer: B
Explanation: Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain. OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. OUs are containers within a domain that allow you to group objects that share common administration or configuration.
Reference:
Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 1, pp. 1-10.
Dan Holme, and Orin Thomas; MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 1, pp. 1-12.

QUESTION NO: 3
You are designing a new NetBIOS naming strategy for the corporate environment. Which domain name should you use?
A. ad
B. woodgrovead
C. woodgrovebank
D. woodgrovebank.com

)ns"er: + The name 7woodgro%eadD conforms to the ,et1&'$ domain naming rules. Incorrect )ns"ers: ): The name 7adD is not descripti%e enough ': The compan alread has 2"" !indows ,T -." domains. The possibilit that woodgro%eban/ is alread in use is thus high. D: A ,et1&'$ name can onl b 1F characters long. !oodgro%eban/.com is 1G characters long and is therefore not %alid. &n addition, the use of a dot in the ,et1&'$ name is not recommended. QUESTION NO 4 You need to con$igure the security settings $or the ne" a## ser/ers !hich t"o actions should you #er$orm% &Each correct ans"er #resents #art o$ the solutions &'hoose t"o( 70 - 297 Leading the way in IT testing and certification tools, www.testking.com 2 11G 2 A. .reate a Croup polic ob)ect *C5'+ for the web ser%ers. 1. .reate a Croup polic ob)ect *C5'+ for the database ser%ers. .. Modif the Default Domain 5olic . D. Modif the Default Domain .ontrollers 5olic . )ns"er: )* + QUESTION NO 5 You are designing an )cti/e Directory site in$rastructure to meet the bussiness and technical requirements !hat should you do% A. .reate one site for each office and each local ban/. 1. .reate one site for all offices. .reate one site for all local ban/s. .. .reate one site for Amsterdam. .reate one site for all branch office and all local ban/s. D. .reate one site for Amsterdam. .reate one site for the Utercht brach office. .reate one site for that Aague branch office. 5lace half the local ban/s in the utercht site and half the local ban/s in the Aague site. 3. .reate one site for Amsterdam. .reate one site for the Utercht brach office. .reate one site for each local ban/ that has more than F" users. 5lace all the other local ban/s in the Amsterdam $ite. )ns"er: E E3#lanation9 (or the Main and branch office ou should create a site for each one, since the number of user on each is mandator to do so, and ou need local authentication. 
Iou should also create a site for each local ban/ that has more than F" users, since ou need to do local %alidation *Technical Re6uirements 9 8Domain controllers will be placed in all locations that supports more than F" users8+. Regarding the rest of local ban/ locations, since the do not ha%e so man users, ou should point all of them to the Amsterdam site. The networ/ topolog is in a 8star mode8, so all the communications ha%e a central point which is Amsterdam. QUESTION NO 6 You are designing a strategy to ensure that DNS queries al"ays ta0e the most e$$icient route to get resol/ed !hich action or actions should you #er$orm% &'hoose all that a##ly( A. .onfigure conditional forwarding on the corporate D,$ ser%ers to point the de%elopment D,$ ser%ers. 1. .onfigure conditional forwarding on the de%elopment D,$ ser%ers to point the corporate D,$ ser%ers. .. .onfigure conditional forwarding on the perimeter networ/ D,$ ser%ers to point the corporate and de%elopment D,$ ser%ers. 70 - 297 Leading the way in IT testing and certification tools, www.testking.com 2 11> 2 D. .onfigure forwarding on the corporate and de%elopment D,$ ser%ers to point the perimeter networ/ D,$ ser%ers. 3. Disable root hints on the perimeter networ/ D,$ $er%ers. )ns"er: )* +* D E3#lanation9 $ince ou ha%e created two separate forest infrastructures, ou should configure forwarding on the De%elopment D,$ $er%ers to point to corporate D,$ $er%ers, since these are the ones that would be in the production en%ironment.Iou should also configure forwarding on the corporate and de%elopment D,$ ser%ers to point to the perimeter networ/ D,$ ser%ers, since this should be the ones that would communicate with the internet. The (orwarders tab allows ou to forward D,$ 6ueries recei%ed b the local D,$ ser%er to upstream D,$ ser%ers, called forwarders. Using this tab, ou can specif the &5 addresses of the upstream forwarders, and ou can specif the domain names of 6ueries that should be forwarded. 
The process of forwarding selected queries in this way is known as conditional forwarding.
Reference: J. C. Mackin, and Ian McLean; MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 5, pp. 5-4.

QUESTION NO 7
You are designing a remote access strategy to meet the business & technical requirements. Which authentication mechanism should you use?
A. MS-CHAP v2.
B. Internet Authentication Service (IAS).
C. Multilink & Bandwidth Allocation Protocol (BAP).
D. Remote access policies on all servers running Routing & Remote Access.
Answer: B
Explanation: IAS performs the following for dial-up, VPN, and wireless connections:
- Centralized accounting: IAS collects usage or accounting information from all network access servers.
- Centralized authentication: IAS supports many of the standard authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP versions 1 and 2), and Extensible Authentication Protocol (EAP). IAS interoperates with network access devices from different vendors regardless of the access method used. If IAS is configured as a member of an Active Directory domain, the user account database is used to authenticate and authorize access to the network.
- Centralized auditing: IAS logs all authentication Accepts and Rejects, as well as usage information such as logon and logoff records.
Instead of having your dial-up server or VPN server performing these tasks and storing accounting and auditing information, you can configure them to be RADIUS clients, each forwarding all connection requests to your IAS server. Any remote access policies stored on these RADIUS clients are no longer used. Instead, these policies, which are stored on the IAS server, will be used.
Reference: Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 10, pp. 10-28 to 10-29.

QUESTION NO 8
You are designing the TCP/IP addressing scheme for the company. What should you do? To answer, drag the appropriate subnet mask or masks to the correct location or locations in the work area.
Answer:
Explanation: The case study states: "The company needs to use the smallest subnets possible in each location because of planned future expansion to include many additional branch offices."

QUESTION NO 9
You are designing a VPN server strategy to meet the business and technical requirements. What should you do?
A. Configure all client computers to point to a VPN server in Amsterdam.
B. Configure all client computers to use Multilink Bandwidth Allocation Protocol (BAP).
C. Create a Network Load Balancing cluster of VPN servers.
D. Create a shutdown script for the VPN servers to delete the host (A) resource record of the VPN server from the DNS database when the VPN servers are shut down.
Answer: C
Explanation: Clustering is a group of machines acting as a single entity to provide resources and services to the network. In time of failure, a failover will occur to a system in that group that will maintain availability of those resources to the network.
Load balancing is using a device, which can be a server or an appliance, to balance the load of traffic across multiple servers waiting to receive that traffic. The device sends incoming traffic based on an algorithm to the most underused machine or spreads the traffic out evenly among all machines that are on at the time.
High Availability is the essence of mission-critical applications being provided quickly and reliably to clients looking for your services. Five Nines is the term for saying a service or system will be up almost 100 percent of the time. To achieve this level of availability, you need to deploy systems that can survive failure. The ways to perform this are through clustering and load balancing.
Reference: Robert J. Shimonski; Windows Server 2003 Clustering & Load Balancing, Osborne/McGraw-Hill, Chapter 1.

Case Study #9, Blue Yonder Airlines
Existing Domain model Exhibit
Existing Network Infrastructure Exhibit
Planned Network Infrastructure Exhibit

Overview

Blue Yonder Airlines provides air transportation services to locations throughout Australia. Services include executive-class travel and cargo delivery.

Physical Locations
The company's main office is located in Sydney. The company has two branch offices in the following locations:
- Melbourne
- Perth
The main office location consists of the main office in Sydney and two satellite offices located near the Sydney airport. All three locations are connected by fiber-optic links.

Planned changes
The company will open European branch offices in the following locations:
- Berlin
- Paris
The Berlin office will serve as the regional office for Europe.
In addition, the company plans to establish a new partnership with an application service provider (ASP) named Contoso, Ltd., which will be used to host the company's air traffic control (ATC) application. The ATC application is an X.500 directory-enabled application that runs on Windows NT Server 4.0 computers in the Sydney office. The company plans to use a new version of the ATC application that will run on a Windows Server 2003 computer hosted by Contoso, Ltd. Only specified users will have access to this application. Users connect to this application by querying DNS for the application's service record. This record is stored on a UNIX DNS server running the latest version of BIND.
Contoso, Ltd., will create the required users in the domain that hosts the application and will provide this information as a file to Blue Yonder Airlines. No other connections to the Contoso, Ltd., network will be allowed except for access to the application itself.

Existing Environment
Business Processes
Blue Yonder Airlines consists of the following primary departments:
- Finance
- Human resources (HR)
- Information Technology (IT)
- Air Traffic (ATC)
- Flight operations
The IT department manages the entire network from the Sydney office or by traveling to the branch offices. All resources are located at the Sydney office and are accessed across the WAN links by users in the branch offices.
Although the ATC department works closely with flight operations, it is still a separate department.
The flight operations department consists of the following groups:
- Flight officers
- Manifest
- Catering
Users in the Manifest group use an application named Manifest. The Manifest application consists of two versions:
  - Passenger Manifest, which contains Passenger information
  - Cargo Manifest, which contains Cargo information
Users in the Sydney office use only Passenger Manifest. Users in the branch offices use only Cargo Manifest. Currently, access to the Manifest application is limited only by using NTFS permissions.
Passenger Manifest runs on a server in the Sydney office. The information in Passenger must be current within the hour and must be available at all times to all users in the Manifest group. The information contained in the Passenger Manifest must never become publicly available.

Infrastructure
Directory Services
The existing domains and trusts are displayed in the Existing Domain model exhibit.
The LAN in each office consists of a 100-Mbps Ethernet network. No server computers are located in the branch offices. All IP addresses are statically configured for computers located in the branch offices.
A Microsoft Exchange Server 2000 environment provides Outlook Web Access (OWA) to all users. A single Exchange Server 2000 front-end server computer in the Sydney office is allocated for OWA. Currently, the company does not have a public Web site.
A Microsoft Internet Security and Acceleration (ISA) Server computer in the Sydney office is configured as a firewall and proxy server. The ISA Server computer is also used for publishing OWA to flight officers who connect to the network from outside the firewall. Flight officers use portable computers to access OWA via an ISP. No other intranet applications are currently available.
Company policy states that client computers should run only Windows 2000 Professional or Windows XP Professional. However, this policy is currently not enforced.

The existing hardware is shown in the following table.

Processor | Hard disk drive | Memory | Roles
Pentium III-800 MHz dual | TWO 9-GB SCSI | 256 MB | Two domain controllers for Windows 2000 corporate domain; one domain controller for Windows 2000 root domain
Pentium III-800 MHz | TWO 9-GB SCSI | 256 MB | PDC for Windows NT 4.0 domain
Pentium III-750 MHz | TWO 9-GB SCSI | 256 MB | Exchange Server 2000 computer as member of Windows 2000 corporate domain

Problem Statements
The following business problems must be considered:
- The ATC application uses the inetOrgPerson class when authenticating to the X.500 directory-enabled database that the application uses for authentication.
- The existing GPOs result in extremely lengthy logon times for users in the branch offices. Members of the Administrators group are currently excluded from the GPO that forces password changes.
- The current dial-up solution results in expensive long-distance calls and only supports OWA. Currently, an on-site user must send the information to flight officers via an e-mail message because the Manifest application requires that users map to drive T to operate.
- Existing airline security requirements specify that only smart card authentication should be used for the administration of servers by network administration.

Interviews
Chief Executive Officer
Blue Yonder Airlines has experienced consistent growth since its startup in 1997. However, this year the market has leveled off and we need to expand our services to Europe. We anticipate substantial growth over the next two years.
Our current offices are located near the major airports in Australia. Each office provides all airline-related administrative features for its respective location. The only exception is network administration, which is provided by the Sydney office. If network administrators are needed in one of the branch offices, they are provided air transportation by our company.

Chief Information Officer
Our company plans to establish a Web site named www.blueyonderairlines.com that will include an online booking system for our customers. Blueyonderairlines.com is already registered to the company and is used for e-mail addresses. This must not change.
I am concerned about security risks of the new Web site. Our DNS information must remain secure. The Manifest group must still remain a separate group for security purposes.
All servers must be upgraded to Windows Server 2003 to meet the new airline security requirements and to ease the management concerns we are currently facing. We are planning a hardware refresh within the next year to upgrade all computers to a minimum of 1 GB of RAM and seven SCSI hard disk drives per server. I anticipate that 300 new devices will be added to the network in the Sydney office over the next two years.

Network administrator
The WAN links are unreliable and can fail for hours at a time. We cannot copy large files because of this, and there are bandwidth problems related to slow links and unreliability. Fault tolerance for the domains will be required for instances when the WAN links are down or when a single server fails.
We have adequate hardware, but performance for our existing Windows 2000 Server computer is inadequate. The Exchange 2000 Server computer has excessively high processor utilization once a day. The high utilization lasts for almost an hour and users report that processing is very slow during this time.
There cannot be servers in branch offices because of the smart card authentication requirement. A separate network administrator will be appointed to manage the Manifest application.
The NetBIOS name of the corp.blueyonderairlines.com domain is Airlines. Some applications still rely on this NetBIOS name to operate.
Currently, if service packs or new applications need to be installed on computers in the branch offices, a network administrator has to fly to that location. We do this because users do not have permissions to install software on their computers.

Flight Officer
Our network is generally performing adequately. However, I frequently have to make long-distance calls to the office to establish a dial-up connection. Often I do not get a connection because of a busy tone, and when I do get a connection I frequently get disconnected.

Office Worker

It takes more than five minutes to log on to the network, and when I finally log on to the network, my computer tries to automatically install software that eventually fails. However, I have noticed that my computer seems to respond better after this occurs.
I have to remember too many passwords. Currently, there are three: one for the domain, one for access to the ATC application, and one for access to the Manifest application.

Business requirements
Business Drivers
The following business requirements must be considered:
- Blue Yonder Airlines wants to establish a public Web site that is available 24 hours a day, seven days a week. New customers must be able to access this Web site by using a single URL.
- Internal users must be able to access resources by providing their respective user names and passwords once per session.
- Managers in the finance department are dissatisfied with the high number of expense claims they receive from flight officers for dial-up connections to the ISP.

Organizational Goals
The following organizational requirements must be considered:
- The new branch offices will be established in Berlin and Paris.
- The new offices will connect to each other by means of a permanent WAN link.
- The new offices will share a new WAN link to the Sydney office.
- The expected number of new users in these offices is 100.
- A new European administrative group will be established to manage these users and their resources.

Security
The following security requirements must be considered:
- Flight officers must be able to access secure data from any company office or from any remote location.
- Flight officers and users of the Manifest application must be able to access Manifest data.

Customer Requirements
The following customer requirements must be considered:
- User accounts must be created correctly in Active Directory and must be able to use all features of Active Directory and the ATC application simultaneously.
- Faster name resolution is required when connecting to internal servers and external Web sites.

Technical requirements
Active Directory
The following Active Directory requirements must be considered:
- The Manifest application requires administration to meet European legal requirements.
- Software deployment and security settings are different for users in each department. As users travel between locations, their user information must always be available locally.
- Each branch office needs to resolve all NetBIOS names even if a WAN link goes down.
- The browser settings must be distributed to computers by using GPOs.
- The company's administrative model will change to a decentralized model with the addition of a second administrative group in Europe. Both administrative groups require smart card authentication for server administration.
- VPN access is required for flight officers only.

Network infrastructure
The following infrastructure requirements must be considered:
- The planned network is shown in the Planned Network Infrastructure exhibit.
- Redundancy for any service must be provided if a single service fails.
- A WAN link from the newly established Berlin office will connect to the Sydney office. Another WAN link will connect the Paris office with the Berlin office.
- Users' reports of lengthy logon times must be resolved.
- Daily updates of antivirus software must be executed for all desktop computers.

Case Study #9, Blue Yonder Airlines (11 Questions)

QUESTION NO: 1
You are designing a strategy for the placement of servers to meet the business and technical requirements. What should you do?
Answer:
Explanation:

A global catalog server is a domain controller that maintains a subset of Active Directory object attributes that are most commonly searched for by users or client computers, such as a user's logon name. Global catalog servers provide two important functions. They allow users to log on to the network, and they allow users to locate Active Directory objects anywhere in a forest without referring to specific domain controllers that store the objects.
Reference: Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 5, pp. 5-15.

QUESTION NO: 2
You are designing a top-level OU structure to meet the business and technical requirements. Which top-level OU or OUs should you use? (Choose all that apply.)
A. ATC
B. Paris
C. Berlin
D. Sydney
E. Manifest
F. Human Resources
Answer: A, B

QUESTION NO: 3
You are designing an authentication solution to meet the security needs of the network administrators. You install an enterprise certification authority (CA). Which three additional actions should you take? (Each correct answer presents part of the solution. Select three.)
A. Enroll each administrative account for a smart card authentication certificate.
B. Configure autoenrollment for computer authentication certificates.
C. Install a smart card reader on each server computer.
D. Install a smart card reader on each network administrator's computer.
E. Configure each administrative account to require a smart card for interactive logon.
F. Configure the Default Domain Policy GPO to require smart cards for interactive login.
Answer: A, D, E
Explanation: The case study states: "Existing airline security requirements specify that only smart card authentication should be used for the administration of servers by network administration."
Enrollment can occur automatically, for example, when an application sends a certificate request to an enterprise CA and immediately receives a certificate in return, or manually, when a user explicitly requests a certificate from a CA. To send enrollment requests to an enterprise CA, you use the Certificates snap-in for Microsoft Management Console. Because smart card logons are intended only for internal users with access to Active Directory, only enterprise CAs can issue smart card certificates.
A smart card is a credit card-size device used to securely store public and private keys, passwords, and other types of personal information. To use a smart card, you need a smart card reader attached to the computer and a personal identification number for the smart card. In Microsoft Windows Server 2003, smart cards can be used to enable certificate-based authentication and single sign-on to the enterprise.
The "Smart card is required for interactive logon" option, found in the Account options section of the Account tab, disables logging on without a smart card.
Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Chapter 19, pp. 19-10 and Glossary, pp. G-51.
Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress, Chapter 4, pp. 283.

QUESTION NO: 4
You are designing a domain naming strategy for the new environment. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register airlines.com as a new domain name.
B. Register manifest.airlines.com as a new domain name.
C. Register manifest.blueyonderairlines.com as a new domain name.
D. Maintain the existing blueyonderairlines.com registered domain name.
E. Use the UPN suffix of airlines.com for all new users.
F. Use the UPN suffix of blueyonderairlines.com for all new users.
Answer: D, E
Explanation: In the case study, the Chief Information Officer states: "Blueyonderairlines.com is already registered to the company and is used for e-mail addresses. This must not change." It also states that the NetBIOS name of the corp.blueyonderairlines.com domain is Airlines and that some applications still rely on this NetBIOS name to operate. It goes further, saying: "New customers must be able to access this Web site by using a single URL."
Users logging on using Windows 2000 or later platforms may log on the same way, or they may log on using the more efficient UPN. The UPN takes the format <UserLogonName>@<UPN Suffix>, where the UPN suffix is, by default, the DNS domain name in which the user object resides. You should plan names that fit both DNS and NetBIOS name requirements.
Reference: Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 3, pp 3-27.

QUESTION NO: 5
You are designing a site topology for the new Active Directory environment. What should you do?
A. Create one site for all offices. Place the subnets for the four branch offices and the Sydney main office in this site.
B. Create two sites: one site for the four branch offices and one site for the Sydney main office. Place the subnets for the branch offices in one site. Place the subnet for the Sydney main office in the other site.
C. Create three sites: one site for the four branch offices, one site for the Sydney main office, and one site for the Sydney satellite offices.
D. Create four sites: one for the Melbourne and Perth branch offices, one site for the Berlin and Paris branch offices, one site for the Sydney main office, and one site for the Sydney satellite offices.
E. Create five sites: one site for the Melbourne branch office, one site for the Perth branch office, one site for the Berlin branch office, one site for the Paris branch office, and one site for the Sydney main office. Place the subnets for each branch office and the Sydney main office in their respective sites.
Answer: E
Explanation: The answer should be E since you are deploying a separate DC/GC to a site. Users complain that logon times and GP installation takes forever.
If you only create 2 sites (B), then you will continue to have logon problems because site affinity will find any of the remote DCs to authenticate. By having a site in each location, site affinity will use the local DC/GC for authentication and GP processing.

QUESTION NO: 6
You are designing a strategy to enable the ATC application to successfully resolve computer names. Which name resolution method should you use?
A. DNS
B. WINS
C. Hosts file
D. Lmhosts file
Answer: A
Explanation: The case study states: "The ATC application is an X.500 directory-enabled application that runs on Windows NT Server 4.0 computers in the Sydney office. The company plans to use a new version of the ATC application that will run on a Windows Server 2003 computer hosted by Contoso, Ltd. Only specified users will have access to this application. Users connect to this application by querying DNS for the application's service record. This record is stored on a UNIX DNS server running the latest version of BIND."
Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) written and ported to most available versions of the UNIX operating system.
Reference: Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Glossary, pp G-2.

QUESTION NO: 7
You are designing a DNS implementation strategy to meet the business and technical requirements. What should you do?
A. Configure a domain controller in each branch office to contain a secondary zone of the contoso.com domain.
B. Configure the DNS Server service on a domain controller in each office. Configure an Active Directory-integrated zone to replicate to all DNS servers.
C. Configure an Active Directory-integrated zone on a domain controller in Sydney. Configure this zone to replicate to all domain controllers.
D. Configure a primary zone for blueyonderairlines.com on a domain controller in Sydney. Configure a secondary zone on another DNS server in Sydney.
Answer: B
Explanation: When you are running the DNS server service on a computer that is an Active Directory domain controller and you select the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) check box while creating a zone in the New Zone Wizard, the server does not create a zone database file. Instead, the server stores the DNS resource records for the zone in the Active Directory database. Storing the DNS database in Active Directory provides a number of advantages, including ease of administration, conservation of network bandwidth, and increased security.
In Active Directory-integrated zones, the zone database is replicated automatically, along with all other Active Directory data. Active Directory uses a multiple master replication system so that copies of the database are updated on all domain controllers in the domain. You don't have to create secondary zones or manually configure zone transfers, because Active Directory performs the database replication automatically.
This solution satisfies the requirements of the case study, which states: "Our DNS information must remain secure." As well as "Faster name resolution is required when connecting to internal servers and external Web sites." Furthermore, it also states: "Redundancy for any service must be provided if a single service fails."
Providing redundancy: For a network that relies heavily on DNS name resolution, having a single DNS server means having a single point of failure. You should deploy a sufficient number of DNS servers so that at least two copies of every zone are always online.
Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Chapter 4, pp. 4-28 to 4-37.

QUESTION NO: 8
You are designing a strategy to meet the security and financial requirements related to the Manifest application. What should you do?
A. Configure a VPN server in Sydney.
B. Configure a VPN server in each branch office.
C. Configure a dial-up server in Sydney.
D. Configure a dial-up server in each branch office.
Answer: A
Virtual private networking (VPN) provides a way of making a secured, private connection from the client to the server over a public network such as the Internet.
Unlike dial-up networking, in which a connection is made directly between client and server, a VPN connection is logical and tunneled through another type of connection. Typically, a remote user would connect to an Internet service provider (ISP) using a form of dial-up networking (particularly good for users with high-speed connections). The Routing And Remote Access server would also be connected to the Internet (probably via a persistent, or permanent, connection) and would be configured to accept VPN connections. Once the client is connected to the Internet, it then establishes a VPN connection over that dial-up connection to the Routing And Remote Access server.
The reason for configuring it in the Sydney office is that the Passenger Manifest runs on a server in the Sydney office, and the information contained in it must never become publicly available. Currently, an on-site user must send the information to flight officers via an e-mail message, so VPN would make it easier for the flight officers to access it.
Reference: Walter Glenn, and Michael T. Simpson; MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 1, pp. 1-43.

QUESTION NO: 9
You are designing the placement of the PDC emulator operations master role. In which location or locations should you place the role? (Choose all that apply.)
A. Sydney
B. Melbourne
C. Perth
D. Berlin
E. Paris
Answer: A
Explanation: In a native mode Windows Server 2003 environment, the PDC Emulator receives preference in the replication of user account passwords.
The reason for it being placed in Sydney is, "The IT department manages the entire network from the Sydney office or by traveling to the branch offices. All resources are located at the Sydney office and are accessed across the WAN links by users in the branch offices."
Reference: Robert Williams, and Mark Walla: The Ultimate Windows Server 2003 System Administrator's Guide, Addison-Wesley, Chapter 5.

QUESTION NO: 10
You are designing a strategy to improve the performance and reliability of the domain controllers. What should you do?
A. Create one RAID-5 volume.
B. Create two RAID-5 volumes.
C. Create one mirrored volume and two RAID-5 volumes.
D. Create two mirrored volumes and one RAID-5 volume.

Answer: D

70 - 297 Leading the way in IT testing and certification tools, www.testking.com - 138 -

Explanation:
A mirrored volume provides good performance along with excellent fault tolerance. Two disks participate in a mirrored volume, and all data is written to both volumes. As with all RAID configurations, use separate controllers (by adding a controller, you create a configuration called "duplexing") for maximum performance.
A RAID-5 volume uses three or more physical disks to provide fault tolerance and excellent read performance while reducing the cost of fault tolerance in terms of disk capacity. Data is written to all but one disk in a RAID-5. That volume receives a chunk of data, called parity, which acts as a checksum and provides fault tolerance for the stripe. The calculation of parity during a write operation means that RAID-5 is quite intensive on the server's processor for a volume that is not read-only. RAID-5 provides improved read performance, however, as data is retrieved from multiple spindles simultaneously.

Reference:
Dan Holme and Orin Thomas: MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Chapter 11, 11-35 to 11-37.

QUESTION NO: 11
You are designing an IP address management strategy to address the anticipated growth of the company and to meet the business and technical requirements. What should you do?
A. Install one DHCP server in each branch office and in Sydney. On each server, create duplicate scopes that contain the necessary scope options. Configure the scopes to assign all of the available IP addresses to each office.
B. Install one DHCP server in each branch office and in Sydney. On each server, create duplicate scopes that contain the necessary scope options. Configure the scopes to assign half of the available IP addresses to each office.
C. Install two DHCP servers in each branch office and in Sydney. Authorize one server in each office. On each server, create duplicate scopes that contain the necessary scope options. Configure the scope to assign half of the available IP addresses to each office.
D. Install two DHCP servers in each branch office and in Sydney. Authorize both servers in each office. On each server, create duplicate scopes that contain the necessary scope options. Configure the scope to assign half of the available IP addresses to each office.

Answer: D

Case Study #10, Northwind Traders

Existing Network Infrastructure Exhibit

Overview
Northwind Traders is a stockbroker company in Northern Europe. The company provides advice and the resources to buy and sell stocks for individual investors. Currently, the company operates between the hours of 8:00 A.M. and 6:00 P.M. However, with the upcoming changes, business hours will be expanded.

Physical locations
The company's main office is located in Stockholm. The company has two branch offices in the following locations:
• Helsinki
• Copenhagen
The company plans to establish a new branch office in Oslo. The number of users in each location is shown in the following table.

Location      Number of users
Stockholm     350
Helsinki      100
Copenhagen    150
Oslo          15

Planned Changes
All stock trading is currently done by telephone or fax. The company wants to provide a Web site to allow customers to trade directly by using the Internet. It is also providing a new Web application named NewApp to trade stocks. To support this new environment, the company will upgrade its servers to Windows Server 2003.

Existing Environment

Business Processes
Each office of Northwind Traders has its own IT staff. The company currently hosts a mainframe application that tracks customers' stock traders. Each office uses its own instance of this application. Stock trades that have been initiated by telephone must be recorded within two hours of the call.

Infrastructure

Directory Services
Currently, the company is using a Windows NT 4.0 domain infrastructure consisting of three domains, one for each office. The information about these domains is not well documented. All links between offices are highly reliable. All IT staff are members of the Domain Admins group in their own domain. All domain controllers run Windows NT Server 4.0 with the latest service pack and security fixes installed.

Network Infrastructure
The existing network infrastructure is shown in the Existing Network Infrastructure Exhibit. The local network in each office is a 10/100-Mbps Ethernet network. Client computers run Windows NT Workstation 4.0 and Windows 98. There are also *** missing ***

Problem Statements
The following business problems must be considered:
• Currently, employees need to remember different user names and passwords for different computers and offices. The company wants a single sign-on process in the new environment, which will also help to improve security.
• In the last year, the company had some instances of data being compromised. The company wants to be able to trace which computer used which IP address at the time that the compromise occurred. The company wants to be able to store this information for at least one month.

Chief Executive Officer
I want customers of Northwind Traders to be able to trade stocks more directly. Because migration can take months, we need our employees to be able to access both the current environment and the new environment during migration. However, after the migration is completed, employees should not be allowed to log on to the current environment.

Chief Information Officer
I want to introduce a new application named NewApp. NewApp is a multitier application that will run on the Windows Server 2003 computers. NewApp will enable us to provide our customers with a tool to trade stocks online. NewApp will be hosted on computers in the Stockholm and Oslo offices. The NewApp Web servers will be accessible from the Internet. The NewApp database servers will be accessible from all sites.

Business requirements

Business Drivers
The following business requirements must be considered:
• Northwind Traders will use an Internet Web site hosted as www.northwindtraders.com.
• For the internal DNS name, the company wants to use a contiguous namespace.
• For internal name resolution, all computers are required to first use a local DNS server.
• NewApp needs to be highly available. Maximum downtime of this application and its services will be one hour per month.
• Because the customer transactions are increasing, the company wants to increase productivity and service levels without employing more traders.
• The company wants to test the disaster recovery model at least once a year.
• During this test, only the password changes and resource access will be tested.

Organizational Goals
The following organizational requirements must be considered:
Currently there is no information about how much bandwidth is needed for... *** MISSING ***

Security
The following security requirements must be considered:
• Employees need access to customer data. The company needs to secure the customer data.
• All IT staff is trusted. However, only a selected group of IT staff will have access to customer data.
• To secure the stock transactions as much as possible, we need all customers to use client certificates for all Web-based stock trading.
• The company wants to be able to grant and revoke certificates.
• All NewApp database servers need a common set of security settings.
• The maximum downtime of NewApp services is specified for one hour. If a downtime of NewApp services in Stockholm of more than one hour is anticipated, administrators must recover NewApp at the disaster recovery location.

Technical requirements

Active Directory
The following Active Directory requirements must be considered:
• Employee accounts and resources must be securely separated from the customer account and resources.
• Web servers will not be part of a domain.

• The company will use centralized authentication for Routing and Remote access.
• IT management has decided to use a common namespace for all domains.
• To make company-wide Active Directory changes, administrators from both the customer environment and the corporate environment must agree.
• New hardware will be purchased for all Windows Server 2003 domain controllers.
• The OU structure must align with the new administrative model.

Network Infrastructure
The following infrastructure requirements must be considered:
• Front-end servers of NewApp will be a Network Load Balancing array of single processor servers.
• Back-end servers of NewApp will be a cluster of eight-way 64-bit servers.
• The company's ISP does not allow updates to DNS made by customers. The company wants to manage its own namespace.
• The company has only a limited number of public IP addresses. It can use these addresses only when needed.
• Logon traffic across WAN links needs to be minimized.
• All client computers will be upgraded to Windows XP Professional.
• The company wants to create a disaster recovery location in the Oslo Office.
• Employees who have remote access will be allowed to access only the NewApp servers when they connect from outside the office. The different remote access requirements are shown in the following table.

Remote access      Idle-timeout       Dial-in schedule   Authentication
*** MISSING ***    *** MISSING ***    *** MISSING ***    *** MISSING ***

Case Study #10, Northwind Traders (7 Questions)

QUESTION NO: 1
You are designing a strategy for migrating to the new environment. Which two factors from your current environment will affect your migration strategy? (Each correct answer presents part of the solution. Choose two.)
A. Trusts between domains
B. Number of BDCs in each domain
C. Users and resources in each domain
D. Current hardware for domain controllers
E. Current amount of replication traffic over WAN links

Answer: A, C

QUESTION NO: 2
You are designing an OU structure for IT staff at the branch offices. What should you do?
A. Create an OU for the NewApp Web servers. Assign the IT staff at the branch offices user rights to this OU.
B. Create an OU for the NewApp data servers. Assign the IT staff at the branch offices user rights to this OU.
C. Create an OU for the IT staff at each branch office. Place network administrators at the branch offices in these OUs.
D. Create an OU for each branch office. Place local servers in the OU for their respective office. Assign the IT staff at the branch offices user rights to these OUs.

Answer: D

Explanation:
The case study states: "Each office of Northwind Traders has its own IT staff."
Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain. Prior to the introduction of the Active Directory, the domain was the smallest container to which you could assign administrative permissions. This meant that giving a group of administrators administrative control over particular resources was difficult or impossible to do without giving them sweeping permissions throughout the domain. OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself.

Reference:
Walter Glenn and Michael T. Simpson: MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Microsoft, Chapter 1, pp. 1-9.

QUESTION NO: 3
You are designing the Active Directory domain structure for the company. You need to create a diagram that shows the appropriate structure. What should you do?
Move the appropriate domains to the correct location in the answer tree.

Answer:
Note: Uncertainty

QUESTION NO: 4
You are designing a migration strategy to create user IDs for all company users in the new environment. What should you do?
A. Create a script that uses Active Directory Services Interfaces (ADSI) to import all user accounts into the new environment.
B. Create new accounts for all users. Create a trust relationship between the existing environment and the new environment to enable access to resources in the existing environment.
C. Import all user accounts into the new environment by using the Active Directory Migration Tool (ADMT).
D. Import all user accounts into the new environment. Instruct users not to change their passwords during the migration phase so that they can access resources in the existing environment.

Answer: A

QUESTION NO: 5
You are designing a security strategy for users who need remote access to the corporate network. What should you do?
A. Configure Internet Authentication Service (IAS) for accounting.
B. Configure the server running Routing and Remote Access to support L2TP.
C. Configure the server running Routing and Remote Access to restrict dial-in traffic to the NewApp servers only.
D. Create a separate account for remote access users. Configure these accounts to access the NewApp server only.

Answer: C

Explanation:
Internet Authentication Service (IAS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS), an authentication and accounting system used by many Internet Service Providers (ISPs). When a user connects to an ISP using a username and password, the information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.
Reference:
Dan Holme and Orin Thomas: MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft, Glossary, pp. G-11.

QUESTION NO: 6
You need to test your disaster recovery solution. Which role should you transfer to the disaster recovery location during the test?
A. RID master
B. Schema master
C. PDC emulator master
D. Domain naming master

Answer: C

QUESTION NO: 7
You are designing a strategy to ensure that the Web servers will be accessible from the Internet. You need to identify the appropriate IP configuration components that need to be used. What should you do?
Drag and Drop

Answer:

Case Study #11, Graphic Design Institute

Exhibit, Existing Domain Model

Exhibit, Existing Network Infrastructure

Overview
Graphic Design Institute is a graphical design company that creates animated graphics for several advertising companies and movie theaters. The hours of operation are 8:00 A.M. to 5:00 P.M., Monday through Friday.

Physical Locations
The company's main office is located in Los Angeles. The company has five branch offices in the following locations:
• Atlanta
• Dallas
• Denver
• New York
• San Francisco
The number of users in each office is shown in the following table.

Office         Number of users
Los Angeles    550
Atlanta        300
Dallas         30
Denver         210

Planned Changes
To meet new security and customer requirements, the company wants to implement a Windows Server 2003 Active Directory environment.

Existing Environment

Business Processes
Graphic Design Institute consists of the following primary departments:
• Human Resources (HR)
• Finance
• Information Technology (IT)
• Advertising
• Movies
• Animation
The IT department is responsible for all network management. Users often work on multiple projects at the same time. A strong administrative structure based on each user's office location and department is being used.

Infrastructure

Directory Services
The existing domains and trust relationships are shown in the Existing Domain Model exhibit. The company has one Windows 2000 domain located in the Los Angeles office. The name of the domain is graphicdesigninstitute.com. The domain is a Windows 2000 mixed-mode domain that contains Windows 2000 Server computers configured as domain controllers, Windows NT Server 4.0 computers configured as BDCs, and Windows 2000 Server computers configured as member servers. Currently, this domain is the only Active Directory domain. The domain consists of the following three top-level OUs:
• Movies
• Animation
• Advertising
The default site configuration has been implemented in the existing Active Directory environment.

Problem statements
The following business problems must be considered:
• There is currently no enforcement of frequent password changes and logon hours.
• The ISP can only supply a single subnet, which consists of 32 IP addresses, for the Internet link.
• It is very difficult to manage users and groups and their necessary permissions.
• The finance and HR department cannot agree on a mutual security policy to implement.
• NetBIOS name resolution is saturating the WAN links.

Interviews

Chief Executive Officer
Graphic Design Institute has lost a number of contracts due to deadlines that have not been met. Decreasing the amount of time we spend administering the network, along with increasing the amount of time we spend on customers, is my primary reason for requesting the upgrade of the entire network. Funds are available for critical hardware requirements. I do not want any downtime for users. I also want strict business hours enforced. Employees should not be at the office or work from home outside normal business hours.

Chief Information Officer
Currently, we have problems as a result of all the mergers and acquisitions. I want all the servers to be installed with Windows Server 2003 to resolve these problems. I also want all client computers upgraded to Windows XP Professional over the next two years. The current IT response level is leading to a lot of lost production hours. Each office will continue to manage its own users and computers, with the exception of the finance and HR departments, which have their own requirements. We need to ensure that no production time is lost as a result of an interruption in the network connectivity.

Network Administrator
We are currently expected to resolve issues within 24 hours, although this sometimes is not achieved. Because most high-level administrative work can only be done when users are not in the office, network administrators often work after hours or on weekends.

Domain administrators are responsible for managing the private IP addresses of every computer that belongs to their respective domains. Help desk staff exists in each branch office to assist users with software-related problems, as well as with basic network problems. Each domain has its own help desk staff with personnel located in each office. In the future, the help desk staff will be responsible for resetting passwords if users forget them.

Office Worker
Only selected users have Internet access. This prevents us from remaining competitive because we cannot perform the necessary research about new technologies or software available.

Business Requirements

Business Drivers
The following business requirements must be considered:
• A single internal namespace is required to minimize administrative effort.
• A Web site exists outside the firewall to provide company contact information.

Organizational Goals
The following organizational requirements must be considered:
• The new design must accommodate the finance and HR departments, which have requirements not addressed by the company's planned password policy.
• All computers must have the latest service packs and hot fixes installed. In addition, computers in the advertising department must be updated to have the latest versions of graphics and audio drivers installed.

Security
The following security requirements must be considered:
• Specific security groups must be set up to address security requirements.
• Security must be based on departments and groups of individuals within the departments.
• Users in the finance department need access to payroll information on a server named Payroll, which is located in the HR department.

Customer Requirements
The following customer requirements must be considered:
• A new service-level agreement that requires a response from the IT department to users within one hour must go into effect.
• Personal information about employees must remain secure.
• All client computers, regardless of office location, must be able to access all other computers.

Technical Requirements

Active Directory
The following Active Directory requirements must be considered:
• The company requires a new Active Directory environment that enables the security requirements of various departments to be met. This must be accomplished by installing Windows Server 2003 on all domain controllers.
• A completely decentralized administrative approach will be used. Each group of administrators will be responsible for its own departmental environment.
• Only one operations master role will be allowed per domain controller. This is required for fault tolerance.
• DNS replication of the forest root domain must be limited to forest domain controllers only.

Network Infrastructure
The following infrastructure requirements must be considered:
• A new Routing and Remote Access solution must be installed.
• A DHCP solution that is fault tolerant within each office must be implemented.
• All WAN links must be fault tolerant.
• Name resolution must be localized on the local network.

Case Study #11, Graphic Design Institute (10 Questions)

QUESTION NO: 1
You are designing a strategy to address the requirements of the advertising department. What should you do?
A. Create a GPO and link it to the Denver site.
B. Create a GPO and link it to the Advertising OU.
C. Create a GPO and link it to the graphicdesigninstitute.com domain.
D. Configure the Default Domain Policy to have the No Override option.
E. Use block inheritance to prevent the GPO from applying to members of the advertising department.

Answer: B

Explanation:
The case study states: "Each group of administrators will be responsible for its own departmental environment."
You can use Group Policy to define user settings such as password restrictions or computer settings. It is much better to create a Group Policy plan that applies GPOs efficiently from the outset, and linking GPOs to OUs provides a way to bring such a plan into effect. Creating GPOs for OUs gives you much better control over the application of Group Policy, because it eliminates the need to filter Group Policy settings.

Incorrect Options:
A: This would apply the GPO to the entire Denver site, but the question refers to the advertising department.
C: This would apply the GPO to the entire graphicdesigninstitute.com domain, but the question refers to the advertising department.
D: The Default Domain Policy applies at the domain level, but the question refers to a department.
E:

Reference:
Walter Glenn and Michael T. Simpson: MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 4, pp. 4-10.

QUESTION NO: 2
You are deploying a NetBIOS name resolution strategy to meet the business and technical requirements. What should you do?
A. Install one WINS server in each branch office. Configure the WINS servers to use push/pull replication with the WINS server in Los Angeles. Configure all computers to have the IP address of the local WINS server.
B. Install two additional WINS servers in Los Angeles. Configure the WINS servers to use push/pull replication. Configure all computers to have the IP addresses of the WINS servers.
C. Install the DNS Server service on one domain controller in each branch office. Configure the DNS server to forward all unanswered queries to the WINS server. Configure all computers to have the IP address of the DNS servers.
D. Configure the DNS servers in each branch office to forward all unanswered queries to a local WINS server. Configure all computers to have the IP addresses of the DNS server in graphicdesigninstitute.com forest root.

Answer: A

Explanation:
The question asks for NetBIOS name resolution, which means we must use WINS.
Your goal, when designing a WINS strategy for your network infrastructure, is to have the WINS service available to client workstations when they need it. Availability is at risk when there is only one WINS server configured to support a large number of users. If that server should fail, all of the users will now need to resolve NetBIOS names using one of the other methods, namely: Lmhosts files or broadcasts. In situations in which a slow link exists between two subnets, it is highly recommended that a WINS server be placed in both subnets to maximize performance of client name-resolution requests. It is for this reason that "B" is incorrect.
This is the default configuration of a WINS server. A push of an updated WINS database will occur as discussed previously, and the WINS server is also configured to pull WINS database information from another WINS server at a designated time. This type of configuration is recommended in most cases. After configuring WINS servers as Push/Pull partners, servers, after replication, will contain NetBIOS records from all subnets. Now, any WINS-enabled client on any subnet can access resources on a different subnet using the NetBIOS name of that resource.

Incorrect Options:
C and D: The question does not ask for DNS resolution.

Reference:
Walter Glenn and Michael T. Simpson: MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 7, pp. 7-16 to 7-24.

QUESTION NO: 3
You are designing a DHCP strategy to meet the business and technical requirements. What should you do?
A. Install one DHCP server in each branch office and one DHCP server in Los Angeles.
B. Install one DHCP server in each branch office and two DHCP servers in Los Angeles.
C. Install two DHCP servers in each branch office and one DHCP server in Los Angeles.
D. Install two DHCP servers in each branch office and two DHCP servers in Los Angeles.

Answer: D

Explanation:
The case study states: "A DHCP solution that is fault tolerant within each office must be implemented."
Option "D" allows for this to be achieved, by placing two DHCP servers in each office.

Incorrect Options:
A, B and C: These options do not conform to the requirements because they do not have two servers in each office.

QUESTION NO: 4
You are designing a DNS strategy to meet the business and technical requirements. What should you do?
A. Install the DNS Server service on all domain controllers. Create Active Directory-integrated zones. Replicate the zones to all DNS servers in the forest.
B. Install the DNS Server service on all domain controllers. Create Active Directory-integrated zones. Replicate the zones to all DNS servers in the domain.
C. Install the DNS Server service on all domain controllers. Create primary zones and secondary zones.
D. Create application partitions for the different zones on one domain controller. Configure replication to occur on all DNS servers.

Answer: B

Explanation:
The case study states: "...the company wants to implement a Windows Server 2003 Active Directory environment."
This environment uses DNS for name resolution. Any domain controller running the DNS Server service can be designated as the primary source for a zone and can update a zone. In other words, there is not one primary DNS server, as in the standard primary zone methodology, which can be a single point of failure for a network. In the Active Directory integrated model, a master copy of the zone is maintained by Active Directory and replicated to all domain controllers.

Incorrect Options:
A: The case study states: "DNS replication of the forest root domain must be limited to forest domain controllers only."
C: For standard primary zones, only a single server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. The standard primary model implies a single point of failure.
D:

Reference:
Walter Glenn and Michael T. Simpson: MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 6, pp. 6-12 to 6-13.

QUESTION NO: 5
You need to identify the number of servers that will be used specifically for operations master roles. How many servers should you recommend?
A. 5
B. 11
C. 1
D. 17
E. 20

Answer: B

QUESTION NO: 6
You are designing a strategy to provide Internet access to all users. What should you do?
A. Configure Internet Connection Sharing on all client computers.
B. Configure Automatic Private IP Addressing (APIPA) on all client computers.
C. Configure one server as a Routing and Remote Access VPN server.
D. Configure one server as a Routing and Remote Access NAT router.

Answer: D

Explanation:
Computers running a member of the Windows Server 2003 family now allow you to add the Internal interface as a private interface to the Network Address Translation component of the Routing and Remote Access service. This allows connected remote access clients to access the Internet.

Incorrect Options:
A: Internet Connection Sharing is recommended only for very small networks.
B: APIPA is an addressing feature for simple networks that consist of a single network segment. Whenever a computer running Windows Server 2003 has been configured to obtain an IP address automatically, and when no DHCP server or alternate configuration is available, the computer uses APIPA to assign itself a private IP address in the range of 169.254.0.1–169.254.255.254.
C:

Reference:
Jerry Honeycutt: Introducing Microsoft Windows Server 2003, Microsoft Press, Chapter 6.
Walter Glenn and Michael T. Simpson: MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 9, pp. 9-12.

QUESTION NO: 7
You are designing an Active Directory forest structure to meet the business and technical requirements. What should you do?
A. Create a single forest that has one domain. Use OUs to separate the departments.
B. Create a single forest that has multiple domains to represent every department.
C. Create a single forest that has three domains: one for finance, one for HR, and one for the remaining departments.
D. Create multiple forests that have a single domain in each forest to represent the departments.

Answer: C

Explanation:
The case study states: "The new design must accommodate the finance and HR departments, which have requirements not addressed by the company's planned password policy."
It also states: "A completely decentralized administrative approach will be used."
This means that they have to have their own domains to which a password policy can be applied to cater for their respective needs.
There are a number of reasons that you might need to define multiple domains. These reasons include the following:
• You need to implement different domain-level security policies.
• You need to provide decentralized administration.
• You need to optimize replication traffic across WAN links more than you can by dividing a domain into multiple sites.
• You need to provide a different namespace for different locations, departments, or functions.
• You need to retain an existing Windows NT domain architecture.
• You want to put the schema master in a different domain than the domains that contain users or other resources.

Reference:
Walter Glenn and Michael T. Simpson: MCSE 70-297 Training Kit - Designing a Windows Server 2003 Active Directory and Network Infrastructure, Chapter 3, pp. 3-4 to 3-7.

QUESTION NO: 8
You are designing a WAN implementation strategy to meet the business and technical requirements. What should you do?
A. Configure a demand-dial router.
B. Create multiple Active Directory site links.
C. Configure a VPN connection between each branch office.
D. Install an Internet Authentication Service (IAS) server in each branch office.

Answer: A

Explanation:
Demand-dial connections are used by the Routing and Remote Access service to make point-to-point connections between LANs over which packets are routed.

Reference:
Jerry Honeycutt: Introducing Microsoft Windows Server 2003, Microsoft Press, Chapter 6.
QUESTION NO: ; You are designing a strategy to #ro/ide the required security $or the .ayroll ser/er You need to identi$y the actions that you should #er$orm to achie/e this goal !hat should you do% ?o/e* and arrange the actions in the #ro#er order Use only actions that a##ly 70 - 297 Leading the way in IT testing and certification tools, www.testking.com 2 1;" 2 )ns"er: .ending Send your suggestion to $eedbac0Itest0ing com QUESTION NO: <= You are designing a #ass"ord management solution to meet the business and technical requirements !hich t"o actions should you #er$orm% &Each correct ans"er #resents #art o$ the solution ( &'hoose t"o ( A. Delegate the password management controls to the help des/ staff. 1. Delegate the password management controls to the Domain Users group. .. .onfigure the Default Domain 5olic to enforce password eBpiration settings. D. .onfigure the Default Domain .ontroller 5olic to enforce password eBpiration settings. )ns"er: +* D E3#lanation: $ecurit groups are used to group domain users into a single administrati%e unit. $ecurit groups can be assigned permissions and can also be used as e2mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as the remain members of that group. !indows itself uses onl securit groups. !e ha%e alread established that multiple domains must be used when ou need to implement different domainle%el securit policies. 1 configuring the Default Domain .ontroller 5olic we appl the settings to that specific domain. De$erence: 70 - 297 Leading the way in IT testing and certification tools, www.testking.com 2 1;1 2 !alter Clenn, and Michael T. $impson# M.$3 G"22=G Training @it 2 Designing a !indows ser%er 2""3 Acti%e Director and ,etwor/ &nfrastructure, .hapter - , pp. -22;. 70 - 297 Leading the way in IT testing and certification tools, www.testking.com 2 1;2 2 'ase Study G<2 !ide !orld Im#orters TeBt Missing 70 - 297

Case Study #12 Wide World Importers (11 Questions)

QUESTION NO: 1
You are designing a VPN strategy to meet the business and technical requirements. Based on the current infrastructure, what is the maximum number of VPN connections that can be supported?
A. 25
B. 35
C. 70
D. 128
E. 256

Answer: B

QUESTION NO: 2
You are designing a strategy for migrating domain user accounts to the new Windows Server 2003 Active Directory environment. You want to identify the minimum number of trust relationships that need to be manually created to perform this operation. Which design should you use?
A. one external trust relationship
B. two external trust relationships
C. six external trust relationships
D. twelve external trust relationships
E. one two-way cross-forest trust relationship

Answer: B

QUESTION NO: 3
You are designing a DNS naming strategy for the proposed Active Directory environment. Which domain name or names should you use? Select all that apply.
A. wideworldimporters.com
B. newyork.wideworldimporters.com
C. sanfrancisco.wideworldimporters.com
D. east.wideworldimporters.com
E. west.wideworldimporters.com
F. seattle.wideworldimporters.com

Answer: D, E

QUESTION NO: 4
You are designing the top-level OU structure for the company. Which action or actions should you perform? Select all that apply.
A. Create an OU named Sales. Place all sales user accounts in the Sales OU.
B. Create an OU named Montreal. Place all Montreal user accounts in the Montreal OU.
C. Create an OU named East. Place all user accounts from the East Coast offices in the East OU.
D. Create an OU named NorthAmerica. Place all user accounts in the NorthAmerica OU.
E. Create an OU named Servers. Place all server computer accounts in the Servers OU.

Answer: B

QUESTION NO: 5
You are designing the NetBIOS domain naming strategy for the company. Which NetBIOS domain name or names should you use? Select all that apply.
A. east
B. west
C. quebec
D. newyork
E. northamerica
F. wideworldimporters

Answer: A, B

QUESTION NO: 6
You are designing the Active Directory replication topology to meet the business and technical requirements. You need to configure the replication intervals for the site links shown in the diagram. Each site link includes only the two sites it is shown between. What should you do?
Drag and Drop

Answer:

QUESTION NO: 7
You are designing the DNS topology to meet the business and technical requirements. Which DNS structure should you use?
A. one primary zone
B. two primary zones
C. one Active Directory-integrated zone that has the replication scope set to all DNS servers in the forest.
D. two Active Directory-integrated zones that have the replication scopes set to all DNS servers in the forest.
E. one Active Directory-integrated zone that has the replication scope set to all domain controllers in the domain.
F. two Active Directory-integrated zones that have the replication scopes set to all domain controllers in the domain.

Answer: D

QUESTION NO: 8
You are designing the security for dial-up remote access to meet the business and technical requirements. Which two mechanisms should you use? Each correct answer presents part of the solution. Select two.
A. EAP-TLS authentication
B. MS-CHAP v2 authentication
C. a stand-alone certification server
D. an enterprise certification server
E. MPPE 56-bit encryption

Answer: A, D

QUESTION NO: 9
You are designing the Active Directory site topology to meet the business and technical requirements. Which site or sites will require universal group membership caching? Select all that apply.
A. New York
B. Montreal
C. Quebec
D. San Francisco
E. Seattle
F. Vancouver

Answer: C, E, F

QUESTION NO: 10
You are designing a strategy to allow users to have remote access to internal resources. Which service or services should you allow on the public interface of the NAT Server? Select all that apply.
A. HTTP
B. LDAP
C. POP3
D. SMTP
E. VPN Gateway

Answer: B

QUESTION NO: 11
You are designing the placement of global catalog servers to meet the business and technical requirements. You need to identify the sites that require a global catalog server. What should you do? To answer, drag the global catalog server to the correct site or sites.
Drag and Drop

Answer:

Microsoft 70-290
Managing and Maintaining a Microsoft Windows Server 2003 Environment
Q&A with explanations
Version 78"0

Visit our reseller at www.PrometricVUE.com for latest version and special price! Leading the way in IT testing and certification tools, www.testking.com

Table of Contents

Topic 1: Managing and Maintaining Physical and Logical Devices (37 Questions)
Part 1: Manage basic disks and dynamic disks. (8 Questions)
Part 2: Monitor and Repair server hardware. Tools might include Device Manager, the Hardware Troubleshooting Wizard, and appropriate Control Panel items. (10 Questions)
Part 3: Optimize server disk performance.
A: Implement a RAID solution. (8 Questions)
B: Defragment volumes and partitions. (2 Questions)
Part 4: Install and configure server hardware devices.
A: Configure driver signing options. (5 Questions)
B: Configure resource settings for a device. (3 Questions)
C: Configure device properties and settings. (1 Question)

Topic 2: Managing Users, Computers, and Groups (89 Questions)
Part 1: Manage local, roaming, and mandatory user profiles. (7 Questions)
Part 2: Monitor and Repair server hardware. Tools might include Device Manager, the Hardware Troubleshooting Wizard, and appropriate Control Panel items. (4 Questions)
Part 3: Create and manage groups
A: Identify and modify the scope of a group (8 Questions)
B: Find domain groups in which a user is a member (1 Question)
C: Manage group membership (4 Questions)
D: Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in (6 Questions)
E: Create and modify groups by using automation (4 Questions)
Part 4: Create and manage user accounts.
A: Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in. (14 Questions)
B: Create and modify user accounts by using automation. (3 Questions)
C: Import user accounts. (1 Question)
Part 5: Troubleshoot computer accounts.
A: Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in. (1 Question)
B: Reset computer accounts. (2 Questions)
Part 6: Troubleshoot user accounts.
A: Diagnose and resolve account lockouts. (8 Questions)
B: Diagnose and resolve issues related to user account properties. (17 Questions)
Part 7: Troubleshoot user authentication issues. (9 Questions)

Topic 3: Managing and Maintaining Access to Resources (69 Questions)
Part 1: Configure access to shared folders. (15 Questions)
Part 2: Troubleshoot Terminal Services.
A: Diagnose and resolve issues related to Terminal Services security. (8 Questions)
B: Diagnose and resolve issues related to client access to Terminal Services. (7 Questions)
Part 3: Configure file system permissions. (12 Questions)
A: Verify effective permissions when granting permissions. (5 Questions)
B: Change ownership of files and folders. (10 Questions)
Part 4: Troubleshoot access to files and shared folders. (9 Questions)

Topic 4: Managing and Maintaining a Server Environment (115 Questions)
Part 1: Monitor and analyze events. Tools might include Event Viewer and System Monitor. (10 Questions)
Part 2: Manage software and security update infrastructure. (35 Questions)
Part 3: Manage software site licensing. (3 Questions)
Part 4: Manage servers remotely.
A: Manage a server by using Remote Assistance and Remote Desktop. (8 Questions)
B: Manage a server by using Terminal Services remote administration mode. (1 Question)
C: Manage a server by using available support tools. (5 Questions)
Part 5: Troubleshoot print queues. (7 Questions)
Part 6: Monitor system performance. (11 Questions)
Part 7: Monitor file and print servers. Tools might include Task Manager, Event Viewer, and System Monitor.
A: Monitor disk quotas. (1 Question)
B: Monitor print queues. (1 Question)
C: Monitor server hardware for bottlenecks. (3 Questions)
Part 8: Monitor and optimize a server environment for application performance.
A: Monitor memory performance objects. (1 Question)
B: Monitor network performance objects. (3 Questions)
C: Monitor process performance objects. (3 Questions)
D: Monitor disk performance objects. (1 Question)
Part 9: Manage a Web server.
A: Manage Internet Information Services (IIS). (15 Questions)
B: Manage security for IIS. (5 Questions)

Topic 5: Managing and Implementing Disaster Recovery (86 Questions)
Part 1: Perform system recovery for a server.
A: Implement Automated System Recovery (ASR). (10 Questions)
B: Implementing shadow copying (7 Questions)
C: Restore data from shadow copy volumes. (1 Question)
D: Back up files and System State data to media. (17 Questions)
E: Configure security for backup operations. (1 Question)
Part 2: Manage backup procedures.
A: Verify backup jobs and backup data. (12 Questions)
B: Manage backup storage media. (2 Questions)
Part 3: Recover from server hardware failure. (11 Questions)
Part 4: Restore backup data. (14 Questions)
Part 5: Schedule backup jobs (10 Questions)

Topic 6: Miscellaneous (36 Questions)
Topic 7: Simulation (13 Questions)

Total number of questions: 445

Topic 1: Managing and Maintaining Physical and Logical Devices (37 Questions)
Part 1: Manage basic disks and dynamic disks. (8 Questions)

QUESTION NO: 1
You are the network administrator for Testking.com. The TestKing network contains seven application servers. Each application server runs a database application named TestKingApp. Requirements for TestKingApp state that when you add a new user, you must add the user to the server that has the most available disk space. You need to ensure that you meet the requirements when you add new users to TestKingApp. What should you do?
A. Use Event Viewer to review the application logs on each of the seven servers.
B. Use Performance Logs and Alerts to record the PhysicalDisk object on all seven servers.
C. Use Task Manager to view the performance data on each of the seven servers.
D. Use System Monitor to generate a histogram view of the LogicalDisk object on all seven servers.
Answer: D

Explanation: System Monitor shows real-time performance data based on Object counters, and can display the log data recorded by Performance Logs And Alerts either in the form of Counter (interval polling) logs, or Trace (event-driven) logs. Logs written by Performance Logs And Alerts can be loaded into System Monitor for analysis. The System Monitor is designed for real-time reporting of data to a console interface, and can be reported in graph, histogram, or numeric form. This should aid you in ensuring that you meet the stated requirements.

Incorrect answers:
A: The Application log contains data written to it by software programs; it records events that are generated by application programs and network application services. Using Event Viewer to review application logs would thus not ensure that you add a new user to the server with the most available space.
B: The Performance Logs And Alerts snap-in can do no configuration, only reporting data through Counter Logs as reported by providers (object counters) on a configured interval, or through Trace Logs as reported by event-driven providers. Thus this option will not work.
C: Viewing performance data through the Task Manager is not what you need.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 2
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. The network includes a file server named Testking1. Testking1 contains a single disk for system files and two SCSI hard disks that comprise a 72-GB mirrored volume with 65 GB of read-only data. Users connect to this data by using shortcuts on their desktops. Testking1 is scheduled for replacement. You have a scheduled maintenance window to complete this task. Before the maintenance window, you build a new server. You need to bring the new server online with current data and re-establish redundancy as quickly as possible. You must also ensure that the desktop shortcuts will continue to function. What should you do?
A. Name the new server Testking1. Create a new mirrored volume by using two 72-GB disks. Connect Testking2 to the network and copy the data from Testking1. When copying is complete, shut down the old Testking1.
B. Name the new server Testking1. Move both disks from the old Testking1 to the new Testking1. Scan the disks for changes. Import the disks. Connect the new Testking1 to the network.
C. Name the new server Testking1. Break the mirror on the old Testking1. Move one of the disks from the old Testking1 to the new Testking1. Scan the disk for changes. Initialize the disk. Select the spare disk and create the mirror. Connect the new Testking1 to the network.
D. Name the new server Testking1. Remove one of the disks in the mirror from the old Testking1. Move the disk to the new Testking1. Scan the disk for changes. Import the disk. Shut down the old Testking1 and connect the new Testking1 to the network.

Answer: B

Explanation: You have to make use of the existing old TestKing1 disks to make sure that the current data will be brought online. When moving disks from one computer to another, keep in mind that before disconnecting the disks from the old TestKing1 you must make sure the status of all volumes on each of the disks is healthy. For any volumes that are not healthy, repair the volumes before you move the disks. After you physically connect the disks to the new TestKing1, in Disk Management, open the Action menu and choose Rescan Disks. The scanning will detect changes. The new disk will show up as Dynamic/Foreign. By default, Dynamic/Foreign disks should be brought online automatically, but if not, bring the disk online by right-clicking it and selecting Online. Furthermore, to make Dynamic/Foreign disks useable, you must import them. The disk group remains as is and the database does not change. When connecting the new TestKing1 to the network you will enable users to use their existing shortcuts.

Incorrect answers:
A: Since TestKing1 is scheduled for replacement, you need no mirroring to be done, for the question states pertinently that you have to re-establish redundancy, which means that redundancy used to be in place before. A mirrored volume (also known as RAID Level 1 or RAID-1) consists of two identical copies of a simple volume, each on a separate hard disk. Mirrored volumes provide fault tolerance in the event that one physical disk fails. Besides, TestKing2 is irrelevant in this scenario.
C: Moving only one disk from the old TestKing1 to the new TestKing1 will affect not only the current amount of data available, but will also result in a lack of possible redundancy.
D: Removing one old TestKing1 disk from the mirror will not enable you to accomplish your task successfully.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3

QUESTION NO: 3
You are the administrator of a Windows Server 2003 computer named Testking1. Two hard disks are installed on Testking1. The hard disks are configured as shown in the exhibit. The data volume, which resides on Disk 1, is low on space. You need to provide additional space for the data volume. What should you do?
A. Use Disk Management to extend the data volume.
B. Run the fsutil volume command on the data volume.
C. Using Diskpart.exe, run the extend command on the data volume.
D. In Device Manager, select Disk 1. On the Volumes tab, click the Populate button.
Answer: A

Explanation: To increase a volume's capacity is to extend the volume. You can extend a simple or spanned volume on a dynamic disk so long as that volume is formatted as NTFS and so long as the volume is not the system or boot volume. And this is done through Disk Management.

Incorrect Answers:
B: With fsutil, Windows Server 2003 administrators can perform tasks such as managing disk quotas, managing mount points, and several other advanced disk-related tasks. Thus this command does not provide additional space.
C: Diskpart.exe command is used in converting disks and also to extend simple volumes, and not to extend disk volumes as is needed in this case which will have to be a spanned volume.
D: Populating Disk1 does not mean providing additional space.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 11, 15
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3

QUESTION NO: 4
You are the network administrator for TestKing.com. Your network includes a computer named Server1, which runs Windows Server 2003. All file and print services, all user home folders and all user profiles reside on Server1. Testking merges with Acme. Users from both companies will store their files and folders on Server1. You run Diskpart.exe to view the disk configuration of Server1, as shown:
Now you need to increase storage space on Server1. You will not create any additional volumes. What should you do to accomplish this task?
A. Make use of Diskpart.exe, run the Extend command on volume G:\ Then convert volume G:\ to FAT.
B. Make use of Diskpart.exe, run the Extend command on volume C:\ Then convert volume C:\ to NTFS.
C. Make use of Diskpart.exe, run the Extend command on volume I:\ Then convert volume I:\ to NTFS.
D. Make use of Diskpart.exe, run the Extend command on volume E:\ Then convert volume E:\ to FAT32.

Answer: C

Explanation: You can use the Diskpart.exe utility to manage disks, partitions, and volumes from a command-line interface. You can use Diskpart.exe on both Basic disks and Dynamic disks. If an NTFS volume resides on a hardware RAID 5 container that has the capability of adding space to the container, you can extend the NTFS Volume with Diskpart.exe while the disk remains a Basic disk.

Note: When you use Diskpart.exe to extend an NTFS partition, Microsoft recommends that you perform this task in Safe mode or Active Directory Restore mode. By doing so, you prevent open handles to the drive that cause the process to fail. Use the extend command to incorporate unallocated space into an existing volume while preserving the data.

Incorrect answers:
A: Volume G is a striped volume which will not lend itself to being extended safely and without risks. A striped volume (RAID-0) combines areas of free space from multiple hard disks into one logical volume. Unlike a spanned volume, however, data is written to all physical disks in the volume at the same rate. Because multiple spindles are in use, read and write performance is increased almost geometrically as additional physical disks are added to the stripe. But like extended simple volumes and spanned volumes, if a disk in a striped volume fails, the data in the entire volume is lost.
B: Volume C contains the system information and it is thus not recommended to use that specific volume to create space for data storage. NTFS can be extended.
D: FAT32 volumes cannot be extended. Also you cannot extend boot volumes.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 423

QUESTION NO: 5
You are the network administrator for Testking.com. All network servers run Windows Server 2003. A server named Server1 hosts several applications. This server contains two hard disks, Disk0 and Disk1. Each disk is connected to a different EIDE channel. Each disk is configured as a basic disk and formatted as NTFS. System files are installed on Disk1. You install a third hard disk on Server1. You configure it as a basic disk and format it as NTFS. When you restart Server1, you receive the following message:
"Windows could not start because of a computer disk hardware configuration problem. Could not read the selected boot disk. Check boot path and disk hardware. Please check Windows documentation about hardware disk configuration and your hardware reference manuals for additional information."
You press a key. Server1 restarts, but it displays the same message. You need to ensure that Server1 will start correctly. Your solution must not require reinstalling any applications on Server1. What should you do?
A. Start Server1 from the Windows Server 2003 installation CD-ROM. Use the Recovery Console to repair the system.
B. Start Server1 in Safe Mode with Command prompt.
C. Start Server1 from the Windows Server 2003 installation CD-ROM. Press F6 to replace the Mass Storage driver.
D. Reconfigure the new disk drive so it is enumerated after the existing drives. Restart Server1.
Answer: A

Explanation: Adding the extra hard disk has probably caused the problem. The boot.ini file needs to be corrected to reflect the new disk configuration. We can use the Bootcfg utility in the Recovery Console to correct this problem.

Use the Bootcfg utility in the Recovery Console to correct the Boot.ini file:
1. Use the Windows XP CD-ROM to start your computer.
2. When you receive the message to press R to repair Windows by using the Recovery Console, press the R key.
3. Select the Windows installation that you want, and then type the administrator password when prompted.
4. Type bootcfg /rebuild, and then press ENTER.
5. When the Windows installation is located, the following instructions are displayed:
Add installation to boot list? (Yes/No/All)
[Type Y in response to this message.]

Incorrect Answers:
B: If the boot.ini file is wrong, you won't be able to boot into safe mode.
C: This is not a driver problem. The mass storage driver worked before we added the new disk.
D: The disk drives are on different EIDE controllers, so this won't be possible (without moving the disk to the other EIDE controller).

Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 15

QUESTION NO: 6
You are the network administrator for Testking.com. Your network includes a computer named TestKingSrv1, which runs Windows Server 2003 and Windows XP Professional in a dual boot configuration. TestKingSrv1 has two basic disks, which are configured as shown in the following table.

Partition   Disk 1        Size
1           System        3 GB
2           Boot          4 GB
N/A         Unused        9 GB
3           Backup data   8 GB

Partition   Disk 2              Size
1           Boot                4 GB
2           Application files   8 GB
N/A         Unused              5 GB
3           N/A                 N/A

You need to create a 10 GB partition on Server 1 to store user data. TestKingSrv1 must retain its dual boot functionality. What should you do?
A. Convert both disks to dynamic disks. Create a 10 GB extended volume by using the unused space on Disk 1 and Disk 2.
B. Back up Partition 2 on Disk2. Remove Partition 2 from Disk 2 and restore it on Disk 1 by using the unused space on Disk 1. Create a 10 GB partition on Disk 2.
C. Back up partition 2 on Disk 1. Remove Partition 2 from Disk 1 and restore it on Disk 2 by using the unused space on Disk 2. Create a 10 GB partition on Disk 1.
D. Convert both disks to dynamic disks. Back up Volume 2 on Disk 2. Remove Volume 2 from Disk 2 and restore it on Disk 1 by using the unused space on Disk 1. Create a 10 GB volume on Disk 2.

Answer: B

Explanation: You are presented with two choices: one, you could move the Application files from disk 2 to disk 1 or, two, you could move the boot files. Moving the application files is a better option. It is not advisable to move the boot files. In addition, you cannot convert basic disks to dynamic disks if they contain multiple installations of Windows 2000, Windows XP Professional, or the Windows Server 2003 family of operating systems. Moreover, after the conversion, it is unlikely that you will be able to start the computer using that operating system. After the disk is converted to dynamic, you can start the operating system that you used to convert the disk, but you will not be able to start the other operating systems on the disk.

Here are some considerations to keep in mind:
1. You can convert a basic disk containing the system or boot partitions to a dynamic disk.
2. After the disk is converted, these partitions become simple system or boot volumes (after restarting the computer).
3. You cannot mark an existing dynamic volume as active.
4. You can convert a basic disk containing the boot partition (which contains the operating system) to a dynamic disk.
5. After the disk is converted, the boot partition becomes a simple boot volume (after restarting the computer).

Incorrect Answers:
A: Because you cannot convert basic disks to dynamic disks if they contain multiple installations of Windows 2000, Windows XP Professional, or the Windows Server 2003 family of operating systems. Moreover, after the conversion, it is unlikely that you will be able to start the computer using that operating system. After the disk is converted, the boot partition becomes a simple boot volume (after restarting the computer).
C: It is not advisable to move the boot files even if it is possible.
D: Do not convert basic disks to dynamic disks if they contain multiple installations of Windows Operating systems. After the conversion, it is unlikely that you will be able to start the computer using that operating system.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 433
Server Help

QUESTION NO: 7
You are the network administrator for TestKing.com. You administer a Windows Server 2003 computer named TestKing12. TestKing12 has a single disk. The disk is configured so that it has four primary partitions, which are formatted as FAT32. The disk also has unallocated space available. You need to use the unallocated disk space to store user data. What should you use?
A. Convert all existing partitions to NTFS.
B. Using Diskpart.exe, run the create command.
C. Convert the disk to a dynamic disk, and create a new volume.
D. Using Diskpart.exe, run the extend command.
Answer: C

Explanation: Converting the disk to a dynamic disk and then creating a new volume will enable you to use the unallocated disk space to store data.

Incorrect answers:
A: Merely converting all existing partitions to NTFS is not the answer. This is only part of the solution.
B: Diskpart.exe command is used in converting disks and also to extend simple volumes, and not to extend disk volumes as is needed in this case which will have to be a spanned volume.
D: You can use the Diskpart.exe utility to manage disks, partitions, and volumes from a command-line interface. You can use Diskpart.exe on both Basic disks and Dynamic disks. Use the extend command to incorporate unallocated space into an existing volume while preserving the data. However, FAT32 volumes cannot be extended.

Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 423

QUESTION NO: 8
You are the network administrator for TestKing.com. You manage a Windows 2003 computer named TestKing3 that functions as a file server. The data volume on TestKing3 is mirrored. Each physical disk is on a separate controller. One of the hard disks that contains the data volume fails. You discover that the failure was caused by a faulty SCSI controller. You replace the SCSI controller. You need to restore the data volume to its previous state. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Run the diskpart active command on the failed volume
B. Convert both disks to basic disks, and then restore the data.
C. Break the mirror, and then re-create the mirror.
D. Select a disk in the mirror, and then reactivate the volume.

Answer: D

Explanation: To restore the volume, replace the failed disk, rescan the disks, and reactivate the disk. If this doesn't make the volume healthy again, then right-click the volume and choose Reactivate Volume. The computer will chug away for a couple of minutes, rebuilding the missing data with the parity information on the remaining disks, and the stripe set will be back in one piece. Thus if you select a disk in the mirror and then reactivate the volume you will solve the problem in this case.
Incorrect answers:
A: Replaces the FDISK tool with which you're probably familiar. Creates or deletes disk partitions. Only use this command on basic disks; it can damage dynamic disks. This is not what is needed here.
B: This is unnecessary.
C: There is no need to break the mirror since the problem only arose due to a failed SCSI controller.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, pp. 230-231

Part 2: Monitor and Repair server hardware. Tools might include Device Manager, the Hardware Troubleshooting Wizard, and appropriate Control Panel items. (10 Questions)

QUESTION NO: 1
HOTSPOT
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. Dr King, one of the users in the domain, reports that she cannot access a server named TestKing2. What action should you take to enable Dr King to access the server?
Answer:
Explanation: Re-enable the NIC
In the exhibit the 3Com 3C920 Integrated Fast Ethernet Controller is marked with a red cross. This means that Dr. King will first have to enable this card to re-establish a connection to the server TestKing2. If you disable a listener connection, no one will be able to connect to Terminal Services on the NIC for which it is configured until you re-enable it.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 547

QUESTION NO: 2
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. You use Microsoft Operations Manager (MOM) to monitor all servers. An e-mail server named MailTK1 is located at a remote data center. MailTK1 runs Microsoft Exchange Server 2003. MailTK1 restarts unexpectedly during business hours. The event log indicates a problem with the SCSI CD-ROM. You need to ensure that MailTK1 remains continuously available during business hours. What should you do?
A. Use Device Manager to disable the SCSI CD-ROM.
B. Create and implement a new hardware profile to exclude the SCSI CD-ROM.
C. Use Device Manager to update the driver for the SCSI CD-ROM.
D. Use Device Manager to update the driver for the SCSI controller.
Answer: A
Explanation: The problem lies with the SCSI CD-ROM as indicated by the Event Log. This means that if you circumvent the problem you will avoid the problem of MailTK1 restarting at unexpected times. Thus you only need to disable the SCSI CD-ROM and not remove it. You can enable and disable devices for a specific hardware profile through their properties dialog boxes in Device Manager.
Incorrect answers:
B: It is not necessary to create a new hardware profile.
C: Updating the driver may solve the problem. However, disabling the device will make sure of it.
D: Updating the driver for the SCSI controller by making use of Device Manager will not solve the problem of the server starting unexpectedly.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 2

QUESTION NO: 3
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. Your network includes one branch office in addition to the main office. A server named ServerTK1 connects the main office to the branch office by using an external dial-up modem. One morning, users report that the connection to the branch office is not functioning. On investigation, you discover that the modem is turned off. You restart the modem. Then you open Device Manager and see the information shown in the exhibit.
You need to ensure that the connection between the main office and the branch office functions correctly. Your solution must involve the minimum amount of change to ServerTK1 and the minimum amount of interruption in network service. What should you do?
A. Restart ServerTK1.
B. Create a new dial-up connection to the branch office.
C. Open Device Manager to scan ServerTK1 for changes in hardware.
D. Use the Add Hardware Wizard to detect and install the modem.
Answer: C
Explanation: According to the exhibit, there is no modem found. This is evident from the lack of modem subsection. You should thus Open Device Manager to scan ServerTK1 for changes in hardware in an effort to find the modem. This will ensure that you do not add any changes to the existing network and with the minimum amount of server downtime.
Incorrect answers:
A: Restarting the server as suggested here does not mean restoring the settings and establishing the connection from the branch office to the head quarters because the modem has been unplugged.
B: Creating a new dial-up connection to the branch office will involve unnecessary changes.
D: You do not need to add any hardware as the modem was installed and was operational before. You use the Add Hardware Wizard when you want to add new hardware to the computer and the modem is not new, it was just turned off.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 4
DRAG DROP
You are the file server administrator for TestKing. The company network consists of a single Active Directory domain named testking.com. The domain contains 12 Windows Server 2003 computers and 1,500 Windows XP Professional computers. You manage three servers named TestKing1, TestKing2, and TestKing3. You need to update the driver for the network adapter that is installed in Serve1. You log on to TestKing1 by using a nonadministrative domain user account named King. You open the Computer Management console. When you select Device Manager, you receive the following error message: "You do not have sufficient security privileges to uninstall devices or to change device properties or device drivers".

You need to be able to run the Computer Management console by using the local administrator account. The local administrator account on TestKing1, TestKing2, and TestKing3 has been renamed Tess. Tess's password is kY74X. In Control Panel, you open Administrative Tools. You right-click the Computer Management shortcut and click Run as on the shortcut menu. What should you do next?
Answer:
Explanation: You need to make use of "The following User" setting because you want to run the program under a different account to the one you're logged in with, by entering "TestKing1\Tess" in the User Name field and entering "kY74X" in the password field. In this scenario, this is the local administrator account.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 2

QUESTION NO: 5
You are the network administrator for Testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. A user reports that she cannot access a server named TestKingB.
First, you verify that the network adapter on TestKingB has the correct driver installed. Then, you open Device Manager on TestKingB. You see the display shown in the exhibit. Now you need to use Device Manager to restore network connectivity on TestKingB. What should you do?
A. Enable the network adapter.
B. Change the IRQ setting of the network adapter.
C. Change the IP address of the network adapter.
D. Adjust the link speed of the network adapter to match the link speed of the network.
E. Resolve all possible hardware conflicts between the network adapter and the unknown device.
Answer: A
Explanation: The exhibit shows that the network card is disabled. The question also mentions that the correct driver is installed. Therefore, enabling the network adapter will render it operational.
Incorrect Answers:
B: Interrupt request (IRQ) - One of a set of possible hardware interrupts, identified by a number. The number of the IRQ determines which interrupt handler will be used. If the IRQ was wrong, the network adapter would have an exclamation mark in a yellow circle over it.
C: If the IP address was wrong, the network adapter would seem to be operational in Device Manager.
D: If the link speed was wrong, the network adapter status will appear as operational in Device Manager.
E: If there was a hardware conflict, the network adapter status will be marked with an exclamation mark in a yellow circle over it.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 763

QUESTION NO: 6
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. TestKing operates 10 branch offices in addition to the main office. Each branch office has one file server with two logical disks, P:\ and U:\. Each disk has a capacity of 20 GB. For each department in the branch office, P:\ hosts one folder in which departmental users save shared documents. For all users in the branch office, U:\ hosts home folders. The main office includes a network operations center that monitors servers and network status. However, branch office users frequently report that their servers have no more disk space. In such cases, local support technicians log on to the servers and delete unnecessary files.

You need to create a proactive monitoring strategy for the network operations center. Monitoring must alert the network operations center before the branch office servers run out of disk space. Monitoring must also report which disks on the servers are approaching capacity. The monitoring strategy must require the minimum amount of administrative effort. What should you do?
A. Configure a server in the main office to report performance alerts on the branch office servers. Use the logicaldisk(_total)\% Free Space counter to indicate when free space is less than 5 percent. Use the logicaldisk(_total)\Free megabytes counter to indicate when free space is less than 100 MB.
B. On each branch office server, create a performance alert. Use the logicaldisk(_total)\% Free Space counter to indicate when free space is less than 5 percent. Use the logicaldisk(_total)\Free megabytes counter to indicate when free space is less than 1000 MB.
C. Configure a server in the main office to report performance alerts on the branch office servers. Use the logicaldisk(P)\% Free Space counter and the logicaldisk(U)\% Free Space counter to indicate when free space is less than 5 percent.
D. On each branch office server, create a performance alert. Use the logicaldisk(P)\% Free Space counter and the logicaldisk(U)\% Free Space counter to indicate when free space is less than 5 percent.
Answer: C
Explanation: The monitoring must alert the network operations centre before the branch office servers run out of disk space and monitoring must also report which disks on the servers are approaching capacity. LogicalDisk: % Free Space is a counter that indicates the amount of free space available on the disk as a percentage of the total disk capacity. Paging problems can occur if you have little disk space to which the system can swap data out of memory, and operating system errors can occur if the partition on which the OS is installed becomes too full.
Incorrect Answers:
A: It is necessary to know which disks are near capacity, so we cannot monitor the total disk space; we must monitor the individual logical disks.
B: We need to know which disks are near capacity, so we cannot monitor the total disk space; we must monitor the individual logical disks.
D: The monitoring must alert the network operations centre before the branch office office.
Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 748

QUESTION NO: 7
You are the network administrator for TestKing.com. You administer a Windows Server 2003 computer named TestKing5. The hardware vendor for TestKing5 notifies you that a critical hotfix is available. This hotfix is required for all models of this computer that have a certain network interface card. You need to find out if the network interface card that requires the hotfix is installed in TestKing5. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Open Network Connections, and then examine the properties of each connection that is listed.
B. Open the Component Services snap-in, expand Computers, expand My Computer, and then examine the list.
C. Run the netsh interface command, and then examine the list.
D. Open Device Manager, expand Network adapters, and then examine the list.
Answer: A, D
Explanation:
A: The Network Connections tab contains settings for network connections and a Wizard to create new connections. From there you will be able to examine the properties of each connection that is listed. This will reveal if the network interface card that requires the hotfix is installed on TestKing5.

D: The Device Manager utility is a graphically-based utility that provides information about all of the devices that your computer currently recognizes. Through Device installed on your computer. You can also run the Hardware Troubleshooting Wizards from Device Manager. If you make use of Device Manager and then expand the Network Adapters tab, you will be able to find out if the appropriate network interface card is installed on TestKing5.
Incorrect answers:
B: This option will not display the relevant information needed.
C: You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical information.
Reference:
Microsoft Knowledge Base: 306794: How to Install the Support Tools from the Windows XP CD-ROM
Network Monitor is provided with Windows Server products and Microsoft Systems Management Server (SMS). Microsoft Corporation, 200
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 686, 854-856, 926
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 2, pp. 84 & 116

QUESTION NO: 8
You are the network administrator for TestKing.com. You are the administrator of a Windows Server 2003 computer named TestKing3. Newly hired employees recently started storing files on TestKing3. Now users report that Testking3 is responding much slower than it did before the additional users were added. You suspect the disk subsystem needs to be upgraded to accommodate the additional user load.
You need to confirm whether the disk subsystem on TestKing3 needs to be upgraded. What should you do?
A. Configure a Performance Logs and Alerts on the %Free space counter.
B. Use Device Manager to populate volume settings and examine the properties of the disk drives on TestKing3.
C. Use Event Viewer to examine the system logs and search the system logs for event logs for events generated by the disk event source.
D. Use System Monitor to monitor counters based on the PhysicalDisk object.
Answer: D
Explanation: One adds key counters to track for the processes subsystem and how to tune and upgrade the processes subsystem to the System Monitor. The PhysicalDisk object is the sum of all logical drives on a single physical drive. Adding this object counter to the System Monitor should give you the relevant information necessary to confirm whether an upgrade of the disk subsystem is needed.
Incorrect answers:
A: The %Free space counter tracks how much free space is available on the hard drive. It is a way to track disk space usage proactively so users do not experience "out of disk space" errors. This is not the information needed to confirm whether an upgrade of the disk subsystem is needed.
B: Device Manager is a Windows Server 2003 utility used to view information about the computer's hardware configuration and set configuration options. This is not what is required.
C: Event Viewer is a Windows Server 2003 utility that tracks status information about the computer's hardware and software, as well as security events. This information is stored in multiple log files dependent upon the configuration of the server. The minimum number of logs is three: the Application log, the Security log, and the System log. However, you should rather make use of System Monitor to monitor counters based on the PhysicalDisk object in this case.
Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 9, p. 460

QUESTION NO: 9

Exhibit
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A Windows Server 2003 computer named TestKing2 functions as a mail server. TestKing2 has a single disk that is configured as a basic disk. You add a second disk. In Disk Management, you right-click the unallocated file system. You discover that the "New Partition" menu command is unavailable, as shown in the exhibit. You need to create a new partition. What should you do?
A. Restart the server, and then select the New partition menu command.
B. Right-click the disk, select Initialize, and then select the New partition menu command.
C. Replace the disk that you added, and then select the New partition menu command.
D. Ask the appropriate administrator to assign you Administrator rights on TestKing2, and then select the New partition menu command.
Answer: B
Explanation: When you attach a new disk to your computer, you must first initialize the disk before you can create partitions. When you first start Disk Management after installing a new disk, a wizard appears that provides a list of the new disks that are detected by the operating system. When you complete the wizard, the operating system initializes the disk by writing a disk signature, the end of sector marker (also called a signature word), and a master boot record (MBR). The question states that a second disk has been added, thus you will need to initialize the disk and then select the New Partition menu command to create a new partition.
Incorrect answers:
A: Restarting the server is not the way to go when you first need to initialize the disk, as the question states that a second disk has been added.
C: This does not make sense considering that a second disk has already been added. What is needed is to initialize the disk and only then will the New Partition menu command be available.
D: This is not a matter of administration rights.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 11.38
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 4, p. 216

QUESTION NO: 10
You are the network administrator for TestKing.com. All network servers run Windows Server 2003.
The network includes a file server named TestKing17. TestKing17 contains a single disk for system files and two SCSI hard disks that comprise a 72-GB mirrored volume with 65 GB of read-only data. Users connect to this data by using shortcuts on their desktops. TestKing17 is scheduled for replacement. You have a scheduled maintenance window to complete this task. Before the maintenance window, you build a new server. You need to bring the new server online with current data and re-establish redundancy as quickly as possible. You must also ensure that the desktop shortcuts will continue to function. What should you do?
A. Name the new server TestKing20. Create a new mirrored volume by using two 72-GB disks. Connect TestKing20 to the network and copy the data from TestKing17. When copying is complete, shut down the old TestKing17.
B. Name the new server TestKing17. Move both disks from the old TestKing17 to the new TestKing17. Scan the disks for changes. Connect the new TestKing17 to the network.
C. Name the new server TestKing17. Break the mirror on the old TestKing17. Move one of the disks from the old TestKing17 to the new TestKing17. Scan the disk for changes. Initialize the disk. Select the spare disk and create the mirror. Connect the new TestKing17 to the network.
D. Name the new server TestKing17. Remove one of the disks in the mirror from the old TestKing17. Move the disk to the new TestKing17. Scan the disk for changes. Import the disk. Shut down the old TestKing17 and connect the new TestKing17 to the network.
Answer: B
Explanation: The "Scan For Hardware Changes" option allows you to force a manual scan to see if any new hardware changes have been detected. To be able to bring the server online with the current data and re-establish redundancy as soon as possible whilst ensuring that desktop shortcuts stay functional, you will need to give the same name to the new server, namely TestKing17, and use the two disks from the old TestKing17. You should then scan it for any changes and then connect the new TestKing17 to the network.
Incorrect answers:
A: There is no need to create a new mirrored volume in this case. Besides, where will you get the two new disks from to copy the existing data of TestKing17 onto? What is needed is to use the old TestKing17 disks to provide continuity for users insofar as desktop shortcuts are concerned.
C & D: This is not necessary. All that has to be done is to use the existing TestKing17 disks and put them on the newly created and named TestKing17 server. Scanning the disk for changes and then connecting new TestKing17 to the network.
Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 2, p. 91

Part 3: Optimize server disk performance.
A: Implement a RAID solution. (8 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A server named TK1 contains a simple volume that stores mission critical data files. TK1 experiences hardware failure and stops functioning. Replacement parts will be available within 72 hours. A second file server named TK2 is available. However, TK2 has insufficient disk space to hold the data on TK1. You need to provide immediate access to the data on TK1. First, you install the disks from TK1 on TK2 and restart TK2. However, the disks do not appear in Disk Management. Which action or actions should you perform? (Choose all that apply.)
A. Install the disks from TK1 on TK2. In Disk Management, initialize the disks.
B. Install the disks from TK1 on TK2. In Disk Management, rescan the disks.
C. In Disk Management, select each disk from TK1. Then, select the option to import foreign disks.
D. In Disk Management, select each disk from TK1. Then, select the option to repair the volume.
E. On TK2, run the mountvol /p command from a command prompt.
F. On TK2, convert the dynamic disks to basic disks.
Answer: B, C
Explanation: It is imperative that you rescan disks after you move hard disks between scans all attached disks for changes to the disk configuration. It also updates information about removable media, CD-ROM drives, basic volumes, file systems, and drive letters. When you move a dynamic disk from one computer to another, Windows Server 2003 considers the disk as a foreign disk by default. When Disk Manager indicates the status of a new disk as foreign, you have to import the disk before you can access volumes on the disk.
Incorrect Answers:
A: When you attach a new disk to your computer, you must first initialize the disk before you can create partitions.
When you first start Disk Management after installing a new disk, a wizard appears that provides a list of the new disks that are detected by the operating system. When you complete the wizard, the operating system initializes the disk by writing a disk signature, the end of sector marker (also called a signature word), and a master boot record (MBR). If you cancel the wizard before the disk signature is written, the disk status remains Not Initialized.
D: Since replacement parts are underway, you need not repair the disk as this will not make the TK1 data available immediately.
E: The Mountvol command creates, deletes, or lists a volume mount point. Mountvol is a way to link volumes without requiring a drive letter.
F: If you convert the dynamic disks to basic disks you will lose the data and the question pertinently asks for the TK1 data to be made available.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 11.38
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3

QUESTION NO: 2
You are the network administrator for Testking.com. All network servers run Windows Server 2003. TestKingA hosts highly confidential files. The Disk Management console for TestKingA is shown in the exhibit.
You need to ensure the security of all files on TestKingA. In the event of disk failure, you need to minimize the time required to make these files available again. You also need to improve file system performance. How will you go about accomplishing these objectives?
A. Configure the unallocated disks in a RAID-0 configuration and then convert the disks to basic disks.
B. Configure one of the unallocated disks in a RAID-1 configuration and then convert the disks to dynamic disks.
C. Store a shadow copy of disk C on one of the unallocated disks and then convert the disks to basic disks.
D. Configure the unallocated disks as an extended volume and then convert the disks to dynamic disks.
Answer: B
Explanation: Part of the objectives state that you must minimize the time needed to make these files available again in case of disk failure. This can be accomplished through mirroring Disk0 to another disk. A disk mirror is also known as RAID-1. You have to convert the disks to dynamic disks to accomplish this. A mirrored volume is a fault-tolerant set of two physical disks that contain an exact replica of each other's data within the mirrored portion of each disk. Mirrored volumes are supported only on Windows Server computer versions. If you convert the disk containing the boot and system partitions to a dynamic disk, you can mirror the boot and system volumes onto another dynamic disk. Then, if the disk containing the boot and system volumes fails, you can start the computer from the disk containing the mirrors of these volumes.
Incorrect Answers:
A: A RAID-0 is fast but it offers no redundancy. Redundancy is necessary if you need to consider using the minimum time needed to make these files available after possible disk failure. The disks are already basic disks, so there is no need for any conversion. Furthermore the objectives will only be met through converting the disks to dynamic volumes.
C: A shadow copy will keep copies of previous versions of the files. You won't be able to access these though if Disk0 fails. The disks are already basic disks, so there is no need for any conversion. Furthermore the objectives will only be met through converting the disks to dynamic volumes.
D: An extended volume offers no redundancy, which is needed to minimize the time needed to make these files available in case of disk failure. Though dynamic disks will allow mirroring, the extended volume configuration will negate that possibility.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3

QUESTION NO: 3

You are the network administrator for TestKing.com. You administer a Windows Server 2003 computer named TestKing4. TestKing4 has a single physical disk that is configured as a simple volume.

You plan to store the files for a large database on TestKing4. You plan to install additional physical disks on TestKing4. You need to reconfigure the disks on TestKing4. Your solution must provide fault tolerance for the operating system and the database files.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Install three additional physical disks. Create a new RAID-5 volume. Place the database files on the new volume.
B. Install three additional physical disks. Create a new striped volume. Place the database files on the new volume.
C. Install one additional physical disk. Configure the simple volume as a mirrored volume.
D. Install one additional physical disk. Configure the simple volume as a spanned volume.

Answer: A, C

Explanation:
RAID (Redundant Array of Independent Disks)-5 volume or striped set with parity volume is a fault-tolerant collection of equal-sized partitions on at least three physical disks, in which the data is striped and includes parity data. The parity data helps recover a member of the striped set if the member fails. If a single disk fails in a RAID-5 volume, data can continue to be accessed as is the case here. During read operations, any missing data is regenerated on the fly through a calculation involving remaining data and parity information thus taking care of redundancy in the sense that work will continue and no information will be lost. RAID-5 can only sustain a single drive failure. Thus RAID-5 is a volume configuration that stripes data over multiple disk channels and places a parity stripe across the volume for fault tolerance.
A mirrored volume set contains a primary volume and a secondary volume. The data written to the primary volume is mirrored to the secondary volume. Mirrored volumes provide fault tolerance, because if one volume in the mirrored volume fails, the other volume still works without an interruption in service or loss of data.
Mirrored volumes are copies of two simple volumes stored on two separate physical drives. So, if you are to provide fault tolerance for the operating system and the database files in your re-configuration of TestKing4, you should install three additional physical disks, create a new RAID-5 volume and place the database files on the new volume. You should also install another physical disk and configure it as a mirrored volume.

Incorrect answers:
B: A striped volume is a dynamic disk volume that stores data in equal stripes between 2 to 32 dynamic drives. Typically, administrators use striped volumes when they want to combine the space of several physical drives into a single logical volume and increase disk performance. You should not create a new striped volume, RAID-5 will provide fault tolerance since TestKing4 is configured as a simple volume.
D: A spanned volume is a dynamic disk volume that consists of disk space on 2 to 32 dynamic drives. Spanned volume sets are used to dynamically increase the size of a dynamic volume. With spanned volumes, the data is written sequentially, filling space on one physical drive before writing to space on the next physical drive in the spanned volume set. TestKing4 is a simple volume.

Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 4, p. 208

QUESTION NO: 4

You are the network administrator for TestKing.com. You manage a Windows Server 2003 computer that functions as a file server. The data volume on the server is configured as a software RAID-5 array.

One of the disks that contain the data volume fails. You replace the failed disk. You start the Disk Management utility and view the status listed in the following table.

Disk      Status          Type
Disk1     Online          Dynamic
Disk2     Online          Dynamic
Disk3     Not initiated   Unknown
Missing   Offline         Dynamic

You need to restore fault tolerance.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a striped set that includes Disk1 and Disk2.
B. Initialize Disk3 and convert it to a dynamic disk.
C. Reactivate the RAID-5 array volume.

D. Repair the RAID-5 array volume to include Disk3.
E. Initialize Disk3 and configure it as a basic disk.
F. Reactivate the missing disk.

Answer: B, D

Explanation:
The question states that Disk3 is not initiated. Thus to restore fault tolerance you should make sure that their types are all the same, hence the need to initialize Disk3 and convert it to dynamic. A RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate, and is interlaced with parity to provide fault tolerance for a single disk failure. Since the question mentions that the data volume that is configured as a software RAID-5 array has one failed disk, you should also repair the array to restore fault tolerance.

Incorrect answers:
A: A mere striped set that includes only Disk1 and Disk2 will not restore the lost fault tolerance since those two disks are still operational and available and not Disk3.
C: You need to repair the RAID-5 array and not reactivate it.
E: Configuring Disk3 as a basic disk will not restore fault tolerance. Disk3 needs to be converted to dynamic disk so as to make it the same type as the other two disks.
F: Reactivating the missing disk is not going to restore fault tolerance.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 11.38
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 4, p. 203

QUESTION NO: 5

Exhibit

You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A server named TestKing2 functions as a file server. The hard disks in TestKing2 are configured as shown in the table displayed in the exhibit.

Users in the finance department store documents in the shared folder on TestKing2. Users report that they experience poor performance when they save files in the shared folder.

You need to use System Monitor to find out if the storage subsystem has a performance problem when users save files in the shared folder on Testking2.

What should you do?

A. Add the LogicalDisk performance object. Monitor the Free Megabytes counter on drive F.
B. Add the LogicalDisk performance object. Monitor the Avg. Disk Queue Length counter on physical disk 1.
C. Add the Paging File performance object. Monitor the % Usage counter.
D. Add the Server performance object. Monitor the Bytes Total/sec counter.

Answer: B

Explanation:
Disk Queue Length indicates the number of outstanding disk requests that are waiting to be processed. The Avg. Disk Queue Length counter forms part of the most useful performance data and will yield the necessary information regarding the storage subsystem.

Incorrect answers:
A: You will not get the necessary information for the purposes of this question.
C: The Paging File > %Usage counter indicates how much of the allocated page file is currently in use. If this number is consistently over 70 percent, you may need to add more memory or increase the size of the paging file.
You should use the Paging File > %Usage counter value in conjunction with the Memory > Available Bytes and Memory > Pages/Sec counters to determine how much paging is occurring on your computer.
D: This will not yield the proper information needed in this case.

Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 9, pp. 454, 460

QUESTION NO: 6

Exhibit

You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A server named TestKing6 functions as a print server.

Users in the sales department print large reports and sales documents on several printers that are attached to TestKing6. Users report that during periods of peak activity, TestKing6 becomes unresponsive and it is slow to print documents.

You use System Monitor to view the performance of TestKing during a period of peak activity. The results are shown in the exhibit.

You need to improve the performance of TestKing6 when documents are printed during periods of peak activity.

What should you do?

A. Configure a printer pool on TestKing6 by using an additional print device.
B. Install an additional hard disk in TestKing6. Move the spool directory to the new hard disk.
C. Increase the amount of physical RAM that is installed in TestKing6.
D. Upgrade the processor in TestKing6.

Answer: B

Explanation:
A common problem with printing in larger networks is that the spool folder gets so large that it fills up all available space on the disk drive. To get around this, move the spool folder to a different disk partition that has plenty of free space. Since the problem only occurs during periods of peak activity there is an indication that you need additional hard drive space so as to be able to print the large documents and reports. With network printing you need to spool the documents before printing as many a time there would be a print queue. Thus to improve TestKing6 performance, you need to install an additional hard disk and move the spooler to the new hard disk.
Incorrect ans"ers: )9 Ma/ing use of an additional print de%ice will not sol%e the problem that the print ser%er, Test@ing;, is eBperiencing. '9 This is not a matter of insufficient RAM that causes the problem but rather a problem caused b insufficient space to spool the documents. D9 There is no need to upgrade the processor since it is not a processor that ia causing the problem. De$erence9 Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, 4aura 3. Aunter L !ill $chmied, M.$AHM.$39 3Bam G"22="9 Managing and Maintaining a !indows $er%er 2""3 3n%ironment9 $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, 2""3, .hapter G, p. ;11 QUESTION NO: 7 You are the net"or0 administrator $or TestBing com You administer a !indo"s Ser/er 2==, com#uter named TestBing7 Users re#ort that they e3#erience #oor #er$ormance "hen they access resources located on TestBing7 You sus#ect a dis0 bottlenec0 You need to set u# #er$ormance counters to monitor TestBing7 ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -; 2 You need to decide "hich #er$ormance ob2ects to monitor !hich t"o counters should you choose% &Each correct ans"er #resents #art o$ the solution Select t"o ( A. 4ogicalDis/WZ &dle Time 1. 5h sicalDis/WZ Dis/ Time .. 5h sicalDis/WA%g. Dis/ :ueue 4ength D. Memor W!rite .opiesHsec 3. Memor W.ommit 4imit )ns"er: +* D E3#lanation9 The Memor 9 5agesHsec counter is used to measure memor usage. And with the 5h sicalDis/WZDis/ Time counter ou will get an indication of whether the dis/ is being read 6uic/l enough or not. These two counters would be essential is ou suspect a dis/ bottlenec/. Incorrect ans"ers: )9 This counter will not be as crucial to the re6uirements of this 6uestion. '9 The 5h sical Dis/9 A%e. Dis/ :ueue 4ength counter is used to measure hard dis/ performance.

E: The Commit Charge group box is related to the Kernel Memory group box. The virtual memory details can be found here. (Remember, virtual memory is the maximum size of the page file.) The Peak item in this Commit Charge group box can exceed the physical memory value in the Physical Memory group box since page file can be utilized. The Limit item displays the maximum memory available.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide & DVD Training System, Syngress Publishing, Rockland, 2003, Chapter 9, p. 725

QUESTION NO: 8

You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A server named TestKing6 functions as a file server. The disk subsystem on TestKing6 is configured as shown in the following table.

You need to ensure that you are notified if there is less than 1 GB of available disk space for company data.

What should you do?

A. Create a performance alert. Configure the alert to monitor LogicalDisk performance objects for volume F.
B. Create a trace log. Configure the log to record disk input/output for volume F.
C. Create a performance alert. Configure the alert to monitor the PhysicalDisk performance objects for physical disks 3, 4, 5, and 6.
D. Create a trace log. Configure the log to record the LogicalDisk performance objects for volume F.
Answer: A

Explanation:
The purpose of an alert is to notify the system administrator that the system is not functioning according to standard operating environment. You can configure alerts to send a network message, start a program, run a script, or log an event in the event log if a performance threshold is reached. Thresholds are limits that you specify (for example, when a disk is 90 percent full), or in this case to monitor LogicalDisk performance object for volume F, for volume F: has the company data that is bound to grow larger in volume.

Incorrect answers:
B: You should be creating a performance alert, not a trace log. Furthermore, recording disk input and output will not yield the proper alert.
C: This option is halfway correct except that you need to monitor LogicalDisk performance object for volume F: and not PhysicalDisk performance objects for disks 3, 4, 5 and 6.
D: You should be creating a performance alert and not a trace log.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide & DVD Training System, Syngress Publishing, Rockland, 2003, Chapter 9, p. 788

B: Defragment volumes and partitions. (2 Questions)

QUESTION NO: 1

You are the network administrator for TestKing. All network servers run Windows Server 2003. You administer a server named TestKing76.

You need to configure TestKing76 to function as a streaming media server for TestKing.com's content team. The content team wants TestKing76 to provide the fastest performance and the most available space possible. Redundancy is not important.

TestKing76 currently has three identical, unpartitioned hard disks available. You need to configure the disks to meet the content team's requirements.

What should you do?

A. Create a simple volume on disk and then expand it to the other two disks.
B. Create a mirrored volume that uses two of the disks.
C. Create a RAID-5 volume that uses all three disks.
D. Create a striped volume that uses all three disks.

Answer: D

Explanation:
A striped volume is where data is written to 2 to 32 physical disks at the same rate. It offers maximum performance and capacity but no fault tolerance. Striped volumes use RAID-0, which stripes data across multiple disks. Striped volumes cannot be extended or mirrored, and do not offer fault tolerance. If one of the disks containing a striped volume fails, the entire volume fails. When creating striped volumes, it is best to use disks that are the same size, model, and manufacturer. With a striped volume, data is divided into blocks and spread in a fixed order among all the disks in the array, similar to spanned volumes. Striping writes files across all disks so that data is added to all disks at the same rate.
Despite their lack of fault tolerance, striped volumes offer the best performance of all the Windows disk management strategies and provide increased I/O performance by distributing I/O requests across disks. For example, striped volumes offer improved performance when:
1. Reading from or writing to large databases.
2. Collecting data from external sources at very high transfer rates.
3. Loading program images, dynamic-link libraries (DLLs), or run-time libraries.
Thus the answer to the problem would be to create a striped volume that uses all three disks.

Incorrect answers:
A: This option will not meet the requirements.
B: Mirrored volumes are used for redundancy purposes.
C: A RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate, and is interlaced with parity to provide fault tolerance for a single disk failure. However, since the problem mentions that redundancy is not important, it would be better to make use of a striped volume that uses all three disks.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 281, 11.49

QUESTION NO: 2

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A server named TestKing9 functions as an application server. The disks in TestKing9 are configured as shown in the following table.

Physical disk   Drive   Data               Size
0               C       Operating system   20 GB
1               D       Free space         20 GB

You purchase four additional 20-GB hard disks for TestKing9. You plan to install an inventory database on TestKing9. You estimate that you need a total of 60 GB of disk space to hold all the inventory data.

You need to protect the data against the failure of any disk that contains either operating system data or inventory database data. You need to create a new disk configuration on TestKing9.

Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)

A. Use one additional disk to create a mirror for drive C.
B. Use two additional disks to create a striped set for drive C.
C. Use three additional disks to create a RAID-5 volume for drive D.
D. Use two additional disks to create a RAID-5 volume for drive C.
E. Use one additional disk to create a mirror for drive D.
F. Use three additional disks to create a striped set for drive D.

Answer: A, C

Explanation:
A RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate, and is interlaced with parity to provide fault tolerance for a single disk failure. processor utilization and write performance as parity must be calculated during write operations. Since Drive C holds the operating system, you should make use of an additional disk to create a mirror for drive C.

Incorrect answers:
B & F: Striped volumes are made up of two to 32 disks. Each disk should be the same size to efficiently use all space.
It is possible to use different-sized disks, but the stripe size on every disk will be limited to the amount of free space on the smallest disk, so there will be space wasted on the larger disk(s). A striped set, whether making use of two or three additional disks, will not suffice in this case.
D: Two additional disks will not support RAID-5, you need three for Drive D and not Drive C.
E: You should create the mirror for Drive C and not drive D.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 281, 11.49
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide & DVD Training System, Syngress Publishing, Rockland, 2003, Chapter 2, p. 81

Part 4: Install and configure server hardware devices.

A: Configure driver signing options. (5 Questions)

QUESTION NO: 1

HOTSPOT

Exhibit, hotspot

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com.

TestKing.com's written security policy states that all computers are permitted to use only hardware that is listed on the Windows Server Catalog.

You need to change the policy settings for the Windows Server 2003 computer so that it complies with the written security policy.

Which policy setting should you modify? To answer, select the appropriate policy in the exhibit.

Answer:

Explanation:
Devices: Unsigned Driver installation behavior
Driver signing is a method for marking or identifying driver files that meet certain specifications or standards. Windows Server 2003 uses a driver-signing process to make sure drivers are certified to work correctly with the Windows Driver Model (WDM) in Windows Server 2003. By modifying the Unsigned Driver installation behavior, you will be able to comply with company regulations regarding security policy.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 2

QUESTION NO: 2

HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.

A change in business rules requires you to configure hardware drivers on all network computers. You open the Group Policy Object Editor, as shown in the work area.

You need to configure Driver Signing in the treeview pane.

Which node should you configure? To answer, select the appropriate node in the work area.

Answer:

Explanation:
Select "Local Policies"
Every device that is attached to a computer requires software, known as a device driver, to be installed on the computer to enable it to function properly. Every device requires a device driver to communicate with the operating system. Device drivers that are used with the Microsoft Windows operating systems are typically provided by Microsoft and the device manufacturer. Each device driver and operating system file that is included with Windows has a digital signature. This setting can be located in the LOCAL POLICIES section.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 2

QUESTION NO: 3

You are the administrator of a Windows Server 2003 computer named Testking1. There is a driver conflict on Testking1. You suspect that an unsigned driver has been installed for one of the hardware devices.

You need to locate any unsigned drivers.

What should you do?

A. Use the advanced options of the File Signature Verification tool to scan the contents of the Systemroot\System32 folder and all subfolders.

B. Run the driverquery /si command, and examine the output.
C. Use the advanced options of the File Signature Verification tool to scan the contents of the Systemroot\System folder and all subfolders.
D. Run the ver command.

Answer: A

Explanation:
The File Signature Verification tool generates the report of unsigned drivers with the least administrative effort. You can use File Signature Verification tool (Sigverif.exe) to identify unsigned drivers on a Windows-based computer by running a scan for unsigned drivers. sigverif.exe is a wizard-driven tool, which scans the system for the presence of unsigned drivers and critical system files. It also creates a report that lists all the files scanned along with relevant version and digital signature information. The report is stored in your Windows directory and is called sigverif.txt. This information can be helpful when you are troubleshooting system instability in Windows.

Incorrect answers:
B: The driverquery command with the si parameter specifies to display the properties of signed drivers only and not the location of unsigned drivers.
C: Systemroot\System32 folder is a protected directory in the Windows Server 2003 environment and the Systemroot\System folder is not; besides, that folder will not indicate whether the driver is signed or not.
D: You need to specify exactly what you want to verify.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 10.6

QUESTION NO: 4

HOTSPOT

You are the network administrator for TestKing.com. You attempt to install a new network adapter in a Windows Server 2003 computer.

You receive an error message that states that the software for the hardware that you are attempting to install has not passed Windows Logo testing to verify its compatibility with this version of Windows. The error message also states that the hardware has not installed.

You need to change the policies to ensure that you can install the network adapter on the Windows Server 2003 computer.

Which policy setting should you modify? To answer select the appropriate policy in the work area.

Answer:

Explanation:
Change the "Unsigned driver installation behaviour" setting to "Allow installation"
The exhibit shows that unsigned driver installation behaviour setting is on do not allow. This has to be changed in order for the network adapter to be installed successfully.
Each device driver and operating system file that is included with Windows has a digital signature. The digital signature indicates that the driver or file meets a certain level of testing and that it was not altered or overwritten by another program's installation process. Using signed device drivers helps to ensure the performance and stability of your system. Also, it is recommended that you use only signed device drivers for new and updated device drivers.

Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 203-205

QUESTION NO: 5

You are the network administrator for TestKing.com. You are the administrator of a Windows Server 2003 computer named TestKing8.

You log on to TestKing8 and attempt to access the network. You discover that the server is not communicating on the network.

You discover that a service pack and an updated network adapter driver were installed on TestKing8 the previous night. A complete backup, including the System State data, was performed before the service pack and the driver were installed.

You need to restore network communications.

What should you do first?

A. Use Roll Back Driver to reinstall the previous driver for the network adapter.

1. Use the 1ac/p or Restore !i0ard to restore the bac/up from the pre%ious night. .. Restart Test@ing> b using 4ast @nown Cood .onfiguration option. D. Use the Registr 3ditor to delete the registr settings for the networ/ adapter dri%er. )ns"er: ) E3#lanation: !hen dri/ers cause #roblems "ithin a system* you might e3#erience t"o le/els o$ se/erity The first is the de%ice simpl not being enabled on s stem startup or installation. A more se%ere le%el will result in the s stem not starting up due to a bug chec/ *also /nown as a blue screen or $T'5 error+. ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F> 2 &f the problem is caused during a dri%er upgrade, ou can le%erage the capabilit to rollbac/ a dri%er.To roll bac/ a dri%er from a pre%ious %ersion, open the de%ice 5roperties dialog boB in De%ice Manager and select the Dri%er tab. &n that tab is a button called Rollbac/ that ou can select to roll bac/ the dri%er to the pre%ious %ersion. Incorrect ans"ers: +9 This option would not be ad%isable in this case as the complete bac/up was performed before the ser%ice pac/ and the dri%er were installed. And what is thus needed is to )ust rollbac/ to the pre%ious dri%er. '9 !hen 4ast @nown Cood .onfiguration is used, !indows starts using the Registr information and dri%er settings sa%ed at the last successful logon. Aowe%er, all ou need to do is to ma/e use of Roll 1ac/ Dri%er to reinstall the pre%ious dri%er. D9 This would not be necessar . De$erence9 Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, 4aura 3. Aunter L !ill $chmied, M.$AHM.$39 3Bam G"22="9 Managing and Maintaining a !indows $er%er 2""3 3n%ironment9 $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, 2""3, .hapter 3, p. 23F 19 .onfigure resource settings for a de%ice. 
*3 :uestions+ QUESTION NO: < You are the net"or0 administrator $or Test0ing com In #articular you administer a !indo"s 2==, ser/er named TestBing4 TestBing4 sto#s res#onding se/eral times Each time* the $ollo"ing error message is dis#layed: You sus#ect that a hard"are com#onent is causing the #roblem* and you contact the /endor The /endor requires debugging in$ormation You need to con$igure TestBing4 to generate a $ile that contains rele/ant in$ormation $or the /endor !hat should you do% ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F= 2 A. .onfigure Test@ing- to perform a memor dump. 1. Add the Hdebug option to the 1oot.ini file on Test@ing-. .. 3nable 5h sical Addressing 3Btensions on Test@ing-. D. &nstall the Reco%er .onsole on Test@ing-. )ns"er: ) E3#lanation: It is im#ortant that you record the in$ormation associated "ith the bug chec0 and dri/er in$ormation sections ?any o$ the bug chec0 messages ha/e rele/ant in$ormation that you should read and understand i$ they a##ly to your situation Your de/ice /endor andKor ?icroso$t ma0e use o$ the memory dum#s to hel# understand the state o$ the system at the time that the bug chec0 occurred You can change the memory dum# settings through the Startu# and Deco/ery button in the System .ro#ertiesJ )d/anced tab Incorrect ans"ers: +: Adding the Hdebug option to the 1oot.ini file will not address our problem. ': 3nabling 5h sical Addressing 3Btensions will not generate a file with the necessar information to address our problem. D: &nstalling the Reco%er .onsole will not ield the necessar information for the %endor. De$erences: Deborah 4ittle)ohn $hinder and Dr. Thomas !. $hinder, M.$AHM.$3 3Bam G"22="9 Managing and Maintaining a !indows $er%er 2""3 3n%ironment $tud Cuide L D?D Training $ stem, p. 
236

QUESTION NO: 2
You are the network administrator for Testking.com. In particular you administer a Windows 2003 server named TestKing13. You need to use Disk Management to configure a partition on TestKing13. When you attempt to access Disk Management, you receive the following error message:

"Unable to connect Logical Disk Manager service." You verify that the Logical Disk Manager service is started. What is the most likely cause of the problem?
A. There is not enough available space on the boot partition.
B. The disk performance counters are disabled.
C. The Logical Disk Manager Administrative service is disabled.
D. The Windows 2003 Administration Tools Pack is not installed.
Answer: C
Explanation: A disabled Logical Disk Manager Administrative service manifests as an inability to connect to Logical Disk Manager.
Incorrect answers:
A: It is not a matter of enough available space but rather an inability to connect to the Logical Disk Manager service.
B: Disk performance counters are irrelevant in this scenario.
D:
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Terminal Services is installed on your network. You currently use a terminal server farm. Testking1, the first server in the farm, acts as the session directory server. All terminal servers are operating at maximum capacity. An increasing number of users report slow response times when they use these servers. You need to improve the performance of the terminal server farm. You plan to use a server named Testking4, which has hardware identical to that of the other terminal servers in the farm. First, you add Testking4 to the Session Directory Computers group on Testking1. What should you do next?
A. Add Testking4 to the Session Directory Computers group on the PDC emulator.
B. On Testking4, select the Terminal Services configuration option to join the existing session directory.
C. On Testking4, install the Session Directory service.
D. On Testking4, create a new session directory server.
Answer: B
Explanation: The session directory is a database that can reside on a server that is separate from the terminal servers in the farm, although it is possible to have it on a member of the farm. The session directory database maintains a list of the user names associated with the session IDs connected to the servers in a load balanced Terminal Server farm. There are two Session Directory components to keep in mind when installing and configuring Session Directory: (1) Session Directory server and (2) Client servers.
1. The Session Directory server is the server that is running the Session Directory service. It is not required to be a Terminal Server, or even to have Remote Desktop enabled.
2. The client servers are the Terminal Servers which will request data from the Session Directory server. Client servers need to be configured to point towards the Session Directory server for Session Directory requests.
Architecturally, one Session Directory server may service multiple load balanced farms, although this may cause confusion if the administrator configures all farms to have the same logical cluster name value. After adding TK4 to the Session Directory Computers group on TK1, TK4 must be joined to the existing session directory.
Incorrect answers:
A: The PDC emulator can be used in a situation where you have Windows NT4 servers in your domain. This is however not applicable in this scenario.
C: On all editions of the Windows Server 2003 family Session Directory service is installed by default. There is thus no need to install it on TK4.
D: one session directory server.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 750

Microsoft Knowledge Base Article - 301926, Overview of the Session Directory Technology in Terminal Services

C: Configure device properties and settings. (1 Question)

QUESTION NO: 1
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The domain contains two domain controllers named TestKing1 and TestKing2. During routine monitoring of the domain controllers, you observe numerous errors in the system log. The errors are similar to the one shown in the exhibit. You need to resolve these errors on your domain controllers as quickly as possible. What are two possible ways to achieve this goal? (Each answer is a complete solution. Select two.)
A. Install the appropriate printer drivers on TestKing1 and TestKing2.
B. Modify the Default domain controller GPO. Enable the Do not allow client printer redirection policy.
C. Add the Domain Admins group to the built-in Print Operators group.
D. Add the Domain Users group to the built-in Print Operators group.
Answer: A, B
Explanation: The System log records events generated by the operating system and its subsystems, such as its device drivers and services. It could be that the incorrect drivers were installed on the domain controllers. Thus if you install the appropriate driver on TestKing1 and TestKing2 you will solve the problem. If the Default To Main Client Printer setting is disabled, the Terminal Server session will use the default printer of the Terminal Server computer. Printer redirection settings can be specified by a GPO. This option should also solve your problem.
Incorrect answers:
C, D: The built-in Print Operators group has the right to log on locally. Whether you add the Domain Admins group or the Domain Users group to the built-in Print Operators group, it will not solve your problem as the problem is registered as a different type of error.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

Topic 2: Managing Users, Computers, and Groups (89 Questions)
Part 1: Manage local, roaming, and mandatory user profiles. (7 Questions)

QUESTION NO: 1
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a domain controller named TestKing3. You create a preconfigured user profile on a client computer named TKClient1. You need to ensure that all users receive the preconfigured user profile when they log on to the network for the first time. All users must still be able to personalize their desktop environments. What should you do?
A. From TKClient1, copy the user profile to \\TestKing3\netlogon\Default User.
B. From TKClient1, copy the user profile to \\TestKing3\netlogon\Default User. Change the User Profile path for all users in the Active Directory to \\TestKing3\netlogon\Default User.
C. From TKClient1, copy the user profile to the C:\Documents and Settings\Default User folder. Share the Default User profile on the network.
D. Create a Folder Redirection policy in Active Directory.
Answer: A
Explanation: The Net Logon service uses it for processing logon scripts. To assign a preconfigured user profile for all first time users on the network, you need to copy TKClient1's user profile to the \\TestKing3\netlogon\Default User. This option will still allow users to personalize their desktop environments.
Incorrect answers:

B: You do not need to change the User Profile path for all users, it is only the first time users that you need to assign the preconfigured user profile.
C: Sharing the Default User profile is not going to ensure that all first time users will be assigned the profile.
D: Folder redirection is not what is required in this scenario.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapters 4 & 5

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Some client computers run Windows 2000 Professional, and the rest run Windows XP Professional. All user accounts in the Sales department are located in the Sales organizational unit (OU). To store roaming user profiles, you create a shared folder named Profiles on a member server named TK1. You assign the Allow - Full Control permission on the Profiles folder to the Everyone group. Now you need to create roaming user profiles for the user accounts in the Sales OU. What should you do?
A. Select all user accounts in the Sales OU. Modify the account properties to specify \\TK1\Profiles\%username% as the profile path.
B. Select all user accounts in the Sales OU. Modify the account properties to specify \\TK1\Profiles as the profile path.
C. Create a Group Policy object (GPO) and link it to the Sales OU. In the User Configuration section of the GPO, configure Folder Redirection to use \\TK1\Profiles.
D. Create a Group Policy object (GPO) and link to the Domain Controllers OU. In the User Configuration section of the GPO, configure Folder Redirection to use \\TK1\Profiles.
Answer: A
Explanation: The users will log on the client computers and will be authenticated on domain controllers. The roaming profiles are stored on a member server, so we must enter the UNC path to the shared profiles folder in the profile path. In this case, the UNC path is \\TK1\Profiles. To create profiles based on the user names, we can use the %username% variable. The %username% variable will be changed to the user's login name when the user logs in. For example, if a user named Tess logs in, \\TK1\Profiles\%username% will become \\TK1\Profiles\Tess.
Incorrect answers:
B: The account properties should specify the profile path by making use of the %username% variable if you want to create roaming user profiles for the user accounts in the Sales OU.
C: Linking a GPO to the Sales OU as described in this case will not work, you should still make use of the %username% variable to create roaming user profiles for the accounts in the Sales OU.
D: Whether you create a GPO to be linked to the Domain Controllers OU, the folder Redirection should be more specific and point to the %username% variable as well.
Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 285

QUESTION NO: 3
DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. User profiles are stored in a folder named TestKingProfiles, which is located on a member server named TestKing12. TestKingProfiles is shared as Profiles. A change in business rules requires you to create a template account for users in the engineering department. All user accounts that are created from the template will use roaming profiles. Each profile name will be based on user name. All profiles must be stored in a central location. You create the template and name it T-Engineer. Now you need to add information about profile location to T-Engineer. What should you do?

To answer, drag the appropriate path or paths to the correct location or locations in the dialog box.
Answer:
Explanation: The users will log on the client computers and will be authenticated on domain controllers. The roaming profiles are stored on a member server, so we must enter the UNC path to the shared profiles folder in the profile path. In this case, the UNC path is \\TestKing12\profiles. To create profiles based on the user names, we can use the %username% variable. The %username% variable will be changed to the user's login name when the user logs in. For example, if a user named Tess logs in, \\TestKing12\profiles\%username% will become \\TestKing12\profiles\Tess.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 285

QUESTION NO: 4
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003, and all client computers run Windows 2000 Professional. You need to standardize the desktop environment for all client computers. Your solution must prevent domain users from permanently modifying their regional settings or the desktop background. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Specify the profile's network path in the user properties in Active Directory Users and Computers.
B. Specify the profile's local path in the user properties in Computer Management.
C. Specify the profile's network path in the user properties in Computer Management.
D. In the network share where profiles reside, rename Ntuser.dat to Ntuser.man.
E. In the local profile directory, rename Ntuser.dat to Ntuser.man.
F. In the network share where profiles reside, rename the Ntuser.ini to Ntuser.man.
Answer: A, D
Explanation: Your solution must prevent domain users from permanently modifying their regional settings or the desktop background. The trick here is the mandatory profile will change the settings again next time the user logs on. A mandatory user profile is a user profile that is not updated when the user logs off. It is downloaded to the user's desktop each time the user logs on, and it is created by an administrator and assigned to one or more users to create consistent or job-specific user profiles. Only members of the Administrators group can change settings in a preconfigured user profile. The user can still modify the desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile is downloaded again. User profiles become mandatory when you rename the NTuser.dat file on the server to NTuser.man. By renaming this file, you have effectively made the user profile read-only, meaning that the operating system does not save any changes made to the profile when the user logs off. Microsoft recommends this method for creating mandatory user profiles.
Incorrect answers:
B: The profile's network path and not the local path should be specified.
C: The profile's network path is specified in the user properties in Active Directory Users and Computers and not in the user properties in Computer Management.
E: Renaming the Ntuser.dat to Ntuser.man in the local profile directory thus making it a mandatory user profile will only be applicable to the local profile directory and not to the network share. If the server where user profiles are stored is not available when a user logs on, the operating system defaults to using an existing local profile for the user. If the user has no local profile on that computer, it creates a local profile for the user from the local default profile. If you want to strictly enforce a policy that states that no user can log on without a roaming profile, you can append the extension of .man to the roaming user profile folder's name.
F: This will not work even if you have the correct location in the network share where the profiles reside.
Reference: HOW TO: Create a Roaming User Profile in Windows Server 2003 KB article 324749
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 5
Exhibit
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. All users log on to the company's domain. A user named Tess King logs on to multiple computers on the network. Tess reports that her desktop settings are not retained when she switches between computers. You decide to configure a roaming profile for Tess. From Tess's primary desktop computer, you attempt to copy his profile to the network by using Tess's credentials. You receive the dialog box shown in the exhibit. You need to copy Tess's profile to the network. What should you do?
A. Log on to Tess's computer by using a local Administrator account.
B. Add Tess's account to the local Administrators group.
C. Add the Add the Administrator security group to roaming user profiles policy setting to the Default Domain Policy GPO.
D. Remove the Prevent Roaming Profile changes from propagating to the server policy setting from the Default Domain Policy GPO.
Answer: A
Explanation: A roaming user profile is a server-based user profile that is downloaded to the local computer when a user logs on and is updated both locally and on the server when the user logs off.
But in this case you need to log on to Tess' computer by using the local Administrator account in order to copy Tess' profile to the network using her credentials.
Incorrect answers:
B: Just adding Tess' account to the local Administrators group will not enable you to copy her profile to the network.
C: It is just a matter of changing profile type and not changing settings to the GPO as only Tess' account is problematic.
D: This is not the solution.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide & DVD Training System, Syngress Publishing, Rockland, 2003, Chapter 3, p. 210

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional. Multiple users share the same client computer. A server named TestKing2 functions as a file and print server. You set the profile path for all user accounts to \\TestKing2\Profiles\username. Some domain users were added to the local Administrators group on the Windows XP Professional computers. A user reports that other users can log on to client computers that he has previously used and gain access to files stored in his My Documents folder on the local hard disk. You need to permanently prevent users from being able to access the My Documents folder of other domain users on the client computers. What should you do?
A. In Active Directory, modify the Default Domain Policy. Disable the Do not check for user ownership of Roaming Profile Folders setting.
B. In Active Directory, modify the Default Domain Policy. Enable the Delete cached copies of roaming profiles setting.
C. Log on to all client computers and delete all user profiles from the local hard disks.

D. Log on to all client computers and configure the Number of previous logons to cache setting to 0.
Answer: B
Explanation: When users on your network regularly move from one profile-creating workstation to another, every machine they use will store a copy of their local profile. You may use System Policy Editor or Group Policies to compel the workstations to delete cached copies of roaming profiles when the user logs out. This is a machine-specific setting that is implemented in the Registry in HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON. What this setting also does is to prevent users from being able to access the My Documents folder of other domain users on the client computers as is the case in this question.
Incorrect answers:
A: Disabling the Do not check for user ownership of Roaming Profile Folders will not prevent users from being able to access folders of other domain users on the client computers.
C: Deleting all user profiles from the local hard disks is not the solution.
D: Configuring the number of previous logons to cache setting to 0 is not the solution.
Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 7
You are the network administrator for TestKing. All network servers run Windows Server 2003. A server named TestKing6 functions as a file server. All client computers run Windows XP Professional and are members of the domain. TestKing.com periodically hires temporary employees. You need to prepare a custom user profile for all temporary employees. You log on to a client computer as an administrator, and you configure the desktop settings. You copy the profile to a folder named \\TestKing6\Profiles\Temp_profile. You rename the Ntuser.dat file in the \\TestKing6\Profiles\Temp_profile folder to Ntuser.man. You create three new user accounts for the temporary employees. The user accounts are named temp_user1, temp_user2, and temp_user3. You need to configure the temporary user accounts to receive the new desktop settings that you created on TestKing6. The temporary employees must not be allowed to retain customized desktop settings. What should you do?
A. Specify a user profile path of \\TestKing6\Profiles\username for each of the three user accounts.
B. Specify a user profile path of \\TestKing6\Profiles\username.man for each of the three user accounts.
C. Specify a home folder path of \\TestKing6\Profiles\username for each of the three user accounts.
D. Specify a user profile path of \\TestKing6\Profiles\Temp_profile for each of the three user accounts.
E. Specify a user profile path of \\TestKing6\Profiles\Temp_profile.man for each of the three user accounts.
Answer: D
Explanation: Force the user to load a particular profile - If you specify the directory path on the domain controller or server as DIRECTORYNAME.MAN, but you do not rename the hive file to NTUSER.MAN, the operating system will not see it as a mandatory profile. If the hive file is not named NTUSER.MAN, the workstation will classify it merely as a roaming profile. In this scenario, users can make changes to their Desktops. At logon, however, the user will not be able to log in if the profile directory does not exist in the specified path.
Renaming the NTUSER.DAT file to NTUSER.MAN so that the user cannot save changes to the profile has been done in this case. What is necessary further is to specify an appropriate user profile path to the \\TestKing6\Profiles\Temp_profile folder for each of the three user accounts, and then you will prevent temporary employees from retaining customised desktop settings.
Incorrect answers:
A: This will not work.
B: This is inappropriate in this scenario.
C: You should not be specifying a home folder path, but rather a user profile path to the appropriate folder.
E: This is not the solution.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

Part 2: Monitor and Repair server hardware. Tools might include Device Manager, the Hardware Troubleshooting Wizard, and appropriate Control Panel items. (4 Questions)

QUESTION NO: 1
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The sales department is hiring employees. An OU named TestKingSales is created to hold objects for the new sales department users. Each sales department user has a portable computer. Each portable computer runs Windows XP Professional. The sales department users are responsible for joining their portable computers to the domain. You need to ensure that the computer accounts for the Sales department user's portable computers are created in the TestKingSales OU. You need to achieve this goal without granting any unnecessary permissions. What should you do?
A. Assign the sales department users the Allow - Read permissions for the Computer container.
B. Configure the sales department users' user accounts to be trusted for delegation.
C. Prestage the computer accounts in the TestKingSales OU for the sales department users' portable computers.
D. Assign the sales department users the Allow - Create all Child Objects permission for the TestKingSales OU.
Answer: C
Explanation: Pre-staging prevents RIS from deploying an operating system to unknown client computers. And with pre-staging you can add the user accounts with the appropriate permissions in the OU. This option is best suited in this scenario.
Incorrect options:
A: Assigning the Allow - Read permission for the Computer Container to the Sales department users will not work.
B: The Account Is Trusted For Delegation option enables a service account to impersonate a user to access network resources on behalf of a user. This is not recommended in this scenario.
D: Assigning the Allow - Create all child objects permission for the TestKingSales OU will be granting unnecessary permissions.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, 3: 9
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 2
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You install a new server named Server22 with default settings. During installation, you set the IP configuration shown in the exhibit. You make Server22 a member of a workgroup. Then you restart Server22 and use the local Administrator account to log on locally. You join Server22 to the domain. You restart Server22 and use the Domain Administrator account to log on. However, you are unsuccessful. You need to ensure that Server22 is a member of the domain. What should you do?
A. Open the Active Directory Users and Computers and reset Server22.
B. From a command prompt on another member server or domain controller, type: dsmod computer Server22.testking.com -reset
C. Log on locally. In the TCP/IP properties, change the DNS server of Server22.
D. Log on locally. In the TCP/IP properties, change the subnet mask of Server22.

E. From a command prompt on another member server or domain controller, type: nltest /server:Server22.testking.com /trusted_domains
Answer: E
Explanation: The command "nltest /server:Server22.testking.com /trusted_domains" will display a list of domains trusted by the server Server22.testking.com. A trusted domain means the domain that the computer is a member of or other domains trusted by the computer's domain.
Incorrect Answers:
A: The client workstation hasn't been offline. Therefore, it is unlikely that the account needs resetting.
B: This command also resets the account.
C: The question states, "You join Server22 to the domain". You would have got an error if you had a DNS problem.
D: The question states, "You join Server22 to the domain". You would have got an error if you had an IP configuration problem.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 28

QUESTION NO: 3
You are the network administrator for TestKing.com. The network contains two Windows Server 2003 computers named TestKing7 and TestKing9. You install a new modem on TestKing7 to allow an application to dial out to your pager. You install the driver. When you test the modem, it does not dial out successfully. You install an identical hardware and driver configuration on TestKing2, and the modem dials out successfully. You need to find out if the modem card in TestKing7 is defective. What should you do on TestKing7?
A. In Device Manager, right-click the modem, and then click Scan for hardware changes.
B. In Modem Properties, click the Modem tab, and then set the maximum port speed to the same value as the value for the maximum port speed on TestKing8.
C. In Modem Properties, click the Diagnostics tab, and then click the Query Modem button.
D. In Device Manager, right-click Ports, and then click Scan for hardware changes.
Answer: C
Explanation: You can manage the modem properties by clicking on and selecting the modem you want to manage on the Modems tab, then clicking the Properties button. This brings up the Modem Properties dialog box, which allows you to configure general properties and modem properties, run diagnostics, set advanced parameters, view and manage the driver, and view the resources the modem is using. Using the Query Modem button will enable you to verify whether the modem card in TestKing7 is defective or not.
Incorrect answers:
A: This will not aid you in checking whether the modem card is defective or not.
B: The Modem tab and the setting of the maximum port speed are not causing the problem since an identical situation on TestKing2 has the modem dialling out successfully.
D: This is not the place to check whether the modem card is defective or not.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 12

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. You place computer accounts for servers in OUs that are organized by server roles. You apply GPOs to these servers at the OU level. You need to add a new server to the domain. You need to ensure that the appropriate GPOs are applied to this server. What should you do?
A. Prestage a domain computer account for the new server in the appropriate OU. Join the server to the domain by using the prestaged computer account.
B.
'n the ser%er, add the domain name for the Acti%e Director domain to the D,$

suffiB setting. Qoin the ser%er to the domain. .. Assign a user account the Allow 2 .reate permission for the appropriate 'U. Qoin the new ser%er to the domain b using the user account. D. Qoin the new ser%er to the Acti%e Director domain. 'n the new ser%er, run the gpupdate Hforce command. )ns"er: ) E3#lanation9 !ith pre2staging ou can add the user accounts with the appropriate permissions in the 'U. This option is best suited in this scenario since C5's are applied at 'U le%el. Incorrect ans"ers: +9 Qoining the ser%er to the domain will not ensure that the C5' will be applied to the ser%er. '9 Assigning the Allow2.reate permission albeit to the appropriate 'U and )oining the new ser%er to the domain will not ensure that the appropriate C5's are applied to the ser%er. D9 This option is not suitable since C5's are applied at 'U le%el. De$erences: Deborah 4ittle)ohn $hinder and Dr. Thomas !. $hinder, M.$AHM.$3 3Bam G"22="9 Managing and Maintaining a !indows $er%er 2""3 3n%ironment $tud Cuide L D?D Training $ stem, 39 = Dan 1alter, M.$AHM.$3 Managing and Maintaining a Microsoft !indows $er%er 2""3 3n%ironment 3Bam .ram 2 *3Bam G"22="+, .hapter 5art 39 .reate and manage groups A9 &dentif and modif the scope of a group *> :uestions+ QUESTION NO: < E3hibit ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 >1 2 You are the net"or0 administrator $or Test0ing com The net"or0 consists o$ a single )cti/e Directory $orest that contains t"o domain The $unctional le/el o$ the $orest is !indo"s 2=== The $unctional le/el $or both domains is !indo"s 2=== nati/e )ll ser/ers run !indo"s 2==, You create a grou# named TestBingSta$$ The TestBingSta$$ grou# includes users $rom both domains The grou# #ro#erties are sho"n in the e3hibit You need to use the TestBingSta$$ grou# to assign #ermissions to resources in both domains :o"e/er* "hen you attem#t to assign #ermissions to a shared 
$older by using the TestBingSta$$ grou#* you recei/e an error message that states than an ob2ect named LTestBingdataL cannot be $ound ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 >2 2 You need to ensure that the TestBingSta$$ grou# can be used to assign #ermissions to shared resources in both domains !hat should you do% A. Upgrade the forest functional le%el to !indows $er%er 2""3. 1. Upgrade the domain functional le%el for both domains to !indows $er%er 2""3. .. Modif the group properties to ma/e the group a global distribution group. D. Modif the group properties to ma/e the group a uni%ersal securit group. 3. Modif the group properties to ma/e the group a domain local securit group. )ns"er: D E3#lanation: Use security grou#s $or the distribution o$ e>mail as described $or distribution grou#s* but also use them to assign #ermissions to !indo"s resources You can also use security grou#s to assign user rights to grou# members User rights include actions such as +ac0u# $iles and directories or Destore $iles and directories* both o$ "hich are assigned to the +ac0u# O#erators grou# by de$ault You can delegate rights to grou#s to enable the members o$ the grou# to #er$orm a s#eci$ic administrati/e $unction that is not normally allo"ed by their standard user rights You can also assign #ermissions to security grou#s to enable them to access net"or0 resources* such as #rinters and $ile shares Uni%ersal groups can include other groups and userHcomputer accounts from an domain in the domain tree or forest. 5ermissions for an domain in the domain tree or forest can be assigned to uni%ersal groups. Uni%ersal groups are onl a%ailable if our domain functional le%el is set to !indows 2""" nati%e mode. 
Incorrect answers:
A, B: Upgrading the forest functional level or even the domain functional level for both domains to Windows Server 2003 will not work because once you have raised the domain functional level, domain controllers running earlier operating systems cannot be used in that domain. As an example, should you decide to raise domain functional level to Windows Server 2003, Windows 2000 Server domain controllers cannot be added to that domain.
C: Distribution groups are used for distributing messages to group members. And global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Modifying the group to be a global distribution group will not work.
E: Making the group a domain local security group will not ensure permissions to shared resources on both domains.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 319-320

QUESTION NO: 2
HOTSPOT
Your network consists of a single Active Directory forest containing two domains, hq.testking.com and manu.testking.com. The functional level of both domains is Windows 2000 mixed. hq.testking.com contains two domain controllers running Windows Server 2003 and three domain controllers running Windows 2000 Server. You are the network administrator for hq.testking.com. The domain controllers in your domain host applications and shared folder to which users in manu.testking.com require access. You need to create a group that will grant the required access to users in manu.testking.com. What should you do? To answer, configure the appropriate options in the dialog box.
Answer:
Explanation: Domain local - Security
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users.
Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). Discretionary access control lists (DACLs): the part of an object's security descriptor that grants or denies specific users and groups permission to access the object. Only the owner of an at the owner's discretion. If you need a group for controlling access to shared resources, create a security group. access to resources on your network.
Using security groups, you can:
1. Assign user rights to security groups in Active Directory.
2. Assign permissions to security groups on resources.
A group can be converted from a security group to a distribution group, and vice versa, at any time, but only if the domain functional level is set to Windows 2000 native or higher. No groups can be converted while the domain functional level is set to Windows 2000 mixed.
Domain local groups can contain other domain local groups in the same domain, global groups from any domain, universal groups from any domain, user accounts from any domain, and computer accounts from any domain.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 320, 329

QUESTION NO: 3
HOTSPOT
You are an employee at TestKing. The network consists of a single Active Directory forest containing two domains, helsinki.testking.com and mumbai.testking.com. The functional level of both domains is Windows 2000 mixed. helsinki.testking.com contains two domain controllers running Windows Server 2003 and three domain controllers running Windows 2000 Server. You are the network administrator for helsinki.testking.com. Users in your domain require access to applications and shared folders that reside on member servers in mumbai.testking.com. What action should you take? (Configure options in the dialog box)
Answer:
Explanation: Select "Global" and "Security"

Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.
The group's Security tab is used to add and remove permissions to this group for other accounts (users and groups). Use the Add button to add the accounts, and then use the check boxes at the bottom to select the permissions for the newly added accounts. Read is the default permission assigned when you add an account to the security tab of a group. The Advanced button enables you to manage permissions to the group on a more granular level. This is also where you manage auditing, ownership, as well as view effective permissions.
Using security groups, you can:
1. Assign user rights to security groups in Active Directory.
2. Assign permissions to security groups on resources.
A group can be converted from a security group to a distribution group, and vice versa, at any time, but only if the domain functional level is set to Windows 2000 native or higher. No groups can be converted while the domain functional level is set to Windows 2000 mixed.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 320, 329

QUESTION NO: 4
Your company network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows 2000 Native. The network contains 20 member servers running Windows 2000 and 5 domain controllers running Windows Server 2003. The user accounts for employees in the Finance department are members of a global distribution group named Finance_Users. You create a shared folder named Finance_Docs on a Windows 2000 member server. You need to enable the Finance users to access the Finance_Docs folder. What should you do?
A. Change Finance_Users to a security group.
B. Change the scope of Finance_Users to Universal.
C. Change the scope of Finance_Users to Domain Local.
D. Raise the domain functional level to Windows Server 2003.
Answer: A
Explanation: Groups are special objects that contain users, and security groups are used to simplify management of multiple user accounts by enabling you to apply permissions, user rights, and so forth to an entire group of users in a single operation instead of having to apply them to individual user accounts. You cannot assign permissions to file shares to a distribution group. The group must be converted to a security group. Note: you must be in at least Windows 2000 Native Functional Level in order to be able to convert a distribution group to a security group.
Incorrect Answers:
B: You cannot assign permissions to file shares to a universal distribution group.
C: You cannot assign permissions to file shares to a distribution group, regardless of what functional level the forest is in. Finance_Users is a distribution group.
D: You cannot assign permissions to file shares to a distribution group, whatever functional level the domain is in. Finance_Users is a distribution group.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 256

QUESTION NO: 5
HOTSPOT
You are the network administrator for Testking.com. The network consists of a single Active Directory forest containing two domains, hq.hmopslab.com and mm.hmopslab.com. The functional level of both domains is Windows 2000 mixed. hq.hmopslab.com contains 2 domain controllers running Windows Server 2003 and 3 domain controllers running Windows 2000 Server. You are the network admin for hq.hmopslab.com. Users in your domain require access to applications and shared folders that reside on member servers in mm.hmopslab.com. You need to create a group in hq.hmopslab.com that will provide the required access. What should you do?
Answer:
Explanation: Global, Security
We should use Global Security groups because the users in the domain require access to the applications and shared folders that are on the member servers. Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.
The group's Security tab is used to add and remove permissions to this group for other accounts (users and groups). Use the Add button to add the accounts, and then use the check boxes at the bottom to select the permissions for the newly added accounts. Read is the default permission assigned when you add an account to the security tab of a group. The Advanced button enables you to manage permissions to the group on a more granular level. This is also where you manage auditing, ownership, as well as view effective permissions.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 320, 329

QUESTION NO: 6
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. A user named Mrs King works in the information technology (IT) security department. Mrs King is a member of the ITSecurity global group. Mrs King reports that no one in the ITSecurity global group can access the security log from the console of a computer named Testking1. You need to grant the ITSecurity global group the minimum rights necessary to view the security log on Testking1. How should you modify the local security policy?
A. Assign the Generate security audits user right to the ITSecurity global group.
B. Assign the Manage auditing and security logs user right to the ITSecurity global group.
C. Assign the Allow logon through Terminal Services user right to the ITSecurity global group.
D. Assign the Act as part of the operating system user right to the ITSecurity global group.
Answer: B
Explanation: Security events are logged in the security log, accessible by administrators via the Event Viewer. An audit entry can be either a Success or a Failure event in the security log. A list of audit entries that describes the life span of an object, file, or folder is referred to as an audit trail. Security auditing enables you to track access to and modifications of objects, files, or folders, and to determine who has logged on (or attempted to do so) and when. The right to manage the security event log is a powerful user privilege that should be closely guarded. Anyone with this user right can clear the security log, possibly erasing important evidence of unauthorized activity. The default security groups for this user right are sufficient for the Legacy Client and Enterprise Client environments. However, this user right is configured to enforce the default Administrators in the High Security environment.
Incorrect answers:
A: Being able to generate security audits does not mean that that specific group can view the security logs. Security logs can only be viewed with administrator rights via the Event Viewer.
C: Having the Allow logon through Terminal Services user right will not grant the ability to view security logs.
D: The Act as part of the operating system user right will not do, you need to be an administrator.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 749.
QUESTION NO: 7
You are the network administrator for TestKing. The network consists of several domains in a single Active Directory forest testking.com. The functional level for all child domains is Windows 2000 mixed. A server named TestKingA.litwareinc.com runs Windows Server 2003. You share a folder named SalesDocs on this server. In the properties for SalesDocs, you assign the Allow - Full Control permissions to a universal group named U_Sales in testking.com. Effective permissions for U_Sales are shown in the U_Sales exhibit.
In each domain in the forest, you create a global group named G_Sales, whose membership consists of users in that domain's department. You add every G_Sales group to the U_Sales group. Ben Smith is a member of G_Sales in child1.testking.com. He reports that he cannot access SalesDocs. On TestKingA, you verify the effective permissions for Ben Smith, as shown in the Ben Smith exhibit.
You need to ensure that Ben Smith can access SalesDocs. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Add Ben Smith's user account to U_Sales in litwareinc.com
B. Change the group scope of U_Sales to domain local.
C. Change the group type of U_Sales to distribution.
D. Assign the Allow - Full Control permissions to G_Sales in child1.testking.com.
E. Instruct Ben Smith to log on by using his user principal name.
Answer: B, D
Explanation: Ben Smith is unable to access SalesDocs because the child domains are in mixed mode thus cannot use the Universal group. Only testking.com is in native mode because Universal group U_Sales was created there. We need to change the scope for U_Sales from Universal to domain local.
This will give Ben the required permissions because the Global Group G_Sales is a member of U_Sales. Alternatively, we could assign the permission directly to the G_Sales group in child1.testking.com.
Incorrect answers:
A: U_Sales was created in testking.com, but adding Ben Smith's account to U_Sales will not work as U_Sales' group scope will have to be changed from global to domain local.
C: Windows Server 2003 has two group types: security and distribution. Security groups are used to assign permissions for access to network resources. Distribution groups are used to combine users for e-mail distribution lists. Security groups can be used as a distribution group, but distribution groups cannot be used as security groups.
E: Logging on by making use of a UPN is irrelevant in this scenario as one needs to change the group scopes first and then assign the appropriate permissions that will allow Ben Smith access to SalesDocs.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 8
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. The functional level of the domain is Windows 2000 native. Some network servers run Windows 2000 Server, and others run Windows Server 2003. All users in your accounting department are members of an existing global distribution group named Global-1. You create a new network share for the accounting users. You need to enable the members of Global-1 to access the file share. What should you do?
A. Raise the functional level of the domain to Windows Server 2003.
B. Change the group type of Global-1 to security.
C. Change the group scope of Global-1 to universal.
D. Raise the functional level of the forest to Windows Server 2003.
Answer: B
Explanation:

You cannot assign permissions to file shares to a distribution group. The group has to be converted to a security group. Note: you must be in at least Windows 2000 Native Functional Level in order to be able to convert a distribution group to a security group.
Incorrect Answers:
A: You will not be able to assign permissions to file shares to a distribution group, whatever functional level the domain is in.
C: You will not be able to assign permissions to file shares to a universal distribution group.
D: You will not be able to assign permissions to file shares to a distribution group, whatever functional level the forest is in.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 321-323

B: Find domain groups in which a user is a member (1 Question)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain in its own forest. All network servers run Windows Server 2003. TestKing.com merges with Foo.com, which also has a single Active Directory domain in its own forest. A cross-forest trust from TestKing.com to Foo.com is created. You need to ensure that all users have access to personal payroll tools located in the TestKing.com domain. The built-in users group for TestKing.com has the appropriate permissions on the payroll tools. What should you do?
A. Create a new universal group in the Foo.com domain. Add all Foo.com users to the group. Place the new group in the built-in Users group for Foo.com.
B. Create a new universal group in the TestKing.com domain. Add all TestKing.com users to the group. Place the new group in the built-in Users group for TestKing.com.
C. Create a new universal group in the Foo.com domain. Add all Foo.com users to the group. Place the new group in the built-in Users group for TestKing.com.
D. Create a new universal group in the TestKing.com domain. Add all TestKing.com users to the group. Place the new group in the built-in Users group for Foo.com.
Answer: C
Explanation: Universal groups are used to logically organize global groups and appear in the Global Catalog. Universal groups can contain users from anywhere in the domain tree or forest, other universal groups, and global groups. For all users to have access to the personal payroll tools in the TestKing.com domain you need to create a new universal group for the Foo.com domain and then place it in the built-in users group for TestKing.com since the TestKing.com domain contains the tools.
Incorrect answers:
A: This option is suggesting the wrong group of users to be added to the new universal group and the wrong built-in Users group to add it to.
B: The TestKing.com domain does not need to be given access to the personal payroll tools.
D: You should add the Foo.com users to the group and not the TestKing.com users. Furthermore, you should place the new group in the built-in users for TestKing.com and not Foo.com
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 167

C: Manage group membership (4 Questions)

QUESTION NO: 1
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Files and folders for the network users are stored on a member server named TestKing8. Folders are shared on the network by assigning the Allow - Full Control permission to the Authenticated Users group. A folder named Budget contains financial information. Permissions for Budget are shown in the exhibit.
A new employee named Tess King is hired to manage TestKing's financial information. You create a user account for her. However, Tess reports that she cannot create new files in Budget. You need to ensure that Tess can perform these actions. To which group should you add her user account?
A. Group1
B. Group2
C. Group3
D. Administrators
E. Users
Answer: B
Explanation: The group2 account has the Allow - Modify permission applied to the budget folder only. The Allow - Modify permission involves: View and list folders should enable Tess to perform her duties since the Budget folder contains the financial information.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 5

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. An administrator named Tess King attempts to perform troubleshooting tasks on a file server. However, when she attempts to open the security event log, she receives the error message shown in the exhibit.
You need to ensure that Tess can complete her troubleshooting tasks. What should you do?
A. Add Tess's user account to the Server Operators domain group.
B. Add Tess's user account to the local Administrators group on the file server.
C. Configure Tess's client computer to enable the IPSec Server (Request Security) policy.
D. Assign Tess's user account the Allow logon through Terminal Services user right for the file server.
Answer: B
Explanation: You can configure the security logs to record information about Active Directory and server events. These events are recorded in the Windows security log. The security log can record security events, such as valid and invalid logon attempts, as well as events that are related to resource use, such as creating, opening, or deleting files. You must log on as an administrator to control what events are audited and displayed in the security log. Security log files are also stored in the systemroot/system32/config directory. Security logs can be exported and archived in the following file formats:
1. Event log files (.evt) (Default).
2. Comma delimited (.csv).
3. Text file (.txt).
local administrators group. Making Tess part of the Administrator's group will allow her access to the security log which will enable her to perform troubleshooting.
Incorrect answers:
A: To be able to access the security log one has to be part of the administrator's group on that specific server, thus making Tess part of the Server Operators will not grant her enough permissions to view the security log.
C: Enabling the IPSec Server (Request Security) policy permission for Tess's client computer will not suffice in allowing her to view the security log. She still needs to be an administrator on the server.
D: The Allow logon through Terminal Services user right for the file server will not grant the same rights as an administrator account. Thus this option will not grant Tess the ability to view the security log.
References: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 230-233

QUESTION NO: 3

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003.
The sales department recently hired 10 new employees. User accounts for these employees were created in Active Directory. The manager of the sales department sent you a list of new users and asked you to add the user accounts to an existing global group named SalesDept. You need to add the users to the SalesDept global group. What are two possible ways to achieve this goal? Each correct answer presents a complete solution. Choose two.
A. Use the dsadd user command to add the user accounts to the SalesDept global group.
B. Use the dsadd group command to add the user accounts to the SalesDept global group.
C. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users, and then select the Properties menu command.
D. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users, and then select the Add to a Group menu command.
Answer: B, D
Explanation: You can automate the process of creating users, groups, and computers through the Dsadd command-line utility. Each Dsadd command offers a series of switches (which can be viewed from a command prompt window by typing Dsadd /?) that can be used to configure the object that is being created. Active Directory Users and Computers, on Windows Server 2003 domain controllers, is the main tool used for managing the Active Directory users, groups, and computers. To set up and manage domain user accounts, you use the Active Directory Users And Computers utility. The Add to a Group menu command will enable you to add the users to the SalesDept global group.
Incorrect answers:
A: The Dsadd user command includes parameters for almost all of the options that can be configured for a user through the Active Directory Users And Computers utility. This is not the appropriate parameter in this case.
C: The Properties menu command would be the inappropriate choice in this matter.

Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 227

QUESTION NO: 4
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003.
TestKing.com employs three database administrators who administer seven database servers that run Windows Server 2003. The database administrators occasionally restore a database server after a disaster. To restore a server, database administrators need the rights required to perform the following tasks:
1. Back up files and folders.
2. Restore files and folders.
3. Restore the System State data.
You need to assign the database administrators the rights that they require to perform the specified tasks. For security reasons, you must not assign the administrators more rights than they require to perform the tasks.
What should you do?

A. Add the database administrators' user accounts to the Administrators group on each of the database servers.
B. Add the database administrators' user accounts to the Power Users group on each of the database servers.
C. Add the database administrators' user accounts to the Backup Operators group on each of the database servers.
D. Add the database administrators' user accounts to the Backup Operators group on one of the domain controllers.
E. Add the database administrators' user accounts to the Server Operators group on one of the domain controllers.

Answer: C

Explanation: The members of the Backup Operators group have rights to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, the members of Backup Operators can access the file system only through the Backup utility. To be able to directly access the file system, they must have explicit permissions assigned. Thus, by adding the database administrators' user accounts to this group on each of the database servers, you will be granting them the appropriate rights to perform their tasks.

Incorrect answers:
A: The Administrators group has full rights and privileges on all domain controllers within the domain. Its members can grant themselves any permissions they do not have by default to manage all of the objects on the computer. (Objects include the file system, printers, and account management.) By default, the Administrator user account and the Domain Admins and Enterprise Admins groups are members of the Administrators group. Because of the permissions associated with this group, you should add users to this group with caution. This should work, but it would be granting the database administrators too many permissions.
B: This option would also give them too many permissions.
D: This is the correct group to make them members of, but it should be done on all the database servers.
E: The Server Operators group members can administer domain servers. Administration tasks include creating, managing, and deleting shared resources, starting and stopping services, formatting hard disks, backing up and restoring the file system, and shutting down domain controllers. The Server Operators group would be the wrong choice to add the database administrators to.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 168-173

D: Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in (6 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
You create an organizational unit (OU) named Engineering, which will hold all objects associated with the users and computers in the engineering department. You also create a global group named Engineering Admins, whose members will administer these objects.
Now you need to assign the appropriate permissions to the Engineering Admins group so its members can administer the objects in the Engineering OU.
First, you use Active Directory Users and Computers to view the properties of the Engineering OU. However, the Security tab is not available.
What should you do next?

A. Convert the system partition to NTFS.
B. Enable the Advanced Features option in the View menu of Active Directory Users and Computers.
C. Enable the Users, Groups, and Computers as Containers option in the View menu of Active Directory Users and Computers.
D. Log on by using a user account that has Administrator permissions for the Engineering OU.

Answer: B

Explanation: The Security tab is available for modification in the Advanced Features option of the View menu. If you select that entry and click View/Edit, you will see the specific permissions assigned to. By default we cannot see the Security tab. Therefore we must enable the Advanced Features option in the View menu of Active Directory Users and Computers.
Incorrect answers:
A: Converting the system partition to NTFS does not facilitate the viewing of the Security tab, as this tab is available in the View menu of Active Directory Users and Computers, and converting any system partition will not make it available as it has to be enabled in that View menu.
C: A container is an object in a directory that contains other objects. By enabling the Users, Groups, and Computers as Containers option, you grant yourself the ability to organize the objects. However, you still have to enable the Advanced Features option to get the Security tab available.
D: Administrator permissions - Members of the administration group have complete and unrestricted access to the domain and to servers and other resources within the domain. Administrators have the power to grant themselves any rights or permissions that they do not already have. Because the security context for members of the Administrators group is so high, the server and the network are vulnerable to attacks from Internet-related sources and email-related virus-infected attachments if accounts in the Administrators group are compromised. For these reasons, members of the Administrators group should log on using an administrative account only when necessary. The Runas command enables administrators to log on to the machine with their ordinary user accounts yet launch support tools under an administrative security context. However, to make the Security tab available, they still have to enable the Advanced Features option.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 166
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. The domain names are testking.com, europe.testking.com, and asia.testking.com. Each domain contains 500 user accounts.
TestKing.com is in the process of acquiring several other companies whose networks will be added to the testking.com Windows Server 2003 domain. These acquisitions will entail the addition of several new offices, which will be connected to TestKing's network by means of dedicated 56-Kbps WAN connections.
You create a new shared folder named NewProjects on a file server in testking.com. Several users in each existing domain need access to the NewProjects folder. These users are not in the same group in any domain. All users who need access to the NewProjects folder must be able to add, delete, and modify files and folders in the NewProjects folder. Users in the acquired companies also will require access to this folder.
You need to create the required Active Directory groups and configure the required permissions for the NewProjects folder. Your solution must minimize ongoing administrative effort as you add new companies to the network. You must also minimize unnecessary traffic across the WAN connections.
What should you do?

A. Create a single universal security group. Add all users that require access to the folder to the group. Create a domain local group in the testking.com domain. Add the universal group to the domain local group. Assign permissions to the shared folder by using the domain local group.
B. Create a global security group in each domain. Add all users that require access to the folder to the global group in their domain. Create a domain local group in the testking.com domain. Add the global groups to the domain local group. Assign permissions to the shared folder by using the domain local group.
C. Create a universal security group in each domain. Add all users that require access to the folder to the group in their domain. Assign permissions to the shared folder by using the universal groups.
D. Create a global security group in each domain. Add all users that require access to the folder to the group in their domain. Assign permissions to the shared folder by using the global groups.

Answer: B

Explanation: Applying security permissions to groups of users instead of to individual users greatly eases the administrative burden of managing control over data and other resources. You can change the type of a group from security to distribution or from distribution to security at any time, provided that the domain is set at the Windows 2000 native or the Windows Server 2003 domain functional level.
Domain local group scope - a group assigned as domain local can only specify permissions on resources within a single domain.
Global group scope - a global group can contain users, groups, and computers from its own domain as members. Global groups are available under any domain functional level.
Following this, it would make sense to create a global security group in each domain and add all users that need access to the global group in their domain. Create a domain local group and add the global groups to this domain local group, after which you can assign permissions to the shared folder.

Incorrect answers:
A: Creating a universal security group will result in too much overhead in terms of bandwidth usage. The question pertinently states that you should minimize traffic over the WAN connections.
C: A universal group can contain users, groups, and computers from any domain in its forest. The membership list of universal groups is maintained by global catalog (GC) servers, unlike global groups and domain local groups. Certain DCs must be assigned as GCs so that applications and computers can locate resources within the Active Directory database. When a member is added to or removed from a universal group, global catalog servers must track the change, and each change must be replicated to all the global catalog servers in the forest. This results in increased overhead and network replication traffic for universal groups and thus will not serve the purpose.
D: Assigning permissions to the shared folder by using the global groups will not work in this scenario. You need to assign permissions to the shared folder by making use of the domain local group.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows 2000 native.
A global group named Travelling contains 7,000 users. All of these users are assigned portable computers, which they will use to run a new POSIX-compliant application.
You create a global group named POSIX. For all 7,000 users in Travelling, you change the primary group to POSIX.
Members of Travelling now report that they cannot access necessary domain resources.
How should you solve this problem?

A. Ensure that each site on your network is connected to at least one other site by a replication link that uses the SMTP protocol.
B. Create two new global groups, Travelling1 and Travelling2. Place one half of the members of Travelling in each new group. Then place both new groups in Travelling.
C. Remove all domain users from the Users group, and then add all domain users to the group again.
D. Remove all users from Travelling. Change Travelling to a universal group. Add the same users to the new Travelling group.

Answer: B

Explanation: Per Microsoft: Updates to the Active Directory store must be made in a single transaction. One consequence of this is that you should not create groups with more than 5,000 members. Because group memberships are stored in a single multi-valued attribute, a change to the membership requires that the whole attribute - that is, the whole membership list - be updated in a single transaction. Microsoft has tested and supports group memberships of up to 5,000 members.
Global groups are used primarily to provide categorized membership in domain local groups for individual security principals or for direct permission assignment (particularly in the case of a mixed or interim domain functional level domain). Often, global groups are used to collect users or computers in the same domain that share the same job, role, or function.
Global groups:
1. Exist in all mixed, interim, and native functional level domains and forests
2. Can only include members from within their domain
3. Can be made a member of a machine local or domain local group
4. Can be granted permission in any domain (including trusted domains in other forests and pre-Windows 2003 domains)
5. Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional level only)
A global group is a group that can be used in its own domain and in trusting domains. However, it can contain user accounts and other global groups only from its own domain. A domain local group can contain users and global groups from any domain in the forest, universal groups, and other domain local groups in its own domain. A local group is used on ACLs only in its own domain. Global group (scope) is a group that is available domain-wide in any domain functional level.

Incorrect answers:
A: Replication on network computers enables the contents of a directory, designated as an export directory, to be copied to other directories, called import directories. Active Directory changes are replicated to all domain controllers on a regular schedule. Thus the contents of a directory do not mean access to domain resources.
C: Removing all domain users from the group and then re-adding them to the group will not help, as the Microsoft recommended amount of members per group will still be exceeded.
D: Converting Travelling to a new universal group gets rid of the existing Travelling group in the process, but universal groups are used primarily to grant access to resources in all trusted domains, and universal groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Thus this option is not viable.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 4: 5-21, 770

QUESTION NO: 4
You are the network administrator for TestKing Oil. The network consists of three Active Directory domains in a single forest. All domain controllers run Windows Server 2003.
TestKing Oil enters into a business partnership with Oil Importers. The Oil Importers network consists of four Active Directory domains in a single forest.
To enable the two companies to share resources, a two-way forest trust relationship with selective authentication is created.
Now you need to ensure that the research data of TestKing Oil will remain inaccessible to all users in Oil Importers.
First, you create a local group named No Oil. Then, you assign the Deny - Full Control permission to No Oil.
What should you do next?

A. Add the Domain Guests group from each of the four domains of Oil Importers to No Oil.
B. Add the Other Organization group to No Oil.
C. Add the Users group from each of the four domains of Oil Importers to No Oil.
D. Add the Proxy group to No Oil.

Answer: C

Explanation: Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions.
If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions).
If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set a control access right Allowed to authenticate on an object for that particular user or group from the second forest. Therefore we need to add the Users group from each of the four domains of Oil Importers to No Oil. With the Deny - Full Control permission assigned to the No Oil local group, and by adding the users of all the four domains to No Oil, you will ensure the integrity of the research data by keeping it inaccessible.

Incorrect answers:
A: For the data to remain inaccessible to all users you need to add all the users from all the groups to the No Oil local group. If you add the Domain Guests group from each of the four domains of Oil Importers to the No Oil local group then you are not including all the users.
B: Adding the Other Organization group to No Oil will not have the desired effect.
D: Adding only the Proxy group to No Oil will not work, as proxy servers only provide security by shielding the IP addresses of internal clients from the Internet.

Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 829
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 769

QUESTION NO: 5
You are the network administrator for the TestKing.com Active Directory domain. The domain includes Windows Server 2003 domain controllers and Windows XP Professional client computers.
A new administrator named Sandra is hired to assist you in deploying Windows XP Professional to 100 new computers. Sandra installs the operating system on a new computer named TestKing11. However, when Sandra tries to log on to the domain from TestKing11, she is unsuccessful. The logon box does not allow her to view and select the domain name.
You need to ensure that Sandra can log on to the domain from TestKing11.
What should you do?

A. Enable the computer account for TestKing11.
B. Configure TestKing11 as a member of the domain.
C. Add Sandra's user account to the Enterprise Admins group.
D. Add Sandra's user account to the Server Operators group.
Answer: B

QUESTION NO: 6
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. The network consists of 10 offices located across Europe.
The OU structure consists of one top-level OU for each branch office. Each top-level OU contains eight or more child OUs, one for each department. User accounts are located in the appropriate departmental OU within the appropriate office OU.
For security purposes, you routinely disable user accounts for terminated employees. As part of an internal audit, you need to create a list of all disabled user accounts.
You need to generate the list of disabled user accounts as quickly as possible.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. In Active Directory Users and Computers, create a new saved query.
B. Run the dsget user command.
C. Run the dsquery user command.
D. Run the netsh command.

Answer: A, C

E: Create and modify groups by using automation (4 Questions)

QUESTION NO: 1
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Some client computers run Windows NT 4.0 Workstation, others run Windows 2000 Professional, and the rest run Windows XP Professional.
You need to create a new global group by modifying an existing script written in Microsoft Visual Basic, Scripting Edition (VBScript). Client computers will access the new global group by using the name Accounting.
How should you modify the script? (Drag suitable lines of code to the corrections to the work area. Use only code that applies.)

Answer:

Explanation: Since all client computers will access the new global group by making use of the name Accounting, the group setting should be set accordingly. Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.
A global group can contain users, groups, and computers from its own domain as members. Global groups are available under any domain functional level.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 320
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of two Active Directory domains in a single forest. The functional level of each domain is Windows 2000 mixed.
Your engineering department has 3,000 users. The engineering users are members of various global groups.
TestKing plans to open a new office where engineering users will test products. Engineering users will need to dial in to the company network when they work at the new office.
You need to ensure that all new user accounts in the engineering department will have the appropriate group memberships. These accounts must be allowed to connect to the network by using remote access permissions. You must achieve your goal by using the minimum amount of administrative effort.
First, you create a template account for engineering users.
Which two additional actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Modify the schema for the office and street attributes by selecting the Index this attribute in the Active Directory check box.
B. Modify the schema for the group attribute by selecting the Index this attribute in the Active Directory check box.
C. Manually add the Allow Access remote access permission to each new user account that you create.
D. Manually add the group membership information to each new user account that you create.
E. Add the group membership information to the template account.
F. Add the Allow Access remote access permission to the template account.

Answer: C, E

Explanation: You can add the template account to the appropriate groups. When you copy the template account, the copy will have the same group membership as the template account. This does not apply, however, to remote access permission. When you copy the template account, the copy will have the default remote access permission. Therefore, we need to manually assign the appropriate remote access permission to the new user accounts.

Incorrect Answers:
A: Modifying the schema would be obsolete as it would result in additional administrative efforts.
B: If you want to avoid adding to the administrative efforts that have to be done, then you do not have to modify the schema.
D: When you copy the template account, the copy will have the same group membership as the template account.
F: The copy will have the default remote access permission when one copies the template account. Therefore, we need to manually assign the appropriate remote access permission to the new user accounts.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 283

QUESTION NO: 3
You are the network administrator for TestKing.com. All user accounts and groups in the domain are in the container named Users. Company naming conventions require that names of global groups begin with G_ and names of domain local groups begin with DL_.
A domain local group named HRServices does not meet the requirements. The HRServices group has one global group member named G_HRUsers. The HRServices group is assigned the Allow - Full Control permission for a shared folder named HRFiles. The shared folder is located on a file server.
You need to rename the HRServices group to meet the naming convention requirements. In addition, you need to ensure that user access to the HRFiles shared folder is not disrupted while you perform the procedure.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Open Active Directory Users and Computers, and then delete the existing HRServices domain local group. Create a new domain local group named DL_HRServices. Add the G_HRUsers group to the DL_HRServices group. Assign the DL_HRServices group the Allow - Full Control permission for the HRFiles shared folder.
B. Open Active Directory Users and Computers, and then change the name of the HRServices group to DL_HRServices.
C. Run the following command: dsadd group CN=DL_HRServices,CN=Users,DC=testking.com,DC=com - member CN=G_HRUsers,CN=Users,DC=testking,DC=com
D. Run the following command: dsmove CN=HRServices,CN=Users,DC=testking,DC=com -newname DL_HRServices

Answer: B, D

Explanation: The Dsmove command-line utility is used to rename or move a single object within the Active Directory. When you use the Dsmove command-line utility, you specify the object's distinguished name, then the new name of the object (if you are changing the object's name) and the new location of the object.
Active Directory Users and Computers, on Windows Server 2003 domain controllers, is the main tool used for managing the Active Directory users, groups, and computers. To set up and manage domain user accounts, you use the Active Directory Users And Computers utility. You need to change the name of the HRServices group to DL_HRServices.
And then run the appropriate dsmove command.

Incorrect answers:
A: You only need to change the name and not assign the DL_HRServices group Full Control permission.
C: You can automate the process of creating users, groups, and computers through the Dsadd command-line utility. However, in this case you should rather run the dsmove command with the appropriate parameters.

Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 227

QUESTION NO: 4
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows 2000. The NetBIOS names of the domains are TestKing1, TestKing2, and TestKing3. The functional level of all three domains is Windows 2000 mixed.
You manage resources in TestKing1. A new file server is added to TestKing1. Users in all three domains need access to resources on the file server.
You need to create a group that will be used to grant access to the file server in TestKing1.
Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)

A. Create a security group.
B. Create a distribution group.
C. Configure the group to be a global group.
D. Configure the group to be a universal group.
E. Configure the group to be a domain local group.

Answer: A, E

Explanation: The group type security group is a logical group of users who need to access specific resources. Security groups are listed in Discretionary Access Control Lists (DACLs) to assign permissions to resources. A domain local group is a type of group used to assign permissions to resources. It can contain user accounts, universal groups, and global groups from any domain in the tree or forest. It can also contain other domain local groups from its own local domain.

These two options should allow you to create a group that will be used to grant access to the file server in TestKing1 under the given circumstances.

Incorrect answers:
B: A distribution group type is a logical group of users who have common characteristics. Applications and e-mail programs (for example, Microsoft Exchange) can use distribution groups. Distribution groups can't be listed in DACLs and therefore have no permissions. This is not what is required.
C: Global groups are used to organize users who have similar network access requirements. A global group is simply a container of users. This will not do in these circumstances.
D: Universal groups are used to logically organize global groups and appear in the Global Catalog (a search engine that contains limited information about every object in the Active Directory). Universal groups can contain users (not recommended) from anywhere in the domain tree or forest, other universal groups, and global groups. But this is not what is required.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 167-170

Part 4: Create and manage user accounts.

A: Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in. (14 Questions)

QUESTION NO: 1
HOTSPOT
Exhibit, HOTSPOT
You are the network administrator for TestKing.com. The network contains a third-party application that runs as a service. The application service is secured with a domain-level service account. The properties of the service account are displayed in the exhibit.
Users report that the application is no longer available. The application service is stopped. An administrator reports that the password of the service account had expired and was changed.
You reset the password on the service to match the new password of the service account. You unsuccessfully attempt to restart the service.
You need to ensure that the service will start. You need to prevent this problem from happening again while retaining administrative control over the service account password.
What should you do?

Answer:

Explanation: Enable Password never expires
Since the question states that the password of the service account had expired and was changed, you need to enable the Password never expires option, especially given that you have already reset the password to match the new password of the service account and are still unable to restart the service. This option will enable you to start the service and also prevent this situation from occurring again, whilst it will allow you to retain administrative control over the password.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 7:12-13
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. You use a non-administrative user account named Joseph to log on to a client computer. You need to change the password for a domain user account named Sophia. You open the Active Directory Users and Computers console. When you attempt to change Sophia's password, you receive the following error message: "Access is denied". You need to remain logged on to the client computer as Joseph, and you need to be able to change Sophia's password. What should you do?
A. Add the non-administrative domain user account to the local Administrators group.
B. Use the runas command to run Active Directory Users and Computers with domain administrative credentials.
C. From a command prompt, run the net user Sophia /add /passwordreq:yes command.
D. From a command prompt, run the net accounts /uniquepw: /domain command.
Answer: B
Explanation: The runas command can be used to perform administrative tasks. Run as, also called secondary logon, is a useful tool that allows a user to run a specified program with permissions that are different from those belonging to the account with which the user is currently logged on. You can use this command to run executable files and Control Panel items, among other tasks. It allows you to run a specified program with permissions that are different from those associated with the account (user account named Joseph) with which you are currently logged on. Therefore, you can use the runas command to run Active Directory Users and Computers with domain administrative credentials to change Sophia's password.
Incorrect Answers:
A: Adding a non-administrative account to the local administrators group will allow you to complete this task. But the question states that you need to remain logged on to the client computer as Joseph. This results in you needing a secondary logon rather than being added to the local administrators group.
C: This command allows you to add or modify user accounts or display user account info. And as this command is used in this scenario, it also specifies that the user must have a password.
This will not allow you to change Sophia's password because you need to either have administrator status or use the run as command, especially since the question states that you need to remain logged on to the client computer as Joseph, who is a non-administrative account.
D: This specific command updates the user accounts database and modifies password and logon requirements for all accounts. Furthermore, it requires the user not to use the same password for the number of password changes, and it performs the operation on the primary domain controller of the current domain, else the modification will be performed on the local computer. However, this assumes that you are working from an administrator's account rather than a non-administrative user account named Joseph.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Chapter 1, p. 36

QUESTION NO: 3
You are the network administrator for TestKing. Your network consists of three Active Directory domains in a single forest. You do not have administrative rights to the forest. All domain controllers run Windows Server 2003. Universal group membership caching is enabled. TestKing has a main office in Madras and five branch offices located worldwide. Each office is configured as an Active Directory site, as shown in the exhibit. Each office contains three domain controllers, one for each domain. A new employee named Dr. King is hired in the Berlin office. You create a new user account for Dr. King from a domain controller in Berlin. However, Dr. King reports that he cannot log on to his domain. Other users from Berlin report no difficulties. You need to ensure that Dr. King can log on successfully. What should you do?
A. Delete the user account in Berlin. Recreate the user account in Madras.
B. Force directory replication between all domain controllers in Berlin.
C. Restore network connectivity between the domain controllers in Berlin and Madras.
D. Instruct Dr. King to use his user principal name when he logs on for the first time.
Answer: C
Explanation: When a new user logs on to a native mode domain, the authenticating domain controller needs to be able to contact a Global Catalog server to obtain universal group information. The Global Catalog servers are in the Madras office, so a lack of network connectivity between Berlin and Madras would prevent the new user from being able to log on. The reason no one else has a problem logging on is that Universal Group caching is enabled. However, the information in the cache on the Berlin domain controller is out of date in the sense that it doesn't contain information about the new user.
Incorrect Answers:
A: The account does not need to be created in Madras. It can be created on any domain controller in the domain.
B: The domain controllers in Berlin are in separate domains. They do not need to replicate to each other.
D: You don't have to log on using your UPN name. The question states that the user couldn't log on to "his" domain. This implies that he either attempted to log on using his UPN or he entered his downlevel username and selected the correct domain in the drop down box.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 426

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. A new management directive states that users can log on to the domain only during business hours. Users who remain logged on after business hours must be automatically disconnected from network resources. You need to enforce this directive by using the minimum amount of administrative effort. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure the Default Domain Policy Group Policy object (GPO) to increase scheduling priority for all users.
B. Configure the Default Domain Policy Group Policy object (GPO) to force users to log off when their logon hours expire.
C. Select all user accounts. Modify the account properties to restrict logon hours to business hours.
D. Create a domain user account named Temp. Configure the account properties to restrict logon hours to business hours.
E. Modify the DACL on the Default Domain Policy Group Policy object (GPO) to assign the Allow - Read permission to the Users group.
Answer: B, C
Explanation: When you restrict logon hours, you might also want to force users to log off after a certain point. If you apply this policy, users cannot log on to a new computer, but they can stay logged on even during restricted logon hours. To force users to log off when logon hours expire for their account, apply the Network security: Force logoff when logon hours expire policy. You can assign logon hours as a means to ensure that employees are using computers only during specified hours. This setting applies both to interactive logon, in which a user unlocks a computer and has access to the local computer, and network logon, in which a user obtains credentials that allow him or her to access resources on the network.
Incorrect answers:
A: Increasing the scheduling priority will not affect logon hours.
D: Restricting logon hours to business hours by configuring the account properties will work, but this option does not mention measures to cut down on administrative effort.
E: A DACL is a list of ACEs that lets administrators set permissions for users and groups at the object and attribute levels. This list represents part of an object's security descriptor that allows or denies permissions to specific users and groups. Modifying the DACL by assigning the Allow - Read permission will not work as you first need to force all users to log off when their logon hours expire.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 582
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 58, 442.

QUESTION NO: 5
You are responsible for administering the Production OU. You are assigned the Allow - Full Control permission for the OU. All computer objects in the Production OU are administered by another administrator named Tom. The Production OU contains the computer account for a Windows Server 2003 computer named Testking1. Tom submits a list of configuration settings that he wants to apply to Testking1 by means of a Group Policy object (GPO). A GPO that contains Tom's required settings is created in another OU by the domain administrator. You only want to allow Tom to link existing GPOs to the Production OU. He must not have any more rights than he needs to perform the required tasks. What should you do?
A. Add Tom's user account to the Group Policy Creator Owners group in the domain.
B. Run the Delegation of Control Wizard and assign Tom's user account the Allow - Manage group policy links permission for the Production OU.
C. Run the Delegation of Control wizard and assign Tom's user account the Allow - Change permission for the Production OU.
D. Run the Delegation of Control wizard and assign Tom's user account the Allow - Apply group policy permission for all GPOs that are linked to the Production OU.
Answer: B
Explanation: You can delegate permissions to manage Group Policies of the Production OU. This is done through delegation of control. Right-click the designated container in Active Directory Users and Computers. Select Delegate Control. Once the Delegate Control Wizard runs, select the user (Tom) who should be granted control in the container. Then, add Manage Group Policy Links from the Permissions list, and complete the Delegate Control Wizard. Tom will only be able to create GPO links in containers where he has been allowed the particular permission, thus restricting him to only what he needs to be able to do his job.
Incorrect Answers:
A: This type of group permissions should be applied at the root of the volume. The Creator Owner group e.g. is a special group that determines the access that a user has to files and folders he or she has created. By default, the Full Control special permissions assigned to this group automatically apply to every folder created on the volume. Thus the default permissions of being Creator Owner would grant Tom more permissions than is necessary.
C, D: Active Directory enables you to efficiently manage objects by delegating administrative control of the objects. You can use the Delegation of Control Wizard and customized consoles in Microsoft Management Console (MMC) to grant specific users the permissions to perform various administrative and management tasks. You use the Delegation of Control Wizard to select the user or group to which you want to delegate control. You also use the wizard to grant users permissions to control organizational units and objects and to access and modify objects. However, these options, whether Allow - Change or Allow - Apply group policy permission, will grant Tom more than the necessary permissions to perform his tasks.
Reference: Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Chapter 10 p. 601

QUESTION NO: 6
You are the network administrator for TestKing. The network consists of two Active Directory domains: testking.com and Domain 2. All client computers run Windows XP Professional. The relevant portion of your network configuration is shown in the exhibit. A support technician named Tess needs to create user accounts in both domains. You delegate the appropriate permissions to her. Then you run Adminpak.msi from the Windows Server 2003 CD-ROM on Tess's computer. Later, Tess reports that she cannot connect to TestKingSrvA or TestKingSrvB by using her administrative tools. However, she can access all other resources in both domains. How should you solve this problem?
A. On Tess's computer use Registry Editor to disable signing and encryption of LDAP traffic.
B. On TestKingSrvA and TestKingSrvB, use Registry Editor to change the LDAP port value to 380.
C. On TestKingSrvA and TestKingSrvB, run Adminpak.msi from the Windows Server 2003 CD-ROM.
D. On Tess's computer, change the domain membership from Domain 2 to Testking.com.
Answer: A
Explanation: To use the Windows Server 2003 Active Directory administrative tools to manage Windows 2000-based domain controllers with Windows 2000 Service Pack 2 (SP2) or earlier installed when NTLM authentication is negotiated, you can configure the administrative tools to communicate by using non-secured LDAP traffic. To turn off the signature and encryption of LDAP traffic for the Windows Server 2003 Active Directory tools, set the ADsOpenObjectFlags value to 0x03.
Incorrect Answers:
B: It is not necessary to change the LDAP port value.
C: You cannot install the Windows 2003 adminpak.msi on a Windows 2000 computer.
D: It is not necessary to change the domain membership of the computer.
Reference:

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. All user accounts in the Sales department are located in the Sales organizational unit (OU). You suspect that one or more user accounts in the OU have compromised passwords. You need to force all users in the Sales department to reset their passwords. What should you do?
A. Select all user accounts in the Sales OU. Disable the accounts and re-enable them.
B. Select all user accounts in the Sales OU. Modify the account properties to force all passwords to be changed on next logon.
C. Create a Group Policy object (GPO) and link it to the Sales OU. Modify the password policy to set the maximum password age to 0.
D. Create a Group Policy object (GPO) and link it to the domain. Modify the password policy to set the maximum password age to 0.
Answer: B
Explanation: To force all the users in the Sales OU to reset their passwords, we must select all user accounts in the Sales OU and modify the account properties to force all passwords to be changed on next logon. User rights can be assigned in a domain environment by editing a GPO assigned to the domain. To access the default domain policy and set user rights on its GPO, open the Active Directory Users and Computers console from the Administrative Tools menu, right-click the domain name in the left console pane, and select Properties. Click the Group Policy tab, select the GPO, and then click Edit. This opens the Group Policy Object Editor. Under Computer Configuration in the left pane, expand Windows Settings, expand Security Settings, expand Local Policies, and select User Rights Assignment.
Incorrect answers:
A: Disabled accounts have as a consequence the inability to log on with the account. It does not alter or modify password settings.
C: Maximum password age determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. Linking the GPO to the OU will not compel users to reset their passwords.
D: Linking a GPO where the maximum password age is set to 0 to the domain will not force users to reset their passwords.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 297, 442.

QUESTION NO: 8
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows 2000. Your sales department employs 100 users. All user accounts for sales employees are located in an OU named Sales. To reduce the size of the sales department, the company terminates 10 sales users. You need to disable these 10 user accounts by using the minimum amount of administrative effort. You use Active Directory Users and Computers in an attempt to disable all 10 user accounts simultaneously. You see the dialog box in the exhibit. What should you do?
A. Disable each of the 10 affected user accounts, one by one.
B. Log on by using an account that has administrative access to the domain. Disable all user accounts in the Sales OU simultaneously.
C. Select all user accounts in the Sales OU. Disable all user accounts simultaneously.
D. Select only the 10 affected user accounts in the Sales OU. Disable all 10 user accounts simultaneously.
Answer: D
Explanation: Active Directory Users and Computers is used to manage Active Directory objects such as users, groups, and machines within the domain. To make space available and thus reduce the size of the Sales OU in an efficient manner with the least amount of administrative effort, you can make use of Active Directory Users and Computers to disable several user accounts simultaneously.
Incorrect answers:
A: Disabling each of the 10 affected user accounts one by one can be made more efficient. Though this option will work, it is not the answer as it results in too much administrative effort and does not disable the accounts simultaneously.
B, C: Disabling all the user accounts will not be advisable in this scenario as you will then have to re-enable all the user accounts other than the 10 affected user accounts afterward. Also option B has even more administrative effort attached to it than is already mentioned for option C and B together.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 259-267, 337

QUESTION NO: 9
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. A user named King will leave TestKing in one week. A replacement will be hired in one month. The replacement will need the same access to network resources that King currently has. The replacement will also need ownership of all files that currently reside in King's home folder. You need to minimize the administrative effort that will be required when the replacement is hired. You also need to ensure that no one can use King's user account to log on to the domain until the replacement is hired. What should you do?
A. Move King's user account to the LostAndFound organizational unit (OU).
B. Disable King's user account.
C. Configure King's user account to require a change in password at next logon.
D. Delete King's user account.
Answer: B
Explanation: The quickest way is to disable King's user account. When the replacement starts, we can enable and rename the account. To ensure no unauthorized use of King's account, it should only be disabled, because the question also poses the scenario of wanting to use the King user account, with all its work, documents, etc., for the new replacement. Disabling the account will not destroy the information and the documents residing in that account. It will leave the option there for the administrators to use it for the new replacement.
Incorrect answers:
A: Placing files in whatever OU will not render it safe from other users who might still be able to access it.
C: A change in password at the next logon configuration will not preclude tampering with the account till the replacement arrives.

D: Deleting King's user account would be folly as his replacement will need that account and the data that it holds. Deleting the account will destroy the information and the documents residing in that account.
References: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 173-178

QUESTION NO: 10
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All domain controllers run Windows Server 2003. Users who enter an invalid password more than twice in one day must be locked out. You need to configure domain account policy settings to enforce this rule. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Set the minimum password age to one day.
B. Set the maximum password age to one day.
C. Change the Enforce password history setting to three passwords remembered.
D. Change the Account lockout duration setting to 1440 minutes.
E. Change the Account lockout threshold setting to three invalid logon attempts.
F. Change the Reset account lockout counter after setting to 1440 minutes.
Answer: E, F
Explanation: An Account lockout policy disables a user account if an incorrect password is entered a specified number of times over a specified period. These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on your network. Account lockout threshold is a security setting that determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Reset account lockout counter after is a security setting that determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Thus when you set Account lockout threshold to 3, by default Windows Server 2003 will put a value of 30 minutes for Reset account lockout and Account lockout duration, but if you change the Reset account lockout default value to 1440, Windows Server 2003 will change the value for Account lockout duration for you to match Reset account lockout.
Incorrect answers:
A: Setting the minimum password age to one day will not work as it is a case of entering a wrong invalid password, whether it is once, twice, or even many times, in a single day that has to be prevented.
B: Setting the maximum password age to one day is irrelevant as this scenario calls for preventing the entering of invalid passwords more than twice in a single day.
C: Changing the enforce password history setting to three passwords remembered will result in Active Directory maintaining a list of recently used passwords, and it will not allow a user to create a password that matches a password in that history. The result is that a user, when prompted to change his or her password, cannot use the same password again, and therefore cannot circumvent the password lifetime. The policy is enabled by default, with the maximum value of 24. Making this setting three passwords remembered will result in users being allowed to enter invalid passwords more than twice.
D: This policy defines how long locked-out accounts remain locked out. The default setting is none (or undefined) because you must enable the Account Lockout Threshold policy for this policy to be in effect. The available range is from 0 minutes through 99,999 minutes. This does not include a setting for a quantity of invalid password entering.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 282, 317-318
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 4

QUESTION NO: 11
DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. You add a Windows Server 2003 computer to the domain. This server is used to store critical business applications and confidential data. You create several local accounts on the server to manage the applications. Some users report that they are having difficulty accessing an application that is stored on the server. The application uses local accounts. You need to enable auditing to track all attempts to access the server through a local account in order to gather more information. You must not track more data than is necessary. What should you do? To answer, drag the appropriate setting or settings to the correct policy or policies in the work area.
Answer:
Explanation:
Success Audit - Indicates the occurrence of an event that has been audited for success. For example, a Success Audit event is a successful logon when system logons are being audited.
Failure Audit - Indicates the occurrence of an event that has been audited for failure. For example, a Failure Audit event is a failed logon due to an invalid username and/or password when system logons are being audited.
These would be the only necessary information in this case.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 490

QUESTION NO: 12
DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. TestKing.com purchases a new server to test applications in a stand-alone environment. TestKing.com's written security policy includes the following requirements:
1. User passwords on stand-alone computers must be changed every 45 days.
2. Users can change their passwords immediately after they change their passwords once.
3. Users must not be able to use the same password again until at least 10 different passwords are used.
You need to configure the password settings so that the new server conforms to the written security policy. What should you do?
Answer:
Explanation: Minimum Password Age defines the minimum number of days a user must keep a password before they can change the password. Maximum Password Age defines how many days a user can keep the same password before having to create a new password. Enforce Password History specifies how many passwords are remembered and is used to prevent users from re-using the same password when they configure new passwords. Setting the minimum password age to 0, setting the maximum password age to 45 and setting the enforce password history to 10 will comply with the written requirements.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 141-142

QUESTION NO: 13
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional and are members of the domain. The domain has security settings that are applied through the Default Domain Policy GPO. The current password policy is shown in the Policy Exhibit. A new user named Tess King logs on to the domain for the first time and is prompted to reset her password. Tess successfully sets a new password. Later the same day, she attempts to change her password. You view the properties of her account in Active Directory Users and Computers. The properties for Tess King's account are shown in the Account Properties exhibit. You need to ensure that Tess can change her password. What should you do?
A. In the properties of Tess King's user account, select the Store password using reversible encryption check box.
B. In the properties of Tess King's user account, on the Account tab, select the User must change password at next logon check box.
C. In the properties of Tess King's user account, on the Account tab, select the Password never expires check box.
D. In the properties of Tess King's user account, on the Account tab, configure the account to expire today.
Answer: B
Explanation: User Must Change Password At Next Logon - If selected, forces the user to change the password the first time they log on. This is done to increase security and moves password responsibility to the user and away from the administrator. And in this case it will ensure that Tess can change her password.
Incorrect answers:
A: This will not ensure that Tess will be able to change her password.
C: Password Never Expires - if selected specifies that the password will never expire, even if a password policy has been specified. For example, you might select this option if this is a service account and you do not want the administrative overhead of managing and changing passwords. This is not what is required.
D: This will not ensure that Tess will be able to change her password.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 145

QUESTION NO: 14
You are the network administrator for TestKing.com. The network consists of two Active Directory domains. All client computers run Windows XP Professional. The relevant portion of your network configuration is shown in the exhibit. A support technician named Sandra needs to create user accounts in both domains. You delegate the appropriate permissions to her. Then you run Adminpak.msi from the Windows Server 2003 CD-ROM on Sandra's computer. Later, Sandra reports that she cannot connect to DC1 or DC2 by using her administrative tools. However, she can access all other resources in both domains. How should you solve this problem?
A. On Sandra's computer, use Registry Editor to disable signing and encryption of LDAP traffic.
B. On DC1 and DC2, use Registry Editor to change the LDAP port value to 380.
C. On DC1 and DC2, run Adminpak.msi from the Windows Server 2003 CD-ROM.
D. On Sandra's computer, change the domain membership from Domain 2 to Domain 1.

Answer: A

Explanation: Because Active Directory is based on the Lightweight Directory Access Protocol (LDAP), you can reference each object within Active Directory using different types of LDAP naming conventions. Distinguished names (DNs) and relative distinguished names (RDNs) are two of the naming conventions that Active Directory uses for its objects. DNs and RDNs use specific naming components to define the location of the objects that they are identifying. There is a need to import and export data into and out of Active Directory and other Lightweight Directory Access Protocol (LDAP) directory services. In the above scenario Sandra is unable to connect to DC1 or DC2, and to solve her problem you need to use the Registry Editor on her computer to disable signing and encryption of LDAP traffic, since she can access all other resources in both the domains.

Incorrect answers:
B: The problem that is being described stems from Sandra's computer and not the domain controllers, thus changing the LDAP port value on the domain controllers will not address her inability to connect by means of her administrative tools.
C: The problem is with Sandra's computer and not the domain controllers.
D: You do not need to change domain membership on Sandra's computer.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 315
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server

B: Create and modify user accounts by using automation. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network originally consists of a single Windows NT 4.0 domain. You upgrade the domain to a single Active Directory domain. All network servers now run Windows Server 2003, and all client computers run Windows XP Professional. Your staff provides technical support to the network. They frequently establish Remote Desktop connections with a domain controller named DC1. You hire 25 new support specialists for your staff. You use Csvde.exe to create Active Directory user accounts for all 25. A new support specialist named King reports that he cannot establish a Remote Desktop connection with DC1. He receives the message shown in the Logon Message exhibit. You open Gpedit.msc on DC1. You see the display shown in the Security Policy exhibit. You need to ensure that King can establish Remote Desktop connections with DC1. What should you do?
A. Direct King to establish a VPN connection with DC1 before he starts Remote Desktop Connection.
B. Direct King to set a password for his user account before he starts Remote Desktop Connection.
C. In the local security policy of DC1, disable the Require strong (Windows 2000 or later) session key setting.
D. In the local security policy of DC1, enable the Disable machine account password changes setting.
Answer: B

Explanation: The exhibit shows us that logons by accounts with blank passwords are limited to console logons only (this is also the default setting). The error message indicates that this is the reason that King is unable to connect with a Remote Desktop connection. We can solve this problem by instructing King to set a password for his user account before he starts a Remote Desktop Connection.

Incorrect Answers:
A: It is not necessary to create a VPN connection before starting a Remote Desktop Connection.
C: This will not help. The client computer is running Windows XP Professional, which can use a strong session key.
D: This is unrelated to Remote Desktop connections.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 545-546

QUESTION NO: 2 DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. You use a script written in Microsoft Visual Basic, Scripting Edition (VBScript) to create new user accounts. You need to modify the script and enable all new user accounts created from the script. What should you do? To answer, drag the appropriate line or lines of code to the correct location or locations in the work area.

Answer:

Explanation: The key here is that we need to enable all new user accounts. This script creates two different sets of user accounts, one to create the Empadminuser and one counter to create salesuser from 1 to 5. We need to enable all new accounts, and this determines what we had to drag and drop:
oUser.AccountDisabled = False, to enable user Empadminuser, goes to the oUser set info part.
oLeaf.AccountDisabled = False, to enable users SalesUser1, SalesUser2, SalesUser3, SalesUser4, SalesUser5, goes to the oLeaf set info part.

Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 692

QUESTION NO: 3
Exhibit:
You are the network administrator for TestKing. All network servers run Windows Server 2003. A server named TestKing5 is joined to the domain. TestKing5 functions as a printer server. Your user account is a member of only the Domain Admins group and the Domain Users group. You attempt to establish a Remote Desktop connection to TestKing5. You receive the error message displayed in the exhibit. What should you do?
A. Enable the Digitally sign secure channel data security setting on TestKing5.
B. Add your user account to the Remote Desktop Users group in the testking.com domain.
C. Add your user account to the Remote Desktop Users group on TestKing5.
D. Enable Remote Assistance on TestKing5.
E. Configure the appropriate remote settings on TestKing5 by using System Properties in Control Panel.

Answer: D

Explanation: Remote Desktop allows you to remotely take control of a Windows Server 2003 server from another location. For example, you could access a server located in a remote office from your company's corporate headquarters. Remote Assistance is used to request assistance from another user or an expert user. Common examples of when you would use Remote Assistance include:
1. When you are diagnosing problems that are difficult to explain or reproduce. By using Remote Assistance, you can remotely view the computer and the remote user can show you what the error is or step you through processes that caused the error to occur.
2. When an inexperienced user needs to perform a complex set of instructions. Instead of asking the inexperienced user to complete the task, you can use Remote Assistance to take control of the computer and complete the tasks yourself.

Incorrect answers:
A: You need to enable Remote Assistance to establish a Remote Desktop connection and not the Digitally sign secure channel data.
B & C: Adding your user account to the Remote Desktop Users group in the testking.com domain or on TestKing5 is not going to work in this case. You should enable Remote Assistance on TestKing5.
E: This is not the solution.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 545, 553

C: Import user accounts. (1 Question)

QUESTION NO: 1
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. TestKing acquires a subsidiary. You receive a comma delimited file that contains the names of all user accounts at the subsidiary. You need to import these accounts into your domain. Which command should you use?
A. ldifde
B. csvde
C. ntdsutil with the authoritative restore option
D. dsadd user

Answer: B

Explanation: The csvde (CSV Directory Exchange) command can be used to import and export Active Directory information using files formatted in the Microsoft comma-separated value (CSV), or comma delimited, format. The csvde command can also support batch operations. The csvde command only allows you to add new objects. It does not allow you to modify existing objects.

Incorrect Options:
A: The ldifde (LDIF Directory Exchange) command can be used to create, modify, and delete directory objects on Windows Server 2000, Windows Server 2003 and Windows XP Professional. You can also use ldifde to extend the schema, export Active Directory user and group information to other LDAP (Lightweight Directory Access Protocol) applications or services, and populate Active Directory with data from other directory services. The ldifde command, however, uses the LDAP Data Interchange Format (LDIF) file format, which is a draft Internet standard for a file format that may be used to perform batch operations against directories that conform to the LDAP standards.
C: The ntdsutil command is used to perform an authoritative restore of Active Directory. The ntdsutil is used to mark the restored Active Directory database as authoritative. However, in this scenario we are not restoring the Active Directory database, but importing user accounts into it from a CSV file.
D: The dsadd user command allows you to add a single user to Active Directory directory. The dsadd user command has a number of parameters that allow you to specify various attributes of the user account, such as first name, last name, password, etc. The dsadd user command, however, does not allow you to import objects into Active Directory from a CSV file.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp 300-303, 315.

Part 5: Troubleshoot computer accounts.
A: Diagnose and resolve issues related to computer accounts by using the Active Directory Users and Computers MMC snap-in. (1 Question)

QUESTION NO: 1
You are the network administrator for Testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. A user named King manages an application server named Server25. One morning, King tries to log on to the network from Server25. He receives the message shown in the Logon message exhibit. King notifies you of the problem. You open Active Directory Users and Computers and see the display shown in the Active Directory exhibit. You need to enable King to log on to Server25. Your solution must require the minimum amount of administrative effort. What should you do?
A. Enable the computer account for Server25.
B. Reset the computer account for Server25.
C. Remove Server25 from the domain, and then rejoin Server25 to the domain.
D. Delete the computer account for Server25, and then create a new account with the same name.

Answer: A

Explanation: You need a valid user account as well as a valid computer account to be able to log on to a domain. In this case the red balloon means that the Server25 account has been disabled.

Incorrect Answers:
B: The exhibit shows that the account is disabled and thus resetting the account is not needed.
C: This would be unnecessary.
D: This will not work due to the new account having a different Security Identifier (SID) from the original computer account. Security Identifier (SID) is a unique identifier associated with a specific resource, such as a user account object or a computer.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 411

B: Reset computer accounts. (2 Questions)

QUESTION NO: 1
You are the network administrator for Testking.com. Your network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. TestKing has offices in Chicago, New York and Los Angeles. Each office has one domain controller. Each office also has its own organizational unit (OU), which contains all user accounts and computer accounts in that office. The Chicago OU is accidentally deleted from Active Directory. You perform an authoritative restoration of that OU. Some users in Chicago now report that they receive the following error message when they try to log on to the domain:
"The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied."
How should you solve this problem?
A. Reset the computer accounts of the computers that receive the error message. Instruct the affected users to restart their computers.
B. Perform a nonauthoritative restoration of Active Directory. Force directory replication on all domain controllers.
C. Restart the Kerberos Key Distribution Center service on each domain controller.
D. Run Nltest.exe on the computers that receive the error message. Restart the Net Logon service on the domain controller in Chicago.

Answer: A

Explanation: You have restored the computer accounts. The result is that the restored computer accounts have an older password than the password that the computers are currently using. The password is used for the secure channel between the client computer and the domain controller. You must reset the computer accounts to synchronize the passwords.

Incorrect Answers:
B: A nonauthoritative restoration of Active Directory will be overwritten by the existing copy of Active Directory. We need an authoritative restore of the OU.
C: The Kerberos Key Distribution Center service is irrelevant to this scenario.
D: The security channel is used by the Net Logon service on the client and on the domain controller to communicate. However, the problem doesn't lie with the Net Logon service. Furthermore, Nltest.exe can be used only to test the trust relationship between the client and the domain controller on which its machine account resides. It doesn't resolve the problem.

QUESTION NO: 2
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You install a new file and print server named File1. You configure standard company policies and other local options. You use third-party software to create and save an image of the server. Then you join File1 to the domain. Six weeks later, you reapply the saved image to File1 and restart the server. You try to log on to the domain by using domain credentials. However, you are unsuccessful. You need to log on to File1 and re-establish its domain membership. Your solution must require the minimum amount of administrative effort. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Reset the computer account for File1 in Active Directory Users and Computers.
B. Reset the password for Administrator account by logging on locally to File1 as a member of the local Power Users group.
C. Reinstall and reconfigure File1.
D. Join File1 to the domain.
E. Remove File1 from the domain.
Answer: A, D

Explanation: Resetting the password for domain controllers using this method is not allowed. Thus resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain. This is also the quickest way. Since the print server named File1 was joined to the domain after the image of the server was saved, it resulted in File1 not being present when the saved image was reapplied. In order to successfully log on to the domain, File1 must be added to the domain.

Incorrect answers:
B: You should be resetting the computer account for File1 and not the password for the administrator account. Although this can also be done to achieve this goal, it involves more administrative effort.
C: Reinstalling and reconfiguring File1 will result in unnecessary administrative effort.
E: Removing File1 from the domain will not make it available to all users and will inevitably amount to more administrative effort.

Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 86-88

Part 6: Troubleshoot user accounts.
A: Diagnose and resolve account lockouts. (8 Questions)

QUESTION NO: 1
You are the domain administrator for TestKing.com's Active Directory domain. All client computers run Windows XP Professional. A user reports that she attempted to log on six times unsuccessfully. She reports that she logged on successfully yesterday. You discover that the user reset her password three days ago to comply with a new security policy that requires strong passwords. The account policies that are applied in the Domain Security Group Policy object (GPO) are shown in the following table.

Policy setting           Value
MinimumPasswordAge       1
MaximumPasswordAge       42
MinimumPasswordLength    7
PasswordComplexity       1
PasswordHistorySize      2
LockoutBadCount          5
ResetLockoutCount        30
LockoutDuration          30

You need to ensure that the user can log on to the domain. What should you do?
A. Reset the password for the computer account.
B. Unlock the user account.
C. In the user account properties, select the Password never expires check box for the user account.
D. In the user account properties, select the User must change password on next logon check box for the user account.

Answer: B

Explanation: As you can see in the exhibit, the user account will be locked out if someone tries to login 5 times (LockOutBadCount).
The most common problems with user accounts are due to group membership, password problems, or account lockouts. Group membership problems manifest themselves by users not being able to access resources that are assigned through group membership. This can easily be verified and corrected via Active Directory Users and Computers or from the command line using the dsget.exe and dsmod.exe commands. Password problems are usually due to users forgetting their password and needing it reset. This can be accomplished via Active Directory Users and Computers or via the dsmod.exe command. Lastly, users often lock out their accounts due to them entering their password incorrectly. This is usually due to them forgetting their password because they just changed it recently, in which case you would need to unlock their account and reset their password. Sometimes they just cannot type or CAPS LOCK is on and they enter in their password incorrectly too many times and lock their account. User accounts can be unlocked by using Active Directory Users and Computers or by using the dsmod.exe command.
The user said she attempted to log on six times, but failed. As a result the account is locked out. Therefore we can simply unlock the user account, and she can log on again.
Incorrect answers:
A: Resetting the password for the user account does not necessarily grant log on rights to the domain. You need to unlock the account first.
C: Modifying the properties of the account to password never expires will not affect the situation. The account must first be unlocked. Whether the password expires or not, she will still need to use a strong password once the account has been unlocked. She obviously went over the account lockout count threshold.
D: The user's problem stems from going over the account lockout threshold too many times. Her account has to be unlocked first to be able to log on to the domain. The User must change password on next logon check box in her user account properties will not help in this case as her account has been locked out.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 domain controller named TestKing3. The securews.inf security policy has been applied to the domain. A network application requires a service account. The network application runs constantly. You create and configure a service account named SrvAcct for the network application. The software functions properly using the new account and service. You discover an ongoing brute force attack against the SrvAcct account. The intruder appears to be attempting a distributed attack from several Windows XP Professional domain member computers on the LAN. The account has not been compromised and you are able to stop the attack. You restart Server6 and attempt to run the network application, but the application does not respond.
A. Reset the SrvAcct password.
B. Configure the default Domain Controllers policy to assign the SrvAcct account the right to log on locally.
C. Unlock the SrvAcct account.
D. Restart the NetAppService service.

Answer: C

Explanation: Disabling the Interactive logon: Require Domain Controller authentication to unlock workstation will weaken the security configuration, but it will allow the application to run smoothly.

Incorrect Answers:
A: Resetting the password for that specific account will not work in this scenario. You want to be able to run the network application after the attack has been stopped and thus locked the account which first has to be unlocked to enable the application to run smoothly.
B: You still need to unlock the account.
D: Restarting the backup application is not sufficient as the account has to be unlocked for the application to respond.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 401
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.

QUESTION NO: 3
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. The Default Domain Group Policy object (GPO) uses all default settings. The network contains five servers running Windows Server 2003 and 900 client computers. Half of the client computers are portable computers. The other half are desktop computers. Users of portable computers often work offline, but users of desktop computers do not. You install Windows XP Professional on all client computers with default settings. Then you configure user profiles and store them on the network. Some users of portable computers now report that they cannot log on to their computers. Other users of portable computers do not experience this problem. You need to ensure that all users of portable computers can log on successfully, whether they are working online or offline. What should you do?
A. Configure all portable computers to cache user credentials locally.
B. Ensure that all users of portable computers log on to the network at least once before working offline.
C. In all portable computers, rename Ntuser.dat to Ntuser.man.
D. For all portable computers, configure the Loopback policy setting.

Answer: B

Explanation: If a user is logging on to the domain for the first time, then a profile will be created on his workstation. So the workstation has to be connected to the network for this to work. If the workstation is not connected to the network, then the user login cannot be validated and a profile will not be created. After the user has logged on to the domain and logged out again, the workstation can be disconnected from the network. The user can now log in using cached credentials. Compelling the portable users to log on to the network at least once is a logical way of finding out which of the portable users can log on successfully.

Incorrect answers:
A: This setting is default: ENABLED.
C: You can protect both local and roaming profiles from being permanently changed by users if you simply rename the ntuser.dat file to ntuser.man. By renaming this file, you have effectively made the user profile read-only, meaning that the operating system does not save any changes made to the profile when the user logs off. If you enable user profiles on Windows 9x computers, the file that stores the user settings is named user.dat instead of ntuser.dat. You can rename user.dat to user.man to make the user profile mandatory (read-only). Thus this action will create mandatory profiles, meaning the profile settings cannot be changed.
D: The User Group Policy loopback processing mode policy setting is an advanced option that is intended to keep the configuration of the computer the same regardless of who logs on. This option is appropriate in certain closely managed environments, such as servers, terminal servers, classrooms, public kiosks, and reception areas. Setting the loopback processing mode policy setting applies the same user settings for any user who logs onto the computer, based on the computer.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 4
You are the administrator of an Active Directory domain named testking.com. A user reports that he forgot his password and cannot log on to the domain. You discover that yesterday morning the user reset his password and successfully logged on to the domain. You need to enable the user to log on to the domain. What should you do? (Choose two)
A. Use Active Directory Users and Computers to move the account to the default organizational unit (OU) named Users. Instruct the user to restart his computer.
B. Use Active Directory Users and Computers to open the account properties for the user's user account. Clear the Account is locked out check box, and select the User must change password at next logon check box.
C. Use Active Directory Users and Computers to reset the user's password. Give the user the new password.
D. Use Computer Management to reset the password for the local Administrator account. Give the user the new password.

Answer: B, C

Explanation: His account is locked. Therefore we must unlock his account and reset his password since he has forgotten it.
Password problems are usually due to users forgetting their password and needing it reset. This can be accomplished via Active Directory Users and Computers or via the dsmod.exe command. Users often happen to lock out their accounts. This is usually due to them forgetting their password because they just changed it recently, in which case you would need to unlock their account and reset their password. Sometimes they just cannot type or CAPS LOCK is on and they enter in their password incorrectly too many times and lock their account. User accounts can be unlocked by using Active Directory Users and Computers or by using the dsmod.exe command.
Incorrect answers:
A: You would need to open the account properties to get access to the Account is locked out check box. That is the checkbox that has to be accessed to get to the User must change password at next logon option. Moving the account to the default organizational unit (OU) named Users will not solve the problem.
D: Resetting the password for the local Administrator account will not grant a user account right to log on to the domain.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.

QUESTION NO: 5
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. Robert's user account is located in the standard Users folder of the domain. One day, Robert tries to log on to his computer. When he enters the password he receives an error message indicating that his account is locked out. Robert cannot remember the correct password. You examine the domain's Account Lockout Policy, which is shown in the exhibit. You need to ensure that Robert can log on as soon as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. Unlock Robert's account.
B. Increase the value for the Reset account lockout after option.
C. Decrease the value for the Reset account lockout after option.
D. Reset Robert's password.
E. Increase the value for the Account lockout threshold option.
F. Decrease the value for the Account lockout threshold option.

Answer: A, D

Explanation:
Account lockout policy disables a user's account if an incorrect password is entered a specified number of times over a specified period. These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on your network. Account lockout is based on the lockout security policy: a user will be denied access, or locked out, after a predefined number of failed logon attempts. The duration of the lockout is also set in the lockout security policy. You need to enable Robert to access his account by unlocking it. And then you need to reset Robert's password to grant him the ability to log on in a speedy manner.
Robert's account will be locked out because he entered a wrong password at least five times. Therefore we need to unlock Robert's account. We can do this manually or we can wait for 30 minutes. The question states that you need to ensure that Robert can log on as soon as possible so we'll unlock the account manually. Robert can't remember his password so we can set a new password.
Users often lockout their accounts due to entering incorrect passwords due to them forgetting their password because they just changed it recently, in which case you would need to unlock their account and reset their password. Sometimes they just cannot type or CAPS LOCK is on and they enter in their password incorrectly too many times and lock their account. User accounts can be unlocked by using Active Directory Users and Computers or by using the dsmod.exe command.

Incorrect answers:
B: Reset account lockout counter after is a security setting that determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. Thus increasing this value setting is not going to allow Robert to be able to log on as soon as possible. Manual unlocking of the account would be best suited.
C: For the same reason as option B, decreasing the value setting will not ensure Robert the ability to log on as soon as possible.
E: Account lockout threshold is a security setting that determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Thus increasing the threshold will not aid Robert as his account is already locked out.
F: A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Unlocking and resetting the user account manually will grant Robert the ability to log on as soon as possible.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318

QUESTION NO: 6
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. TestKing has 16 different office locations. Each office is a separate Active Directory site. You work in the main office. A user named Anne works in a branch office. Every morning for one week, Anne reports that her user account is locked out. Each time, you are obliged to unlock her account. You suspect that Anne's account is being misused or attacked outside of regular business hours. You need to investigate the cause of the account lockout. Where should you search for security events?

A. Only in the event log of a domain controller in your site.
B. Only in the event logs of the domain controllers in Anne's site.
C. In the event logs of all domain controllers in all sites.
D. Only in the event log of Anne's computer.

Answer: C

Explanation:
The Event Viewer displays event log data. There are at least three different event log files: the application, security, and system logs.
Security log - Events that affect system security are included in this event log. These events include failed or successful logon attempts, creating, opening or deleting files, changing properties or permissions on user accounts and groups, etc.

Domain logons give users access to resources throughout the domain. Domain user accounts are stored in an Active Directory domain. Active Directory is deployed on each domain controller and domain user accounts are replicated throughout a domain. Before a user can log on to a computer using a domain account, the computer must be joined to a domain. If the computer has access to a network connection, the user can log on to a domain provided that the user has an account in the domain's Active Directory. The computer must transparently authenticate to the domain's Active Directory. This form of logon is called a computer logon. Both users and computers are considered equal and must be able to verify their identities. Therefore to investigate the cause of the account lockout we must look at all event logs of all the domain controllers in all sites.

Incorrect answers:
A: Checking the event log of the domain controllers in your site will not yield the information that you need.
B: If Anne's account is being misused or even attacked outside of regular business hours, then you need to check the event logs of all the domain controllers in all the sites. Because it could be that the attack can be launched from outside of the office where Anne's account resides.
D: If you are to check only the event log on Anne's computer then you will not be able to see who or from where an attack has been launched on her account. Both users and access to network resources, both must be able to verify their identities. Thus you need to check the event log of all the domain controllers in all the sites.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 760, 762.

QUESTION NO: 7
DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows 2000 Professional. TestKing is organized in three departments. Each department corresponds to a separate organizational unit (OU). Computer accounts for each department reside in the corresponding OU. Domain users report that their accounts are locked out after three unsuccessful attempts to log on. You need to increase your account lockout setting to five unsuccessful attempts to log on. You also need to ensure that you can review all unsuccessful attempts to log on to the domain or to log on locally to client computers. The new settings must be applied to a limited number of objects. What should you do? To answer, drag the appropriate security policy settings to the correct locations in the work area.

Answer:

Explanation:
Account Lockout Settings must always be applied at domain level. If they are applied at any other level such as an OU for example, they will not apply to domain user accounts.
Audit Account Logon Events: therefore, this policy must be applied to the domain controllers.
Audit Logon Events: This is for auditing local logon events. The Marketing, Finance and Research OUs all contain computer accounts, so we must apply this policy to all three OUs.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 317

QUESTION NO: 8
You are the administrator of a Windows 2003 domain TestKing.com. The domain contains 20 Windows 2000 Professional computers and two Windows 2003 Server computers. For the domain, you want to set an account policy that locks any user's account after three consecutive failed logon attempts. You also want to ensure that only administrators will be able to unlock the account.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Set the Account lockout duration value to 0.
B. Set the Account lockout duration value to 3.
C. Set the Account lockout threshold value to 0.
D. Set the Account lockout threshold value to 3.
E. Set the Reset account lockout counter after value to 0.
F. Set the Reset account lockout counter after value to 3.

Answer: A, D

Explanation:
The Account lockout duration security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
The Account lockout threshold determines the number of failed logon attempts that will cause a user account to be locked out. A locked out account cannot be used until it is reset by an administrator or the account lockout duration has expired.

Incorrect Answers:
B: Setting the Account lockout duration value to 3 would cause a locked account to become unlocked after 3 minutes.
C: Setting the Account lockout threshold value to 0 would cause the accounts to never be locked out.
E: Setting the Reset account lockout counter after value to 0 determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. A setting of 0 is not possible.
F: Setting the Reset account lockout counter after value to 3 determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 317

1: Diagnose and resolve issues related to user account properties. (17 Questions)

QUESTION NO: 1
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. For security reasons, management decides that a particular user must not be able to log on to the domain after 5:00 P.M. If the user is logged on to the domain at 5:00 P.M., he must be logged off automatically. You configure the Logon Hours setting for the appropriate user account. That night, you verify that the user cannot log on to the domain after 5:00 P.M. The next day, you notice that the user is still accessing domain resources at 6:00 P.M. You verify that the time on the user's computer and on the domain controller are correct. You need to ensure that the user is logged off automatically if he is still working on the domain after 5:00 P.M. What should you do?

A. In Active Directory Users and Computers, on the Sessions tab, configure the End Session setting for the user account. Instruct the user to log off from the domain and log on again.
B. Modify the Default Domain Policy GPO to enforce logoff when logon hours expire. Ensure that the user's computer has the latest Group Policy settings applied.
C. Remove the user's domain account from the local Administrators group on the user's client computer. Instruct the user to log off from the domain and log on again.
D. Use Computer Management on the domain controller. Restart the Net Logon service.
Answer: B

Explanation:
When you restrict logon hours, you might also want to force users to log off after a certain point. If you apply this policy, users cannot log on to a new computer, but they can stay logged on even during restricted logon hours. To force users to log off when logon hours expire for their account, apply the Network security: Force logoff when logon hours expire policy.
You can assign logon hours as a means to ensure that employees are using computers only during specified hours. This setting applies both to interactive logon, in which a user unlocks a computer and has access to the local computer, and network logon, in which a user obtains credentials that allow him or her to access resources on the network.

Incorrect answers:
A: Option A suggests instructing the user to log off and then on again. This is not what is required.
C: Option C suggests instructing the user to log off and then on again. However, when removing the user's domain account from the local Administrator's group on the user's client computer, you will only be fulfilling half of what is required. You need to ensure that the user is logged off automatically if he is still working on the domain after 5:00 P.M.
D: Restarting the Net Logon service is not what is required in this scenario.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 582
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 58, 442.

QUESTION NO: 2
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All seven servers are configured as domain controllers and run Windows Server 2003, and all client computers run Windows XP Professional. TestKing.com frequently hires temporary employees. You specify account expiration dates when you configure user accounts for temporary employees. A former temporary employee named Tess King is hired full-time. When Tess tries to log on, she receives the logon message shown in the exhibit. You need to modify the properties of Tess' user account to correct this problem. What action should you take?

A. Select the Account is locked out option
B. Select the Password never expires option.
C. Set the Account expires option to never.
D. Clear the Account is disabled option.

Answer: C

Explanation:
Setting an account expires option is a good feature if you have contract or temporary employees working for you. If you know they are on a six-month contract, go ahead and set their accounts to expire in six months. Some companies set all temporary employee user accounts to expire monthly as a security precaution. If the temporary user leaves the company without notifying the IT department, the account can only be used (or abused) for 30 days. However, in this scenario Tess is made one of the permanent staff and thus you have to set the Account expires option to never.

Incorrect Answers:
A: Selecting the Account is locked out option will not allow Tess to log on.
B: With this option the user's password will not expire. This option overrides the account policy configured for the domain (in the default domain policy GPO). This is not desired as it poses a security risk.
D: Disabling an account does not change any permissions assigned to or settings configured for the user account. It just disables logging on with the account.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 282-283

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named ad.testking.com. TestKing also uses a DNS namespace named testking.com for its external Internet communications. Users in the sales department log on by using their e-mail addresses. A user named Ben Smith works for the sales department. He reports that when he attempts to log on by using bsmith@testking.com, he receives the error message shown in the Error Message exhibit.

The details of Ben's user account are shown in the User Account exhibit. You need to ensure that Ben can log on by using a user ID that matches his e-mail address. What should you do?

A. Configure Ben's user account to be trusted for delegation.
B. Configure Ben's user account to require a smart card for interactive logon.
C. In User logon name options, change the user principal name (UPN) for Ben's account.
D. Change the Log On To options for Ben's account.

Answer: C

Explanation:
As you can see in the User Account exhibit, his UPN is bsmith@ad.testking.com. We must change this to bsmith@testking.com. After that he can logon to the domain.
Typing the User logon name automatically fills in the User logon name (pre-Windows 2000) field as well. When you have filled in all necessary information, click Next to continue.
1. [/USER:[domainname\]username]
2. [/USER:[dotted domain name\]username]
3. [/USER:[username@dotted domain name]
The first one [/USER:[domainname\]username] tells you to specify the username in the format of domain name followed by the username. This format uses the one-word NetBIOS-compatible domain name.
The second one tells you to specify the username in the format of fully qualified domain name followed by the username. This is the hierarchical Active Directory domain name.
The third one tells you to specify the username by using the user principal name (UPN). This format uses the @ sign between the user account name and the domain name, like an Internet e-mail address.
The Account tab is where most of the action takes place. This is where you change a user's logon name, the user principal name (UPN), or a user's UPN suffix.
-u <UserName> Connects as <UserName>. Default: the logged-on user. Username can be: username, domain\username, or user principal name (UPN).

Incorrect answers:
A: Delegation trust will not solve the problem that Ben is experiencing. This tab should be left unchecked most of the time. Selecting it could weaken your network security. Setting an account to be trusted for delegation enables a service running as this account to impersonate a client to get access to resources on another machine running the same service.
B: A smart card for interactive logon will not solve Ben's problem. This configuration disables logging on without a smart card. The user's password is randomly changed and set to never expire. Active Directory manages the password for the account. This is good for security, but it can be a problem if a user forgets his or her smart card or needs to log on to a machine that does not have a smart card reader.
D: Changing the Log On To options for Ben's account will not solve the problem. Ben needs the UPN to be changed to enable him to log on.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 264, 282-284, 33

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. Some user accounts have expiring passwords and some do not. You need to identify all user accounts that do not have expiring passwords. You need to modify the password property to allow the passwords on these accounts to expire. You must complete this task by using the minimum amount of administrative effort. First, you create a saved query to obtain a list of all user accounts that do not have expiring passwords. What should you do next?

A. Export the query results to a comma-delimited file. Use a CSVDE script to modify the password property of each user account.
B. From the Results pane of the query, select all user accounts and modify their password properties simultaneously.
C. Export the query results to a comma-delimited file. Use an LDIFDE script to modify the password property of each user account.
D. From the Results pane of the query, select each user account and modify the password property, one by one.

Answer: B

Explanation:
You have created a saved query to obtain a list of all user accounts that do not have expiring passwords. A new feature of Windows 2003 is that you can make changes to the properties of multiple user accounts simultaneously. You can do this by displaying the resultant set of user accounts from the query, selecting them all and accessing the properties of the accounts. Here you can make a change that will apply to all user accounts. To get the desired effect you need to select all users and modify their passwords simultaneously after the query has been run.

Incorrect Answers:
A: A script is not necessary because it is not the quickest way to make the same change to multiple accounts. The csvde (CSV Directory Exchange) command can be used to import and export Active Directory information using files formatted in the Microsoft comma-separated value (CSV), or comma delimited, format. The csvde command can also support batch operations. The csvde command only allows you to add new objects. It does not allow you to modify existing objects.
C: A script is not necessary because it is not the quickest way to make the same change to multiple accounts. The ldifde (LDIF Directory Exchange) command can be used to create, modify, and delete directory objects on Windows Server 2000, Windows Server 2003 and Windows XP Professional.
You can also use ldifde to extend the schema, export Active Directory user and group information to other LDAP (Lightweight Directory Access Protocol) applications or services, and populate Active Directory with data from other directory services. The ldifde command, however, uses the LDAP Data Interchange Format (LDIF) file format, which is a draft Internet standard for a file format that may be used to perform batch operations against directories that conform to the LDAP standards.
D: A new feature of Windows 2003 is that you can make changes to the properties of multiple user accounts simultaneously. You don't need to do it one at a time. This option will take much longer than option B though it will achieve the same result after much more administrative effort.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 3: 16, 20, 4: 13, 13: 6.

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Half of the client computers run Windows XP Professional and the other half run Windows NT 4.0 Workstation. You install Terminal Server on five member servers named TestKingSrvC through TestKingSrvG. You place all five servers in an organizational unit (OU) named Terminal Server. You link a Group Policy object (GPO) to the Terminal Server OU. Two days later, users notify you that the performance of TestKingSrvF is unacceptably slow. You discover that TestKingSrvF has 75 disconnected Terminal Server sessions. You need to configure all five terminal servers to end disconnected sessions after 15 minutes of inactivity. You must achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Log on the console of each terminal server. In the RDP-Tcp connection properties, set the End a disconnected session option to 15 minutes.
B. Edit the GPO to set the time limit for disconnected sessions to 15 minutes.
C. On TestKingSrvC, run the tsdiscon command to disconnect all 75 users from TestKingSrvF
D. In Active Directory Users and Computers, set the End a disconnected session option for all domain user accounts to 15 minutes.

Answer: B

Explanation:
We can configure a group policy to configure the Terminal Servers to set the time limit for disconnected sessions to 15 minutes.
Note: We are applying this policy to the Terminal Servers, not the users or the client computers.
The Sessions tab enables you to control how long a user may remain actively connected to a session and how long a disconnected session should be allowed to remain on the Terminal Services computer. Even though they are not active, disconnected sessions can use substantial resources on the Terminal Services computer because applications are still running on them. Depending on your environment, it may be advisable to terminate them after a specific period of time. By default, most of the settings on this page are configured to use the user account property settings and several settings are grayed out. This can be overridden by selecting the check box next to Override user settings.

Incorrect Answers:
A: Using a group policy requires less administrative effort.
C: Ending the current disconnected sessions won't help. We also need to end future disconnected sessions after 15 minutes to prevent the problem reoccurring.
D: This would work for current users, but not future users.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 442, 551.

QUESTION NO: 6
Your company network consists of a single Windows 2003 Active Directory domain. You are a member of the Domain Admins group. The network includes 10 member servers running Windows Server 2003 and 4 domain controllers running Windows Server 2003. The 200 client computers all run Windows XP Professional. The user accounts for employees in the Finance department are located in an Organisational Unit (OU) named Finance. The Finance OU also contains a Global Security group named FinanceUsers. All Finance employees are members of FinanceUsers. An employee named Alice works in the Finance department. Alice reports that she cannot log in the domain. She receives the error message shown in the exhibit:
You need to enable Alice to log in to the domain. What should you do?

A. Use the dsmod user command line tool to enable Alice's user account.
B. Use Active Directory Users and Computers to add Alice's user account to the Domain Users group.
C. Use Active Directory Users and Computers to add Alice's user account to the Guests group.
D. Use the net accounts command line tool to enable Alice's user account.
E. Perform an authoritative restore of Alice's user account.

Answer: A

Explanation:
dsmod user UserDN -disabled {yes|no}
UserDN Specifies the distinguished name of the user object to be disabled or enabled.
{yes|no} Specifies whether the user account is disabled for log on (yes) or not (no).

Incorrect answers:
B: Domain users cannot make changes to their computer systems nor can they install application or utility programs. But the question states that Alice gets the account disabled message, which means that her account should be enabled first.
C: Guest accounts members can log on, run applications, and even shut down the system on computers that are not DCs. However, in this scenario Alice needs to be able to log into a domain.
D: Making use of the net accounts tool will not enable Alice to log in to the domain.
E: Performing an authoritative restore of Alice's user account will not enable her to log into the domain. The account has to be enabled first.
De$erence: http9HHwww.microsoft.comHwindowsBpHhomeHusingHproductdocHenHdefault.asp[url\HwindowsBpHhomeHusingHprod Dan Aolme and Thomas 'rin, M.$AHM.$3 $elf25aced Training @it *3Bam G"22="+9 Managing and Maintaining a Microsoft !indows $er%er 2""3 3n%ironment, pp. >F, 1";, 1=QUESTION NO: 7 You are the net"or0 administrator $or your com#any The net"or0 consists o$ a single )cti/e Directory domain named test0ing com )ll domain controllers run !indo"s Ser/er 2==,* and all client com#uters run !indo"s @. .ro$essional )ll client com#uter accounts are stored in the 'om#uter container

A user named Peter reports that he cannot log on to the domain from his computer. Peter receives the logon message shown in the exhibit.
Exhibit: Logon Message
Your account is configured to prevent you from using this computer. Please try another computer.
You need to enable Peter to log on. What should you do?
A. Create an account for Peter's computer in the Computers container.
B. Grant the Log on locally user right to Peter's user account.
C. Enable Peter's user account.
D. Change the properties of Peter's user account so he can log on to any computer.
Answer: D
Explanation: This issue occurs if the user account is configured to log on from specific workstations. Change the setting in LogOn To option in the User Properties dialog box.
Incorrect answers:
A: Although the Computers container is the default container for computer objects, it is not the ideal container for computer objects. Unlike OUs, containers such as Computers, Users and Builtin cannot be linked to policies, limiting the possible scope of computer-focused group policy. Thus placing Peter's computer in the Computers container is not the answer.
B: The Deny logon locally user right will override your capability as an administrator to log on to the console. You need to remove this group assignment to be able to log on to the console again. Thus the same will happen when you grant this right to the Users group. Thus this option will not ensure that all users be authenticated when they log on to the domain controller.
C: you need to do is to change the properties of his user account.
Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp.
146, 174, 209, 915
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 8
You are the network administrator for TestKing GmbH. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. TestKing's main office is located in Berlin, which is also the location of all domain controllers. The Berlin office contains 200 client computers. A branch office is located in Helsinki. This office contains 60 client computers. All user accounts for permanent employees in Helsinki are contained in an organizational unit (OU) named HelUsers. All user accounts for temporary employees in Helsinki are contained in an OU named TempUsers. A temporary employee named King is hired in the Helsinki office. The business hours in his office are 9:00 A.M. to 5:00 P.M. At 9:05 A.M. on his first Monday at work, King tries to log on to the domain from his client computer. However, he receives the message shown in the exhibit.
You need to ensure that King can log on to the domain. What should you do?
A. Move King's account to HelUsers. Create a Group Policy object (GPO) and link it to HelUsers. In the GPO, decrease the account lockout duration.
B. Make TempUsers a child of HelUsers. Create a Group Policy object (GPO) and link it to HelUsers. In the GPO, decrease the account lockout threshold.
C. Modify the properties of King's user account so the Logon Hours setting is the same as the business hours for the Helsinki office.
D. Modify the properties for King's user account to extend the dates during which his account can be used.

Answer: D
Explanation: The user account has expired. This means that the user account was created with an expiry date set. We need to modify the user account to extend the dates during which his account can be used. In other words, we need to set the account to expire at a later date.
Incorrect Answers:
A: The accounts in HelUsers are for permanent users and have no expiry date. King is a temporary user so we should set an expiry date on his account. The account lockout duration is the time an account is locked out after failed log on attempts due to incorrect username or passwords. It is not related to this question.
B: We don't need to rearrange the OU structure. The account lockout threshold is related to logon failures due to incorrect username or passwords. It is not related to this question.
C: The logon hours setting is not the cause of the problem. The account has expired. If you tried to log on 'out of hours', you would get a different error message.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 282, 318

QUESTION NO: 9
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All domain controllers run Windows Server 2003. A user named King is responsible for managing groups in the domain. In Active Directory, you delegate the permissions to create, delete, and manage groups to him. When King tries to log on to a domain controller, he receives the error message shown in the exhibit.
You need to ensure that King can immediately manage groups. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Modify the default security policy for the domain.
Refresh the policy by using Secedit.exe.
B. Modify the default security policy for the domain. Refresh the policy by using Gpupdate.exe.
C. Modify the default security policy for the Domain Controllers organizational unit (OU). Refresh the policy by using Secedit.exe.
D. Modify the default security policy for the Domain Controllers organizational unit (OU). Refresh the policy by using Gpupdate.exe.
E. Install the Windows Server 2003 administrative tools on King's computer. Instruct him to run Dsa.msc from his computer.
F. Share Dsa.msc from a computer running Windows Server 2003. Instruct King to run Dsa.msc from his computer.
Answer: D, E
Explanation: Normal users are not able to log on to a domain by default. Thus, to enable King to manage accounts from his computer, his user account has to be granted these permissions. To apply the new policy immediately, we need to refresh the policy. The secedit tool to refresh policies has changed from 2000 server to 2003.
Incorrect Answers:
A: Using a group policy is a quicker way of applying a setting to all the domain controllers.
B: King needs to log on to the domain controllers only, so we should apply the policy to the domain controllers OU.
C: Secedit.exe is no longer used in Windows 2003. It has been replaced by gpupdate.exe.
F: You cannot share a single file. You can only share folders containing files.
References:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapters 4 & 5

QUESTION NO: 10
Exhibit
You are the network administrator for TestKing.com. You manage a Windows Server 2003 computer named TestKing2. TestKing2 is a stand-alone server in your workgroup, which also contains five client computers. All client computers on the network run Windows XP Professional. No time

synchronization mechanism is currently in place. A user named Sandra is given management responsibilities on TestKing2. However, when Sandra tries to log on to TestKing2, she receives the error message shown in the exhibit.
You need to ensure that Sandra can log on to TestKing2 to perform her management responsibilities. What should you do?
A. Synchronize the clocks on all computers in your workgroup.
B. Install Active Directory on TestKing2.
C. Configure Sandra's account password so it never expires.
D. Modify the security policy on TestKing2 to assign the appropriate rights to Sandra.
Answer: D
Explanation: User right assignment is done in the Security settings in the local Policies. The default security settings do not allow regular users to log on interactively at a server. You can change this setting through Start > Administrative Tools > Security Policy. Expand Local Policies, then User Rights Assignment. Double-click Allow Log On Locally and click the Add User Or Group button. In the Add User Or Group dialog box, type in Sandra and click the OK button. In the Security Policy Setting dialog box, click the OK button. Close any open dialog boxes. The exhibit shows clearly that it is a local security policy violation when Sandra attempts to log on. What is thus necessary is to modify the security policy and assign Sandra the appropriate rights to carry out her tasks.
Incorrect answers:
A: It is not a matter of synchronizing clocks on the computers in the workgroup, as the problem is located in the local security policy.
B: You do not need to install Active Directory. This will not solve the problem of logging on interactively.
C: Following the exhibit, you will see that it is not a matter of altering Sandra's password so it never expires.
Rather it is a matter of changing the local security policy to allow Sandra to log on interactively.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 142

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. The Default Domain Policy GPO is configured to prompt users to change their password 14 days before it expires. A user who returns from a two-week vacation reports that she cannot log on to the domain. You discover that when she last logged on, she was prompted to change her password. She reports that she did not change her password before leaving on vacation.
You need to ensure that the user can log on to the domain. What should you do?
A. Enable the user account.
B. Reset the password for the user account.
C. Use Active Directory Users and Computers to select the Password never expires option.
D. Configure the Prompt user to change password before expiration security policy option to 21 days.
Answer: B
Explanation: In the question it is mentioned that the default domain GPO is set to have users change their passwords 14 days before expiry, which the user neglected to do. What is thus needed is to reset the password for the user account to enable the user to log on.
Incorrect answers:
A: The user account has worked before and thus it is not a matter of enabling the user account.
C: This is contradictory to the default domain GPO.
D: Changing the policy option to 21 days will not ensure that the user can log on to the domain; the account is already not able to log on.
Reference:

Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 149

QUESTION NO: 12
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All 3,500 user accounts are located in the default Users container. All user accounts have their Department attribute values set to the appropriate employee department. The network engineer creates an OU structure for the domain, based on Testking's departments.
You need to place all user accounts that have the Department attribute set to Sales in the Sales OU. Because of time constraints, you need to automate this process.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the dsmod command with the appropriate parameters.
B. Run the dsget command with the appropriate parameters.
C. Run the dsquery command with the appropriate parameters.
D. Run the dsmove command with the appropriate parameters.
E. Run the dsrm command with the appropriate parameters.
F. Run the find command with the appropriate parameters.
Answer: C, D
Explanation: The Dsmove command-line utility is used to rename or move a single object within the Active Directory. When you use the Dsmove command-line utility, you specify the object's distinguished name, then the new name of the object (if you are changing the object's name) and the new location of the object. You use the Dsquery command-line utility to query the Active Directory for objects that meet specified criteria.
Incorrect answers:
A: You can modify existing Active Directory objects through the Dsmod command-line utility.
B: The Dsget command-line utility is used to display the selected properties of a specified object within the Active Directory.
E: This is not what is needed in this case.
F: Find is usually used to find and locate. This is not what is required.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 190-19

QUESTION NO: 13
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional.
The finance department uses a specific naming process to audit users and their computers. The process requires that each user's client computer has an account in Active Directory and that each client computer name corresponds to a specific user account. A user named Marie is a member of only the Domain Users security group. She reports that the hardware on her computer fails. She receives a new computer.
You need to add Marie's new computer to the domain. You need to comply with the finance department naming process. What should you do?
A. Instruct Marie to run the ipconfig /flushdns command on her new computer and to add the new computer to the domain by using the same computer name as her failed computer.
B. Assign Marie permissions for adding computer accounts to the default container named Computers. Instruct Marie to add her new computer to the domain.
C. Reset the computer account for Marie's failed computer. Instruct Marie to add her new computer to the domain by using the same name as her failed computer.
D. Configure the IP address of Marie's new computer to be the same as the failed computer. Instruct Marie to add the new computer to the domain.
Answer: C
Explanation: Active Directory is a directory service that is available with the Windows

2000 Server and Server 2003 platforms. It stores information in a central database that allows users to have a single user account for access to resources across the enterprise network. The users and groups that are stored in Active Directory's central database are called Active Directory users or domain users. Since Marie's hardware failed and she will be receiving a new computer, it will be a matter of just substituting the old computer account for the new one if you are to comply with the finance department's naming process. She will then still be using her own name.
Incorrect answers:
A: The ipconfig /flushdns command flushes and resets the DNS resolver cache. This is not what is required here.
B: It is not a matter of assigning permissions in this case.
D: This option will not solve the problem and comply with the finance department's requirements.
Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 99, 311

QUESTION NO: 14
Exhibit:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP
Professional.
A user named TessKing regularly accesses a folder named TestKingDocs on a server named TestKing1. You instruct another administrator to audit and modify share permissions and NTFS permissions on TestKing1. Now, TessKing reports that she cannot access the shared folder from the network. You verify that no changes were made to group memberships in the domain. On TestKing1, you view the effective permissions for the TestKingDocs folder, as shown in the exhibit.
You need to ensure that TessKing can access the data in the shared folder. What should you do?
A. Add TessKing's user account to the ACL on the Sharing tab.
B. Instruct TessKing to log off and log on to the computer.
C. Delete TessKing's user account and re-create the user account.
D. Add TessKing's user account to the local Power Users group.
Answer: A
Explanation: Since Tess could previously access that particular folder, and the question states that group memberships were not changed and that it is only a matter of share permissions and NTFS permissions that were modified, it stands to reason that Tess' user account should be added to the Access Control List on the Sharing tab of the TestkingDocs folder, because the shared folder has enough effective permissions for Tess to be able to access it.
Incorrect answers:
B: Merely logging on and logging off to the computer will not ensure access to the folder, especially if you do not have access to the folder.
C: Recreating the user account will not solve the problem.
D: Adding that particular user account to the local Power Users group will not address the problem. It has been stated that the group memberships have not been altered and that there was previous access to this folder.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 214, 291

QUESTION NO: 15
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. TestKing.com purchases a new server to test applications in a stand-alone environment. The company's written security policy states that if a user attempts to log on by using an incorrect password three times in 30 minutes, the account is

locked out. An administrator must unlock the account. You discover that users of the new server who have accounts that are locked out can log on again after 30 minutes.
You need to ensure that the new server meets the requirements of the written security policy. What should you do?
A. Set the Reset account lockout counter after policy to 1.
B. Set the Reset account lockout counter after policy to 99999.
C. Set the Account lockout duration policy to 0.
D. Set the Account lockout duration policy to 99999.
Answer: C
Explanation: The account lockout policies are used to specify how many invalid logon attempts should be permitted. You configure the account lockout policies so that after x number of unsuccessful logon attempts within y number of minutes, the account will be locked for a specified amount of time or until the administrator unlocks it. Account Lockout Duration specifies how long the account will remain locked if Account Lockout Threshold is exceeded. Thus setting the account lockout duration policy to 0 will have the desired effect and comply with the written security policy.
Incorrect answers:
A & B: This counter specifies how long the counter will remember unsuccessful logon attempts. Clearly this counter, whether set to 1 or 99999, will not have the desired effect.
D: Setting the account lockout duration to 99999 will result in the new server being unable to comply with written security policy.
Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 112

QUESTION NO: 16
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP
Professional. Tess, a user in the Sales staff, reports that she has attempted to log on six times unsuccessfully. Tess reports that she logged on successfully yesterday. You discover that Tess reset her password three days ago to comply with a new security policy that requires strong passwords. The account policies that are applied in the Domain Security GPO are shown in the following table.

Policy setting           Value
MinimumPasswordAge       1
MaximumPasswordAge       42
MinimumPasswordLength    7
PasswordComplexity       1
PasswordHistorySize      2
LockoutBadCount          5
ResetLockoutCount        30
LockoutDuration          30

You need to ensure that the user can log on to the domain. What should you do?
A. Reset the password for the computer account.
B. Unlock the user account.
C. In the user account properties, select the Password never expires check box for the user account.
D. In the user account properties, select the User must change password on next login check box for the user account.
Answer: B
Explanation: Tess' account got locked out since she made six unsuccessful attempts to log on to the domain and the table in the question clearly shows that the LockoutBadCount is set to 5. The most common problems with user accounts are due to group membership, password problems, or account lockouts. Group membership problems manifest themselves by users not being able to access resources that are assigned through group membership. This can easily be verified and corrected via Active Directory Users and Computers or from the command line using the dsget.exe and dsmod.exe commands. Password

problems are usually due to users forgetting their password and needing it reset. This can be accomplished via Active Directory Users and Computers or via the dsmod.exe command. Lastly: users often lock out their accounts due to them entering their password incorrectly. This is usually due to them forgetting their password because they just changed it recently, in which case you would need to unlock their account and reset their password. Sometimes they just cannot type or CAPS LOCK is on and they enter their password incorrectly too many times and lock their account. User accounts can be unlocked by using Active Directory Users and Computers or by using the dsmod.exe command. The user said she attempted to log on six times, but failed. As a result the account is locked out. Therefore we can simply unlock the user account, and she can log on again.
Incorrect answers:
A: Resetting the password for the user account does not necessarily grant log on rights to the domain. You need to unlock the account first.
C: Modifying the properties of the account to password never expires will not affect the situation. The account must first be unlocked. Whether the password expires or not, she will still need to use a strong password once the account has been unlocked. She obviously went over the account lockout count threshold.
D: The user's problem stems from going over the account lockout threshold too many times. Her account has to be unlocked first to be able to log on to the domain. The User must change password on next logon check box in her user account properties will not help in this case as her account has been locked out.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.

QUESTION NO: 17
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You install a new server named TestKing6. You install an application on TestKing6. The application fails to start because the NTFS permissions on TestKing6 are too restrictive. You use a security template from the manufacturer of the application to modify the NTFS permissions on TestKing6 to allow the application to work. A new update to the application is released. The application no longer requires the modified NTFS permissions.
You need to restore the default permissions on TestKing6 to restore the original level of system security. Which security template should you import into the local security policy of TestKing6?
A. The Syssetup.inf template.
B. The Profsec.inf template.
C. The Defltsv.inf template.
D. The Netserv.inf template.
Answer: C
Explanation: The default permissions are saved in the Defltsv.inf security template. This would thus be the template to import into the local security policy of TestKing6 if you need to restore default permissions instead of the modified permissions. The other templates will not have the default permissions.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 202, 655 70-291), Chapter

Part 7: Troubleshoot user authentication issues. (9 Questions)

QUESTION NO: 1
You are the network administrator for Proseware, Inc. All network servers run Windows Server 2003, and all client computers run Windows XP
Professional. The network consists of two Active Directory forests: proseware.com and testking.com. External trust relationships exist between the two forests. You create an additional user principal name (UPN) suffix for proseware.com. The new UPN suffix is mail.proseware.com. David Campbell, a user from proseware.com, reports that he cannot log on to proseware.com from testking.com. The configuration of David Campbell's user

account is shown in the exhibit.
You need to ensure that David Campbell can log on to his domain from testking.com. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Change David Campbell's user logon name to match his pre-Windows 2000 user logon name.
B. Clear the User cannot change password option in the David Campbell Properties dialog box.
C. Instruct David Campbell to log on by using his pre-Windows 2000 user logon name.
D. Change David Campbell's UPN suffix to proseware.com.
E. Create a computer account for David Campbell's computer in testking.com.
F. Delete David Campbell's user account and recreate it in testking.com.
Answer: A, C
Explanation: The user cannot log on because it is only possible to use an explicit UPN-Name to log on when there is forest trust. As stated in the question there is an external trust relationship between the two forests, not forest trust. In this case you can only use an implicit UPN-Name to log on. Alternatively, you can use the pre-Windows 2000 user logon name to log on.
A user principal name (UPN) is a variation of a user account name that looks like an e-mail name but can be used to log on to a domain. The syntax is <user name>@<string>. UPNs allow you to use the same logon name across different domains in the same forest or in different forests.
The following two types of UPNs exist:
1. Implicit: Always takes the form userID@DNSDomainName. For example, johns@corp.contoso.com is the UPN for the account of John Smith, whose user ID is johns and whose account is a member of the corp.contoso.com forest. The implicit UPN is always associated with the user's account, regardless of whether an explicit UPN is defined.
2.
Explicit: Always takes the form string@Anystring, where both string and Anystring are explicitly defined by the administrator. For example, John Smith might have the UPN ITJS@coneast. Explicit UPNs are useful for situations when the organization does not want to publicize the name of domains or the forest structure.
Incorrect Answers:
B: This is not a password problem. Thus clearing the option User cannot change password will not solve the problem.
D: able to log on is an implicit UPN name.
E: It is unnecessary to create a computer account for David Campbell's computer in All that is needed to grant David Campbell logon abilities is to use an implicit UPN-name.
F: Deleting David Campbell's user account and recreating it in testking.com is not the solution. There is already an external trust relationship between the two forests.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 264, 282-284, 33
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/mtfst

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You install Windows Server 2003 on a computer named Testking6. Testking6 is a member of a workgroup. You configure Testking6 as the Web server for TestKing's intranet Web site. TestKing's written security policy states the following requirements:
1. Smart cards are required to log on to all servers.
2. Membership to the Remote Desktop Users group should remain empty.
3. Users should not be able to log on through Terminal Server by using a blank password.
4.
Third-party applications should not be installed on network servers.
When you attempt to log on to Testking6 by using your smart card, you receive an error message. You verify that your user account is a member of the Domain Admins global group in your domain. You need to be able to log on to Testking6 by using your smart card.

What should you do?
A. Join Testking6 to the domain.
B. In Computer Management, add your user account to the Administrators local group.
C. Restart Testking6 in safe mode. From a command prompt, run the runas.exe /smartcard command.
D. In the local security policy, assign your user account the Allow log on locally user right.
Answer: A
Explanation: Smart cards are small credit-card-sized cards that usually store encryption keys, public key certificates, and other types of account information. The card is inserted into a card reader attached to the computer, which reads the information stored on the card. Typically, a password or Personal Identification Number (PIN) is required to release the account information for authentication within a network. This means that, in order to authenticate, a user must both have physical possession of the card and have knowledge of the PIN. This is commonly used with EAP-TLS authentication. What should also be kept in mind is that, for you to be able to log on to Testking6 using the smart card, Testking6 should also be joined to the domain.
Incorrect Answers:
B: Adding your user account to the Administrators local group will not work when you want to make use of smart cards to log on to Testking6. Since your user account is already a member of the Domain Admins global group, you need to join Testking6 to the domain.
C: Restarting Testking6 and running the runas.exe /smartcard command is not enough; Testking6 has to be part of the domain as well.
D: Allow logging on locally will make the use of smart cards obsolete and the question states pertinently that you want to log on by means of the smart card so as to comply with company policy.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W.
$hinder, .had Todd L 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, pp. ;3G2;3> QUESTION NO: , ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2"" 2 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com )ll domain controllers run !indo"s Ser/er 2==, )ll client com#uters run !indo"s @. .ro$essional "ith de$ault settings Some users ha/e #ortable com#uters* and the rest ha/e des0to# com#uters You need to ensure that all users are authenticated by a domain controller "hen they log on :o" should you modi$y the local security #olicy% A. Re6uire authentication b a domain controller to unloc/ the client computer. 1. .ache 0ero interacti%e logons. .. .ache F" interacti%e logons. D. Crant the 4og on locall user right to the Users group. )ns"er: + E3#lanation: ) cache is a local store o$ data commonly used To ensure that all users are authenticated by a domain controller "hen they log on* you need to set the cache to 1ero $or interacti/e logons System cache holds data that "as #rocessed #re/iously It is $aster to obtain data $rom cache* rather than re#eating the transaction +ut this also reduces the need to authenticate users and $or security #ur#oses you need to #urge the cache and set it to not cache log on in$ormation so as to com#el all users to be authenticated each time they log on -.O Setting >U Interacti/e logon: Number o$ #re/ious logons to cache &in case domain controller is not a/ailable( 1 default 1" logons. This setting would pre%ent logon using cached credentials if the networ/ was down or domain controllers otherwise una%ailable. .ertainl a non %iable setting for mobile laptop usersV &f we use the 0ero setting, then e%er user MU$T be authenticated b a domain controller. 
Incorrect answers:
A: Unlocking the client computer will not serve the purpose of authentication by the domain controller upon log on.
C: If you cache 50 interactive logons then users will be able to bypass being authenticated by the domain controller.

D: Users with this right will be able to log on to the console interactively as if they were sitting down at the actual server itself, and the question states pertinently that you want all users to be domain controller authenticated when they log on.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 439-441

QUESTION NO: 4

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. All client computer accounts for the sales department are located in an organizational unit (OU) named Sales. A user named Marie, in the sales department, uses a client computer named Testking1. Her computer is a member of the domain. However, Marie reports that she cannot log on to the domain. You verify that a computer account for Testking1 exists in the Sales OU. Then you log on to Testking1 as a local Administrator and use Event Viewer to view the contents of the event log, as shown in the exhibit.

You need to ensure that Marie can log on to the domain. What should you do?

A. Move the Testking1 account to the Computers OU.
B. Reset the password for Marie's user account.
C. Reset the Testking1 account.
D. Configure the properties for the Testking1 account so Testking1 is managed by Marie's user account.
Answer: C

Explanation: The secure channel's password is stored along with the computer account on all domain controllers. For Windows 2000 or Windows XP, the default computer account password change period is every 30 days. If, for some reason, the computer account's password and the LSA secret are not synchronized, the Netlogon service logs one or both of the following error messages:

The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.

NETLOGON Event ID 3210: Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.

The Netlogon service on the domain controller logs the following error message when the password is not synchronized:

In the Active Directory Users and Computers MMC (DSA), you can right-click the computer object in the Computers or appropriate container and then click Reset Account. This resets the machine account. Resetting the password for domain controllers using this method is not allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain, which will allow Marie to log on to the domain.

Incorrect answers:
A: Moving the Testking1 account to the Computers OU will not help because Marie is part of the Sales OU as well as Testking1. For Marie to be able to log on to the domain she needs to make use of Testking1.
B: Resetting Marie's user account password will not ensure her logging on to the domain. What needs to be done is that the computer account that is used in the connection should be reset, in other words resetting the machine, so as to allow Marie to log on to the domain.
D: Option D will not ensure that Marie will be able to log on to the domain.
It is the Testking1 account that is problematic.

Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 771

QUESTION NO: 5

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003, and all client computers run Windows XP Professional. A user named Lilli receives a new computer named Client223. She successfully logs on to the domain. The next day, she tries to log on again. The domain name appears in the domain dropdown list in the dialog box. However, Lilli cannot log on. You try to log on by using Client223, but you are also unsuccessful. Then you use a local Administrator account to log on. You read the following error message in the system event log: "NETLOGON Event ID 3210: Failed to authenticate with \\Server5, a Windows NT domain controller for domain TestKing." You search the computer account for Client223 in Active Directory Users and Computers, but the account does not appear. You need to ensure that Lilli can log on to the domain successfully. What should you do?

A. Recreate the user account for Lilli and add her to all appropriate security groups.
B. Run the netdom reset 'Client223' /domain:'testking' command and then restart Client223.
C. Add Client223 to a workgroup. Then join Client223 to the domain.
D. Reset the computer account for Server5 in Active Directory Users and Computers.

Answer: C

Explanation: For a user to be able to log on successfully to a domain, it has to be part of a work group that has the ability to log on to the domain. Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups. It looks like the computer account for Client223 has been deleted. Therefore we need to recreate the account. However, we cannot just create an account named Client223 as this account will have a different SID (Security Identifier) to the original account.
Therefore, we need to disjoin Client223 from the domain by adding Client223 to a workgroup. Now we can rejoin Client223 to the domain and create a new computer account in the process.

Incorrect Answers:
A: Lilli's user account itself is not problematic. The problem is that the computer account is missing.
B: This command is used to reset the secure channel between a workstation and the domain. If the workstation and computer account passwords are out of sync, the secure channel will not work. However, this is not the problem in this question. The problem is that the computer account is missing (probably deleted).
D: With the computer account missing you will be unable to reset the computer account.

Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 771

QUESTION NO: 6 DRAG DROP

You are the network administrator for Contoso, Ltd. Your network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. You need to audit all logon attempts by domain users. You must ensure that the minimum amount of necessary information is audited. To achieve this goal, you will edit the Default Domain Controller Group Policy object (GPO). What should you do? To answer, drag the policy setting to the correct location or locations in the work area.

Answer:

Explanation: This setting will audit all logon events that use domain user accounts.
The Audit Logon Events policy is for auditing log on attempts using local user accounts.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 321

QUESTION NO: 7

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. A user named King reports that she cannot log on to the domain from his computer. King receives the logon message shown in the exhibit. You need to enable King to log on. What should you do?

A. Run the net user command with the appropriate switches.
B. Run the net accounts command with the appropriate switches.
C. Run the dsmod user command with the appropriate switches.
D. Add King to the Users group.
E. Remove King from the Guests group.

Answer: C

Explanation: To enable King to log on to the domain you would need to run dsmod user UserDN -disabled {yes|no}, where UserDN specifies the distinguished name of the user object to be disabled or enabled and {yes|no} specifies whether the user account is disabled for log on (yes) or not (no).

Incorrect answers:
A: The net user command is used mainly to find out which domain groups a user is a member of, as well as to view other pertinent information about a user.
B: This command will not enable King to log on to the domain.
D: The account should first be enabled for King to have the ability to log on.
E: Removing King from the Guests group is irrelevant in this scenario.
Reference: http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/prod
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 8

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The company's main office is in Tokyo, and it has a branch office in Osaka. Each office is configured as an Active Directory site. The two offices are connected by a 128-Kbps connection. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional. All network administrators are located in Tokyo. Universal group membership caching is enabled. The server roles and IP addresses for each site are shown in the following table.

Site     Server role                         IP address
Tokyo    DNS, global catalog, WINS, DHCP     10.10.10.200
Osaka    DNS, domain controller, DHCP        10.10.20.200

The network connection between Tokyo and Osaka intermittently fails. Only the client computers in Tokyo have NetBIOS enabled. All client computers are configured to use DHCP. The significant DHCP scope options for Tokyo are shown in the following table.

Scope option         Setting
WINS/NBNS Servers    10.10.20.200
DNS Servers          10.10.10.200, 10.10.20.200
Router               10.10.20.1

You create a user account for a new employee in Osaka. The user reports that she cannot log on to the domain. You confirm that you can log on by using your account and then by using the user's account. You also confirm that all other users in Osaka can log on. You need to ensure that the user can authenticate to the domain.

What should you do?

A. Configure the user's user account to store passwords by using reversible encryption.
B. Configure the user's computer account to be trusted for delegation.
C. Force Active Directory replication to occur between Tokyo and Osaka.
D. Change the Router setting in the DHCP scope options to 10.10.10.1.

Answer: C

Explanation: Sites are primarily used for directory replication purposes. Consider what happens when you have two physically separate locations that share a common directory. Without frequent replication, the two directories would become horribly disjointed and practically useless. Thus if you force replication between Tokyo and Osaka, then you will enable the user to be authenticated to the domain since the user's account is in Osaka and only client computers in Tokyo have NetBIOS enabled.

Incorrect answers:
A: Storing passwords by means of reversible encryption is not going to solve the problem.
B: This is not a delegatory matter.
D: There is no need to change the router settings as it is only one user that is experiencing the problem.

Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 10

QUESTION NO: 9

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional. The NetBIOS name of your domain is TESTKING. Tess King, a user in the branch office in Los Angeles, reports that she cannot log on to the domain from a client computer named TestKing172. She receives the following error message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect." You verify that the user's computer is connected to the network. All other users can log on to the domain successfully. You need to ensure that the user can log on to the domain. What should you do?

A. In the DHCP snap-in, ensure that the correct DNS server settings are provided to client computers.
B. In Active Directory Users and Computers, ensure that a computer account exists for TestKing172.
C. In Active Directory Users and Computers, reset the user's user account password.
D. In the DNS snap-in, verify that the host (A) resource record exists for TestKing172.

Answer: B

Explanation: Active Directory Users and Computers, on Windows Server 2003 domain controllers, is the main tool used for managing the Active Directory users, groups, and computers. To set up and manage domain user accounts, you use the Active Directory Users And Computers utility. This tool is the tool to use so that the user can log on to the domain.

Incorrect answers:
A: This is not a problem that can be solved with the DHCP snap-in. Besides, the other users can log on to the domain successfully.
C: Though you can use this tool to reset the user's account password, this will not solve the problem of the user being unable to log on.
D: This is not a DNS problem since the other users are all able to log on and the user's computer is connected to the network.
Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 227

Topic 3: Managing and Maintaining Access to Resources (69 Questions)

Part 1: Configure access to shared folders. (15 Questions)

QUESTION NO: 1

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You create a shared folder named Client Docs on a member server named TestKing13. Client Docs will store project documents. You configure shadow copies for the volume containing Client Docs. You need to enable client computers to access previous versions of the documents in Client Docs. What should you do?

A. Create a Group Policy object (GPO) to enable Offline Files on all client computers.
B. On each client computer, customize the view for Client Docs to use the Documents (for any file type) folder template.
C. Create a Group Policy object (GPO) that installs the Previous Versions client software on all client computers.
D. Assign the Allow - Full Control permission on Client Docs to all users.
E. On each client computer, install the Backup utility and schedule a daily backup.

Answer: C

Explanation: To enable users to access previous versions of the files, you must install the Previous Versions client software on all client computers. The easiest way to do this is to deploy the software using a Group Policy Object.

Incorrect Answers:
A: Offline Files are irrelevant to this scenario.
B: This is irrelevant to this scenario.
D: The users do not need Full Control access to the files. This will not enable users to access previous versions of the files.
E: The files do not need to be backed up on each client computer. The Shadow Copy service creates backups of previous versions of the files on the server.
Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 285-288

QUESTION NO: 2

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each of the 14 departments at TestKing has an exclusive shared folder on a server named TestKing5. You need to ensure that the managers can reset file permissions for any file and folder on TestKing5. You want to achieve this goal by using the minimum amount of administrative effort. What are two possible ways to achieve this goal? (Each correct answer is a complete solution. Select two.)

A. Assign the managers the Allow - Full Control NTFS permission for each folder.
B. Assign the managers the Take ownership of files or other objects user right.
C. Assign the managers the Bypass traverse checking user right.
D. Assign the managers the Act as part of the operating system user right.

Answer: A, B

Explanation: The Allow Full Control permission's access level is as follows: View and list folders. The special permission Take Ownership can be granted to any user or group. A user with Allow Take Ownership permission can take ownership of the resource. These two options will ensure that managers will have the ability to reset file permissions for a file or folder on TestKing5 with the least amount of administrative effort.

Incorrect answers:
C: Bypassing traverse checking permission will allow the users to navigate through the folder, but this is not what is required. The Managers need to be able to reset file permissions.
D: This option involves too much administrative effort.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 5

QUESTION NO: 3

You are the network administrator for Testking.com. The network consists of a single Active Directory forest containing two domains, ch.testking.com and de.testking.com. The functional level of both domains is Windows 2000 mixed. ch.testking.com contains two domain controllers running Windows 2003 and three domain controllers running Windows 2000 server. A member server named TestKing9 hosts applications and files that all company users need to access. You need to enable all users in de.testking.com to access the applications and files on TestKing9. Which three actions should you perform? (Each correct answer is a part of a complete solution. Select three.)

A. Create a domain local group named DeutschUsers in ch.testking.com.
B. Create a domain local group named DeutschUsers in de.testking.com.
C. Add the Users group from ch.testking.com to DeutschUsers.
D. Add the Users group from de.testking.com to DeutschUsers.
E. On TestKing9, grant the appropriate permissions to the Users group from ch.testking.com.
F. On TestKing9, grant the appropriate permissions to DeutschUsers.

Answer: A, D, F

Explanation: Domain local groups can contain user accounts, universal groups, and global groups from any domain in the tree or forest. A domain local group can also contain other domain local groups from its own local domain. To enable all users to connect to the applications and files on TestKing9, a member server that ch.testking.com Then you should add the de.testking.com users to this group and then grant the appropriate permissions to the "united" group. This should ensure that all users have access to applications and files on TestKing9.

Incorrect answers:
B: The domain local group should be created in ch.testking.com since this is where TestKing9 resides.
C: It follows logically that the de.testking.com users group should be added to the domain local group that was created, and not the users of ch.testking.com.
E: Permissions should be granted to DeutschUsers, not to the ch.testking.com Users.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 319-320

QUESTION NO: 4

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. A server named Testking32 contains a folder that is shared as ManagerData$. A global group named AllManagers has permission to access the shared folder.

A user reports that he needs access to the ManagerData$ shared folder. You add his user account to the AllManagers global group. When the user attempts to connect to the shared folder by typing \\Testking32\ManagerData$\, he receives the following error message: "\\Testking32\ManagerData$\ is not accessible. You might not have permissions to use the network resource. Contact the administrator of this server to find out if you have access permissions. Access is denied." You need to ensure that the user can access the ManagerData$ shared folder on Testking32. What should you do?

A. Instruct the user to type \\Testking32\ManagerData\ when he attempts to access the folder.
B. Add the Anonymous Logon group to the ACL for the ManagerData$ shared folder.
C. Select the Replace permission entries on all child objects with entries shown here that apply to child objects check box.
D. Instruct the user to log off and log on again before he accesses the folder.
Answer: D

Explanation: When a user logs on to the network, an access token is created that lists the user's group memberships. This access token is used when the user tries to access a resource. If you change a user's group membership, the change will not be reflected in the access token until the user logs off and logs on again. Instructing the user to log off and then on again will ensure that all the connections will be made. It could have been that the user tried to access the folder before he was granted access. And to effect those changes of adding that particular user to gain access needs to be enabled. This action should enable access to the shared folder.

Incorrect answers:
A: The user account has already been added to the AllManagers global group and there is thus no need to type \\Testking32\ManagerData\ when attempting to gain access.
B: It will be a huge security breach if Anonymous access is enabled.
C: By following option C, you will not be granting access to the user.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 5

QUESTION NO: 5 HOTSPOT

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The user accounts for all managers are in a global group named Managers. A manager named Roger creates a folder named ManagerData on a computer named TestKing1. He shares the folder to enable other managers to review employee documents. Other managers need to be able to browse and read the documents in the ManagerData folder. Managers must not have other permissions to the shared folder. You add the Managers group to the ACL on the Security tab for the folder. You need to configure permissions for the shared folder. You need to ensure that you do not grant any unnecessary permissions. What should you do? To answer, configure the appropriate option or options in the dialog box in the work area.

Answer:

Explanation: For managers to be able to browse, read, and edit documents that are in the shared folder, you should assign the allow Read & Execute, List Folder Contents, Read and Write permissions. NTFS Folder Permissions are as follows:

1. Read - Enables objects to read the contents of a folder, including file attributes and permissions.
2. Write - Enables objects to create new files and folders within a folder, write attributes and extended attributes on files and folders, and can read permissions and attributes on files and folders.
3. List Folder Contents - Gives objects the same rights as the Read permission, but also enables the object to traverse the folder path beneath the folder where this permission is applied.
4. Read & Execute - Gives objects the same rights as the List Folder Contents permission, but also enables the object to execute program files stored in the folder.
5. Modify - Gives the object the same permissions as the Read, Write, List Folder Contents, and Read & Execute permissions, but also enables the object to delete files and folders within the designated folder.
6. Full Control - Gives objects full access to the entire contents, including the capability to take ownership of files and change permissions on files and folders.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 41

QUESTION NO: 6

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All TestKing data is stored in shared folders on network file servers. The data for each department is stored in a departmental shared folder. Users in each department are members of the departmental global group. Each departmental global group is assigned the Allow - Full Control permission for the corresponding departmental shared folder. TestKing requirements state that all access to shared folders must be configured by using global groups. A user named Dr King works in the sales department. Dr King needs to be able to modify files in the Marketing shared folder. You need to ensure that Dr King has the minimum permissions for the Marketing shared folder that he needs to do his job. You need to achieve this goal while meeting TestKing requirements and without granting unnecessary permissions. What should you do?

A. Add Dr King's user account to the Marketing global group.
B. Assign the Sales global group the Allow - Change permission for the Marketing shared folder.
C. Create a new global group. Add Dr King's user account to the group. Assign the new global group the Allow - Change permission for the Marketing shared folder.
D. Assign Dr King's user account the Allow - Change permission for the Marketing shared folder.

Answer: C

Explanation: The best way to accomplish this task is to create a new global group. You need to add Dr King's user account to the group and assign the new global group the Allow - Change permission for the Marketing shared folder. Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.

Incorrect Answers:
A: This would mean that Dr. King would have permissions on other folders as well. We need to ensure that Dr King has the minimum permissions for the Marketing shared folder that he needs to do his job.
B: This would mean that the whole SALES group would have permissions on Marketing.
We need to ensure that Dr. King has the minimum permissions for the Marketing shared folder that he needs to do his job.
D: Microsoft does NOT want you to give user account permissions to files. We must do this through making use of groups.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 320.

QUESTION NO: 7
HOTSPOT
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Another administrator shares a folder as TestKingData. He wants users to be able to create files in the folder. He does not want users to be able to open files in the folder. When users attempt to connect to the TestKingData folder, they receive an error message. You need to configure the permission for the folder so that users can place their files in the shared folder. You need to achieve this goal without granting unnecessary permissions. What should you do? To answer, configure the appropriate option or options in the dialog boxes in the work area.
Answer:
Explanation:
NTFS permissions: Allow List Folder Contents and Write
Share permissions: Change
Allowing the List Folder Contents and Write permissions will allow users to place their files in the shared folder.
1. List Folder Contents - Gives objects the same rights as the Read permission, but also enables the object to traverse the folder path beneath the folder where this permission is applied.

2. Write - Enables objects to create new files and folders within a folder, write attributes and extended attributes on files and folders, and can read permissions and attributes on files and folders.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 41

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server named TK1 hosts a folder named Public, which stores files for all users in TestKing. Public is located on an NTFS partition. Existing permissions for Public are configured as shown in the exhibit. You need to share Public on the network. All network users, including members of the Administrators group, should have read-only permissions on the contents of the folder. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Share Public with default share permissions.
B. Share Public by assigning the Allow - Full Control permission to the Everyone group.
C. Share Public by assigning the Allow - Full Control permission to the Authenticated Users group.
D. On the Security tab, add the Authenticated Users group and assign the Allow - Read permission to this group.
E. On the Security tab, add the Interactive group and assign the Allow - Read permission to this group.
F. On the Security tab, assign the Deny - Full Control permission to the Administrators group.
Answer: A, D
Explanation: By default, the Everyone group has only Read and Execute permissions on the root of each drive. These permissions are not inherited by folder or file. Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission by default, rather than full control. This is quite a change from earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share permissions. So every user that is trying to access the files by using the SHARE will have read permissions. However if an admin is trying to access the files by NOT going through the SHARE, he/she can still change the contents. Therefore we add the Authenticated Users group and assign the Allow - Read permission to this group. The file that needs to be shared with everybody having read-only permissions on the contents should have the default share permissions. That should ensure that only administrators will have full-control permissions on it and not the other users as well. However, the question states that all users including network administrators should have read-only permission, thus you should add the Authenticated Users group to the Allow-Read permission group.
Incorrect answers:
B: The Allow-Full Control will also allow more permissions than are required. The file that needs to be shared with everybody having read-only permissions on the contents should have the default share permissions.
C: The Allow-Full Control will also allow authenticated users more permissions than are required because the file that needs to be shared with everybody having read-only permissions on the contents should have the default share permissions.
E: The authenticated users and not the interactive group should be granted permissions.
F: Assigning the Deny - Full Control permission to the Administrators group on the Security tab will not have the file that needs to be shared with everybody having read-only permissions on the contents.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 414-428

QUESTION NO: 9
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You create and share a folder named Sales on a member server. You apply the default share permission and NTFS permissions to Sales. Then you create a folder named SalesForecast in Sales. You apply the default NTFS permissions to SalesForecast. Managers in the sales department are members of a domain user group named SalesManagers. When members of SalesManagers try to add files to SalesForecast, they receive the "Access is denied" error message. You need to configure permissions on these folders to fulfil the following requirements:
1. Members of SalesManagers must be able to create, modify, and delete files in both folders.
2. All other domain users must only be able to read files in both folders.
What should you do?
A. Configure the share permissions on Sales to assign the Allow - Change permission to the Everyone group. Configure the NTFS permissions on SalesForecast to assign the Allow - Write permission to the SalesManagers group.
B. Configure the share permissions on Sales to assign the Allow - Change permissions to the SalesManagers group. Configure the NTFS permissions on Sales to assign the Allow - Write permissions to the SalesManagers group.
C. Configure the share permissions on Sales to assign the Allow - Change permissions to the Everyone group. Configure the NTFS permissions on Sales to assign the Allow - Modify permission to the SalesManagers group.
D. Configure the share permissions on Sales to assign the Allow - Change permission to the SalesManagers group.
Configure the NTFS permissions on Sales to assign the Allow - Modify permission to the SalesManagers group.
Answer: D
Explanation: By default, the Everyone group has only Read and Execute permissions on the root of each drive. These permissions are not inherited by folder or file. Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission by default, rather than full control. This is quite a change from earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share permissions. The following configurations should be carried out when configuring the correct permissions:
1. Share Permissions - Sales Folder - Everyone group - Allow Read Permissions.
2. Share Permissions - Sales Folder - SalesManagers group - Allow Change Permissions.
3. NTFS Permissions - Sales Folder - Everyone group - Allow Read Permissions.
4. NTFS Permissions - Sales Folder - SalesManagers group - Allow Modify Permissions.
Incorrect Answers:
A: This would prevent the SalesManagers group being able to delete files in the SalesForecast folder.
B: This would prevent the SalesManagers group being able to delete files in the SalesForecast and Sales folder.
C: This option would work, however answer D would be a better and more secure solution.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 423-425

QUESTION NO: 10
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. All file and print services are hosted by a member server named TK1.

You create a folder named Data on TK1. You need to configure the initial permissions settings for Data. You must ensure that only local access is prevented. You must also ensure that users who are logged on to TK1 cannot modify any access permissions for Data. What should you do? To answer, select the appropriate group and make the proper configuration in the dialog box.
Answer:
Explanation: To prevent local access we must Deny the interactive group.
Setting User Rights and Privileges
1. User rights can override NTFS permissions in certain cases (a user with the Backup files and directories right is able to read all files on the volume, regardless of the NTFS permissions assigned, but only for the purpose of backing up and restoring data).
2. Assign user rights to groups whenever possible. Assigning user rights to individual user accounts is difficult to manage.
3. User rights are set using Group Policy.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 475

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Some client computers run Windows NT 4.0 Workstation. Others run Windows 2000 Professional, and the rest run Windows XP Professional. Users in the accounting department require a shared folder for their own use only. The accounting users must be able to read, edit, and delete files in the shared folder. You create the shared folder and use default share permissions. You assign the Allow - Full Control NTFS permission to members of the Administrators group. You assign the Allow - Modify NTFS permission to the accounting users. However, accounting users report that they cannot access the shared folder. How should you solve this problem?
A. Change the type of setting on the folder to Documents (for any file types).
B. Change the NTFS permissions on the folder to assign the Allow - Delete Sub-Folders and Files permission to the accounting users.
C. Add the accounting users as owners of the folder.
D. Change the share permissions to assign the Allow - Full Control permission to the accounting users.
Answer: D
Explanation: By default, the Everyone group has only Read and Execute permissions on the root of each drive. These permissions are not inherited by folder or file. Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission by default, rather than full control. This is quite a change from earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share permissions. To grant the accounting users access to the shared folder so that they can read, write, edit and delete files, they need the Allow-Full control permission.
Incorrect answers:
A: Changing the file type to whatever type will not solve the problem of access to the shared folder. It is a permissions issue not a file type issue.
B: Assigning the Allow-Delete Subfolders and Files permission to the accounting users enables the object to delete a file or subfolder, even if the Delete permission has not been granted to the object. Though, this does not solve the access problem.
C: Taking Ownership enables the object to change the owner of a file or folder to the object's user ownership. But what is needed in this scenario is to have Allow-Full Control permission. Changing ownership of the file effectively removes the user that created the file from the CREATOR OWNER group for that file, and that user's access to the file reverts to the default access he or she has based on the folder permissions.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 420 - 421, 423

QUESTION NO: 12
You are the network administrator for Testking.com. All network servers run Windows Server 2003. A file server named TestKingSrvA has shadow copies enabled. One shared folder on TestKingSrvA has the configuration shown in the following table. While viewing a previous version of TestKingDocs, you open and edit Financials.xls. However, when you try to save the edited file, you receive the following error message:
You need to save your changes to the previous version of Financials.xls. You must ensure that other users can continue to access current data on TestKingSrvA without interruption. What should you do?
A. Copy the previous version of TestKingDocs to a separate location.
B. Restore the previous version of TestKingDocs to the default location.
C. Save Financials.xls in a separate location by using Microsoft Excel.
D. In the security properties of Financials.xls, assign the Allow - Modify permissions to the Everyone group.
Answer: C
Explanation: When you view a 'previous version' of a file, the file is opened as Read Only. You can make changes to the file, but you cannot save the file in its current location. You need to save the file to an alternate location or else you will interrupt the other users.
Incorrect Answers:
A: If you copy a shared folder to a new location, the original folder will continue to have the original share pointing to it. You have made changes to the file.
You cannot copy the file to another location without losing your changes. This is why you must save the file to another location.
B: You have made changes to the file by editing it. You will be unable to restore the previous version of the file to the default location without losing your changes.
D: copy the file to another location first (or restore it to its default location). In this scenario, the file must be saved to an alternate location because you don't want to lose your changes to the file.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 426-428

QUESTION NO: 13
HOTSPOT
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. Most client computers run Windows XP Professional, and the rest run Windows 2000 Professional. You create and share a folder named ProjectDocs on a member server. The current state of permissions for the folder is shown in the dialog box. Users report that they receive an 'Access is denied' error message when they try to add or create files and folders in ProjectDocs. You need to configure the permissions on ProjectDocs to fulfill the following requirements:
1. Domain users must be able to create or add files and folders.
2. Domain users must not be able to change NTFS permissions on the files or folders that they create or add.
3. Domain users must receive the minimum level of required permissions.
What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:

Explanation: The default share permission is Everyone - Read. To be able to write to the shared folder, the users require "Change" permission. The Change permission allows users to Read, Write, Execute and Delete files in the shared folder. Note: the exhibit shows the everyone group. In the exam, if you have the option to select the groups, then selecting Domain users - Change would be a better option. Share permissions can be set only at the folder level, not at the file level. Also note that shared-folder permissions apply only when accessing the resources across the network. These are the two most important ways in which NTFS permissions differ from shared-folder permissions.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 41

QUESTION NO: 14
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. The functional level of the domain is Windows 2000 native. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. The network includes a shared folder named TestKingInfo. Your boss Dr. King reports that he is often unable to access this folder. You discover that the problem occurs whenever more than 10 users try to connect to the folder. You need to ensure that all appropriate users can access TestKingInfo. What should you do?
A. Decrease the default user quota limit.
B. Raise the functional level of the domain to Windows Server 2003.
C. Purchase additional client access licenses.
D. Move TestKingInfo to one of the servers.
Answer: D
Explanation: It is likely that the share exists on a Windows XP client. That would lead to a situation where the Windows XP client computer only allows up to 10 connections at the same time resulting in users being unable to access TestKingInfo when the 10 connections are full. Moving the shared folder to a server computer will allow more concurrent connections.
Incorrect Answers:
A: The quota limit is irrelevant to network connections. It only comes into play when considering disk space.
B: The functional level of the domain is not the cause of the problem. The problem stems from connectivity difficulties when multiple users access the folder. Windows 2000 Native - this level supports Windows 2000 DCs and Windows Server 2003 DCs only. Windows 2000 DCs in native mode move to Windows 2000 native functional level when upgraded to Windows Server 2003.
C: This is not a CAL problem.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 47-50, 141

QUESTION NO: 15
HOTSPOT
You are the administrator of TestKing's network. Your accounting department has a Windows Server 2003 computer named TestKingSrvA. This computer hosts a secured application that is shared among several users in the accounting department. All users of the application must log on locally to TestKingSrvA. You decide to create desktop shortcuts that point to the application. These shortcuts must be available only to new users of TestKingSrvA. Which folder or folders should you modify on Server? (Choose all that apply.) To answer, select the appropriate folder or folders in the work area.
Answer:
Explanation: Default User

When a new user logs on to a machine for the first time, a new profile is created for that user. The "Default User" profile is copied and given the same name as the username. Any settings in the Default User profile will be applied to any new users.
Incorrect Answers:
All Users: Settings in this profile apply to all users of the machine, including current users. This is contrary to the requirements set out in the question.
Administrator, MZimmerman, RHunter, User: These are all user profiles. i.e. Profiles belonging to users who have logged in to the computer.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 286-292

Part 2: Troubleshoot Terminal Services.
A: Diagnose and resolve issues related to Terminal Services security. (8 Questions)

QUESTION NO: 1
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Terminal services is installed on a server named TestKing6. This server also stores user profiles. TestKing6 has limited processor resources, limited memory resources, and limited disk space. Remote users connect to TestKing6 to read e-mail, review documents, and access a front-end SQL query tool. All remote users have sufficient permissions to edit their registries. All client computers are licensed to use the query tool. Tess King, another administrator at TestKing, accidentally changes the server settings on TestKing6. You are required to restore the server settings to comply with company standards. You also need to ensure that no unnecessary files are stored on TestKing6. What action should you take?
Answer:
Explanation:
Delete temporary folders on exit = Yes
Use temporary folders per session = Yes
Licensing = Per Device
Active Desktop = Disable
Permission Compatibility = Full Security
Restrict Users to one session = Yes
Delete a session's temporary folder when the user logs off. This setting is configured to Yes by default. Thus the Delete temporary folders on exit enabled is necessary as TestKing6's disk space is limited.
Licensing - Allows for the administrator to configure the server as a terminal server or Remote Desktop for Administration computer. This setting is configured to Remote Desktop for Administration if the terminal server role has not been installed. If it has, this setting reflects the licensing choice made when you installed the terminal server role (per Device or per User) and can be changed here.
Active Desktop - Enables the use of Active Desktop technologies in Terminal Services sessions. These desktops can use considerably more bandwidth than traditional desktops. This setting is configured to be enabled by default.
Permission Compatibility - Full security is the only choice available for Remote Desktop for Administration. A second mode, Relaxed Security, is added when the terminal server role is installed on the server, which loosens security to accommodate older Windows computers and legacy applications. This is configured as Full Security by default.
Restrict each user to one session - Can be used to ensure that users do not establish more than one session to a Terminal Services system. Savvy users may be able to work around this setting by specifying a different program to start upon connection for each different session.
Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 559

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains. You have not modified the default Active Directory site configurations. The functional level of both domains is Windows 2000 native. Servers run either Windows Server 2003 or Windows 2000 Server. TestKing's internal domain is named testking.local. Testking's external domain is named extranet.testking.com. The external domain is accessed only by TestKing's business partners. You install a Windows Server 2003 computer named Testking7 in the extranet.testking.com domain. You install and configure Terminal Services on Testking7. Testking7 is configured as a member server in the domain. You install a secure database application on Testking7 that will be accessed by TestKing's business partners. A few months later, users report that they can no longer establish Terminal Services session to Testking7. You verify that only the default ports for HTTP, HTTPS, and Terminal Services on your firewall are open to the Internet. You need to ensure that TestKing's business partners can establish Terminal Services sessions to Testking7. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Install Terminal Services Licensing on a Windows 2000 Server computer in testking.local. Configure the computer as an Enterprise License Server.
B. Install Terminal Services Licensing on a Windows 2000 Server computer in extranet.testking.com. Configure the computer as an Enterprise License Server.
C. Install Terminal Services Licensing on a Windows Server 2003 computer in extranet.testking.com. Configure the computer as an Enterprise License Server.
D. Install Terminal Services Licensing on a Windows Server 2003 computer in testking.local. Configure the computer as an Enterprise License Server.
E. Instruct TestKing's business partners to connect by using the Terminal Services Advanced Client (TSAC) over HTTPS.
Answer: B, C
Explanation: Clients connecting to a Windows 2000 terminal server from a Windows 2000 Professional computer are not required to purchase a license, as Windows 2000 Pro includes a Terminal Services CAL. However, you still must set up a licensing server. In Windows Server 2003, Remote Administration mode has been renamed to Remote Desktop for Administration and it is installed by default. This works like the Remote Desktop feature in Windows XP. As in Windows 2000, you are still limited to two simultaneous remote desktops at a time. However, there is one improvement: you can now take over the local console session.
Incorrect answers:
A: Installing Terminal Services on Testking.local will not enable TestKing's business partners to establish terminal service sessions on Testking7.
D: Installing Terminal Services on Testking.local even if it is a Windows Server 2003 machine, will not enable TestKing's business partners to establish Terminal Service sessions.
E: With the release of the Terminal Services Advanced Client (TSAC) as a ValueAdd component on Microsoft Windows 2000 Server, Service Pack 1, the Terminal Services solution is now extended to the Web. For example, organizations needing to deploy line of business applications to remote offices can do so by means of a Terminal server and a Web server running ASP pages, such as the sample pages supplied with the TSAC. On the client side, all that is needed is Internet Explorer, a connection to the World Wide Web, and appropriate access rights, however this is not applicable in this scenario.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 39.
QUESTION NO: 3
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You install Terminal Server on three member servers named TestKing1, TestKing2, and TestKing3. You add a domain group named HR to the Remote Desktop Users group on all three terminal servers.

One "ee0 later* you disco/er that $iles on TestBing< and TestBing2 "ere deleted by a user named Tess* "ho is a member o$ the :D grou# You need to #re/ent Tess $rom connecting to any o$ the terminal ser/ers !hat should you do% A. 'n all three terminal ser%ers, modif the RD52Tcp connection permissions to assign the Den 2 Users Access and the Den 2 Cuest Access permissions to the AR group. 1. 'n all three terminal ser%ers, modif the RD52Tcp connection permissions to assign the Allow 2 Cuest Access permission to TessKs user account. .. &n the properties of TessKs user account, disable the Allow logon to a terminal ser%er option. D. 'n all three terminal ser%ers, modif the RD52Tcp connection permissions to assign the Den 2 User Access and the Den 2Cuest Access permissions to the Remote Des/top Users group. 3. &n the properties of TessKs user account, enable the 3nd session option. ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2-- 2 )ns"er: ' E3#lanation: Tess is a member o$ the :D grou# "hich is a member o$ the Demote Des0to# Users grou# on the member ser/ers )s such she has #ermission to log in to the member ser/ers !e can deny that #ermission by disabling the L)llo" logon to a terminal ser/erL o#tion on the Terminal Ser/ices .ro$ile tab in the #ro#erties o$ her user account This setting "ill o/erride the #ermissions gi/en to her by "ay o$ grou# membershi# Incorrect )ns"ers: ): The Den 2 Users access permission will den all users access to the terminal ser%ers. +: !e need to pre%ent Tess from connecting to the terminal ser%ers. Allowing Cuest 2 access will still enable her to connect. D: This will pre%ent an one from connecting to the terminal ser%ers. E: will not pre%ent her connecting to the ser%ers. De$erence: Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, 4aura 3. 
Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 547-548

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Three member servers are configured as terminal servers. All three host confidential data. Currently, all network users are full-time employees, and all network users are allowed to log on to the terminal servers. TestKing hires 25 temporary employees. You create a user account for each one. You need to ensure that only full-time employees are allowed to log on to the terminal servers. What should you do?

A. Modify the Default Domain Group Policy object (GPO). Configure a computer-level policy to prevent the temporary employees from connecting to the terminal servers.
B. Modify the Default Domain Group Policy object (GPO). Enable the user-level Terminal Server setting Sets rules for remote control of Terminal Services user sessions.
C. On the Terminal Services Profile tab of the user properties for each account, disable the option to log on to terminal servers.
D. In the security policy for domain controllers, disable the computer-level Terminal Server setting Allow users to connect remotely using the terminal server.
Answer: C

Explanation: Terminal Services is the underlying technology that enables Remote Desktop for Administration, Remote Assistance, and Terminal Server. Disabling the logon option in the Profile tab will effectively prevent workers other than full-time workers from logging on. Since all network users are full-time employees, they are, as such, the only users allowed in the network. The Allow Logon to Terminal Server check box controls whether the person is permitted to log in to the terminal server at all. By default, anyone with an account on the domain or server may do so. Therefore we need to disable this for the temporary users.

Incorrect Answers:
A:

should not affect the network users.
B: D: need to configure the temporary users without interfering with the full-time personnel.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 5
You are the administrator for TestKing.com's Active Directory domain. All client computers run Windows XP Professional. A Windows Server 2003 computer named Testking8 has Terminal Services installed. Users in the finance department access a custom application that is installed on Testking8. A finance department user reports that he cannot copy files from his Terminal Services session to his local computer. You view his user account properties, which are shown in the exhibit. Other finance department users are not experiencing this problem. You need to ensure that the user can access his local drives through his Terminal Services session. What should you do?

A. In the environment properties of the user account, enable the Start the following program at logon option. Specify net use z: \\Localhost\C$ as the program file name.
B. Instruct the user to enable the Disk Drives option in the properties of his remote desktop connection.
C. Instruct the user to log off, and then to select Log on using dial-up connection from the Log On to Windows dialog box.
D. Instruct the user to run the mstsc /console command.
E. Instruct the user to run the mstsc /edit command.
Answer: B

Explanation: When you initially launch the Remote Desktop Connection utility, most of its configuration information is hidden. To display it before you use it to establish a connection, click the Options button. This will reveal a series of tabs and many additional settings that can be configured. The Local Resources tab enables you to control whether or not client resources are accessible in your remote session. Instructing the user to enable the disk drives will ensure his/her access through his terminal sessions.

Incorrect answers:
A: This option will not solve the user's problem. The user's disk drives should be enabled in the properties of his remote desktop connection.
C: To solve this user's problem, a new connection must be added using the Remote Desktops snap-in, accepting all default settings, not by logging on and using the dial-up connection.
D: The mstsc /console command can be used to connect to the console session of a Terminal Services computer. However, an administrator actually sitting at the server and using the console session can request help by using the Remote Assistance functionality in Terminal Services.
E: This command does allow editing; it displays the Remote Desktop Connection to establish a connection with a terminal server. But this is not going to help this user.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp.
525-526
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 6
You are a network administrator for TestKing. The network consists of a single Active Directory domain named TestKing.com. The domain contains two Windows Server 2003 terminal servers that host applications that are used by company employees. An organization unit (OU) named TerminalServers contains only the computer accounts for these two terminal servers. A Group Policy object (GPO) named TSPolicy is linked to the TerminalServers OU, and you have been granted the right to modify the GPO. Users should use the terminal servers to run only authorized applications. A custom financial application suite is currently the only allowed application. The financial application suite is installed in the folder C:\Program Files\MT Apps. The financial application suite contains many executable files. Users must also be able to use Internet Explorer to access a browser-based application on the company intranet. The browser-based application makes extensive use of unsigned ActiveX components. The financial application suite and the browser-based application are frequently updated with patches or new versions. You need to configure the terminal servers to prevent users from running unauthorized applications. You plan to configure software restriction policies in the TSPolicy GPO. To reduce administrative overhead, you want to create a solution that can be implemented once, without requiring constant reconfiguration. Which three actions should you perform to configure software restriction policies? (Each correct answer presents part of the solution. Choose three)

A. Set the default security level to Disallowed.
B. Set the default security level to Unrestricted.
C. Create a new certificate rule.
D. Create a new hash rule.
E. Create a new Internet zone rule.
F. Create a new path rule.

Answer: A, E, F

Explanation: We need to prevent unauthorized applications from running. We should set the default security level to Disallowed. This will prevent the users
An Internet zone rule would allow the users to run the intranet application.
C:\Program Files\MT Apps
The question states that the application is regularly updated with patches etc.
Therefore, we cannot use a hash rule or a certificate rule, because we would have to recreate the hash or the certificate every time the application was updated. The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. Each rule can include descriptive text to help communicate why the rule was created. A software restriction policy supports the following four ways to identify software. Following are two of them:
1. Path Rule - Path is the local or universal naming convention (UNC) path of where the file is stored. A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.
2. Zone Rule - A rule can identify software from the Internet Explorer zone from which it is downloaded.

Incorrect answers:
B: The unrestricted security level will not restrict the users from running unauthorized applications.
C: Certificate Rule: A certificate rule specifies a code-signing, software publisher certificate. For example, a company can require that all scripts and ActiveX controls be signed with a particular set of publisher certificates. Certificates used in a certificate rule can be issued from a commercial certificate authority (CA) such as VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed certificate. A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. If you wish to make exceptions to a certificate rule, you can use a hash rule to identify the exceptions.
D: Hash is a cryptographic fingerprint of the file.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 657-659

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. You install Terminal Services on all domain controllers. However, your technical support specialists report that they cannot use Terminal Services to access any domain controllers. Which action or actions should you perform to solve this problem? (Choose all that apply)

A. Install Remote Desktop for Administration.
B. Require the support specialists to use a console session to connect to the terminal servers.
C. Add the Remote Administrators group to the Account Operators group.
D. Add the support specialists to the Remote Desktop group.
E. Modify the Default Domain Controller Group Policy object (GPO) to grant the Log on locally user right to the support specialists.

Answer: D, E

Explanation: The Remote Desktop group has the necessary permissions to connect to the servers using Terminal Services. Terminal Services is a built-in service that enables you to use the Remote Desktop Connection software to connect to a session that is running on a remote computer while you are sitting at another computer in a different location. This process is extremely useful for employees who want to work from home but need to access their computers at work. Terminal Server mode, deployed traditionally, allows multiple remote clients to simultaneously access Windows-based applications that run on the server. Remote Desktop for Administration is used to remotely manage Windows Server 2003 servers. We need to add the support specialists to the Remote Desktop group. As the servers are domain controllers, we must grant the Log on locally user right to the support specialists.

Incorrect Answers:
A: Remote Desktop for Administration is installed by default in Windows Server 2003. For security reasons it is disabled by default. It can be enabled through the System control panel. There is thus no need to install it.
B: They do not require a console session.
C: The Account Operators do not have permission to connect using Terminal Services.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapters 5 & 7

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. A Windows Server 2003 computer named TestKing3 is configured as a member server in your domain. You install Terminal Services on TestKing3. You also install several legacy applications on TestKing3. Users report that they cannot run many of the legacy applications on TestKing3 through their Terminal Services sessions. You establish a Terminal Services session by using the Administrator account, and you verify that you can run the legacy applications. You need to ensure that users can run the legacy applications on TestKing3 while they are connected through Terminal Services. What should you do?

A. Add all Terminal Services users to the domain Server Operators group.
B. Share the C:\Program Files folders on TestKing2. Assign the Domain Users group the Allow - Full Control share permissions.
C. Install Terminal Server Licensing Server on TestKing3.
D. Use Terminal Services Configuration to change the Permissions Compatibility setting.

Answer: D

Explanation: Permission Compatibility can be set to either Full Security or Relaxed Security. It specifies whether you are using Full Security or Relaxed Security for clients accessing the Terminal Services server. Some applications may not work properly with Full Security. Thus in this case you need to change the Permissions Compatibility setting to ensure that users will be able to run the legacy applications on TestKing3 when connected through Terminal Services.

Incorrect answers:
A: This option will not ensure that all Terminal Services users will be able to run the legacy applications on TestKing3.
B: Even though TestKing3 is a member server in the domain, assigning Domain Users the Allow - Full Control share permission will not ensure that they can run the legacy application when connected through Terminal Services.
C: It is not a Licensing matter.

Reference: Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, p. 410

1: Diagnose and resolve issues related to client access to Terminal Services. (7 Questions)

QUESTION NO: 1
You are the network administrator for TestKing. Your network consists of two Active Directory domains. Each department has its own organizational unit (OU) for departmental user accounts. Each OU has a separate Group Policy object (GPO). A single terminal server named TestKingTerm1 is reserved for remote users. In addition, several departments have their own terminal servers for departmental use. Your help desk reports that user sessions on TestKingTerm1 remain connected even if the sessions are inactive for days. Users in the accounting department report slow response times on their terminal server. You need to ensure that users of TestKingTerm1 are automatically logged off when their sessions are inactive for more than two hours. Your solution must not affect users of any other terminal servers. What should you do?

A. For all accounting users, change the session limit settings.
B. On TestKingTerm1, use the Terminal Services configuration tool to change the session limit settings.
C. Modify the GPO linked to the Accounting OU by changing the session limit settings in user-level group policies.
D. Modify the GPO linked to the Accounting OU by changing the session limit settings in computer-level group policies.
Answer: B

Explanation: The question states that you need to ensure that users of TestKingTerm1 are automatically logged off when their sessions are inactive for more than two hours. Therefore, you need to configure TestKingTerm1 by changing the session limit settings. You can limit the amount of time that active, disconnected, and idle (without client activity) sessions remain on the server. This is effective since sessions which remain running indefinitely on the server, typically consume valuable system resources. When a session limit is reached for active or idle sessions, you can select to either disconnect the user from the session or end the session. A user who is disconnected from a session can reconnect to the same session later. When a session ends, it is permanently deleted from the server, and any running applications are forced to shut down. This can result in data loss at the client. When a session limit is reached for a disconnected session, the session ends. This permanently deletes it from the server. Sessions can also be allowed to continue indefinitely.

Incorrect Answers:
A: You need to change the session limit for all users of TestKingTerm1, not only for the Finance users.
C: You need to configure TestKingTerm1 to change the session limit settings.
D: You need to configure TestKingTerm1 to change the session limit settings.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 665

QUESTION NO: 2
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. Half of the client computers run Windows XP
Professional, and the other half run Windows NT 4.0 Workstation. You install Terminal Server on three member servers named TestKing1, TestKing2, and TestKing3. Each server has a single Pentium III 600-MHz CPU with 512 MB of RAM and a single-channel EIDE disk subsystem. You place all three terminal servers in an organizational unit (OU) named Terminal Server. You link a Group Policy Object (GPO) to the Terminal Server OU. Several days after the installation, users report that the performance of all three terminal servers is unacceptably slow. You discover that each server has at least 50 active sessions at once. You need to improve performance of all three terminal servers. You must achieve this goal by using the minimum amount of administrative effort, without upgrading any hardware. What should you do?

A. Log on to the console of each terminal server. In the RDP-Tcp connection properties, set the Maximum connections option to 35.
B. Edit the GPO to set the Limit number of connections policy to 35.
C. Modify all domain user accounts to set the When a session limit is reached or broken user property to End session.
D. Edit the GPO to enable the Remove Disconnect option from shutdown dialog policy.

Answer: B

Explanation: By setting the Limit number of connections policy in the group policy object to 35, you will be able to prevent a situation where there are more than the necessary number of simultaneous connections at any one time. Then you will not get a situation where there are more than 50 simultaneous connections that would probably be idle sessions and thus cause the performance of the servers to be poor. This option will not require the upgrading of any hardware or unnecessary administrative effort.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp.
47-51, 682
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 3
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A single server running Terminal Server is available to remote users. Your help desk staff is responsible for monitoring user activity on the terminal server. The staff is also responsible for sending messages to users about new programs and about modifications to the terminal server. A company developer writes a script that will log the relevant user information in a file and provide pop-up messages as needed. You need to ensure that the script runs every time a user logs on to the terminal server. What should you do?

A. Deploy a client connection object for remote users. Configure the client connection object to run the script.
B. On the terminal server, configure the RDP-tcp properties with the name of the script. Override other settings.
C. In the Default Domain Group Policy object (GPO), select the Start a program on startup option and specify the name of the script.
D. On the terminal server, configure the RDP client properties with the name of the script.

Answer: B

Explanation: A listener connection (also called the RDP-Tcp connection) must be configured and exist on the server for clients to successfully establish Terminal Services sessions to that server. You should keep in mind that every property you set will affect all users who connect through the listener connection. Thus configuring RDP-Tcp properties with the name of the script on the terminal server and overriding all the settings will ensure that the script runs every time a user logs on to the terminal server.

Incorrect answers:
A: Configuring the client connection object to run the script will not run the script when a user logs on to the terminal server.
C: Selecting the Start a program on startup option and specifying the name of the script in the Default Domain Group Policy object will not make a script run every time a user logs on to the terminal server.
D: The most important thing to remember is that every property you set affects all users who connect through the listener connection. But configuring the RDP client properties will not ensure that the script runs every time a user logs on to the terminal server.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 547-549.

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Some client computers run Windows XP Professional, and the rest run Windows NT 4.0 Workstation. TestKing includes departments for accounting, design, marketing, and sales. Each department has a corresponding organizational unit (OU). A member server named Testking1 can be accessed only by user accounts in the Accounting, Design, Marketing, and Sales OUs. You install Terminal Server on Testking1. Then you install four new applications on Testking1. Each application is intended for users in only one of the four departments. You need to ensure that each application can be accessed only by users in the appropriate department. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. In the Default Policy Group Policy object (GPO), configure the Start program on connection policy to be the program path and file name of the application to start when the user logs on.
B. In each OU, set the Environment property for each user to the program path and file name of the application that corresponds to the OU.
C. On Testking1, select the RDP-Tcp connection properties. Set the program path and file name of the application to start when the user logs on.
D. Create one Group Policy object (GPO) for each department. Link each GPO to the corresponding OU. For each GPO, configure the Start program on connection policy to run the application that corresponds to the appropriate department.
Answer: D

Explanation: Group policies cannot be applied to groups, only sites, domains, and organizational units. An organizational unit (OU) is a container object in Active Directory used to separate computers, users, and other resources into logical units. An organizational unit is the smallest entity to which Group Policy can be linked. It is also the smallest scope to which administration authority can be delegated. At the client level, a user can specify that a program be launched when they connect to a server instead of receiving a desktop. Likewise, an administrator can specify this at the connection level for all users that connect to a specific listener connection. Finally, this can also be set in Group Policy. However, the client may receive a message stating, "This initial program cannot be started". This error may be caused by an input error or incorrect path and executable file name. If you have entered the incorrect path and executable file name, they will be pointing to a file that does not exist. Another possible cause is that the correct permissions are not set on the executable file. If Windows Server 2003 cannot access the file, it will not be able to launch the program. You should verify that the appropriate read and execute permissions are applied to both the file and the working folder. If neither of these two possible solutions resolves the issue, the application itself may have become corrupt. Try to launch the application at the server. If it will not open, you may need to uninstall and reinstall the application.

Incorrect Answers:
A: B: C: The question states: minimum amount of administrative effort, therefore we need to use a GPO. This would work though.

References: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp.
17: 20
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.

Terminal Services is installed on a member server named Terminal1 with default settings. Users in the editing department are members of a group named Editors. When these users try to make a Terminal Services connection to Terminal1, they receive the following error message: "The local policy of this system does not permit you to logon interactively". You need to enable members of the Editors group to establish Terminal Services sessions on Terminal1. What should you do?

A. Enable the Allow users to connect remotely to this computer option on Terminal1.
B. Add the Editors group to the Remote Desktop Users group on Terminal1.
C. Configure the RDP-Tcp connection properties on Terminal1 to assign the Allow - Full Control permission to the Editors group.
D. Add the Editors group to the Remote Desktop Users group in Active Directory.

Answer: B

Explanation: The Remote Desktop Users group on Terminal1 has the necessary permission to connect to Terminal1 using a remote desktop connection. By simply adding the Editors group to the Remote Desktop Users group on Terminal1 we can give the Editors the required permission. The Remote Desktop Services on Terminal1 is not configured to allow Editors access. This group should be added to the Remote Desktop Users group on Terminal1 to enable them to establish Terminal Services sessions.

Incorrect Answers:
A: The Allow users to connect remotely to this computer option is for Remote Desktop For Administration, not Terminal Services.
C: The Editors group does not need Full Control access to the server. The problem is that they don't have the necessary permission to connect to Terminal1 using a remote desktop connection.
D: If you add the Editors group to the Remote Desktop Users group in Active Directory you would allow the Editors group to connect to any Terminal server in the domain.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 6
HOTSPOT
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003, and all client computers run Windows XP Professional. You install Terminal Server on a member server named TestKing4. Several days later, users report that server performance is unacceptably slow. On Server1, you discover 75 disconnected sessions and 25 sessions that have been idle for at least three hours. You need to configure TestKing4 to fulfill the following requirements:
1. Disconnected sessions remain on the server for a maximum of 1 minute.
2. Idle sessions remain on the server for a maximum of 30 minutes.
3. Sessions idle for more than 30 minutes are automatically reset.
4. Active sessions are not affected.
What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer:

Explanation: By default, most of the settings in the sessions tab are configured to use the user account property settings and several settings are grayed out. This can be overridden by selecting the check box next to Override user settings. When user
1. End a disconnected session: Used to specify the amount of time a disconnected session can remain running on the Terminal Services computer.
2. Active session limit: Used to specify the amount of time an actively used session can remain connected and in use.
3. Idle session limit: Used to specify the amount of time an idle session can remain connected to the Terminal Services computer.
The first 'Override user settings' checkbox specifies that a session is ended when the session limit is reached or the connection is broken. That will ensure that disconnected sessions remain on the server for a maximum of one minute. You can specify the maximum time limit for a disconnected session to remain on the server by configuring maximum time limit for a session to remain idle by configuring the 'Idle session limit' option. This should keep idle sessions on the server for a maximum of 30 minutes and reset them automatically. The second 'Override user settings' checkbox specifies the type of action to be taken when the session limit is reached.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 551

QUESTION NO: 7
You are the network administrator for TestKing.com. All client computers run Windows 2000 Professional. You recently deployed 10 new servers that run Windows Server 2003. You placed the servers in a new OU named W2K3Servers. Tess is another network administrator. You need to configure the appropriate permissions to allow Tess to manage the new servers by using Terminal Services from her client computer. You need to assign Tess only the permissions she needs to perform her job. What should you do?

A. Add Tess's user account to the local Power Users group on each server that runs Windows Server 2003.
B. Add Tess's user account to the Remote Desktop Users group on each server that runs Windows Server 2003.
C. Assign Tess's user account the Allow - Read and the Allow - Write permissions for the W2K3Servers OU.
D. Configure the Managed By property for the W2K3Servers OU to Tess's user account.

Answer: B

Explanation: The Remote Desktop Users group is a special group that allows its members to log on to the server remotely. This is what is needed by Tess if she is to perform her job.

Incorrect answers:
A: Adding Tess's account to the local Power Users group will not enable her to make use of Terminal Services.
'9 Aa%ing the Allow2Read and the Allow2!rite permissions will not ensure that Tess can do her )ob %ia Terminal $er%ices. D9 This will not wor/ for Tess as she will not be able to use Terminal $er%ices to carr out her tas/s. De$erence9 4isa Donald L $u0an $age 4ondon L Qames .hellis, M.$AHM.$39 !indowsO $er%er 2""3 3n%ironment Management and Maintenance9 $tud Cuide, $ beB &nc, Alameda, 2""3, p. 1;= QUESTION NO: 9 E3hibit* Table ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2;3 2 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory Domain named test0ing com )ll ser/ers run !indo"s ser/er 2==, )ll user accounts are members o$ the Domain Users grou# You manage a ser/er that is a member o$ the domain Some administration tas0s must be #er$ormed "hile you are logged on to the ser/er ) ne" "ritten security #olicy states that only s#eci$ied users must be able to access the ser/er by using Terminal Ser/ices The "ritten security #olicy also states that only administrators on the local ser/er must be able to log on locally to the ser/er The settings $or the ser/er are sho"n in the table e3hibit You are a member o$ the Domain )dmins global grou# You attem#t to #er$orm maintenance tas0s on the ser/er* but you recei/e an error message stating that the local #olicy o$ the com#uter is #re/enting you $rom logging on locally You need to ensure that you can #er$orm the maintenance tas0s that are required $or the serer You also need to meet the requirements o$ the "ritten security #olicy !hat should you do% A. Remo%e the 3%er one group from the Access this computer from the networ/ polic . Add the Domain Admins group to the Allow log on locall polic . 1. Remo%e the Domain Users group from the Den log on locall polic . .. Add the Administrators group to the Allow log on through Terminal $er%ices polic . D. 
Add the Domain Admins group to the Allow log on through Terminal $er%ices polic .

Answer: B

QUESTION NO: 9
You are the administrator of a Windows Server 2003 computer named TestKing3. TestKing3 has Terminal Services installed. TestKing3 connects to the Internet through a proxy server on the company network. Help desk employees periodically access custom web applications on the company network. You install IIS on TestKing3 with all the default settings. You need to ensure that help desk employees can access Terminal Services on TestKing3 from Internet Explorer 6.0. What should you do?
A. Uninstall IIS and Terminal Services. Reinstall IIS, and then reinstall Terminal Services.
B. Configure the Internet Connection Firewall (ICF) to allow incoming ports 80 and 3389.
C. Create a new virtual directory named Tsweb.
D. Create a new web site named Tsweb.
E. Install Remote Desktop Web Connection.
Answer: E

QUESTION NO: 10
HOTSPOT
You are the network administrator for TestKing.com. You manage a server that runs Windows Server 2003. You use a client computer that runs Windows XP Professional to perform administrative tasks. The network was attacked recently, which prompts you to change the security settings on the server. After you change the settings, you attempt to manage the server by using Remote Desktop. You attempt to connect to the server by using its IP address, but you cannot connect. The Remote Desktop client worked properly before you changed the security settings. You verify that the server has network access and that you are a member of the local administrators group. You also confirm that Remote Desktop is enabled. You suspect that the Internet Connection Firewall is not configured correctly. You need to maintain the highest possible level of security for the server. You also need to ensure that Remote Desktop functions properly. What should you do? To answer, configure the appropriate option or options in the dialog box in the work area.
Answer: Tick the "Remote Desktop" checkbox

Part 3: Configure file system permissions. (12 Questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain contains a group named SalesAdmin. Members of the SalesAdmin group need the permission to add Group Policy links and create Group Policy objects (GPOs) for only the Sales organizational unit (OU). You need to configure the domain to provide the SalesAdmin group with the minimum permissions necessary to meet these requirements. What should you do?
A. Add the SalesAdmins group to the Group Policy Creator Owners group.
B. Configure the discretionary access control list (DACL) on all of the Group Policy links for the Sales OU to assign the SalesAdmins group the Allow - Apply Group Policy permission.
C. Run the Delegation of Control wizard on the domain to assign the SalesAdmin group the Manage Group Policy links task.
D. Run the Delegation of Control wizard on the Sales OU to assign the SalesAdmins group the Manage Group Policy links task.
Answer: D
Explanation: To specify which Group Policy objects are linked to a given site, domain, or OU, use the Group Policy tab in the Properties page for a site, domain, or OU. This property page stores the user's choices in two Active Directory properties called gPLink and gPOptions. The gPLink property contains the prioritized list of Group Policy objects, and the gPOptions property contains the Block Policy Inheritance setting. To manage GPO links to a site, domain, or OU, you must have Read and Write access to the gPLink and gPOptions properties. By default, Domain Administrators have this permission for domains and OUs. Enterprise Administrators and Domain Administrators of the forest root domain can manage links to sites. You can delegate rights to additional groups and users by using the Delegation Wizard and selecting the Manage Group Policy links predefined task.
Incorrect Answers:
A: The Creator Owner group permissions should be applied at the root of the volume. The Creator Owner group e.g. is a special group that determines the access that a user has to files and folders he or she has created. By default, the Full Control special permissions assigned to this group automatically apply to every folder created on the volume. Thus the default permissions of being Creator Owner would grant the SalesAdmins group more permissions than is necessary.
B: The DACL is the part of the security descriptor that grants or denies access to individuals or groups for the object. These permissions can be assigned by anyone with "change permissions" credentials. Hence, it is under the discretion of the owner to assign links and objects to their own group. This type of permission will allow them to apply their work to all on the domain.
C: You should be running the Delegation of Control Wizard on the Sales OU and not on the domain.
Reference: Designing a Group Policy Infrastructure, Windows Resource Kits, Delegating Group Policy-Related Permissions on Sites, Domains, and OUs, Managing GPO links

QUESTION NO: 2
DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. A manager named Tess King creates a new folder named TestKingData. Tess shares this folder on a server so that TestKing employees can create, edit, and delete documents. Tess wants users to have only these permissions. You add the Authenticated Users group to the ACL on the Sharing tab and the ACL on the Security tab for the TestKingData folder. You need to configure the appropriate permissions. What should you do? To answer, drag the appropriate share permissions and NTFS permissions to the correct location or locations in the work area.
Answer:
Explanation:
Share permission: Change
NTFS permission: Modify
One has to keep in mind that:
(1) Both NTFS and share permissions are cumulative. If a user belongs to more than one group, and two or more of these groups are assigned permissions on a file or folder, the user's effective permissions (NTFS or share) on the file or folder are the sum of all the groups' permissions.
(2) When determining the effective permissions on a file or folder accessed through a share, the more restrictive permissions (that is, the cumulative effective NTFS permissions or the cumulative effective share permissions) are the ones applied.
(3) Assign user rights to groups whenever possible; assigning user rights to individual user accounts is difficult to manage.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 475-476

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You create a network share named AppShare. This share resides on an NTFS partition on a server named TestKingSrvC. You set NTFS permissions on AppShare as shown in the following table.

Users            NTFS permissions    Share permissions
TessKing         Read                Read
TestKingGroup3   Read                Change
TestKingGroup4   Read/Write          Full Control
All Users        Read and Execute    Read

Tess belongs only to the All Users group. You need to enable Tess to delete files from AppShare. What should you do?
A. Assign the Allow - Full Control share permissions to the All Users group.
B. Add Tess's user account to TestKingGroup4. Assign the Allow - Read and Execute NTFS permission to TestKingGroup4.
C. Add Tess's user account to TestKingGroup3. Assign the Allow - Modify NTFS permissions to TestKingGroup3.
D. Assign the Allow - Full Control NTFS permissions to the All Users group.
E. Assign the Allow - Full Control share permissions to Tess's user account.
Answer: C
Explanation: Tess only belongs to the ALL USERS group, so her effective NTFS permissions are: Read/Execute + Read = Read/Execute permissions.
Tess only belongs to the ALL USERS group, so her effective SHARE permissions are: Read + Read = Read permissions.
THUS her total effective permissions are: Read/Execute + Read = READ permissions.
Changing Tess' status by adding her to the Usergroup3 will enable Tess with the rights to delete files from the AppShare. If we add Tess to the TestkingGroup3, and we add - Modify NTFS permissions to that group:
Then her effective NTFS permissions are: Read/Execute + Read + Modify = Modify permissions.
Then her effective SHARE permissions are: Read + Read + Full Control = Full Control permissions.
Her total effective permissions will be: Modify + Full Control = MODIFY permissions.
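The calculation in this explanation can be checked mechanically. The following Python sketch is an added example, not part of the original study guide: it models the cumulative and most-restrictive rules with the AppShare table's values and evaluates answer options A to E. The reduction of each permission level to a flat set of rights, and all function and variable names, are assumptions made for illustration.

```python
# Added example: simplified model of the cumulative / most-restrictive rules.
# Assumption: each permission level is reduced to a flat set of rights;
# special permissions, inheritance and ownership are ignored.
NTFS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}
SHARE = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}

# ACLs transcribed from the AppShare table: (trustee, "allow" or "deny", level).
NTFS_ACL = [
    ("TessKing", "allow", "Read"),
    ("TestKingGroup3", "allow", "Read"),
    ("TestKingGroup4", "allow", "Read"),
    ("TestKingGroup4", "allow", "Write"),
    ("All Users", "allow", "Read & Execute"),
]
SHARE_ACL = [
    ("TessKing", "allow", "Read"),
    ("TestKingGroup3", "allow", "Change"),
    ("TestKingGroup4", "allow", "Full Control"),
    ("All Users", "allow", "Read"),
]
TESS = {"TessKing", "All Users"}  # Tess's account plus her only group

# Answer options: (groups Tess joins, NTFS entries added, share entries added).
OPTIONS = {
    "A": (set(), [], [("All Users", "allow", "Full Control")]),
    "B": ({"TestKingGroup4"}, [("TestKingGroup4", "allow", "Read & Execute")], []),
    "C": ({"TestKingGroup3"}, [("TestKingGroup3", "allow", "Modify")], []),
    "D": (set(), [("All Users", "allow", "Full Control")], []),
    "E": (set(), [], [("TessKing", "allow", "Full Control")]),
}


def cumulative(acl, principals, levels):
    """Union every Allow entry that applies to the user, then remove every Deny."""
    allowed, denied = set(), set()
    for trustee, kind, level in acl:
        if trustee in principals:
            (allowed if kind == "allow" else denied).update(levels[level])
    return allowed - denied


def effective(ntfs_acl, share_acl, principals):
    """Access through the share is limited to rights granted on both sides."""
    ntfs_rights = cumulative(ntfs_acl, principals, NTFS)
    share_rights = cumulative(share_acl, principals, SHARE)
    return ntfs_rights & share_rights


def options_granting(right):
    """Return the answer options under which Tess ends up holding `right`."""
    winners = []
    for name in sorted(OPTIONS):
        groups, ntfs_extra, share_extra = OPTIONS[name]
        rights = effective(NTFS_ACL + ntfs_extra, SHARE_ACL + share_extra, TESS | groups)
        if right in rights:
            winners.append(name)
    return winners


if __name__ == "__main__":
    print("Tess today:", sorted(effective(NTFS_ACL, SHARE_ACL, TESS)))
    print("Options that let Tess delete:", options_granting("delete"))
```

Options A, D and E each raise only one side of the pair, so the unchanged side still caps Tess at read-level access.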
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 475 - 480

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. All summer interns in the company are members of the Interns global group. All users in the engineering department are members of the Engineering global group. A member server named TK1 contains a folder that is shared as Blueprints. Permissions on Blueprints are shown in the following table.

Share permissions     NTFS permissions
Everyone: Change      Administrators: Full Control
                      Engineers: Modify

User accounts in Interns and Engineers do not have the Log on locally user right on TK1. A user named Mark is a member of both Interns and Engineers. You discover that data in Blueprints was modified by Mark. You need to reconfigure the permissions on Blueprints to ensure that Mark cannot access the folder. You must not affect the access of any other users. You must ensure that Mark remains in Engineers so he can access other appropriate resources. What should you do?
A. Configure the share permissions to assign the Allow - Read permission to Mark.
B. Configure the NTFS permissions to assign the Deny - Read permission to Engineers.
C. Configure the NTFS permissions to assign the Deny - Read and Deny - Execute permissions to Mark.
D. Configure the NTFS permissions to assign the Allow - Read permission to Interns.
Answer: C

Explanation: We can prevent Mark from accessing the Blueprints folder by assigning the Deny - Read and Deny - Execute permissions to Mark. The Deny permissions will override any other permissions that give Mark access to the folder. To accommodate Mark's needs, since he forms part of both Interns and Engineers, you should configure the NTFS permissions to assign the Allow - Read permission to Interns, which would be the appropriate setting so as not to affect other users while allowing Mark to remain and operate in Engineers. Also keep in mind that when a Deny permission is applied, it takes precedence over any permission.
Incorrect answers:
A: Mark has dual membership and is thus also a member of the Everyone group. So he has change share permissions already. This will not prevent Mark from accessing the Blueprints folder.
B: Assigning the Deny - Read permission to the Engineers group will prevent the Engineers group accessing the folder. The Engineers group requires access to the folder so this answer is incorrect.
D: Assigning the Allow - Read permission to the Interns group will not affect Mark's access to the folder because of his membership to the two groups.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 423-425

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows 2003 Server, and all client computers run Windows XP Professional. A file server named TK1 has two hard drives. You format D:\ and use the default file permissions. Then you copy a directory named Data from another file server to D:\ on TK1. Now you need to create a network share and configure NTFS permissions settings for D:\Data. You must fulfil the following requirements:
1. All domain users need read access to D:\Data
2. Members of the Sales group need the ability to add and delete files in a directory named D:\Data\Sales
3. Members of the Engineering group need the ability to read and modify files in a directory named D:\Data\Engineering
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. Assign the Allow - Modify NTFS permission on D:\Data\Sales to the Sales group.
B. Assign the Allow - Write NTFS permission on D:\Data\Engineering to the Engineering group.
C. Share D:\Data as Data and use the default share permissions.
D. Share D:\Data as Data and assign the Allow - Change share permission to the Everyone group.
E. Assign the Allow - Full Control NTFS permission on D:\Data to the Administrators group.
F. Change the share permission on D:\Data to assign the Allow - Modify permission to the Everyone group.
G. Assign the Allow - Read NTFS permission on D:\Data to the Users group.
H. Assign the Allow - Write NTFS permission on D:\Data\Sales and D:\Data\Engineering to the Creator Owner group.
Answer: A, B, D
Explanation: By default, the Everyone group has only Read and Execute permissions on the root of permissions by default to a newly created folder or file. Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission by default, rather than full control. This is quite a change from earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share permissions. One big difference between Everyone and Users is that you can add and delete members of the Users group. By default, any new user you create will belong to the Users group but this can be changed. The Everyone group is a built-in group with set membership (that is, you cannot add and delete members as you can with most other security groups).
Incorrect answers:
C: Share permissions, be it default permissions or not, can only be set at folder level.
E: Although the Everyone group has no NTFS permissions to a newly created folder or file, the Users group does have the following permissions: Read & Execute, Read, and List Folder Contents.
F: As mentioned in the previous option, share permissions can only be set at folder level.
G: The engineering group must not only be able to read, they also need to modify. Thus this option will not allow them to fulfil their tasks. This option will only allow the users group to have read access and nothing more.
H: The Modify permission gives the object the same permissions as the Read, Write, List Folder Contents, and Read & Execute permissions, but also enables the object to delete files and folders within the designated folder. Assigning the Allow - Write permission will not be sufficient.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 414-417

QUESTION NO: 6
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. A file server named TestKingFileSrv is configured as a stand-alone Distributed File System (DFS) root. The disk configuration of TestKingFileSrv is shown in the following table.

Disk     Volume   Contents
Disk0    MAIN     System files
Disk1    DATA     Database files
Disk1    USERS    Files and data for users

USERS hosts a shared folder named User Data. You use Group Policy to deploy the Previous Versions client software to all client computers. However, users report that they cannot access any previous version of any of the files in User Data. From your client computer, you open the Properties dialog box of User Data, as shown in the exhibit. You need to enable all users to access previous versions of the file in User Data. To achieve this goal, you will modify TestKingFileSrv. What should you do?
A. Start the Distributed Link Tracking Client service.
B. Create a DFS link to User Data.
C. Enable shadow copies of USERS.
D. Disable quota management on USERS.
Answer: C
Explanation: Enabling users to access previous versions of their files is a two-step process. The clients need the 'previous versions' client software installed and the volume hosting the shared folder must have Shadow Copies enabled.
Incorrect Answers:
A: The Distributed Link Tracking Client service is not related to shadow copies.
B: Creating a DFS link to User Data is not necessary to enable shadow copies. DFS allows you to create a single logical tree view for multiple servers, so that all directories appear to be on the same server.
D: Quota management is not enabled by default. The question doesn't state that quota management is enabled. Either way, quota management is not related to shadow copies.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 29, 140

QUESTION NO: 7
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. You manage a Windows Server 2003 computer named TestKing3. This server hosts all file and print services for the network on NTFS volumes. Tess King is a technical support specialist for TestKing. She belongs only to default groups in Active Directory. She needs the ability to change permissions for files stored in a folder named Data on TestKing3. You share Data and configure the folder permissions shown in the following table.

Tess logs on to TestKing3, but she cannot change permissions for any files in Data. How should you solve this problem?
A. Remove the Allow - Read NTFS permissions from Tess's user account. Add Tess's user account to Group 1.
B. Add Tess's user account to Group 3.
C. Assign the Allow - Full Control share permissions to Group 2. Add Tess's user account to Group 2.
D. Assign the Allow - Modify NTFS permission to Tess's user account.
Answer: B
Explanation: Group 3 has the Full Control NTFS permission and this is thus the only permission listed that will enable Tess to change the file permissions. However, this answer will prevent Tess from reading the files over the network due to the Deny - Read Share permission. Since her task is to change permissions for files this is the appropriate answer.
Incorrect answers:
A: Adding Tess to Group1 will result in Tess being able to give the object the same permissions as the Read, Write, List Folder Contents, and Read & Execute permissions, but also enables the object to delete files and folders within the designated folder.
C: Assigning the Allow - Full Control share permissions to Group 2 will not resolve the problem.
D: The more restrictive permission (of the cumulative total of each type of permission) is the one that takes precedence in determining access. Look first at the permissions defined on the share before you look at the NTFS permissions defined. If the user only has Read permissions on the share, he or she will only have read access to the contents. If the user has Full Control permissions on the share, then look to the NTFS permissions defined to determine the level of access the user has.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 414-415, 425-426

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The company has a main office in Kairo and a branch office in Dubai. The Dubai branch office has three servers that are described in the following table.

Server name   Operating System       Server Role
TestKing1     Windows Server 2003    Domain Controller
TestKing2     Windows Server 2003    File server
TestKing3     Windows Server 2003    Print server

Every server that functions as a file server or as a print server contains a shared folder named TestKingLogs that contains log files. Members of a global group named ITSecurity must not be able to change the log files on any file or print server that is located in Dubai. You need to create the appropriate group or groups and grant the necessary permissions to the ITSecurity group to allow them to read the server logs on all file or print servers. What should you do?
A. Create a domain local group named DubaiLogAccess and add the ITSecurity global group to it. Assign the DubaiLogAccess group the Allow - Read permission for the TestKingLogs shared folder on TestKing2. Assign the DubaiLogAccess group the Allow - Read permission for the TestKingLogs shared folder on TestKing3.
B. Create a domain local group named DubaiLogAccess and add the ITSecurity global group to it. Assign the DubaiLogAccess group the Deny - Full Control permission for the TestKingLogs shared folder on TestKing2. Assign the DubaiLogAccess group the Deny - Full Control permission for the TestKingLogs shared folder on TestKing3.
C. Create a local group named TestKing2LogAccess and add the ITSecurity global group to it. Create a local group named TestKing3LogAccess and add the ITSecurity global group to it. Assign the DubaiLogAccess group the Allow - Read permission for the TestKingLogs shared folder on TestKing2. Assign the DubaiLogAccess group the Allow - Read permission for the TestKingLogs shared folder on TestKing3.
D. Create a local group named TestKing2LogAccess and add the ITSecurity global group to it. Create a local group named TestKing3LogAccess and add the ITSecurity global group to it. Assign the DubaiLogAccess group the Deny - Full Control permission for the TestKingLogs shared folder on TestKing2. Assign the DubaiLogAccess group the Deny - Full Control permission for the TestKingLogs shared folder on TestKing3.
Answer: A
Explanation: Domain local groups are a type of group used to assign permissions to resources. Domain local groups can contain user accounts, universal groups, and global groups from any domain in the tree or forest. A domain local group can also contain other domain local groups from its own local domain. The share-level permission only represents the maximum level of access you will get on the inside. If you get read permissions at the share, the best you can do once you've connected remotely to the share is read. Thus option A would be the solution to this problem.
Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 9
DRAG DROP
You are the network administrator for TestKing.com. You install a new Windows Server 2003 computer in an existing subnet for server computers. The switch that manages this subnet uses full duplex Fast Ethernet connections. The Windows Server 2003 computer functions as a file server. Users have only intermittent network access to the file server. You need to ensure that users maintain a consistent connection to the file server. What should you do? To answer, drag the appropriate setting or settings to the correct location in the work area.
Answer:
Explanation:

QUESTION NO: 10
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. Users in the human resources (HR) department print to a printer named TestKingPr1. TestKingPr1 is configured on a Windows Server 2003 computer named TestKingA. A user named Tess King is in the HR department. Tess is responsible for pausing documents that are submitted to TestKingPr1 when required. Tess reports that she cannot pause documents that are submitted by other users. You need to ensure that Tess can pause documents when required, but cannot pause the entire printer. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Assign Tess the Allow - Manage Documents permission for TestKingPr1.
B. Remove the Allow - Manage Printers permission assigned to Tess.
C. Assign Tess the Allow - Modify permission for the C:\Windows\System32\Spool\Printers folder.
D. Assign Tess the Deny - Full Control permission for the C:\Windows\System32\Spool\Printers folder.
Answer: A, B
Explanation: The Manage Documents permission allows a user to control document-specific settings and pause, resume, restart, and delete spooled print jobs. And the Manage Printers permission allows a user to change printer properties and permissions. Thus options A and B will allow Tess to pause documents when required to do so without pausing the entire printer.
Incorrect answers:
C & D: These options will not result in the desired effect.
Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 11
DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional. The user accounts for all managers are in a global group named Managers. You create a new shared folder that managers will use to run an application. The application support files are stored locally on the client computers. Only the application's executable files are stored in the shared folder. You need to ensure that the managers have only the permissions that are required to run the application from the shared folder. You add the Managers group to the ACL on the Sharing tab and the ACL on the Security tab for the folder. You need to configure the appropriate permissions. What should you do? Drag the appropriate share permissions and NTFS permissions to the correct location or locations in the work area.
Answer:
Explanation:

QUESTION NO: 12
HOTSPOT
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Another administrator shares a folder as TestKingData. He wants users to be able to create and modify documents in the folder. When users attempt to connect to open a document in the TestKingData folder, they receive an error message. You need to configure the permission for the folder so that users can only create and modify documents. What should you do? To answer, configure the appropriate option or options in the dialog boxes in the work area.
Answer:
Explanation: Allow Modify
The Modify permission: simply put, Modify permissions are the combination of Read and Execute and Write, but give you the added luxury of Delete. Even when you could change a file, you never really could delete the file. You'll notice that, when you select permissions for files and folders, if you select Modify only, then Read, Read and Execute, and Write are automatically checked for you. In full, the Modify permission also includes the right to Write Attributes, Write Extended Attributes, and Delete files and folders.
Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

A: Verify effective permissions when granting permissions. (5 Questions)

QUESTION NO: 1
You are the administrator of some of TestKing's file servers. Peter is hired as an intern in the human resources department. Peter needs access to some HR files. He also needs to be able to read the file named Handbook.doc, but he must not be able to make changes to it. Handbook.doc exists in a folder named HRResources. Peter needs to have Read and Modify permissions for the other files in the HRResources folder. Peter is a member of the Domain Users group and the HR group. The permissions on the HRResources folder are shown in the following table.

Group          Permission   Type of permission
Domain Users   Read         Share
HR             Change       Share
Domain Users   Read         NTFS
HR             Modify       NTFS

You need to ensure that Peter can access the appropriate files and that he cannot make changes to Handbook.doc. What should you do?
A. Set the hidden and system attributes on Handbook.Doc.
B. Disable permissions inheritance on Handbook.doc.
C. Assign Peter the Allow - Read permission for Handbook.doc.
D. Assign Peter the Deny - Write NTFS permission for Handbook.doc.
Answer: D
Explanation: Peter has Change/Modify permission on the Handbook.doc file by way of his membership of the HR group. We need to ensure that Peter cannot make changes to the Handbook.doc file. To make changes, Peter needs the 'write' permission. We can prevent Peter making changes to the file by denying him the write permission on the file.
Incorrect Answers:
A: This would hide the file. It wouldn't stop Peter editing the file if he opens it by entering the correct path to the file.
B: If you disabled the permission inheritance, you would have to manually configure the permissions to give Peter (and everyone else) the appropriate permissions. This would work, but it is unnecessary and impractical.
C: Peter already has Change/Modify permission on the file. Adding the Allow - Read permission wouldn't make any difference to his existing permissions.
Reference:
Server Help
http://www.seagate.com/support/kb/tape/4062.html
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823.
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 280-286

QUESTION NO: 2
You are the network administrator for TestKing.com. All network servers run Windows Server 2003.
A folder named Data resides on a network server. You share Data with default share permissions. A user named Scott Cooper reports that he can access Data, but he cannot create new files in the folder. You review Scott Cooper's effective permissions for Data, which are shown in the exhibit.
You need to ensure that Scott Cooper can create files in Data.
What should you do?
A. On the Sharing tab of Data, assign the Allow - Full Control permission to the Interactive group.
B. On the Sharing tab of Data, assign the Allow - Change permission to Scott Cooper's user account.
C. On the Security tab of Data, assign the Allow - Full Control permission to the Authenticated users.
D. On the Security tab of Data, assign the Allow - Modify permission to the Network group.

Answer: B

Explanation: The default Share permissions are usually Allow-Read on the root of has no permissions by default to a newly created folder or file. Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission by default, rather than full control. This is quite a change from earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share permissions.
The effective permissions tabs show effective NTFS permissions, not shares. Scott only has read permissions because READ is the default share permission. To enable Scott to write to the share, we need to change the share permissions. We can set the permissions to Allow-Change.
To enable Scott Cooper to use and create new files in this particular folder, he needs to be assigned the Allow-Change permissions. This should be done on the Sharing tab of Data.

Incorrect answers:
A: The Allow-Full Control will also allow Scott Cooper to create files in the Data folder, but this would give him more permissions than are required.
C: The Allow-Full Control on the Security tab is not the same as the Sharing tab of Data and will thus not have the desired effect. Besides, as mentioned in option A, it will only lead to Scott Cooper having more permissions than is necessary.
D: The assigning of the Allow-Modify permission on the Security tab will not have the desired effect.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 414-428

QUESTION NO: 3
You are the network administrator for TestKing.com. Your network consists of two Active Directory domains in a single forest. All network servers run Windows Server 2003. Currently, you use more than 1,000 security groups.
A member server named TK1 contains a folder named Testing. This folder contains resources required by users in the engineering department. A written security policy states that engineering users must have the approval of the management group before they can be assigned the Full Control NTFS permission on Testing.
You need to discover whether any engineering users currently have the Full Control NTFS permission on Testing. You must complete this task by using the minimum amount of administrative effort.
What should you do?
A. Use Active Directory Users and Computers to view the access level available to engineering users.
B. Use the Find Users, Contacts, and Groups utility to view the membership of each group that has access to Testing.
C. In the properties of Testing, view the Effective Permissions tab.
D. Write an ADSI script to search for members of all groups that have access to testing.

Answer: C

Explanation: Effective Permissions are the permissions that result from the evaluation of group and user permissions allowed, denied, inherited, and explicitly defined on a resource. The effective permissions determine the actual access for a security principal. Windows 2003 offers an easy way to view which permissions are effectively granted to any specified user or group for the current object. You can view this information in the Effective Permissions dialog box. Effective permissions reflect the work of combining permissions, both allowed and denied, from all matching entries, whether explicit or inherited. Matching entries name either the user or group directly, or a group in which the specified user or group is a member.
The Effective Permissions tab of Testing is what you need to view to check whether any of the engineering users have Full Control NTFS permission. The properties of Testing will reveal the information that you need, i.e., which users currently have which permissions.

Incorrect answers:
A: The Active Directory Users and Computers console allows you to configure a Terminal Services User Profile, logon permissions, Remote Control permissions, session settings, and TS startup and redirection settings for domain users. Not to view who has which permissions.
B: Viewing memberships does not mean viewing permissions.
D: This option will result in unnecessary administrative effort, since you first have to write a script and then run it whereas all you need to do is to view the Effective Permissions in the properties of Testing.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 759

QUESTION NO: 4
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All users log on to the domain to access resources. All files and folders are stored on a member server named ServerTK1.
You need to configure permissions for a folder named Apps. You must ensure that authenticated users cannot create new files directly in Apps. This restriction must not affect any other permissions set on Apps, on the contents of its subfolders, or on its existing files. Users must still be able to modify files in Apps.
What should you do?
To answer, configure the appropriate option or options in the dialog box.

Answer:
Explanation:
For folders, the Create Files/Write Data permission enables the object to create new files within the folder, while for files it enables the object to change or replace the contents of an existing file.
For folders, the Create Folders/Append Data permission (Create Folders) allows or denies creating folders within the folder. For files, Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data.
Denying the right to create files and write data will not affect other permissions that were set on Apps, on the contents of its subfolders, or on its existing files.
It will however deny authenticated users the right to create new files directly in Apps.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 420

QUESTION NO: 5
You are the network administrator for Testking.com. Your network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.
Disk drive D on a server named TestKingA is formatted with default NTFS file permissions. You create a folder named D:\TestKingData on TestKingA. You share D:\TestKingData as TestKingData with default share permissions. Then you create a subfolder named Sales in D:\TestKingData.
A user named Lisa works in the sales department. Her user account is a member of 34 security groups. Lisa reports that she cannot add files to \\TestKingA\TestKingData\Sales. You review Lisa's effective permissions for Sales, which are shown in the exhibit:
You need to ensure that Lisa can add files to \\TestKingA\TestKingData\Sales.
What should you do?
A. Modify the NTFS permissions so Lisa inherits permissions on Sales from \\TestKingA\TestKingData.
B. Remove Lisa from the Users group.
C. Assign the Allow - Modify NTFS permissions to the Creator Owner group.
D. Modify the share permissions for \\TestKingA\TestKingData to assign the Allow - Change permissions to the Everyone group.
Answer: D

Explanation: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. The default share permission is Everyone - Allow Read. This needs to be changed to Everyone - Allow Change.

Incorrect Answers:
A: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. When permissions are applied to a folder, those permissions apply to the files within the folder as well.
B: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. Removing Lisa from the Users group will be to her detriment.
C: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. To assign the Allow-Modify permission to the Creator Owner group will not solve Lisa's problem.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 415-416

B: Change ownership of files and folders. (10 Questions)

QUESTION NO: 1
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.
All users in the sales department are members of a group named Sales. Tess, a member of Sales, creates a custom document named Salescustom.doc. She is responsible for making all required changes to this file. Tess places the file in a shared folder named TessDocs on a member server named TestKingA. Then she goes on vacation.
When users from the sales department try to open Salescustom.doc, they receive the following error message: 'Access is denied'. You log on to the console of TestKingA and try to open Salescustom.doc. You receive the same error message.
You need to ensure that members of Sales have read-only access to Salescustom.doc. You must not affect Tess's permissions on Salescustom.doc or on any other files in TessDocs. You must not grant access to Salescustom.doc to any other users.
First, you log on to TestKingA as an administrator.
What should you do next?
A. Take ownership of TessDocs and select the Replace owner on subcontainers and objects check box. Configure the NTFS permissions to assign the Allow - Modify permissions on the folder to Sales.
B. Take ownership of Salescustom.doc. Configure the NTFS permissions to assign the Allow - Create Files/Write Data permissions on the file to Sales.
C. Take ownership of Salescustom.doc. Configure the NTFS permissions to assign the Allow - Read permissions on the file to Sales.
D. Take ownership of TessDocs and select the Replace owner on subcontainers and objects check box. Configure the NTFS permissions to assign the Allow - Read permissions on the folder to Sales.

Answer: C

Explanation: Ownership can be transferred in the following ways:
1. The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at any time.
2. The user must actually take ownership to complete the transfer.
3. An administrator can take ownership.
4. A user who has the Restore files and directories privilege can double-click Other users and groups and choose any user or group to assign ownership to.
Every object has an owner, whether in an NTFS volume or Active Directory. And it is the owner that controls how permissions are set on that specific object as well as to whom permissions are granted.
We must change the permissions on the Salescustom.doc file only.

Incorrect Answers:
A: Granting the Sales group Allow - Modify permissions to the TessDocs folder will allow members of that group to make changes to all files in the TessDocs folder, including the Salescustom.doc file. This will give Sales modify access to every file in the TessDocs folder.
B: We must only assign Read access. However, if we grant the Sales group Allow - Create Files/Write Data permissions to the Salescustom.doc file, we would allow members of that group to make changes to the file.
D: Grant permissions at the file level and not the folder level as permissions granted at the folder level will apply to all files and subfolders contained in the folder. This will give Sales read access to every file in the TessDocs folder.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp 6-13 to 6-2
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp 419-23.

QUESTION NO: 2
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional.
You create a folder on the network and share it as TestKingDocs. You want users to be able to read, create, and modify documents that are stored in the shared folder. You also want users to be able to delete the folders and the files that they create.
A user reports that another user deleted a folder that she created. You discover that the Everyone group is assigned the Allow - Full Control NTFS permission for the folder. You remove all assigned permissions for the Everyone group.
You need to configure permission for the TestKingDocs shared folder to meet your requirements. You also need to ensure that users cannot delete the folders and files that other users create.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Assign the Authenticated Users group the Allow - Read & Execute permission.
B. Assign the Anonymous group the Allow - Modify permission.
C. Assign the Creator Owner group the Allow - Modify permission.
D. Assign the Creator Owner group the Allow - Full Control permission.

Answer: A, C

Explanation: Read and Execute permissions are identical to Read, but give you the added atomic privilege of traversing a folder. Modify permissions are the combination of Read and Execute and Write, but give you the added luxury of Delete. Even when you could change a file, you never really could delete the file. You'll notice that, when you select permissions for files and folders, if you select Modify only, then Read, Read and Execute, and Write are automatically checked for you. These permissions applied as suggested by options A and C will have the desired effect.

Incorrect answers:
B: You cannot assign the Allow - Modify permission to the Anonymous group as this will result in users being able to delete folders and files that others created.
D: Full Control is a combination of a number of permissions, with the abilities to change permissions and take ownership of objects thrown in. Full Control also allows you to delete subfolders and files, even when the subfolders and files don't specifically allow you to delete them. This is not the appropriate permission for this group.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 3
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
Resources for the TestKing Sales department are located on a network named TestKingFiles. Members of a group named Sales are allowed to run applications from the network share.
You need to configure permissions on TestKingFiles for members of a group named Sales Managers. Members of Sales Managers must be able to run the same applications that are run by members of Sales. However, members of Sales Managers must be assigned only the minimum level of required permissions.
Which permissions should you assign to Sales Managers?

To answer, configure the appropriate options in the dialog box.

Answer:
Explanation: Allow - Read
Read permissions are your most basic rights. They allow you to view the contents, permissions, and attributes associated with an object. If that object is a file, you can view the file, which happens to include the ability to launch the file, should it be an executable program file. If the object in question is a folder, Read permissions let you view the contents of the folder.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 4
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named TestKing1. TestKing1 functions as a file server.
Six users in the accounting department use an accounting software application to open files that are stored in a shared folder on TestKing1. The users keep these files open for an extended period of time.
You need to restart TestKing1. You need to find out if any files on TestKing1 are open before you restart the computer.
What should you do?
A. Use Computer Management to view existing connections.
B. Use the netsend command to send a message to all domain members.
C. Use Task Manager to monitor processes started by all users.
D. Use System Monitor to monitor the Server object in Report view.

Answer: A

Explanation: Advanced user, group, and computer management, which is used to locate objects within the Active Directory, move objects within the Active Directory, create and manage users, groups, and computers through automation, and how to import user accounts from a Windows NT 4.0 domain or a Windows 2000 domain.
If you want to find out if any files on TestKing1 are open before attempting to restart the computer you should make use of Computer Management to view the existing connections as Computer Management will also yield this information to you.

Incorrect answers:
B: Making use of the Netsend command to message all domain members is not the way to check existing connections to see if any files on TestKing1 are open.
C: Task Manager is a Windows Server 2003 utility that can be used to start, end, or prioritize applications. The Task Manager shows the applications and processes that are currently running on the computer, as well as CPU and memory usage information. You can also view network utilization and manage network users. However, this will not show if files are open. For that you need to make use of Computer Management.
D: System Monitor is a Windows Server 2003 utility used to monitor real-time system activity or view data from a log file.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 476

QUESTION NO: 5
HOTSPOT
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. All file servers contain shared volumes that use shadow copies. All client computers run the Previous Versions client software.
A user named Marie creates a file named Logo.bmp. Other users edit the file. The editing history of Logo.bmp is shown in the following table.

User     Changes to Logo.bmp                                   Date
Marie    Creates Logo.bmp. The foreground color is green.      January 4, 2003
         The background color is yellow.
Ellen    Changes the background color to blue.                 January 6, 2003
Andy     Changes the foreground color to magenta.              January 7, 2003
Sandra   Changes the foreground color to green. During the     January 10, 2003
         save, Logo.bmp is corrupted and cannot be reopened.

You need to ensure that the foreground color of Logo.bmp is green and the background color is blue. You also need to ensure that other users cannot access the corrupted version of Logo.bmp. Your solution must require the minimum amount of user effort.
What should you do?
To answer, configure the appropriate options in the dialog box.

Answer:
Explanation: Restore the January 06, 2003 version of the file.

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional.
One manager's client computer has a single partition formatted as NTFS. The manager creates a file named TestKingData.doc on his client computer. He wants to share this file with other users in the company. He assigns the Domain Users security group the Allow - Read permission for the file. He then moves the TestKingData.doc file from the folder in which he created it to a shared folder named TestKingFiles on his computer.
The permissions for the TestKingFiles folder are shown in the following table.

Group      Permission
Managers   Modify
Users      Read

When another manager attempts to edit the document over the network, he receives an error message. You need to ensure that managers have the appropriate permissions for the file when they access the file over the network.
What should you do?
A. Select the Replace permission entries on all child objects with entries shown here that apply to child objects option for the TestKingFiles folder.
B. Select the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here option for the TestKingFiles folder.
C. Import the Rootsec.inf security template by using Secedit.exe.
D. Import the Hisecws.inf security template by using Secedit.exe.

Answer: A

Explanation: The options that can be configured for permission inheritance are:
1. Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
2. Replace permission entries on all child objects with entries shown here that apply to child objects.
If an Allow or a Deny checkbox in the Permission list in the Security tab has a shaded check mark, this indicates that the permission was inherited from an upper-level folder. If the check mark is not shaded, it indicates that the permission was applied at the selected folder. This is known as an explicitly assigned permission. It is useful to see inherited permissions so that you can more easily troubleshoot permissions.
To minimize administration and simplify troubleshooting of folder permissions, you should assign permissions at higher-level folders within the directory structure and use inheritable permissions to propagate the permissions to all child objects within the directory structure.

Incorrect answers:
B: Selecting this option for the TestKingFiles folder will not ensure that managers have the appropriate permissions.

C: The rootsec.inf security template is used to restore permissions on the root file system. This is not appropriate in this case.
D: The Highly Secure Workstation (hisecws.inf) template applies super-secure settings to workstations or non-DC servers. You'll want to read the documentation on this template's authentication and encryption requirements. It also removes all members of the Power Users group and removes all members from the local Administrators group except Domain Admins and the local Administrator account. This is not the solution.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 28

QUESTION NO: 7
You are the network administrator for TestKing.com. You administer a Windows Server 2003 computer named TestKing3. A user needs to share documents that are stored in a folder on TestKing3 with other users in his department. When she attempts to share the folder, she discovers that the Sharing tab is missing. You need to ensure that the user can share the documents on TestKing3. You need to ensure that you grant the user the minimum amount of permissions required. What should you do?
A. Instruct the user to move the documents to the Shared Folders folder.
B. Add the user's user account to the local Power Users group.
C. Add the user's user account to the Network Configuration Operators group.
D. Add the user's user account to the local Administrators group.

Answer: B

Explanation: Before you can create a shared folder, you must have appropriate rights to do so. This requires that you are either an Administrator or a Power User. Thus you should add the user's user account to the local Power Users group.

Incorrect answers:
A: Moving the folder will not enable sharing. It is a matter of adding the user to the appropriate group.
C: This is the wrong group to be adding the user to for the purposes of this case.
D: This option will result in granting the user more than the minimum appropriate rights.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. The network includes a member server named TestKing4. You need to create a shared folder on TestKing4 to store project documents. You must fulfil the following requirements:
1. Users must be able to access previous versions of the documents in the shared folder.
2. Copies of the documents must be retained every hour during business hours.
3. A history of the last 10 versions of each document must be maintained.
4. Documents that are not contained in the shared folder must not be retained.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create the shared folder in the root of the system disk on TestKing4.
B. Create a new volume on TestKing4. Create the shared folder on the new volume.
C. Enable the Offline Files option to make the shared folder available offline.
D. Enable the Offline Files option to make the shared folder automatically available offline.
E. Use Disk Management to configure shadow copies of the volume that contains the shared folder.

Answer: B, E

Explanation: Shadow copies are used to create copies of shared folders and files at specified points in time. Shadow copies are copies of files taken at different points in time that can be restored in the event that a file is accidentally deleted or overwritten, or if you want to compare a current version of a file with a previous version of the same file. You can configure the Client for Shadow Copies on Windows XP and Windows Server 2003 computers. In order to use shadow copies, the client must install the Shadow Copies of Shared Folders software. Windows Server 2003 computers have this software installed in the \\windir\system32\clients\twclient folder. You can distribute this software through group policy, or you can create a share to let the clients download and install the client software. Thus, to comply with the requirement as stated in the question, options B and E are the way to go.

Incorrect answers:
A: Creating a shared folder in the root of the system disk is not the solution to this problem.
C & D: These two options will not comply with the requirements.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 272

QUESTION NO: 9
Exhibit, Error message
Exhibit, Effective Permissions
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional. An administrator named Sandra creates a shared folder named TestKingsData on a server named TestKing5. The shared folder is a central location for users to store and share data. The shared folder is accessed only from the network. When a user named Tess King attempts to copy a file named TestKingProj.doc to a shared folder, she receives the error message shown in the exhibit. You view the effective permissions of the Users group for the TestKingData folder, as shown in the Effective Permissions exhibit. You need to ensure that users can modify documents in the TestKingData shared folder. What should you do?
A. Assign the Anonymous group the Allow - Full Control NTFS permissions for the TestKingData folder.
B. Assign the Anonymous group the Allow - Change share permissions for the TestKingData shared folder.
C. Instruct Tess King to log off and then log on to her computer.
D. Enable File and Print Sharing on Tess King's computer.

Answer: C

QUESTION NO: 10
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional. All users in the publishing department are members of a global group named Publishing. Interns in the publishing department are also members of a global group named PublishingInterns. A network file server contains a shared folder PubSalesData. Interns must not be able to view or modify any files in the PubsSalesData folder. All other employees in the publishing department must be able to view and modify the files in the PubsSalesData folder. The NTFS permissions for all folders are configured to assign the Allow - Full Control permissions to members of the Domain Users global group. You need to configure the share permissions for the PubSalesData folder. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Assign the Allow - Read permission to the Publishing global group.
B. Assign the Allow - Change permission to the Publishing global group.
C. Assign the Deny - Change permission to the PublishingInterns global group.
D. Assign the Allow - Read permission to the PublishingInterns global group.

Answer: B, C

Explanation: You can assign three types of share permissions: (1) The Full Control share permission allows full access to the shared folder. When the Full Control permission is assigned, the Change and Read permissions are checked as well. (2) The Change share permission allows users to change data in a file or to delete files. And (3) The Read share permission allows a user to view and execute files in the shared folder. Thus options B and C will represent the appropriate share permissions for the PubSalesData folder for the groups as indicated in these options.

Incorrect answers:
A & D: The Allow - Read permission will be inappropriate in both these cases.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 293

Part 4: Troubleshoot access to files and shared folders. (9 Questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of an internal network and a perimeter network. The internal network is protected by a firewall. The perimeter network is exposed to the Internet. You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be located in the perimeter network. The servers will host only publicly available Web pages. You want to reduce the possibility that users can gain unauthorized access to the servers. You are concerned that a user will probe the Web servers and find ports or services to attack. What should you do?
A. Disable File and Printer Sharing on the servers.
B. Disable the IIS Admin service on the servers.
C. Enable Server Message Block (SMB) signing on the servers.
D. Assign the Secure Server (Require Security) IPSec policy to the servers.

Answer: A

Explanation: We can secure the web servers by disabling File and Printer sharing.

File and Printer Sharing for Microsoft Networks
The File and Printer Sharing for Microsoft Networks component allows other computers on a network to access resources on your computer by using a Microsoft network. This component is installed and enabled by default for all VPN connections. However, this component needs to be enabled for PPPoE and dial-up connections. It is enabled per connection and is necessary to share local folders. The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service in Windows NT 4.0. File and Printer sharing is not required on web servers because the web pages are accessed over web protocols such as http or https, and not over a Microsoft LAN.

Incorrect Answers:
B: This is needed to administer the web servers. Whilst it could be disabled, disabling File and Printer sharing will secure the servers more.
C: SMB signing is used to verify that the data has not been changed during the transit through the network. It will not help in reducing the possibility that users can gain unauthorized access to the servers.
D: This will prevent computers on the internet accessing the web pages.

QUESTION NO: 2
You are the administrator of the TestKing.com company network. The network consists of a single Active Directory domain. The network includes 10 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. You install and configure a server named TestKingSrv as a print server. The name of the print queue is \\TestKingSrv\laserprinter. You assign the Everyone group the Allow - Print permissions. A user named Lisa in the Finance department reports that she is unable to print to \\TestKingSrv\laserprinter. Several other users report that they are unable to print to \\TestKingSrv\laserprinter. You log on to Lisa's computer and submit several print jobs, but none of them print and no error message is displayed. In Printers and Faxes on Lisa's computer, you open \\TestKingSrv\laserprinter. You see the following status of the print queue: "laserprinter on TestKingSrv is unable to connect". You are able to ping TestKingSrv. You need to ensure that print jobs submitted to \\TestKingSrv\laserprinter will be printed. What should you do?
A. On a domain controller, create a shared printer object in Active Directory for \\TestKingSrv\laserprinter.
B. From a command prompt on Lisa's computer, run the Net Print \\TestKingSrv\laserprinter command.
C. On Lisa's computer, open the Services console and restart the Print Spooler service.

D. On Lisa's computer, open the Services console and connect to TestKingSrv. Restart the Print Spooler service.

Answer: D

Explanation: The Print Spooler service loads files to memory for printing. Sometimes we need to stop and restart the service to delete the queues. We can do this by using the net stop spooler command to stop the service. We can delete the printer objects from the queue in C:\WINDOWS\System32\spool\PRINTERS, and then start the service with the net start spooler command. After deleting the queues the users will need to resubmit their print jobs.

Incorrect Answers:
A: The printer is already shared. It does not have to be published in Active Directory.
B: This command is used to connect to a shared printer. This has already been done.
C: Other users are experiencing printing problems. The problem is therefore likely to be with the print server, not just Lisa's computer.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 82

QUESTION NO: 3
You are the administrator of a Windows 2003 print server named ServerA. ServerA is a member of a Windows 2003 Domain. You install a high-speed laser print device on the network. You create and share a printer on ServerA named FastLsr with the default settings. You want all of the users in TestKing to be able to use FastLsr. You want the users in the Payroll domain local group to have exclusive use of the print device between the hours of 10:00 A.M. and 3:00 P.M. and shared use of the print device during all other times. What should you do?
A. Configure and share FastLsr to be available from 3:00 P.M. to 10:00 A.M. For the print device, create a second printer that has default availability. For the second printer, assign the Everyone group the Deny - Print permission and assign the Payroll group the Allow - Print permission. Instruct users in the Payroll group to use the second printer.
B. Configure and share FastLsr to be available from 3:00 P.M. to 10:00 A.M. For the print device, create a second printer that has default availability. For the second printer, remove permissions for the Everyone group and assign the Payroll group the Allow - Print permission. Instruct users in the Payroll group to use the second printer.
C. Create and share a second printer device and configure it to be available from 10:00 A.M. to 3:00 P.M. For the second printer, assign the Everyone group the Deny - Print permission and assign the Payroll group the Allow - Print permission. Instruct users in the Payroll group to use the second printer.
D. Create and share a second printer for the print device and configure it to be available from 10:00 A.M. to 3:00 P.M. For the second printer, remove permissions for the Everyone group and assign the Payroll group the Allow - Print permission. Instruct users in the Payroll group to use the second printer.

Answer: B

Explanation: We have a shared printer named FastLsr. The default permission for a shared printer is to allow everyone to print at any time. We need to change the availability of FastLsr so that it is available for anyone to print from 3:00 P.M. to 10:00 A.M. This means that no one can print to it between 10:00 A.M. and 3:00 P.M. Only the Payroll group should be able to print between 10:00 A.M. and 3:00 P.M. Therefore, we need to create a second shared printer and change the availability to be between 10:00 A.M. and 3:00 P.M. Then we need to configure the permissions so that only the Payroll group can use the second shared printer.

Incorrect Answers:
A: We can't assign the Everyone group the Deny - Print permission, because no one (including the Payroll group) would be able to use the printer.
C: We can't assign the Everyone group the Deny - Print permission, because no one (including the Payroll group) would be able to use the printer.
D: This answer is close, but incomplete. The first shared printer (FastLsr) allows anyone to print at any time. We need to re-configure the availability of FastLsr.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 366-367

QUESTION NO: 4
You are the network administrator for TestKing.com. All network servers run Windows 2003 Server, and all client computers run Windows XP Professional. A shared folder named Sales resides on an NTFS volume on one of your servers. Sales contains two subfolders named TESTKING1 and TESTKING2. Files and folders in these two subfolders were created by various users with varying NTFS permissions. You need to move some of the files and folders from TESTKING1 to TESTKING2. You must retain the existing file permissions, and you must accomplish your goal by using the minimum amount of administrative effort. Which action or actions should you perform? (Choose all that apply.)
A. Move the files and folders from TESTKING1 to TESTKING2.
B. Copy the files and folders from TESTKING1 to TESTKING2.
C. Change the NTFS permissions on TESTKING2 to match the NTFS permissions on TESTKING1.
D. Back up the files and folders in TESTKING1 and restore them, including permissions, to TESTKING2.

Answer: A

Explanation: A number of factors impact the security settings that will be placed on the file in its new location, including the following:
1. Whether the file is copied or moved
2. Whether the destination is an NTFS volume or not
3. Whether the destination is on the same volume as the original location

Files and folders that are moved or copied to non-NTFS volumes lose all permissions. If the destination is on an NTFS volume, the security permissions the file will have after the transfer will depend on several factors. When copying files or folders to a location on an NTFS volume, the user must have permission to create files in the destination location. When the file or folder is copied, it is created as a new object in the destination, and the user object that copied the file or folder becomes the owner of the newly created item.

Destination and resulting permissions:
Objects moved within the same NTFS volume: Objects retain their original NTFS permissions in the new location.
Objects moved to a different NTFS volume: Objects inherit the permissions of the new location.

The question states pertinently to move the files and folders from Srv1 to Srv2, which reside in the same NTFS volume. Not copy. Moving the files will ensure that the permissions as assigned to the various creators of these files and folders will not be modified. Copying it would result in modification. Since both TestKing1 and TestKing2 reside within the same volume, it will retain its original NTFS permissions in the new location.

Incorrect answers:
B: When copying files and folders from one volume to another, albeit both NTFS volumes, you are bound to lose the permissions that are on those files and folders. Copying files and folders will result in modifications.
C: There is no need to change any permissions since both TESTKING1 and TESTKING2 reside within the same NTFS volume and the question only asks for moving files and folders, which can be done without changing the original permissions. Changing the permissions will result in more than the minimum amount of administrative effort.
D: Backing up and restoring the files and folders into the desired locations will also accomplish the task, but it will result in more administrative effort than is necessary.

References:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 5
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 423-424

QUESTION NO: 5
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 computer named TestKing1 that functions as a file server. TestKing1 contains a shared folder named TestKingStaff for the TestKing Staff and a shared folder named Engineering for the engineering department. Users in the TestKing Staff report that when they attempt to connect to the TestKingStaff shared folder the connection occasionally fails. When the connection fails, users receive the error message in the exhibit. Users in the engineering department do not receive the error message when they connect to the Engineering shared folder. You need to ensure that users in the marketing department can consistently connect to the TestKingStaff shared folder. What should you do?
A. Increase the user limit value on the TestKingStaff shared folder.
B. Purchase additional licenses and install them on the file server.
C. Change the server licensing mode from Per Server to Per Seat.
D. Replace the user limit value on the Engineering shared folder.

Answer: A

Explanation: Increasing the user limit value on the TestKing Staff shared folder should enable all the users to connect to the TestKing Staff shared folder on a consistent basis.

Incorrect answers:
B: The problem is not licensing. Purchasing additional licenses would be unnecessary.
C: Per Device or Per User mode (formerly called "Per Seat" mode) requires that each device or user have its own Windows CAL. Changing server licensing from per server to per seat mode will have no effect on the situation.
D: The engineering department is not the department that is experiencing the problems of non-connectivity.

References:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 46-47
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 5

QUESTION NO: 6
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKingE, a network file server, contains a folder named TestKingData. The file structure is shown in the exhibit. All users are members of the Domain Users global group. Users in the sales department are members of a global group named Sales. All users access shared folders only by using mapped drives. Users in the engineering, marketing, and sales departments need to be able to view documents that are in any of the folders in TestKingData. Users in the sales department need to be able to modify only the documents in the SalesData folder. The NTFS permissions for all folders are configured to assign the Allow - Full Control permission to the Domain Users global group. You need to configure the appropriate share permissions. You need to achieve this goal by using the minimum amount of administrative effort. Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)
A. Assign the Sales global group the Allow - Read permission for both the EngineeringData share and the MarketingData share.
B. Share the TestKingData folder. Assign the Domain Users global group the Allow - Read permission for the TestKingData share.
C. Share the TestKingData folder. Assign the Sales global group the Allow - Change permission for the TestKingData share.
D. Assign the Sales global group the Allow - Change permission for the SalesData share.

Answer: B, D

Explanation: One has to keep in mind that (1) Both NTFS and share permissions are cumulative. If a user belongs to more than one group, and two or more of these groups are assigned permissions on a file or folder, the user's effective permissions (NTFS or share) on the file or folder is the sum of all the groups' permissions. (2) When determining the effective permissions on a file or folder accessed through a share, the more restrictive permissions (that is, the cumulative effective NTFS permissions or the cumulative effective share permissions) are the ones applied. And (3) Assign user rights to groups whenever possible; assigning user rights to individual user accounts is difficult to manage. Thus in this scenario options B and D would be appropriate.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 475-476

QUESTION NO: 7
All network servers run Windows Server 2003, and all client computers run Windows XP Professional. Sandra, the manager of the human resources department, asks you to create a shared folder named HRDrop. You create a HRDrop folder on a member server. You assign the Allow - Full Control share permission to the Everyone group. Now you need to configure the NTFS permissions on HRDrop to fulfil the following requirements:
1. Sandra must be able to read, modify, change permissions on, and delete all files and subfolders in HRDrop.
2. All other domain users must only be able to add new files to HRDrop.
What should you do?
A. Assign the Allow - Modify permission to Sandra. Assign the Allow - Read permission to the Users group.
B. Assign the Allow - Full Control permission to Sandra. Assign the Allow - Write permission and the Deny - Read and Execute permission to the Users group.
C. Assign the Allow - Modify permission to Sandra. Assign the Allow - List Folder permission to the Users group.
D. Assign the Allow - Full Control permission to Sandra. Assign the Allow - Read permission to the Users group.
E. Assign the Allow - Full Control permission to Sandra. Assign the Allow - Write permission to the Users group and remove the Read and Execute permissions from the Users group.

Answer: E

Explanation: Many access problems can arise from incorrectly configured Share and NTFS permissions; you can expect to see at least one exam question related to setting Share and NTFS permissions. Always remember that the more restrictive permission (of the cumulative total of each type of permission) is the one that takes precedence in determining access. Look first at the permissions defined on the share before you look at the NTFS permissions defined. If the user only has Read permissions on the share, he or she will only have read access to the contents. If the user has Full Control permissions on the share, then look to the NTFS permissions defined to determine the level of access the user has. A user's access to a file or folder is the most restrictive set of effective permissions between share permissions and NTFS permissions on that resource. If you want a group to have full control of a folder and have granted full control through NTFS permissions, but the share permission is the default (Everyone: Allow Read) or even if the share permission allows Change, that group's NTFS full control access will be limited by the share permission.

This dynamic means that share permissions add a layer of complexity to the management of resource access, and is one of several reasons that organizations cite for their directives to configure shares with open share permissions (Everyone: Allow Full Control), and to use only NTFS permissions to secure folders and files. It is useful to remember:
1. Permissions on shares are cumulative. If a user belongs to multiple groups, and two or more of those groups have permissions on a share, the user has all the permissions allowed by all the groups.
2. Deny permissions override Allow permissions. If a user belongs to multiple groups, and one of those groups has Allow permissions on a share while another has Deny permissions, the user will be denied access to the share based on the Deny permission.

Incorrect answers:
A: The Allow - Read and Allow - Modify permissions will not be enough for Sandra and her job requirements.
B: The Deny - Read and Execute permission will take precedence over the other permissions. Thus this option will not suffice.
C: The Allow - Modify and Allow - List Folder permissions to Sandra and the Users group respectively will not result in Sandra being granted the ability to fulfil her tasks.
D: The Read and Execute permission of the Users group should also be removed since this will prevent Sandra from carrying out her duties.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 6: 7
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 426, 428

QUESTION NO: 8
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. Your network includes a shared folder named TestKingDocs. This folder must not be visible in a browse list. However, users report that they can see TestKingDocs when they browse for shared folders. How should you solve this problem?
A. Modify the share permissions to remove the Allow - Read permission on TestKingDocs from the Users group.
B. Modify the NTFS permissions to remove the Allow - Read permissions on TestKingDocs from the Users group.
C. Change the share name to TestKingDocsb.
D. Change the share name to TestKingDocs$.

Answer: D

Explanation: Appending a dollar sign ($) to a share name hides the share. You can hide the shared resource from users by typing $ as the last character of the shared resource name (the $ then becomes part of the resource name). Users can map a drive to this shared resource, but they cannot see the shared resource when they browse to it in Windows Explorer, or in My Computer on the remote computer, or when they use the net view command on the remote computer.

Incorrect Answers:
A: This will not hide the share.
B: This will not hide the share. Users will see the share, but get an "Access Denied" message.
C: The share will be visible with the name TestKingDocsb.

Reference:
Server Help: To share a folder or drive
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 478

QUESTION NO: 9
Exhibit
Share permissions: TestKingHR: Change
NTFS Permissions: TestKing4 Administrators: Full Control; TestKingHR: Full Control

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Users in the human resources department are members of a domain user group named TestKingHR. You create and share a folder named TestKingHRFiles on a member server named TestKing4. You configure permissions on the TestKingHRFiles as shown in the exhibit. Marie, a user in the human resources department, creates a file in TestKingHRFiles.

)t ?arieJs request* you assign the Deny > Delete s#ecial #ermission on her $ile to the :D -rou# The ne3t day* 8eroni0a re#orts that her $ile is deleted You need to recon$igure the #ermissions on TestBing:DEiles You must $ul$il the $ollo"ing requirements: 1. ?embers o$ the TestBing:D grou# must be able to read* create* and modi$y $iles 2. ?embers o$ the TestBing:D grou# must not be able to delete $iles on "hich they ha/e no access #ermission 3. ?embers o$ the TestBing:D grou# must not be able to delete $iles that they do not ha/e #ermission to delete !hat should you do% A. &n the share permissions, assign the Den 2 .hange permission to the Test@ingAR group. 1. &n the ,T($ permissions, assign the Allow 2 Read permission to the Test@ingAR group. .. &n the share permissions, assign the Allow 2 Read permission to the Test@ingAR group. D. &n the ,T($ permissions, assign the Allow 2 Modif permission to the Test@ingAR group. ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 32> 2 )ns"er: D E3#lanation: One has to 0ee# in mind that &<( +oth NTES and share #ermissions are cumulati/e I$ a user belongs to more than one grou#* and t"o or more o$ these grou#s are assigned #ermissions on a $ile or $older* the userJs e$$ecti/e #ermissions &NTES or share( on the $ile or $older is the sum o$ all the grou#sJ #ermissions &2( !hen determining the e$$ecti/e #ermissions on a $ile or $older access through a share* the more restricti/e #ermissions &that is* the cumulati/e e$$ecti/e NTES #ermissions or the cumulati/e e$$ecti/e share #ermissions( are the ones a##lied In this scenario the )llo" > ?odi$y NTES #ermission "ould be the best o#tion to $ul$il the stated requirements Incorrect ans"ers: ): Iou need to assign ,T($, not share permissions in this scenario. 1esides the Den 2.hange permission would ha%e been too restricti%e to compl with the stated re6uirements. 
B: Even if it is done in the NTFS permissions, the Allow - Read permission will not satisfy all the stated requirements.
C: You need to assign NTFS, not share permissions in this scenario. The Allow - Read permission also would not have complied with all of the stated requirements.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 475 - 476

Topic 4: Managing and Maintaining a Server Environment (115 Questions)

Part 1: Monitor and analyze events. Tools might include Event Viewer and System Monitor. (10 Questions)

QUESTION NO: 1

You are the network administrator for Testking.com. Among other duties you administer a Windows 2003 server named TestKingB. You install Terminal Services on TestKingB. You add users from the TestKing support department to the Power Users group and to the Remote Desktop Users group on TestKingB. You notice that TestKingB is periodically unavailable. You open Event Viewer on TestKingB and discover that the server was restarted accidentally by users in the TestKing support department. You need to ensure that users in the TestKing support department can establish a Terminal Services session and can manage local user accounts on TestKingB. However, they should not have the ability to restart TestKingB. Which action or actions should you perform? Select all that apply.

A. Remove the TestKing Support department user accounts from the Power Users group.
B. Remove the TestKing Support department user accounts from the Remote Desktop Users group.
C. Remove the Power Users group from the Shut down the system user right.
D. Add the Power Users group to the Deny log on locally user right.
E. Modify the permission on the RDP-Tcp connection by using Terminal Services Configuration. Assign the Power Users group the Deny - Full Control permission.

Answer: C

Explanation: If you want to ensure that TestKing support department users have the ability to establish Terminal services and manage local user accounts on TestKingB without being able to restart TestKingB, then you need to deny them the Shut down the system user right by removing the Power Users Group from the Shut Down the system right.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 440-441
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

QUESTION NO: 2
SIMULATION

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. You open Event Viewer on a server named Testking1. You see the view shown in the exhibit. You need to configure a server named Testking2 to fulfill the following requirements:
1. Configure the security log to display only the events that are shown in the exhibit.
2. Ensure that security information can be deleted only by user intervention.
What should you do? To answer, configure the appropriate option or options in the dialog boxes.

Answer:

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. The audit policy for the domain ensures that all account logon events are audited. Two client computers, TK1 and TK2, are configured as kiosks in the lobby of the main office. Some users log on to the domain by using these two computers. You need to use Event Viewer to review successful logon attempts on these two computers only. You do not want to view any other auditing details. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. Configure a filter for the security log to list all successful account logon attempts.
B. Configure a filter for the security log to list all failed account attempts.
C. Create one new log view. Configure a filter to show all account logon and account logoff events.
D. Create two new log views. Configure a filter on one log view to show successful account logon events only. Configure a filter on the other log view to show failed account logon events only.
E. Create two new log views. Configure a filter on one log view to show account logon events for TK1 only. Configure a filter on the other log to show account logon events for TK2 only.

Answer: A, E

Explanation: When a user logs on to a domain (and auditing is enabled), the authenticating domain controller will log an event in its log. It is likely that multiple must examine the security log on each domain controller. In Event Viewer, you can set various filters to simplify the search for information. In this case, we can filter the logs to show events for only the user's account.
The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.

Finding specific logged events:
After you select a log in Event Viewer, you can:
1. Search for events: Searches can be useful when you are viewing large logs. For example, you can search for all Warning events related to a specific application, or search for all Error events from all sources. To search for events that match a specific type, source, or category, on the View menu, click Find. The options available in the Find dialog box are described in the table about Filter options.
2. Filter events: Event Viewer lists all events recorded in the selected log. To view a subset of events with specific characteristics, on the View menu, click Filter, and then, on the Filter tab, specify the criteria you want. Filtering has no effect on the actual contents of active or not. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file.

Incorrect answers:
B: You need to log all successful account logon attempts and not the failed account attempts.
C: You will have to create two new log views and not only one.
D: You need to configure the views to show the account logon events for TK1, and to show the account logon events for TK2, respectively.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 620-623

QUESTION NO: 4

You are the network administrator for Testking.com. The company consists of a main office and five branch offices. Network servers are installed in each office. All servers run 2003. The technical support staff is located in the main office. Users in the branch office do not have the "Log on locally" right on local servers. Servers in the branch office collect auditing information. You need the ability to review the auditing information located on each branch office server while you are working at the main office. You also need to save the auditing information on each branch office server on the local hard drive. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. From the Security Configuration and Analysis snap-in, save the appropriate .inf file on the local hard drive.
B. Solicit Remote Assistance from each branch office server.
C. From Computer Management open Event Viewer, save the appropriate .evt file on the local hard drive.
D. Run secedit.exe, specify the appropriate parameter.
E. Establish a Remote Desktop client session with each branch office server.

Answer: C, E

Explanation: We can connect to the branch office servers using a Remote Desktop connection. We can then use Event Viewer to save the log files to the local hard disk.

Incorrect Answers:
A: Auditing information is not stored in .inf files. .inf files have to do with setup information.
B:
D: Secedit.exe is not used to save auditing information.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 5

You are the network administrator for the Berlin office of TestKing. The company network consists of a single Active Directory domain named testking.com. The Berlin office contains 15 file servers that contain confidential files. All the file servers run either Windows Server 2003 or Windows 2000 Server. All the file servers are in the BerlinFilePrint organizational unit (OU). TestKing's security department sets a rule that specifies the size and retention settings for the Security event log of all file servers. The rule also specifies that local administrators on servers cannot override the changes you make to the settings for the Security event log. You need to define a method to modify the Security event log settings on each file server in the Berlin office in order to meet the stated requirements. What should you do?

A. Modify the local security policy on each file server. Define the size and retention settings for the Security event log.
B. Create a security template on one of the file servers by using the Security Configuration and Analysis tool. Define the size and retention settings for the Security event log in the template. Import the security template into the local security policy of the other 14 file servers.
C. Use Event Viewer to modify the event log properties on each file server. Define the size and retention settings for the Security event log.
D. Create a new Group Policy object (GPO) and link it to the BerlinFilePrint OU. In the GPO, define the size and retention settings for the Security event log.

Answer: D

Explanation: The servers are in OU BerlinFilePrint. Setting will apply to Windows 2000 Servers and Windows Servers 2003. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings.
Event Log - This security area defines attributes related to the Application, Security, and System event logs: maximum log size, access rights for each log, and retention settings and methods. Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your Enterprise Security Plan.
Incorrect answers:
A: Modifying the local security policy on each file server will not suffice in this scenario.
B: Creating a security template on one of the servers and then importing it to the other servers will not work as you need to define the size and retention settings for the Security event log in a GPO.
C: Making use of Event Viewer to modify the event log properties on each file server will not work. Furthermore you need to define the size and retention settings for the Security event log in the GPO.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 761

QUESTION NO: 6

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All five domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. The domain's audit policy ensures that all account logon events are audited. A temporary employee named King uses a client computer named TestKing1. When King's temporary assignment concludes, his employment is terminated. Now you need to learn the times and dates when King logged on to the domain. You need to accomplish this goal by reviewing the minimum amount of information. What should you do?

A. Log on to TestKing1 as a local Administrator. Use Event Viewer to view the local security log. Use the Find option to list only the events for King's user account.
B. Log on to TestKing1 as a local Administrator. Use Event Viewer to view the local security log. Use the Find option to list only the events for the TestKing1 computer account.
C. Use Event Viewer to view the security log on each domain controller. Use the Find option to list only the events for King's user account.
D. Use Event Viewer to view the security log on each domain controller. Set a filter to list only the events for King's user account.
E. Use Event Viewer to view the security log on each domain controller. Set a filter to list only the events for the TestKing1 computer account.

Answer: D

Explanation: When a user logs on to a domain (and auditing is enabled), the authenticating domain controller will log an event in its log. It is likely that multiple must examine the security log on each domain controller. In Event Viewer, you can set various filters to simplify the search for information. In this case, we can filter the logs to show events for only the user's account.
The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.

Incorrect Answers:
A: The logon events will be recorded in the logs on the domain controllers, not the client computer.
B: The logon events will be recorded in the logs on the domain controllers, not the client computer.
C: The Find option will move to the next event in the log according to the Find criteria. It will not filter the log to just show the relevant information.
E: This will show when someone logged on to TestKing1 using a domain account. This is not what we're looking for.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 786-789

QUESTION NO: 7

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The TestKing Staff department has a Windows 2003 computer that functions as a file server. The computer contains a folder named TestKingData. Auditing is enabled on the TestKingData folder. The TestKing Staff department reports that confidential files were deleted from the folder. You need to identify the user who deleted the confidential files. What should you do?

A. In Event Viewer, create a new log view from the security log. Filter the log view to display only success audits.
B. In Event Viewer, create a new log view from the security log. Filter the log view to display only failure audits.
C. In Event Viewer, create a new log view from the system log. Filter the log view to display only success audits.
D. In Event Viewer, create a new log view from the system log. Filter the log view to display only failure audits.

Answer: A

Explanation: Event Viewer is an MMC snap-in that displays the Windows Server 2003 event logs for system, application, security, directory services, DNS server, and File Replication Service log files. The security log provides vital information for tracking successful and failed breaches of security.
Security events are logged in the security log, accessible by administrators via the Event Viewer. An audit entry can be either a Success or a Failure event in the security log. Filtering the log view to display only success audits will display the audited security events that completed successfully. (For example, a successful user logon when security auditing is enabled.) To be able to identify the user who deleted confidential files means that this user obviously had a successful logon, thus this option will help you identify the culprit.

Incorrect answers:
B: Failure Audit. All audited security events that fail are logged here. Thus this option will not reveal who the user was that deleted the confidential files.
C, D: The System log contains events related to Windows system components. This includes entries regarding failure of drivers and other system components during startup and shutdown. This will not display security breaches.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 749, 760-762.
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 8

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server named TK1 is located in an organizational unit (OU) named Servers. TK1 contains a folder named Contracts, which is configured to audit all the activity. You are directed to review the audit log on Contracts. You want to identify any files that were modified during the past week by a user named Andrew. However, the audit log contains thousands of entries for the past week. You need to view entries for Andrew's user account only. What should you do?

A. In Active Directory Users and Computers, open the properties for Andrew's user account. View the Auditing tab of the Advanced Security Setting dialog box for his account.
B. In Windows Explorer, open Contracts. Add the Owner column for the file pane. Search for files that list Andrew as the owner.
C. On TK1, use WordPad to open C:\windows\system32\config\SecEvent.evt. Search for entries that contain Andrew's user account.
D. Edit the Group Policy object (GPO) for the Servers OU. Add Andrew's user account to the Generate security audits Group Policy option.
E. In Event Viewer, apply a filter to display only events that contain Andrew's user account in the User field.

Answer: E

Explanation: On the Filter tab, you can select a single entry from the drop-down list and click the Apply button to filter the events. You can also filter the events by populating the Category, Event ID, User, and Computer name fields as arguments and clicking the Apply button. The filtering feature also supports multiple filter criteria.
When a user logs on to a domain (and auditing is enabled), the authenticating domain controller will log an event in its log. It is likely that multiple domain controllers have each domain controller. In Event Viewer, you can set various filters to simplify the search for information. In this case, we can filter the logs to show events for only the user's account.
The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.

Finding specific logged events
After you select a log in Event Viewer, you can:
1. Search for events - Searches can be useful when you are viewing large logs. For example, you can search for all Warning events related to a specific application, or search for all Error events from all sources. To search for events that match a specific type, source, or category, on the View menu, click Find. The options available in the Find dialog box are described in the table about Filter options.
2. Filter events - Event Viewer lists all events recorded in the selected log. To view a subset of events with specific characteristics, on the View menu, click Filter, and then, on the Filter tab, specify the criteria you want. Filtering has no effect on the actual contents of active or not. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file.

Incorrect answers:
A: You need to open Event Viewer to be able to view these logs. The Auditing tab of the Advanced Security Setting dialog box is not in the Active Directory Users and Computers.
B: These logs can only be viewed through the Event Viewer.
C: Audit entries alone do not generate audit logs. You must also enable the Audit Object Access policy from Local Security Policy, the Domain Controller Security Policy, or a GPO.
D: Adding Andrew's user account to the Generate security audits Group Policy option will not enable you to view Andrew's entries alone.

Reference:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 231, 235

QUESTION NO: 9
HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. The network contains a Windows Server 2003 computer named TestKing6 that functions as a file server. TestKing6 contains a folder named PayrollData. Users in the payroll department report that confidential files were deleted. The manager of the payroll department asks you to enable auditing on the Payrolldata folder. You need to configure the Local Security Policy of TestKing6. Which audit policy should you configure? To answer, select the appropriate policy in the work area.

Answer:

Explanation: Audit Object Access
Audit object access shares the most important spot with the logon events audits, because you can ask your systems to keep track of who reads, writes, deletes, or creates any file or any group of files on themselves. With object access auditing, you're able to look at the user's workstation's logs and tell exactly when the file met its maker.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 10

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The domain contains two OUs named Clients and Servers. All computer accounts for the client computers are located in the Clients OU. All computer accounts for member servers are located in the Servers OU. TestKing.com's written security policy requires you to configure specific permissions for the HKEY_LOCAL_MACHINE hive in the registry on all computers in the domain. The client computers and the servers require a different set of registry permissions. You create two GPOs named RegistryPermissionsClients and RegistryPermissionsServers. You configure each GPO with the correct registry permissions. You need to ensure that the required registry permissions are configured on all client computers and servers in the domain. Which three actions should you perform? Each correct answer presents part of the solution. Choose three.

A. Link both GPOs to the domain object.
B. Set a WMI filter on the RegistryPermissionsClients GPO that targets all Windows XP Professional computers.
C. Set a WMI filter on the RegistryPermissionsServers GPO that targets all Windows Server 2003 computers.
D. Place a security filter on the GPOs to only apply the GPOs to the Domain Computers group.
E. Link the RegistryPermissionsServers GPO to the Servers OU.

Answer: A, B, C

Explanation: Windows Server offers a WMI filtering option for group policies, which it didn't offer in Windows 2000. WMI filters run queries created in WMI Query Language (WQL) to determine whether or not to apply the entire policy. You can only have one WMI filter per GPO. If you use WMI filters, you'll probably end up creating more GPOs than you normally would. First you would create one or more "generic" GPOs, the ones that apply to the entire site, domain, or OU without any of the hardware or software-dependent settings. Then you would create a bunch of "mini-GPOs" that each use a WMI filter to determine whether or not to deploy.
Thus in this scenario you would follow options A, B and C to ensure that the necessary registry requirements are configured on all client computers and servers in the domain.

Incorrect answers:
D: This option will not satisfy the requirements in this question.
E: This option will only apply to servers and not to the client computers.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

Part 2: Manage software and security update infrastructure. (35 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. The domain contains 20 Windows Server 2003 computers and 400 Windows XP Professional computers. Software Update Services (SUS) is installed on a server named Testking2. The network security administrator wants you to ensure that the administrative password is not compromised when an administrator connects to Testking2's SUSAdmin Web site remotely by using HTTP. You want only SSL to be used to connect to the SUSAdmin Web site. The network security administrator creates a digital certificate and enables communication for SSL on port 443 of Testking2. However, administrators are still able to connect to the SUSAdmin Web site by using HTTP. You need to ensure that communication to the SUSAdmin Web site is always secure. What should you do?

A. Disable port 80 on the SUSAdmin Web site.
B. Require 128-Bit SSL on all directories related to the SUSAdmin Web site.
C. Change the default Web site to require 128-Bit SSL.
D. Enable IPSec on Testking2 with the Request Security IPsec template.

Answer: C

Explanation: SSL works by using a combination of public and private keys. The Session or Encryption key that is used to encrypt communication with the server and the client is created according to the security certificate. The strength of the encryption applied is measured by the length of the encryption key, or in bits. The encryption strength selected would depend on the sensitivity or importance of the data. Encryption strength can be 40-Bits or 128-Bits. Requiring 128-Bit SSL on all directories related to the SUSAdmin Web site would ensure that communication to the SUSAdmin Web site is always secure. Web page encryption is implemented using the Secure Sockets Layer (SSL) protocol. This protocol uses TCP port 443. If administrators can still connect to SUSAdmin through HTTP, then you should change the setting of the default website to require 128-Bit SSL if you want only SSL to be used to connect to SUSAdmin.

Incorrect Answers:
A: Disabling port 80 will not mean that the SUSAdmin site will stay secure. TCP port 80 handles World Wide Web (WWW) service.
B: Requiring 128-bit SSL on all directories related to the SUSAdmin would be overkill in this situation as all you need to do is to change the default Web site to require 128-bit SSL.
D: Enabling IPSec in this situation would be irrelevant.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 968
Tony Northrup and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft Windows Server 2003 Network, Chapter 11 - Deploying, Configuring, and Managing SSL Certificates

QUESTION NO: 2

You are the network administrator for TestKing.com. The network consists of a single IP subnet. All servers are Windows Server 2003. All client computers run Windows XP Professional. The corporate firewall blocks all requests from the local client computers to port 80 on the Internet. Requests sent over port 443 are allowed through the firewall. Server computers can communicate by using port 80 and 443 to the Internet. You need to install Software Update Services (SUS) on a computer named Testking5. Testking5 has limited hard drive space and stores a minimal amount of information daily. Client computers must install Microsoft critical updates. You need to ensure that Testking5 does not run out of hard drive space after the installation of SUS. What should you do?

A. On Testking5, clear the selection of all locales not used on your network.
B. On Testking5, select the option to maintain the updates on a Windows Update server.
C. Modify the default home page for all client computers to https://windowsupdate.microsoft.com.
D. Modify the proxy server setting for all client computers to http://testking5.

Answer: A

Explanation: The options when selecting a storage location for updates are to maintain the updates on a Microsoft Windows Update server or to save the updates to a local folder. Each locale that is selected will increase the amount of storage space necessary to maintain updates on your server. Thus if you clear the selection of all locales not used on your network, you will prevent the SUS from using that specific hard drive space as well.

Incorrect answers:
B: The options available are to maintain the updates on a Microsoft Windows Update server or to save the updates to a local folder. However, deselecting locales after synchronization has already occurred will not free up disk space because the packages that have already been downloaded will remain on the SUS server.
C: Modifying the default home page for all client computers to https://windowsupdate.microsoft.com will not solve the problem because SUS has to be installed on TestKing5.
D: This problem will only be solved by clearing the selection of all locales not used on the network, not by modifying the proxy server settings for the client computers to http://testking5.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 802-803

QUESTION NO: 3
HOTSPOT

You are the network administrator for TestKing. You install and configure Software Update Services (SUS) on a Windows Server 2003 computer named Testking2. You install the Automatic Updates client on all Windows XP Professional computers. All Windows XP Professional computer accounts are in the Clients organizational unit (OU). You need to configure Automatic Updates on all Windows XP Professional computers to automatically download and install updates whether users log on to their computers with administrative credentials or nonadministrative credentials. The day and time that updates are installed is not important. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer:

QUESTION NO: 4

The network is connected to the Internet through a Microsoft Internet Security and Acceleration (ISA) Server computer named Testking4. Testking4 is set to automatically configure client proxy settings. Your supervisor tells you to install Software Update Services (SUS) on a computer named Testking5. Testking5 is the only SUS server on your network. SUS installation must comply with the following limitations:
1. Use the least amount of disk space on Testking5.
2. All updates must be tested offline before being deployed to the client computers.
3. The IP addressing schemes in TestKing change often. Testking5 should return its NetBIOS name when client computers connect.
Which action or actions should you perform? (Choose all that apply)

A. Configure Testking5 to maintain the updates on a Windows Update server.
B. Configure Testking5 to not automatically approve new versions of previously approved updates.
C. Configure the Specify the name that your clients use to locate this update server setting to Testking5.
D. Configure Testking5 to not use a proxy server to access the Internet.
E. Configure Testking5 to synchronize from a local SUS server.

Answer: A, B, C

Explanation: When selecting a storage location while configuring a SUS server, the options are to store the updates on a Microsoft Windows Update server or to store the updates on a local folder. When using the Microsoft Windows Update server option, you can control which updates your clients will receive. This option also leads to a reduction in the amount of free disk space needed on the Testking5 SUS server. You have to use the Set Options screen to configure the Specify the name that your clients use to locate this update server setting to Testking5.

Incorrect Answers:
D: A proxy server acts on behalf of the client to establish an IP connection with a remote machine. Since Testking4 is set to automatically configure client proxy settings as well as being the network's connection to the Internet, this option will leave you without an Internet connection which must be used to download the updates.
E: To have Testking5 synchronizing from the local SUS server is impractical since Testking5 is the only SUS server in this scenario.

Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter, p. 351
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 802-803

QUESTION NO: 5
You are the administrator of an Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows 2000 Professional with Service Pack 2. You install Software Update Services (SUS) on a computer named Testking1, and you approve all downloaded updates. You apply the appropriate Group Policy object (GPO) settings to configure domain computers to download critical updates from Testking1. You discover that no updates were applied since you installed SUS on Testking1. You confirm that all the Windows Server 2003 computers receive updates from Testking1. You need to ensure that all client computers receive updates from Testking1. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Install Service Pack 3 on all client computers.
B. Move all client computers out of the Computers container and into a new organizational unit (OU).
C. Enable the No Override GPO setting.
D. Install the Automatic Updates client on all client computers.
E. Configure Testking1 to authenticate against a proxy server to receive updates from the Windows Update servers.

Answer: A, D

Explanation: Automatic Updates can be configured on client computers to access the local SUS server in place of the Windows Update site. The client computers need the Automatic Update feature installed in order to connect to the SUS server, Testking1, to download critical updates. Servers running Windows Server 2003 and client computers running Windows 2000 Service Pack 3 can be configured to automatically receive their SUS updates.

Incorrect Answers:
B: Organizational unit containers and default containers serve the same purpose. They organize objects within a domain.
Moving all client computers into a new OU will thus not ensure that all client computers receive their updates from Testking1. You need to ensure that client computers have Automatic Updates installed in order to be connected to Testking1.
C: The No Override GPO setting is irrelevant in this case as there is already an appropriate GPO to download updates. Furthermore the problem is that the client computers should also have Automatic Updates installed.
E: This is not necessary. All that is needed is to have Service Pack 3 and Automatic Updates installed on the client computers since Testking1 is already reconfigured.

Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 9, pp. 354, 362

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Servers run either Windows 2000 Server or Windows Server 2003. Client computers run either Windows 2000 Professional Service Pack 2 or Windows XP Professional. You need to implement a new software update infrastructure. You discover that security patches, critical updates, and service packs have never been installed on any client computer on the network. You install Software Update Services (SUS) on a Windows Server 2003 computer named Testking5. You must ensure that all client computers receive all Microsoft security patches, critical updates, and service packs. You want to achieve this goal as quickly as possible. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. Install the Automatic Updates client on all Windows 2000 Professional client computers.
B. Install the Automatic Updates client on all Windows XP Professional client computers.
C. Install SUS on a Windows 2000 Server computer.
D. Modify the Windows Update settings of the Default Domain Controller organizational unit (OU) Group Policy object (GPO) to point client computers to http://testking5.
E. Modify the Windows Update settings of the Default Domain Policy Group Policy object (GPO) to point client computers to http://testking5.
F. Upgrade all Windows 2000 Professional client computers to Windows XP Professional.

Answer: A, B, E

Explanation: The Automatic Updates client software is necessary for some Windows 2000 and Windows XP machines to use Microsoft Software Update Services (SUS). You only need to install Automatic Updates on computers running Windows 2000 with SP2 or earlier or Windows XP without SP1. Automatic Updates is a Windows feature that notifies you when critical updates are available for your computer. This feature replaces Critical Update Notification, if it is already installed.
Critical Update Notification will no longer offer critical updates. Download and install to receive notifications of critical Windows updates.

Incorrect Answers:
C: We already have SUS installed on windows 2003. That will work great.
D: We want all client computers to have the updates. Not only the domain controllers.
F: There is no need to upgrade the windows 2000 machines. The automatic Updates client will be sufficient.

Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter

QUESTION NO: 7 HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows 2000 Server. All client computers run Windows XP Professional. You install Software Update Services (SUS) on a Windows Server 2003 computer named Testking2. You want all client computers on the network to use Testking2 to receive their software updates. You decide to modify the Default Domain Policy Group Policy object (GPO) to set Testking2 as the SUS server for all computers in the domain. When you open the Default Domain Policy GPO, you notice that there are no settings for Windows Update. You realize that you need to load an administrative template to configure SUS by using Group Policy. You need to load the appropriate administrative template into the Group Policy Object Editor. Which template should you load? To answer, select the appropriate template in the dialog box in the work area.

Answer:

Explanation: wuau.adm
The WUAU.adm file holds Windows Update settings for Windows 2000 and Windows Server 2003 clients.
It describes the new policy settings for the Automatic Updates client, and is automatically installed into the %windir%\inf folder when installing Automatic Updates. You should load WUAU.adm as an administrative template in the Group Policy Object Editor.

Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 9, p. 36

QUESTION NO: 8
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains 20 Windows Server 2003 computers and 5,000 Windows XP Professional computers. All client computer accounts are in the Clients organizational unit (OU). The client computers do not have any service packs installed. You install and configure Software Update Services (SUS) on a server named TestKing4. All client computers must download security updates from TestKing4. You need to prepare the client computers so they can connect to TestKing4 to download Windows security updates. What should you do?
A. Create a logon script that connects to the Windows Update Catalog Web site, scans for available security updates, and downloads security updates to the client computers.
B. Install the Automatic Updates client on all client computers. Configure the client computers to use Automatic Updates to connect to TestKing4.
C. Create a new Group Policy object (GPO) and link it to the Clients OU. Configure the GPO to create a software package that assigns security updates from TestKing4 to the client computers.
D. Add http://TestKing4 as the value for WUStatusServer registry entries on all client computers.

Answer: B

Explanation: A local administrator can use the Automatic Updates applet in the Control Panel to configure Automatic Update or to modify the settings. If Group Policy has been configured for Automatic Updates, it will override the local settings. With Automatic Updates installed and configured on the client computers, security updates can be automatically downloaded from TestKing4. Once the client computers are configured, Windows Server 2003 will automatically search for any Windows security updates for your client computers from the Windows Update website and download these via Background Intelligent Transfer Services (BITS).

Incorrect Answers:
A: To prepare the client computers to be able to receive updates you need to install the Automatic Updates client on them and not create log on scripts as if the client computers have already been installed.
C: Linking GPOs to the clients as described in this option is not preparing them to receive updates from Testking4.
D: UseWUServer - Set this to 1 to enable Automatic Updates to use the server running Software Update Services as specified in WUServer and sets the s Sets the SUS server as well as the SUS statistics server by HTTP name thus this option will not work.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Study Guide and DVD Training System, p. 81

QUESTION NO: 9
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains 25 Windows Server 2003 computers and 5,000 Windows 2000 Professional computers. You install and configure Software Update Services (SUS) on a server named TestKingSrv. All client computer accounts are in the Clients organizational unit (OU). You create a Group Policy object (GPO) named SUSupdates and link it to the Clients OU. You configure the SUSupdates GPO so that client computers obtain security updates from TestKingSrv. Three days later, you examine the Windowsupdate.log file on several client computers and discover that they have downloaded Windows security updates from only windowsupdate.microsoft.com. You need to configure all client computers to download Windows security updates from TestKingSrv. What should you do?
A. Open the SUSupdates GPO and configure the Configure Automatic Update policy to assign the Auto download and notify for install setting for Windows security updates.
B. Open the SUSupdates GPO and configure the Configure Automatic Update policy to assign the Auto download and schedule the install setting for Windows security updates.
C. Create software distribution policy for the SUSupdates GPO that assigns the package WUAU22.msi to all client computers. Restart all client computers.
D. On all client computers, configure the UseWUServer registry value to enable Automatic Updates to use TestKingSrv.

Answer: C

Explanation: The Windows 2000 clients aren't able to use the GPO setting that configures which server they should receive their updates from. This is because they have an early version of the windows update client software. The version of the windows update client software that comes with Windows 2000 Pre-SP3 can only download updates from the Microsoft Windows Update servers. Therefore the answer is to install the latest version of the windows update client software on the client computers. This is the WUAU22.msi package. We can use a GPO to deploy the software. The SUSupdates GPO settings will then be applied and the clients will then receive their updates from TestKingSrv.

Incorrect Answers:
A: This won't affect which server the clients download the updates from. The problem is that the settings in the GPO won't apply to the Windows 2000 clients because they have an early version of the windows update client software.
B: This won't affect which server the clients download the updates from. The problem is that the settings in the GPO won't apply to the Windows 2000 clients because they have an early version of the windows update client software.
D: It would be impractical to configure the registry settings on 5000 computers.

QUESTION NO: 10
You are the domain administrator for TestKing's Active Directory domain named testking.com. All client computers run Windows XP Professional. You need to implement a solution for managing security updates on client computers. You plan to use a Windows Server 2003 computer to manage security updates. Your solution for managing security updates must meet the following requirements:
1. You must not purchase additional software or licences.
2. Security updates must be installed automatically.
3. You must be able to control which updates are available to install.
4. Security updates must synchronize automatically with the latest updates offered by Microsoft.
You need to implement a solution for managing security updates that meets the requirements. What should you do?
A. Publish the security updates by using a Group Policy object (GPO). Assign the GPO to the client computers that require updates.
B. Install Software Update Services (SUS). Configure the SUS software to synchronize daily with Microsoft. Use Group Policy to configure the appropriate Windows Update settings on the client computers.
C. Install Microsoft Internet Security and Acceleration (ISA) Server on a Windows Server 2003 computer.
D. Create a process to run Windows Update on all client computers.

Answer: B

Explanation: You can use Software Update Services to download all critical updates to servers and clients as soon as they are posted to the Windows Update Web site. You install the server component of Software Update Services on a server running Windows 2000 Server, Windows XP, or Windows Server 2003 inside your corporate firewall. A corporate service allows your internal server to synchronize content with the Windows Update Web site whenever critical updates for Windows are available.
The synchronization can be automatic or the administrator can perform it manually. By synchronizing with the Windows Update Web site, your internal server that is running Software Update Services can pull the update packages and store them until an administrator decides which ones to publish. Then, all the clients that are configured to use the server running Software Update Services will install those updates. You can control which server each client computer connects to and then schedule when the client performs all installations of critical updates either manually by means of the registry or by using Group Policy from the Active Directory directory service.

Incorrect answers:
A: Assigning a GPO to update all client computers that require updates does not necessarily mean that the updating will be synchronized.
C: Installing ISA is more of a heavy duty firewall protection measure.
D: Creating a process to run Windows Update on all client computers will not meet all requirements.

Reference: Michael Cross, Jeffery A. Martin and Todd A. Walls, MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, p. 698.

QUESTION NO: 11
You are the network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all 200 client computers run Windows XP Professional. Software Update Services (SUS) is installed with default settings on a server named TestKing5. You discover that a critical security update for Internet Explorer is not installed on any client computer. You verify that the update was downloaded from the Internet to TestKing5. You also verify that more recent security updates are installed. You need to investigate the cause of this problem. You will use the SUS administration console on TestKing5. Which data should you evaluate? (Choose two)
A. The security update in the synchronization log.
B. The security update in the approval log.
C. The status of Internet Explorer 5.5x in the Monitor Server window.
D. The status of Internet Explorer 6.x in the Monitor Server window.

Answer: A, B

Explanation: A synchronization log is maintained on each server running SUS to keep track of the content synchronizations it has performed. This log contains the following synchronization information:
1. Time that the last synchronization was performed.
2. Success and Failure notification information for the overall synchronization operation.
3. Time of the next synchronization if scheduled synchronization is enabled.
4. The update packages that have been downloaded and/or updated since the last synchronization.
5. The update packages that failed synchronization.
6. The type of synchronization that was performed (Manual or Automatic).
The log can be accessed from the navigation pane of the administrator's SUS user interface. You can also access this file directly using any text editor.
An approval log is maintained on each server running SUS to keep track of the content that has been approved or not approved. This log contains the following information:
1. A record of each time the list of approved packages was changed.
2. The list of items that changed.
3. The new list of approved items.
4. synchronization service.
The log can be accessed from the navigation pane in the administrative user interface. You can also access this file directly using any text editor.

QUESTION NO: 12
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional, and all client computer objects are stored in the Clients organizational unit (OU). Client computers receive critical security patches from servers at Microsoft. A server named Testking1 runs Software Update Services (SUS). You enable Testking1 to obtain and store security patches for distribution on the internal network. Now you need to ensure that all client computers receive future security patches from Testking1 only. You open the Group Policy object (GPO) for the Clients OU. Which setting should you configure?
A. Computer Configuration\Software Settings\Software Installation
B. User Configuration\Software Settings\Software Installation
C. Computer Configuration\Administrative Templates\Windows Components\Windows Installer
D. User Configuration\Administrative Templates\Windows Components\Windows Installer
E. Computer Configuration\Administrative Templates\Windows Components\Windows Update
F. User Configuration\Administrative Templates\Windows Components\Windows Update

Answer: E

Explanation: Group Policy settings - Automatic Updates clients can be configured to synchronize from an SUS server rather than the Windows Update servers by modifying the clients' registries or, more efficiently, by configuring Windows Update policies in a Group Policy Object (GPO).

Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 9: 4.

QUESTION NO: 13
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The information technology (IT) department recently installed Software Update Services (SUS) to manage security updates. The server that runs SUS is configured to synchronize automatically every day at 7:00 A.M. New critical updates were released today at 9:00 A.M. You need to manually update the SUS server. What action should you take?
A. Log on to the SUS server. Download the new security updates from Windows Update.
B. Download the new security updates from Windows Update to your local computer. Copy and paste the updates on the SUS server.
C. On the SUS home page, synchronize the server.
D. Log on to the SUS server. Run Wupdmgr.exe by using the appropriate command to manually synchronize the server.

Answer: C

Explanation: An SUS server can retrieve software updates directly from Microsoft, or it can retrieve them from another SUS server. To have the SUS server retrieve updates from Microsoft, select Synchronize Directly from the Microsoft Windows Update Servers. To have the SUS server retrieve updates from another SUS server, select Synchronize from a Local Software Update Services Server and specify the name of the server. An administrator can also change how the SUS server handles updated content. This enables you to specify what the SUS server should do when software packages that are previously approved are updated. You can select from two options:
1. Automatically Approve New Versions of Previously Approved Updates.
2. Do Not Automatically Approve New Versions of Previously Approved Updates. I Will Manually Approve These Later.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter

QUESTION NO: 14
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional. TK1 is your global catalog server. TK2 runs Software Update Services (SUS). The Set Options console on TK2 uses all default settings. You configure the client computers to access the service on TK1 and TK2.

Three months later, Microsoft releases a critical security update for Windows XP Professional. From a test client computer, you use Windows Update to download the update. You test the update and receive no error messages. Now you need to deploy the update to all client computers as quickly as possible. You must ensure that the update is not deployed to any servers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. On TK1, configure the Default Domain Group Policy object (GPO) to distribute the security update.
B. On TK1, initiate replication.
C. On TK2, initiate synchronization.
D. On TK2, approve the security update.

Answer: C, D

Explanation: Only approved updates can be installed on the client computers. The two main tasks that you can perform with SUS are synchronizing content and approving content. Before you can perform those actions, you need to configure your server. You can configure all of your SUS options after running Setup by using the SUS Web administration tools. SUS is dependant on the IIS services. In this case the first step is to restart IIS services and check if all services start again. After that we will need to look for error codes generated by SUS. During synchronization, the Aucatalog1.cab file is always downloaded. As the administrator, you have the choice of whether or not to download the actual package files referenced in the metadata. The file name for Synchronization log is named history-Sync.xml and it is stored in the <Location of SUS Website>\AutoUpdate\Administration directory. The file name for Approval log is History-Approve.xml and it is stored in the <Location of SUS Website>\AutoUpdate\Administration directory. SUS uses the Background Intelligent Transfer Service (BITS) to perform the download by using idle network bandwidth.
If you change your SUS configuration from Maintain the updates on a Microsoft Windows Update server to Save the updates to a local folder, immediately perform a synchronization to download the necessary packages to the location that you have selected. The question mentions that the clients are configured to receive updates. When using Software Update Services to deploy security updates, the updates must be approved before they will be downloaded by the clients and installed.

References: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 15 DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. TestKing has several branch offices. One branch office contains four servers, whose roles and applications are shown in the work area. All servers except DC1 are member servers. The same branch office contains 250 client computers. All of them run Windows XP Professional and Microsoft Office XP. The Microsoft Windows Update Web issues two updates. Update1 is an MSI file that applies to Office XP. Update2 is a critical security update that applies to Windows XP Professional. You need to configure the appropriate servers to deploy these updates. What should you do? To answer, drag the appropriate updates to the correct servers in the work area.

Answer:

Explanation: Update2 for Windows XP will be deployed with SUS services. Update1 for Office will be deployed using a group policy from a domain controller.
Since all clients run on Windows XP and Update1 is an MSI file that applies to Office XP, the domain controller should be configured with Update1. In accordance the Software Update Services should be configured with Update2 that has a critical security update applicable to Windows XP Professional.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 594-595

QUESTION NO: 16
You are the network administrator for Testking.com. The network contains Windows Server 2003 computers and Windows XP Professional computers. You install Software Update Services (SUS) on a server named TestKingSrv. You scan the client computers to find out if any current hotfixes are installed. You notice that no client computers have been updated during the past seven days. You are unable to access the synchronization logs on TestKingSrv. You need to ensure that SUS is functioning properly. What should you do on TestKingSrv?
A. Delete the History-Approve.xml file and restart the computer.
B. Delete the Aucatalog.cab file and restart the computer.
C. Restart the Background Intelligent Transfer Service (BITS).
D. Restart all IIS-related services.

Answer: D

Explanation: SUS is dependant on the IIS services. In this case the first step is to restart IIS services and check if all services start again. After that we will need to look for error codes generated by SUS. During synchronization, the Aucatalog1.cab file is always downloaded. As the administrator, you have the choice of whether or not to download the actual package files referenced in the metadata. The file name for Synchronization log is named history-Sync.xml and it is stored in the <Location of SUS Website>\AutoUpdate\Administration directory. The file name for Approval log is History-Approve.xml and it is stored in the <Location of SUS Website>\AutoUpdate\Administration directory. SUS uses the Background Intelligent Transfer Service (BITS) to perform the download by using idle network bandwidth.
Incorrect answers:
A: Deleting the History-Approve.xml file and restarting the computer will not ensure that SUS functions properly, as it is the file for the approval log only. This on its own is not enough.
B: The Aucatalog1.cab file is always downloaded during synchronization only. This is but one aspect of SUS.
C: Restarting the Background Intelligent Transfer Service (BITS) is not going to ensure that SUS functions properly because it is only used to perform downloads using idle network bandwidth. What is needed is to restart all IIS-related services.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 17
You are the network administrator for Testking.com. The company has a main office at Toronto and several branch offices in North America. You work in Toronto. The network contains Windows Server 2003 computers and Windows XP Professional computers. A user named Tess works in a branch office. She reports that her client computer cannot connect to a remote VPN server. You suspect that her client computer did not receive a recent hotfix. You need to verify which hotfixes are installed on Tess's computer. What should you do?
A. From a command prompt, run the update.exe command.
B. From a command prompt, run the wmic qfe command.
C. View the History-synch.xml file.
D. View the History-approve.xml file.
Answer: B
Explanation: WMIC extends WMI for operation from several command-line interfaces and through batch scripts.
Incorrect answers:
A: Running the update.exe command installs hotfixes; it will not allow you to see which hotfixes have already been installed.

C: Viewing the History-synch.xml file does not necessarily synchronize the server and provide connectivity with the VPN server. It just gives you the ability to view the synchronization log.
D: Viewing the History-approve.xml file will not enable Tess to connect to the VPN server. It is the approval log that you will be viewing.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 207

QUESTION NO: 18 HOTSPOT
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named TestKing.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The written company security policy states that unnecessary services must be disabled and that servers must have the most recent, company-approved updates. You install and configure Software Update Services (SUS) on a server named TestKingB. You install Windows Server 2003 Standard edition on a computer named TestKingA. TestKingA is used only as a file and print server. TestKingA has two local user accounts, and the administrator account has been renamed. You need to find out whether TestKingA is running unnecessary services and whether it has all available approved security updates. To reduce the amount of network bandwidth and time requirements, you need to scan for only the required information.
Answer:
Explanation: Check for Windows vulnerabilities. Check for security updates. If you have this option to select, check Use SUS service and select server http://TestKingB. You are given three options in this combo box and also in the computer name combo box.

Select box: Check for Unnecessary Services
Windows checks:
Check for missing security updates and service packs
Check for account password expiration
Check for file system type on hard drives
Check if autologon feature is enabled
Check if the Guest account is enabled
Check the RestrictAnonymous registry key settings
Check the number of local Administrator accounts
Check for blank and/or simple local user account passwords
Check if unnecessary services are running
List the shares present on the computer
Check if auditing is enabled
Check the Windows version running on the scanned computer

Select box: Security Updates Scan
By default, a security update scan executed from the MBSA GUI or from mbsacli.exe (MBSA-style scan) will scan and report missing updates marked as critical security updates in Windows Update (WU), also referred to as "baseline" critical security updates. When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related security updates will be scanned and reported on. A user running an HFNetChk-style scan would have to use the -b option to scan only for WU critical security updates. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 230, 244

QUESTION NO: 19
You are the network administrator for Testking.com. TestKing has offices in three countries. The network contains Windows Server 2003 computers and Windows XP Professional computers. The network is configured as shown in the exhibit. Software Update Services (SUS) is installed on one server in each office. Each SUS server is configured to synchronize by using the default settings. Because bandwidth at each office is limited, you want to ensure that updates require the minimum amount of time. What should you do?
A. Synchronize the updates with an SUS server at another office.
B. Select only the locales that are needed.
C. Configure Background Intelligent Transfer Service (BITS) to limit file transfer size to 9 MB.
D. Configure Background Intelligent Transfer Service (BITS) to delete incomplete jobs after 20 minutes.
Answer: B
Explanation: When you configure SUS, you can select multiple languages for the updates according to your locale. In this scenario, we can reduce the bandwidth used by the synchronization by selecting only the required locales. This will avoid downloading and synchronizing multiple copies of the same updates, but in different languages.
Incorrect Answers:
A: This will not reduce the size of the updates or minimize bandwidth usage.
C: The updates may be more than 9 MB, so we shouldn't limit the transfer size.
D: This will not reduce the size of the updates or minimize bandwidth usage.
References: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 20 SIMULATION
You are the network administrator for Testking.com. The network contains Windows Server 2003 computers and Windows XP Professional computers. You install Software Update Services on a server named TestKingA. You create a new Group Policy object (GPO) at the domain level. You need to properly configure the GPO so that all computers receive their updates from TestKingA. How should you configure the GPO? To answer, configure the appropriate option or options in the dialog box.
Answer: Select the "Enabled" radio button. In the "Set the intranet update service" box, enter http://TestKingA. You should also enter http://TestKingA as the address of the intranet statistics server.
Explanation: Since Software Update Services has been installed on TestKingA, the Group Policy object on the domain should enable the intranet update service and set it to detect updates from TestKingA.
References: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Que Publishing, Indianapolis, 2003, Chapter 6

QUESTION NO: 21 HOTSPOT
You are the network administrator for Testking.com. The network contains Windows Server 2003 computers and Windows XP Professional computers. You are configuring Automatic Update on the servers. The written company network security policy states that all updates must be reviewed and approved before they are installed. All updates are received from the Microsoft Windows Update servers. You want to automate the updates as much as possible. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:

Explanation: Check the "Keep my computer up to date" checkbox. Select the "Download the updates automatically and notify me when they are ready to be installed" radio button. The updates will be automatically downloaded, but you will be able to review the updates before they are installed.
References: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 22
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. A member server named TestKingSrvA runs Software Update Services (SUS). TestKingSrvA is configured to synchronize directly from the Microsoft Windows Update servers every day. All client computers are configured to use the Automatic Updates client software to receive updates from TestKingSrvA. All client computers are located in an organizational unit (OU) named Clients. Microsoft releases a critical security update for Windows XP Professional computers. Server1 receives the update. Client computers on the network do not receive this update. However, they receive other updates from TestKingSrvA. You need to ensure that all client computers receive the critical security update. What should you do?
A. In the System Properties dialog box on each client computer, enable the Keep my computer up to date option.
B. Edit the Group Policy object (GPO) for the Clients OU by enabling the Reschedule Automatic Updates scheduled installations settings.
C. On Server1, open the SUS content folder. Select the file that contains the security update, and assign the Allow - Read permissions on the file to all client computer accounts.
D. Use Internet Explorer to connect to the SUS administration page. Approve the security update.
Answer: D
Explanation: The question states that the clients are configured to receive updates. When using Software Update Services to deploy security updates, the updates must be approved before they will be downloaded by the clients and installed.
Incorrect Answers:
A: This option is already set.
B: The Reschedule Automatic Updates scheduled installations setting means that a computer will re-run the update process if the computer was offline at the time of the last scheduled update.
C: This is not a permissions problem. The update must be approved before it can be installed.
References: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapters 2 & 6

QUESTION NO: 23
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. A new low-priority update is released and is synchronized with the Software Update Services (SUS) server on the network. You decide to approve the update without testing. After the update is applied to client computers, users report that they can no longer run their account application. On the SUS server, you view the details of the update as shown in the exhibit. You need to remove the update from all client computers until you can test the update.

What should you do?
A. Clear the Automatically approve new versions of previously approved updates option on the SUS server.
B. Clear the update for approval on the SUS server, and then resynchronize the server with the Windows Update servers.
C. Run the spuninst command from the Systemroot\$NtUninstallQ318138$\spuninst directory on each client computer.
D. Delete the Systemroot\$NtUninstallQ318138$ directory on each client computer.
Answer: C
Explanation: This command will remove the update from all the client computers, which is what is necessary in this scenario.
Incorrect answers:
A: This option, in the light of this specific scenario, is reactionary and the damage is already done. Clearing the Automatically approve new versions of previously approved updates option will not help.
B: You cannot clear an update for approval if it was already applied to the server as well as the client computers; what you need to do is to uninstall it.
D: This option will not help as the update has to be uninstalled since it was already applied to the client computers and the server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure: Study Guide & DVD Training System, pp. 811-816

QUESTION NO: 24 DRAG DROP
You are the network administrator for Testking.com. The network contains 25 servers and 1,000 client computers. The network architect has designed a software update infrastructure. You need to configure the software update infrastructure. The configuration must meet the following requirements:
1. Client computers must receive critical updates from a Software Update Services (SUS) server.
2. Three SUS servers must be available for critical updates.
3. Only servers in the perimeter network must be able to connect to the Internet.
4. Client computers must not be able to connect to servers in the perimeter network.
You install SUS on four servers on the network. Which configuration should you apply to the four SUS servers?
Answer:
Explanation: By default, SUS server synchronization is not defined. You can manually synchronize your server with the Windows Update server or you can set a synchronization schedule to automate the process. If you want to meet the stated requirements then you should have only TestKing12 synchronize directly from the Windows Update Service and maintain the updates on Windows Update server, since it is the server that is firewall protected and connected to the Internet, from whence it gets its updates. TestKing 13, -14 and -15 should be configured to synchronize directly from the local SUS server and to save the updates to a local folder.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 60-68

QUESTION NO: 25
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You install Software Update Services (SUS) on a network server named Testking1.

When you attempt to synchronize Testking1 with the Windows Update servers, you receive an error message. You suspect that your proxy server requires authentication. You open Internet Explorer and verify that you can communicate with an external Web site by using the proxy server. You need to ensure that Testking1 can communicate with the Windows Update servers. What should you do on Testking1?
A. Restart the IIS administration tool.
B. Configure the Internet Explorer settings to bypass the proxy server.
C. In the SUS options, configure authentication to the proxy server.
D. Install the Microsoft Firewall Client.
Answer: C
Explanation: If you are running Windows Server 2003 as a proxy server so your internal clients can surf the Web, or if you're running it as an e-mail server, dial-up connections to the Internet are an option worth looking into.
Incorrect answers:
A: Internet Information Services (IIS) is software that serves Internet higher-level protocols such as HTTP and FTP to clients using web browsers. The IIS software that is installed on a Windows Server 2003 computer is a fully functional web server and is designed to support heavy Internet usage. But this is not the issue here.
B: It is not necessary to bypass the proxy server.
D: SUS is used to deploy a limited version of Windows Update to a corporate server, which in turn provides the Windows updates to client computers within the corporate network. This allows clients that are limited in what they can access through a firewall to still keep their Windows operating systems up-to-date. However, there is no need to install the Microsoft Firewall Client in this case.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 59
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 26
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains 15 Windows Server 2003 computers and 3,000 Windows XP Professional computers. All client computers are running the most recent service pack. You install and configure Software Update Services (SUS) on a server named Testking1. You install the Automatic Updates client on all client computers. All client computer accounts are in the Clients organizational unit (OU). Currently all client computers obtain their Windows security updates from Windows Update. You want all client computers, and no other computers, to obtain their updates from Testking1. You need to configure all client computers to obtain Windows security updates from Testking1. You need to accomplish this task with the minimum amount of administrative effort. What should you do?
A. Create a Group Policy object (GPO) named SUS and link it to the Clients OU. Open the SUS GPO and enable the Configure Automatic Update policy to automatically download updates.
B. Create a Group Policy object (GPO) named SUS and link it to the Clients OU. Open the SUS GPO and enable the Specify intranet Microsoft updates service location policy to use http://Testking1 as the value for the update and statistics server.
C. Create a Group Policy object (GPO) named SUS and link it to the domain. Open the SUS GPO and enable the Specify intranet Microsoft update service location policy to use http://Testking1 as the value for the update and statistics server.
D. Create a Group Policy object (GPO) named SUS and link it to the domain. Open the SUS GPO and enable the Configure Automatic Update policy to automatically download updates.
Answer: B
Explanation: To configure which server will provide automatic updates, you should click the Next Setting button in the Configure Automatic Updates Properties dialog box. This brings up the Specify Intranet Microsoft Update Service Location Properties dialog box. The properties that can be configured through group policy are as follows: (1) the status of the intranet Microsoft update service location as not configured, enabled, or disabled, (2) the HTTP name of the server that will provide intranet service updates and (3) the HTTP name of the server that will act as the intranet SUS statistics server. Thus if you want to configure all client computers to obtain Windows security updates from TestKing1 with the least amount of administrative effort, you should create an appropriate GPO and link it to the Clients OU (all the client computers are located in this OU), and then do the proper configuration regarding the Specify intranet Microsoft updates service location.
Incorrect answers:
A: The first part of the option is correct, but you should not enable the Configure Automatic Update policy to automatically download updates as this could result in the client computers not obtaining their updates from TestKing1.
C: This option could work but it would not be appropriate in this case as the GPO should be linked to the Clients OU and not the domain.
D: Linking the newly created GPO to the domain would be wrong in this case, as would enabling the Configure Automatic Updates policy to automatically download updates.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 147-149

QUESTION NO: 27
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All client computers run either Windows 2000 Professional or Windows XP Professional. All servers run either Windows 2000 Server or Windows Server 2003. There are no service packs installed on any network computers. You install Software Update Services (SUS) on a server named Testking1. You must ensure that all network computers can connect to Testking1. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Install Windows 2000 Service Pack 3 on all Windows 2000 Server computers and Windows 2000 Professional computers. Install the Automatic Updates client on all Windows XP Professional computers.
B. Install Windows 2000 Service Pack 3 on all Windows 2000 Server computers and on all Windows 2000 Professional computers. Install Windows XP Service Pack 1 on all Windows XP Professional computers.
C. Configure the Internet browser home page for all Windows XP Professional computers to point to http://windowsupdate.microsoft.com. Install the Active Directory client on all Windows 2000 Server computers and on all Windows 2000 Professional computers.
D. Configure the Internet browser home page for all Windows 2000 Professional computers to point to http://windowsupdate.microsoft.com. Install Windows XP Service Pack 1 on all Windows XP Professional computers.
E. Upgrade all client computers to Windows XP Professional. Install Active Directory on all Windows 2000 Server computers.
F. Upgrade all client computers to Windows XP Professional. Install SUS on all Windows Server 2003 computers.
Answer: A, B
Explanation: SUS server requirements include that you should be running Windows 2000 Server with Service Pack 2 or higher or Windows Server 2003.
A: For SUS to work you should also install the Automatic Updates client on the Windows XP Professional computers.
B: SUS supports Windows XP Home Edition (with Service Pack 1 or higher) and Windows XP Professional (with Service Pack 1 or higher) as client platforms.
Incorrect answers:
C & D: Configuring the Internet browser is not how SUS is installed.
E: Active Directory (AD) is a directory service available with the Windows Server 2003 platform. Active Directory stores information in a central database and allows users to have a single user account (called a domain user account or Active Directory user account) for the network. However, this option is not the solution.
F: SUS is already installed on TestKing1. You would need to install the Automatic Updates client on the Windows XP Professional computers.
Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 138

QUESTION NO: 28
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The company has offices in Berlin, Dortmund, and Frankfurt. Each office is configured as a separate IP subnet. DNS is the only method of name resolution on the network. You need to implement a software update infrastructure on the network. You install Software Update Services (SUS) on a computer named TestKing3 in the Berlin office. You install it on TestKing3 with all default settings. You have no plans to install additional SUS servers. You configure all client computers appropriately. You must ensure that client computers can successfully connect to the SUS server. What should you do?
A. Configure the Internet browser home page on all client computers to point to http://windowsupdate.microsoft.com.
B. In the SUS Administrator, configure the Server Name property to be the server's fully qualified domain name (FQDN).
C. Open IIS Manager and enable HTTP over SSL.
D. Enable communication over port 135 between all client computers and the SUS server.
Answer: B
Explanation: It is generally a good idea to enter FQDNs so you can control what name is submitted to the server. With the Server Name property configured as the server's fully qualified domain name in the SUS Administrator, you should be assured that client computers will successfully connect to the SUS server.
Incorrect answers:
A: This option will not ensure that client computers will connect successfully to the SUS server.
C: Enabling HTTP over SSL will not work, as you would then need HTTPS to access the desired client.
D: This option does not necessarily mean that client computers will successfully connect to the SUS server.
Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 308

QUESTION NO: 29
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows 2000 Professional with Service Pack 4 or Windows XP Professional. You install Software Update Services (SUS) on a computer named TestKing1. You create a GPO that configures all client computers to receive their software updates from TestKing1. One week later, you run Microsoft Baseline Security Analyzer (MBSA) on all client computers to find out whether all updates are being applied. You discover that all the Windows 2000 Professional client computers received updates, but the Windows XP Professional client computers do not receive updates. You verify that the GPO setting was applied on all Windows XP Professional computers. You need to ensure that the Windows XP Professional client computers receive their updates from TestKing1. What should you do?
A. Make all users of the Windows XP Professional client computers members of the Administrators local group.
B. On all Windows XP Professional client computers, install Service Pack 1.
C. On all Windows XP Professional client computers, restart Automatic Updates.
D. On all Windows XP Professional client computers, delete the NoAutoUpdate value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU.

Answer: B
Explanation: To receive automatic updates from a local SUS server, the client computers need the updated automatic updates client software installed. This software doesn't come with the original version of Windows XP, but it is installed as part of Windows XP Service Pack 1.
Incorrect Answers:
A: It is not necessary to make all users of the Windows XP Professional client computers members of the Administrators local group. The automatic updates software runs under the security context of the local system account (the local system account has administrator rights).
C: The problem is that the updated automatic updates client software is not installed on the Windows XP clients. Therefore, restarting Automatic Updates is not the correct solution.
D: The problem is that the updated automatic updates client software is not installed on the Windows XP clients. Therefore deleting a registry key is not the correct solution.

QUESTION NO: 30 HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. TestKing.com has 16 sales representatives, who are mobile users. All 16 mobile users are members of the Power Users local group on their computers. From 5:00 P.M. until 9:00 A.M., the sales representatives' portable computers are usually turned off and disconnected from the corporate network. TestKing.com's written security policy states that all portable computers that are used by the mobile sales representatives must receive software updates from the Windows Update servers every day. User interaction with the update process must be minimized. On a portable computer named TestKing2, you verify the recent updates and notice that updates from the Windows Update servers were not applied. You need to ensure that software updates are applied to TestKing2 in compliance with the company policy. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Select the "Keep my computer up to date. With this setting enabled, Windows Update software may be automatically updated prior to applying any other updates" checkbox. Then select "Automatically download the updates and install them on the schedule that I specify". The time should be specified every day between 9am and 5pm.
You enable Automatic Updates by checking the option Keep My Computer Up To Date. With This Setting Enabled, Windows Update Software May Be Automatically Updated Prior To Applying Any Other Updates. The settings that can be applied to Automatic Updates include "Automatically Download The Updates, And Install Them On The Schedule That I Specify", which allows you to specify the days and times you want Windows to search for updates, e.g. during non-business hours. You still have to verify that you want the updates installed prior to the updates being applied to your server.
De$erence9 4isa Donald, $u0an $age 4ondon L Qames .hellis, M.$AHM.$39 !indowsO$er%er 2""3 3n%ironment Management and Maintenance $tud Cuide, $ beB &nc. Alameda, 2""3, p. FF QUESTION NO: ,< You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com The domain contains ,5 2*=== !indo"s 2=== .ro$essional com#uters You install and con$igure So$t"are U#date Ser/ices &SUS( on a ser/er named TestBing, You need to scan all com#uters in the domain to $ind out "hether they ha/e recei/ed all a##ro/ed u#dates that are located on the SUS ser/er !hat should you do% A. 'n a ser%er, install and run the mbsacli.eBe command with the appropriate

configuration switches. 1. 'n a ser%er that runs &&$, install and configure urlscan.eBe. .. 3dit and configure the Default Domain 5olic to enable the .onfigure Automatic Updates polic . D. (rom a command prompt on Test@ing3, run the netsh.eBe command to scan all computers in the domain. )ns"er: ) ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=; 2 QUESTION NO: ,2 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com )ll net"or0 ser/ers run !indo"s Ser/er 2==, )ll client com#uters run !indo"s @. .ro$essional and ha/e the latest ser/ice #ac0 installed There are 5== client com#uters You manage a ser/er that has So$t"are U#date Ser/ices &SUS( installed The latest u#dates "ere synchroni1ed and a##ro/ed $or installation on the client com#uters You need to con$igure the client com#uters to do"nload the a##ro/ed u#dates !hat should you do% A. .reate a teBt file named Auto2Update.ini. .onfigure the correct Automatic Updates settings in the file. .op and paste the file into the $ stemroot folder on all client computers. 1. .reate a C5' that has the appropriate Automatic Updates settings configured. Appl the C5' to the client computers that ou to need to configure. .. &n Acti%e Director Users and .omputers, modif the settings for the client computer accounts. .onfigure the Managed 1 propert to specif the $U$ ser%er account. D. .reate a local group on the $U$ ser%er. Assign the group the Allow 2 Read and the Allow 2 !rite permissions for the AutoUpdate folder on the $U$ ser%er. Add all the users of the client computers to the local group. )ns"er: + E3#lanation9 The ad%antages of $U$ includes amongst others that Administrators ha%e selecti%e control o%er what updates are posted and deplo ed from the public !indows Update site. 
No updates are deployed to client computers unless they are first approved by an administrator. Administrators can also control the synchronization of updates from the public Windows Update site to the SUS server, either manually or automatically. Thus if you create an appropriate GPO and apply it to the client computers that need to be configured, you will be able to ensure that client computers only download approved updates.
Incorrect answers:
A: This option is not the solution.
C: There is no need to modify the settings for the client computer accounts in Active Directory Users and Computers.
D: This option does not ensure that only approved updates are downloaded by the client computers. SUS has two major components: the SUS server and Automatic Updates, both of which have to be installed before you can even think of downloading updates.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 56

QUESTION NO: 33
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You are required to accommodate five new support engineers. The five support engineers will have the following responsibilities:
1. Stop and start printers, clear print jobs from the printer queues, and set permissions on printers
2. Back up and restore all files on the servers
3. Make changes to TCP/IP settings
4. Create and delete shared resources
You need to assign the support engineers the appropriate permissions to perform the required tasks on the 20 member servers. Of which group should you make the Support Engineers group a member?
A. the Administrators local group on one of the domain controllers.
B. the Administrators local group on each of the servers.
C. the Server Operators local group on one of the domain controllers.

D. the Power Users local group on one of the servers.
E. the Backup Operators local group on one of the domain controllers.
F. the Backup Operators local group on each of the servers.
Answer: B
Explanation: The Administrators group has full rights and privileges on all domain controllers within the domain. Its members can grant themselves any permissions they do not have by default to manage all of the objects on the computer. (Objects include the file system, printers, and account management.) Because of the permissions associated with this group, you should add users to this group with caution. If you want the Support Engineers to complete their tasks then you should make the Support Engineers group a member of the Administrators local group on each of the servers.
Incorrect answers:
A: Making the Support Engineers members of the Administrators local group on only one of the domain controllers will be too restrictive for them to carry out their tasks.
C: The Server Operators group members can administer domain servers. Administration tasks include creating, managing, and deleting shared resources, starting and stopping services, formatting hard disks, backing up and restoring the file system, and shutting down domain controllers. This is not enough.
D: Being members of the Power Users group on one of the servers will not be enough for this scenario.
E & F: Whether on one of the domain controllers or on each of the servers, the members of the Backup Operators group have rights to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, this is not enough to enable them to carry out all their tasks.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 167-170
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 34
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You install Software Update Services (SUS) on a Windows Server 2003 computer named TestKing6. You want all client computers on the network to use TestKing6 to receive their software updates. You decide to modify the Default Domain Policy GPO to set TestKing6 as the SUS server for all computers in the domain. When you open the Default Domain Policy GPO, you notice that there are no settings for Windows Update. You realize that you need to load an administrative template into the Group Policy Object Editor. Which template should you load? To answer, select the appropriate template in the dialog box.
Answer:
Explanation: wuau.adm
The WUAU.adm file holds Windows Update settings for Windows 2000 and Windows Server 2003 clients. It describes the new policy settings for the Automatic Updates client, and is automatically installed into the %windir%\inf folder when installing Automatic Updates. You should load WUAU.adm as an administrative template in the Group Policy Object Editor.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 9, p. 36

QUESTION NO: 35
You are the network administrator for TestKing.com Active Directory. Another system administrator installs Software Update Services (SUS) on a production Windows Server 2003 computer. You are assigned to manage the SUS computer. You need to ensure that you can recover SUS if the server fails. You need to back up all components that are required to restore SUS to its current configuration. Because of limited space, you must not back up unnecessary data.

What action or actions should you perform? Select all that apply.
A. Back up the SUS folder that contains synchronized content.
B. Back up the folder in which the SUSAdmin site was created.
C. Back up the System State data from the Windows Server 2003 computer.
D. Back up the IIS metabase.
Answer: A, B, D
Explanation: To capture the current SUS configuration without backing up unnecessary data, given the limited space, you should back up the IIS metabase, which is necessary for SUS since it provides a wide range of options for configuring the content, performance, and access controls for your websites; the SUS folder that has the synchronized content; and the folder in which the SUSAdmin site was created.
Incorrect answers:
C: System State data is a set of data that is critical to the operating system booting and includes the Registry, the COM+ registration database, and the system boot files. Thus, to back up the required files to restore SUS to its current configuration, and due to limited space, it is not necessary to back up the System State data from the Windows Server 2003 computer.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 310

Part 3: Manage software site licensing. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing, which employs 500 users. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You install Terminal Services on three servers TestKing1, TestKing2, and TestKing3. Initially, users can successfully connect to all three terminal servers by using Remote Desktop connections. Months later, users begin reporting that they can no longer connect to any of the terminal servers by using Remote Desktop connections. How should you solve this problem?
A. On each terminal server, change the licensing mode from Per Server to Per Seat.
B. Add additional Microsoft Windows licenses to the Site License server for the domain.
C. Configure and activate an Enterprise license server.
D. On each terminal server, change the licensing mode from Per Device to Per User.
Answer: C
Explanation: The reason the users can no longer connect is that the time period to use Terminal Services in application mode has expired. A terminal server allows clients to connect without license tokens for 120 days before it requires communicating with a license server. The license server grace period ends after 120 days, or when a license server issues a permanent license token through the terminal server, whichever occurs first. Therefore, if the license server and terminal server are deployed at the same time, the terminal server grace period will immediately expire after the first permanent license token has been issued.
A terminal server running Windows Server 2003 must be licensed with one of the following:
1. Windows Server 2003 Terminal Server Device Client Access License.
2. Windows Server 2003 Terminal Server User Client Access License.
3. Windows Server 2003 Terminal Server External Connector.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 9

QUESTION NO: 2
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. TestKing operates offices in London, Paris, and Amsterdam. Each office is configured as a separate Active Directory site. Each office has a file server for local users.

ChiFile is the file server in London. It hosts a shared folder. Users report that they can no longer connect to the shared folder. A help desk technician who is a member of the Power Users group reports that he cannot connect to ChiFile. However, you are able to make a successful connection with ChiFile by using Terminal Services. How should you solve this problem?
A. Add Windows Server 2003 licenses to the Site License server for London.
B. Change the licensing mode on ChiFile from Per Device or User to Per Server.
C. Change the licensing mode on ChiFile from Per Server to Per Device or User.
D. Install a Terminal Services Enterprise license server on the London domain controller.
Answer: A
Explanation: No more connections can be made to a server product because the number of user connections has reached the maximum that the server can accept. The server product might be configured with Per Server licensing and the number of licenses might be exhausted. Check license usage for the product on the server. The user can wait until others stop accessing the product. You can purchase more licenses for the product in an effort to eliminate the problem.
Incorrect answers:
B: Per Device or Per User mode (formerly called "Per Seat" mode) requires that each device or user have its own Windows CAL. Furthermore this will have no effect on the situation.
C: Per Server mode requires a Windows CAL for each connection. These are assigned to each server and cannot be shared between servers. And you are only allowed one CAL
D: This would be obsolete as you can already make a successful connection through using Terminal Services.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 46-47

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server named TestKing17 hosts several shared folders. Users report that they receive an error message when they try to connect to the shared folders. The error message states: "No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept." How should you solve the problem?
A. Add an additional network adapter to TestKing17. Configure a network bridge between the new network adapter and the original network adapter.
B. Purchase additional per-seat licenses for TestKing17. In Control Panel on TestKing17, run the Licensing application. Add the additional licenses to TestKing17.
C. Disable quota management on TestKing17.
D. In Active Directory Sites and Services, select the site that contains TestKing17. Add an additional Active Directory connection object to the domain controller for the site.
Answer: B
Explanation: No more connections can be made to a server product because the number of user connections has reached the maximum that the server can accept.
Cause: The server product might be configured with Per Server licensing and the number of licenses might be exhausted.
Solution: Check license usage for the product on the server. The user can wait until others stop accessing the product. To eliminate the problem, you can purchase more licenses for the product.
Incorrect answers:
A: Adding an additional network adapter and configuring a bridge between the new adapter and the original adapter means that it is still connected to TestKing17, which is already saturated and cannot grant more connections.
C: Disabling quota management will not suffice as you can apply a quota on a per-user, per-volume basis only.
D: Adding an additional connection object to the domain controller for the site still means that TestKing17 is saturated, and this option will thus not allow more connections.
References:

Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 373-380, 443

Part 4: Manage servers remotely.
A: Manage a server by using Remote Assistance and Remote Desktop. (8 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. All servers run Windows Server 2003. You manage a server named Testking2. IIS is installed on Testking2. Testking2 hosts TestKing's public Web site. You need to configure Testking2 to allow remote administration of all Web sites. In addition, you must be able to view the system and application event logs remotely. The remote administration must be done by using a Web browser. The procedure for remote administration must be encrypted. What should you do?
A. Enable Remote Desktop.
B. Install the Remote Administration (HTML) Windows component.
C. Install the Remote Desktop Web Connection Windows component.
D. Configure the startup type of the Telnet service to Automatic and start the Telnet service.
Answer: C
Explanation: The Remote Desktop Web Connection ActiveX control allows you to access your computer through Remote Desktop via the Internet, from another computer using Internet Explorer. You must be using Internet Information Services (IIS) to host a Web site to use this feature. Remote Desktop Web Connection provides most of the same functionality as the Remote Desktop Connection software. Users of Windows Server 2003 do not need to download this package. They can manually add this package from Add/Remove in the Control Panel. This package is offered as a convenience to Microsoft customers.
Incorrect Answers:
A: To administrate and view the system and application event logs remotely, enabling Remote Desktop is not sufficient given the circumstances.
B: You need to install the Remote Desktop Web Connection Windows component and not just the Remote Administration (HTML) Windows component.
D: This option will not work because configuring the startup type of the Telnet service to Automatic is more a dependency or recovery option.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. XML Web services for the internal network run on a member server named TestKingSrv1, which is configured with default settings. You are a member of the local Administrators group on TestKingSrv1. You need the ability to remotely manage TestKingSrv1. You have no budget to purchase any additional licensing for your network until the next fiscal year. How should you reconfigure TestKingSrv1?
A. In the System Properties dialog box, enable Remote Desktop.
B. Add your user account to the Remote Desktop Users local group.
C. In the System Properties dialog box, enable Remote Assistance.
D. Install Terminal Services by using Add or Remove Programs.
Answer: A
Explanation: To enable users to connect remotely to the server for Remote Desktop for Administration purposes, you must have the appropriate permissions. By default, members of the Administrator group can connect remotely to the server. But Remote Desktop Users group population does not happen by default. You must decide which users and groups should have permission to log on remotely, and then manually add them to the group.
Incorrect Answers:
B: Adding your user account to the Remote Desktop Users local group does not give you the administrative rights which are needed to reconfigure the server, TestKingSrv1.

C: Remote Desktop should be enabled, not Remote Assistance.
D: Installing Terminal Services is not the way to remotely manage TestKingSrv1.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 472-47
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 domain controllers, Windows Server 2003 member servers, and Windows XP Professional computers. All company network administrators need to have the remote administrative tools available on any computer that they log on to. All network administrators are members of the domain Administrators group. The network administrator accounts are located in multiple organizational units (OUs). You need to ensure that the administrative tools are available to network administrators. You also need to ensure that the administrative tools are always installed on computers that have 100 MB or more free disk space. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. Create a Group Policy object (GPO) that will apply adminpak.msi at the domain level.
B. Create a Group Policy object (GPO) that will link adminpak.msi to the Domain Controllers OU.
C. Ensure that only the domain Administrators group is assigned the Allow - Read permission and the Allow - Apply Group Policy permission for the new Group Policy object (GPO).
D. Assign the domain Users group the Deny - Read permission and the Deny - Apply Group Policy permission for the new Group Policy object (GPO).
E. Create a WMI filter that queries the Win32_LogicalDisk object for more than 100 MB of free space.
F. Create a WMI filter that queries the Win32_LogicalDisk object for less than 100 MB of free space.
Answer: A, C, E
Explanation:
A: You can assign the administrative tools (contained in adminpak.msi) to the administrators using a group policy.
C: Ensuring that only the domain Administrators group is assigned the Allow - Read permission and the Allow - Apply Group Policy permission for the new Group Policy object (GPO) will ensure that only the domain administrators receive the administrative tools.
E: Creating a WMI filter that queries the Win32_LogicalDisk object for more than 100 MB of free space will ensure that the tools are only installed if there is more than 100MB of free disk space.
Incorrect Answers:
B: This would only install the tools on the domain controllers if a domain administrator logged in locally. The GPO needs to be assigned at domain level. Therefore, the tools are installed on any machine an administrator logs in to.
D: The domain admins are members of the domain users group. This would prevent the GPO applying to all users including the domain admins.
F: The software should be installed if there is more than 100MB of free disk space, not less than 100MB.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 401

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. A member server named Testking1 functions as a file and print server. Testking1 is configured with default operating system settings.

A user named Tess is a member of the local Backup Operators group on Testking1. She is responsible for performing backups on this computer. You need to ensure that Tess can create Remote Assistance invitations from Testking1. What are two possible ways for you to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Log on to Testking1 with administrative privileges. Use the System Properties dialog box to enable Remote Assistance.
B. Direct Tess to use the System Properties dialog box to enable Remote Assistance on Testking1.
C. In your Default Domain Policy, enable the Solicit Remote Assistance setting.
D. In your Default Domain Policy, enable the Offer Remote Assistance setting.
E. Log on to Testking1 with administrative privileges. Use GPedit.msc to enable the Offer Remote Assistance setting.
Answer: A, C
Explanation: Remote Assistance is installed with the operating system by default but is disabled. Thus, it must be enabled before it can be used. Remote Assistance allows a user at one computer to ask for assistance from a user at another computer, on the network or across the Internet. This request for assistance can be made through Windows Messenger, e-mail, or through a transferred file. The assistant can also offer remote assistance without receiving an explicit request if Group Policy settings are configured to enable offering of remote assistance and the assistant is listed in the Offer Remote Assistance policy, or is a local administrator. However, the user requiring assistance must grant the assistant permission to take over the user's computer. The Solicit Remote Assistance setting determines whether remote assistance may be solicited from the Windows XP computers in your environment. Enabling this setting allows users to solicit remote assistance to their workstations from an IT "expert" administrator.
To enable RA, go to Control Panel and select the Remote tab in the System properties. Select the check box next to Turn on Remote Assistance and allow invitations to be sent from this computer, located in the Remote Assistance section of the tab.
Incorrect answers:
B: This will not work as Tess does not have administrator privileges. Furthermore she would have to be logged on to Testking1.
D: The Offer Remote Assistance GPO setting determines whether another user, referred to as the "expert," is allowed to offer RA to the computer without the user requesting RA first. The expert user still cannot connect to the computer needing assistance without the user's permission, even if this GPO setting is enabled. Therefore this option will not work.
E: You need to enable the Solicit Remote Assistance setting, not the Offer Remote Assistance setting.
References: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all are members of the domain. All client computers run Windows XP Professional. Five Web servers host the content for the internal network. Each one runs IIS and has Remote Desktop connections enabled. Web developers are frequently required to update content on the Web servers. You need to ensure that the Web developers can use Remote Desktop Connection to transfer Web documents from their client computers to the five Web servers. What should you do?
A. Install the Terminal Server option on all five Web servers. Use Terminal Services Configuration Manager to modify the session directory setting.
B. Install the Terminal Server option on all five Web servers. Use Terminal Services Configuration Manager to create a new Microsoft RDP 5.2 connection.
C. On each Web developer's client computer, select the Disk Drives check box in the properties of Remote Desktop Connection.
D. On each Web developer's client computer, select the Allow users to connect remotely to this computer check box in the System Properties dialog box.

)ns"er: ' E3#lanation: !hen this o#tion is enabled* you can o#en ?y 'om#uter on the remote ser/er* and /ie" the dis0 dri/es $rom the client com#uter listed alongside the dis0 dri/es $rom the ser/er )lso a connection to a !eb 'lient Net"or0 is attem#ted only "hen the $irst t"o #ro/iders $ail to res#ond The LDis0 Dri/esL o#tion "ill ma0e the !eb De/elo#erJs local dis0 dri/es a/ailable to them "hen they connect to the "eb ser/ers using a remote des0to# connection Incorrect )ns"ers: ): Using the Terminal $er%ices .onfiguration Manager to modif the session director setting will not wor/ +: ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -11 2 Terminal $er%ices pro%ides remote control capabilities but using the Terminal $er%ices .onfiguration Manager to create a new RD5 connection will not wor/. There is alread a connection. D: To select the Allow users to connect remotel to this computer chec/ boB in the $ stem 5roperties dialog boB will not ensure that !eb de%elopers will be able to ma/e use of Remote Des/top .onnections to transfer !eb documents from their client computers to the fi%e !eb ser%ers. De$erence: Q. .. Mac/in, &an Mc4ean, M.$AHM.$3 $elf25aced Training @it *eBam G"22=1+9 &mplementing, Managing, and Maintaining a Microsoft !indows $er%er 2""3 networ/ &nfrastructure, p. >93Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd and 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, pp. 3;, FG-, F>3 QUESTION NO: 6 You are the net"or0 administrator $or TestBing com The net"or0 consists i$ a single )cti/e Directory domain named test0ing com )ll net"or0 ser/ers run !indo"s Ser/er 2==,* and all client com#uters run !indo"s @. 
.ro$essional @?A !eb ser/ices $or the internal net"or0 run on a member ser/er named TB<* "hich is con$igured "ith de$ault settings You are a member o$ the local )dministrators grou# on TB< You need the ability to remotely manage TB< You ha/e no budget to #urchase any additional licensing $or your net"or0 until the ne3t $iscal year :o" should you recon$igure TB<% A. &n the $ stem 5roperties dialog boB, enable Remote Des/top. 1. Add our user account to the Remote Des/top Users local group. .. &n the $ stem 5roperties dialog boB, enable Remote Assistance. D. &nstall Terminal $er%ices b using Add or Remo%e 5rograms. )ns"er: ) E3#lanation: ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -12 2 To con$igure Demote Des0to# $or )dministration* select Start W 'ontrol .anel W System and clic0 the Demote tab To enable the $eature* sim#ly chec0 the bo3 ne3t to )llo" users to connect remotely to this com#uter located in the Demote Des0to# section o$ the tab Enabling the Demote Des0to# "ill allo" you to remotely manage the ser/er "hilst not necessitating an additional license Incorrect ans"ers: +: This will enable ou to connect to Terminal $er%ers in the domain. &t wonKt enable ou to connect to T@1. ': Remote Assistance for B>;2based computers allows ou to in%ite a trusted person *a friend or computer eBpert+ to remotel and interacti%el assist ou with a problem. Iou can also use Remote Assistance to remotel assist a user who trusts ou. This feature is useful in situations where detailed or length instructions are re6uired to reproduce or resol%e problems. D: &nstalling Terminal $er%ices will re6uire additional licensing. De$erences: Deborah 4ittle)ohn $hinder and Dr. Thomas !. $hinder, M.$AHM.$3 3Bam G"22="9 Managing and Maintaining a !indows $er%er 2""3 3n%ironment $tud Cuide L D?D Training $ stem, pp. 
497

QUESTION NO: 7
You are the network administrator for Testking.com. The company operates a main office and two branch offices. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.

A server named TestKingSrvA is located in one of the branch offices, where it is a member of a workgroup. TestKingSrvA is configured with default operating system settings. Remote Desktop and Remote Assistance are enabled, and Windows Messenger is installed. The company intranet site is hosted on this server. Mr King is the local administrator who manages the intranet site. He requests your assistance in installing an application on TestKingSrvA. You need the ability to view Mr King's desktop during the installation process. What should you do?
A. From your computer, open a Remote Desktop connection with TestKingSrvA.
B. Direct Mr King to create and send an invitation for Remote Assistance from TestKingSrvA.
C. From your computer, offer Remote Assistance to TestKingSrvA.
D. Direct Mr King to start Application Sharing from Windows Messenger.

Answer: B

Explanation: have permission to connect to TestKingSrvA using Remote Desktop. However, the administrator of TestKingSrvA can temporarily give you permission to connect to the server using Remote Desktop, by sending you a Remote Assistance invitation. When you receive and accept the invitation, you will be able to connect to TestKingSrvA to observe and/or control the administrators session.

Incorrect Answers:
A: You do not have permission to connect to TestKingSrvA using Remote Desktop. You need an invitation.
C: You can only offer remote assistance to computers in the same domain. TestKingSrvA is not a member of the domain. Thus you cannot offer Remote Assistance.
D: This will not enable you to connect to TestKingSrvA using Remote Desktop.
Reference:
http://www.jsiinc.com/SUBI/tip4100/rh4138.htm
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 8
You are the network administrator for TestKing, which employs 1,500 users. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Most client computers run Windows XP Professional, and the rest run Windows NT 4.0 Workstation. Two terminal servers are available to network users. You install a new application on both terminal servers. Everyone who uses the new application to create data must save the data directly to a folder on the local hard disk. You need to ensure that client disk drives are always available when employees connect to the terminal servers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create a client connection object with default settings and deploy the object to each terminal server.
B. Edit the RDP-Tcp properties by selecting the Connect client drives at logon options.
C. Install NetMeeting on all client computers. Configure Remote Desktop Sharing.
D. Install the default Windows 2000 Terminal Server Client software on the Windows NT 4.0 workstations.
E. Install Remote Desktop Connections on the Windows NT 4.0 workstations.

Answer: B, E

Explanation: A listener connection (also called the RDP-Tcp connection) must be configured and exist on the server for clients to successfully establish Terminal Services sessions to that server. Connect client drives at logon makes your mapped local client's drives accessible from within Windows Explorer, Save As, and Open windows in the session. Note that this supported for other clients.
Incorrect answers:
A: You cannot override the RDP-Tcp settings by creating a client connection with default settings to a terminal server.
C: NetMeeting and Remote Desktop Sharing is conferencing software for Windows 98 SE machines.
D: Installing the default Windows 2000 Terminal Server Client software will not necessarily ensure that client disk drives are always available when employees connect to the terminal servers.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 7, 547-555

B: Manage a server by using Terminal Services remote administration mode. (1 Question)

QUESTION NO: 1
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. A member server named TestKing8 hosts all file and print services for the network. TestKing8 is accessible only by Remote Desktop Connection. On TestKing8, you configure the Terminal Services configuration settings shown in the exhibit. Shortly afterward, you discover that several different members of the local Administrators group on TestKing8 periodically make critical modifications to the configuration settings. You need to modify TestKing8 to ensure that multiple administrators cannot modify the same configuration setting simultaneously. What should you do?
A. Select Yes as the attribute for the Restrict each user to one session setting.
B. Enable only a single RDP-Tcp connection at one time.
C. Add only the Administrator account to the Remote Desktop Users local group.
D. Select Full Security as the permissions compatibility setting.
Answer: B

Explanation: A terminal server has one RDP-Tcp connection by default, and can have only one connection object per network adapter, but if a terminal server has multiple adapters, you can create connections for those adapters. Each connection maintains properties that affect all user sessions connected to that server connection. Thus if you want to ensure that multiple administrators are not able to modify the same configuration setting on TestKing8 simultaneously, then you should enable only a single RDP-Tcp connection at one time.

Incorrect answers:
A: Restricting each user to one session will only affect the user individually as it means that a particular user will be restricted to a single session at a time. This has no bearing on the problem that you want to avoid.
C: Adding the Administrator account to the Remote Desktop Users local group will not address your concern.
D: The permissions compatibility setting, Full Security, is the default and protects certain operating system files and shared program files only. This is not what is needed.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

C: Manage a server by using available support tools. (5 Questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP
Professional. TestKing includes a main office and several branch offices. You work in the main office. A DNS server named TESTKING1 is located in one of the branch offices. You need to perform DNS management on TESTKING1. First, you log on to a client computer. However, the computer does not have the DNS snap-in installed. What should you do next?
A. Install the Windows Support Tools on the client computer.
B. From a command prompt, start Nslookup.exe. At the prompt, type install.
C. Use Windows Explorer to open the c$ share on TESTKING1. Select \windows\system32 and install Adminpak.msi.
D. Use Windows Explorer to copy C:\windows\system32\dnsmgmt.msc from TESTKING1 to C:\windows\system32 on the client computer.

Answer: C

Explanation: Adminpak.msi installs the administrative tools including the DNS management console. Answer D would work, but it wouldn't place a shortcut to the DNS snap-in in the start menu (or anywhere else), so the user would have to open the snap-in using a command prompt. The Windows Server 2003 Administration Tools Pack provides tools that an administrator can use to manage Windows Server 2003 computers remotely from Windows XP Professional with Service Pack 1 client computers. These tools are packaged as adminpak.msi in the i386 folder on the Windows Server 2003 CD-ROM. The Windows Server 2003 Administration Tools Pack includes the DNS snap-in. This would thus make the DNS snap-in available on the client computer.

Incorrect Answers:
A: The Windows Support Tools are located in the Support/Tools folder on the Windows Server 2003 CD-ROM. However, the Support Tools do not include the DNS snap-in. Thus installing the Windows Support Tools will not give us access to the DNS snap-in.
B: The Nslookup.exe command-line utility displays information that we can use to diagnose the DNS infrastructure. It cannot be used to install the DNS snap-in on a client computer. Indeed, the Nslookup.exe utility does not support an install subcommand. This will not install the DNS management snap-in.
D: Copying the dnsmgmt.msc from DNS1 to C:\windows\system32 on the client computer would make the DNS snap-in available on the client computer. However, we would need to use the command prompt to open the snap-in. It would be easier to use the Windows graphical user interface (GUI) than the command prompt. This is thus not the best option. Thus option D could work because the Adminpak.msi installs the administrative tools.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 594-5.
QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Your new assistant, Tess, will perform basic administrative tasks on a member server named TestKingSrvC. Tess is not a member of the local Administrators group on TestKingSrvC, but she can log on to the server console. Tess reports that she receives an error message when she tries to use Remote Desktop. The error message states: "The local policy of this system does not permit you to log on interactively". You need to ensure that Tess can use Remote Desktop to log on to TestKingSrvC. What should you do?
A. Add Tess's user account to the Remote Desktop Users domain local group.
B. Add Tess's user account to the Remote Desktop Users local group on TestKingSrvC.
C. On the Remote Control tab of Tess's domain account, select the Enable remote control option.
D. On the Security tab of Tess's domain account, add the Remote Desktop Users domain local group. Assign the Allow - Full Control permissions to this group.

Answer: B

Explanation: The Remote Desktop Users local group on TestKingSrvC has the necessary permissions to connect to TestKingSrvC using a remote desktop connection. We can enable Tess to connect using a remote desktop connection by simply adding her domain user account to this local group.

Incorrect Answers:
A: This would permit her to log on to any computer using a remote desktop connection.
C: This allows an administrator to remotely control her session. It doesn't enable her to connect to TestKingSrvC using a remote desktop connection.
D: This tab doesn't exist.
QUESTION NO: 3
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Another system administrator, Tess King, needs your help in configuring the volume shadow copy settings on a member server. Tess is logged on to the server console. The settings are configured to allow the proper use of all available remote

tools. You need to provide remote help to Tess by using a remote administration tool. You also need to ensure that Tess can observe your actions from the console. What should you do?
A. Use Remote Desktop in Windows XP Professional to establish a Remote Desktop connection to the member server.
B. Use Help and Support in Windows XP Professional to offer Remote Assistance to the member server.
C. Use Computer Management to connect remotely to the member server.
D. Use the Remote Registry tool to connect to the server.

Answer: B

Explanation: Remote Assistance allows for a novice user to use Windows Messenger to request personal, interactive help from an expert user. When the help request is accepted and the remote session negotiated, the expert is able to view and, if allowed by the novice, control the desktop. In that time Tess should be able to observe your actions provided that you make use of Help and Support in Windows XP Professional.

Incorrect answers:
A: Remote Desktop is a different concept to Remote Assistance. With Remote Desktop for Administration or the terminal server role, a user can connect from a wide range of client systems without permission, provided the user has a valid username and password. However this is not what is required in this case.
C: To connect remotely to the member server will not be providing Tess with remote help and allow her to observe your actions.
D: The Remote Registry service is needed to determine whether sufficient privileges exist for remote connection. This is not what the question requires.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p.
493

QUESTION NO: 4
HOTSPOT
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. You manage a member server named Server1, which runs Windows Server 2003. Server1 is also managed by other network administrators at TestKing. From your client computer, you open Computer Management and connect to Server1. However, you receive the error message shown in the exhibit. You need to solve this problem. First, you log on locally to Server1 and open the Services snap-in, as shown in the work area. Which service should be modified? To answer, select the appropriate service in the work area.

Answer:

Explanation: Remote Registry
The Remote Registry service has to be started. Windows Server 2003 relies on a number of services to work in concert for a computer to be managed remotely using Computer Management, such as the Server service and Windows Management Instrumentation (WMI) services. Of the services displayed in the work area, the Remote Registry service is not started and must be running on the remote computer for the computer to be managed remotely.

Objective: Managing and Maintaining a Server Environment
Sub-Objective: Manage servers remotely

References:
Windows Server 2003 Online Help - Computer Management
Windows Server 2003 Online Help - Performance Logs and Alerts
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 768

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a

single Active Directory domain named testking.com. All 40 network servers run Windows Server 2003, and all 1,500 client computers run Windows XP Professional. The servers are located in seven different buildings. All are configured to allow Remote Desktop connections. A new administrator named Tess King is hired to help you configure applications and perform disk defragmentation on all 40 servers. You need to enable Tess King to manage the servers remotely by using Remote Desktop for Administration. What should you do?
A. Add Tess King to the Administrators group.
B. Add Tess King to the Power Users group.
C. Add Tess King to the Remote Desktop Users group.
D. Delegate control of the Domain Controllers organizational unit (OU) to Tess King.
E. Delegate control of the Computers organizational unit (OU) to Tess King.

Answer: A

Explanation: Enabling users to connect remotely to the server: Before you can create a remote connection to Remote Desktop for Administration you must have the appropriate permissions. By default, members of the Administrators group and the Remote Desktop Users group can connect remotely to the server. However, the Remote Desktop Users group is not populated by default. You must decide which users and groups should have permission to log on remotely, and then manually add them to the appropriate group. To be able to use the Remote Desktop for Administration for the purpose of configuring applications and disk defragmentation, you need to make Tess part of the Administrator's group.

Incorrect answers:
B: Being part of the Power Users group will not grant Tess the ability to manage servers remotely.
C: authorized to connect using Remote Desktop for Administration. This is accomplished by adding a user's account to the Remote Desktop Users group.
Though, this is just connecting to the remote desktop not to manage servers.
D: Delegating control of the Domain Controllers organizational unit to Tess King will not grant her the ability to fulfill her task.
E: administrator's rights to manage the server.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 440-441
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter

Part 5: Troubleshoot print queues. (7 Questions)

QUESTION NO: 1
You are a network administrator for TestKing.com. A Windows Server 2003 computer named Testking1 functions as a print server on the network. Testking1 contains a single printer named SalesPrinter12. Several users submit large print jobs to SalesPrinter12. A user reports that the print jobs fail to complete. You examine the print queue on SalesPrinter12, and you discover that one of the print jobs is showing an error. You attempt to delete the job, but you are unsuccessful. You need to ensure that print jobs submitted to SalesPrinter12 complete successfully. What should you do?
A. Configure SalesPrinter12 to use a TCP/IP port.
B. Increase the priority of SalesPrinter12.
C. Delete all files from the C:\Windows\System32\Spool folder.
D. Restart the spooler service on Testking1.
Answer: D

Explanation: The Print Spooler service loads files to memory for printing. Sometimes we need to stop and restart the service to delete the queues. We can do this by using the net stop spooler command to stop the service. We can delete the print objects from the queue in C:\WINDOWS\System32\spool\PRINTERS, and then start the service with the net start spooler command. After deleting the queues the users will need to resubmit their print jobs.

All printing is managed by the spooler service. If this service is not running, users cannot print. The spooler has a number of configuration options. To change these, open the Printers and Faxes folder and select Server Properties from the File pull-down menu. This opens the Print Server Properties dialog box containing four tabs: Forms, Ports, Drivers, and Advanced, which are used as follows:
1. Use the Forms tab to define custom paper sizes.
2. Use the Ports tab to define new ports (especially TCP/IP ports) and to configure properties of existing ports.
3. Use the Drivers tab to add new drivers or configure existing drivers.
4. Use the Advanced tab to modify the behavior of the spooler service. In particular, note the Spool Folder under the Advanced tab. This location is where print jobs are stored until they are printed.
Thus restarting the spooler service will reset it.

Incorrect answers:
A: If the printer is connected directly to the network, you need to use a TCP/IP port and specify the IP address of the printer. Usually, if you connect a printer to a USB port, Windows uses Plug and Play to automatically install the printer for you.
B: You can use priorities to control the order in which print jobs are processed. Normally, jobs are printed in the order in which they are received. The priority of a print job will be increased to make it print next despite its position in the queue. But this has no bearing on the situation in the question because the jobs do print, but not completely.
C: Deleting all files from the spooler will result in no jobs being printed.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 602, 607, 610.
QUESTION NO: 2
Your company network consists of a single Active Directory domain named testking.com. The network has a print server running Windows 2003 Server. A single printer is installed on the print server. Technicians in the IT Support department have the necessary permissions to manage printers on the print server. You are a member of the Domain Admins group. A user in the Accounts department reports that his documents are not printing. A technician named John examines the print queue and finds a list of documents waiting to be printed. John tries to delete the documents from the queue but is unsuccessful. You need to enable users to successfully print. What should you do?
A. Install a new print device. Reconfigure the printer to send print jobs to the new print device.
B. Stop and restart the Print Spooler service on the print server. Instruct users to resubmit their print jobs.
C. Install a second instance of the printer. Configure the print queue to hold mismatched documents. Redirect the original printer to the new printer.
D. Install a second instance of the printer. Delete the original printer. Instruct users to resubmit their print jobs.

Answer: B

Explanation: The Print Spooler service loads files to memory for printing. Sometimes we need to stop and restart the service to delete the queues. We can do this by using the net stop spooler command to stop the service. We can delete the printer objects from the queue in C:\WINDOWS\System32\spool\PRINTERS, and then start the service with the net start spooler command. After deleting the queues the users will need to resubmit their print jobs.

Incorrect Answers:
A: It is likely that the print jobs in the print queue have become corrupted. They should be deleted. Redirecting them to a new printer will not work.
C: This will not work.
The jobs have already been submitted.
D: The users need to resubmit their documents for printing, not John.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 3
You are the network administrator for Testking.com. The network includes three

office locations. Each office has one Windows Server 2003 computer that functions as a file and print server. This server hosts home folders for network users. In each office, a single printer is installed on the file and print server. The local help desk technicians have the necessary permissions to manage printers. A user named King notifies the local help desk that his documents are not printing. A help desk technician finds a list of documents waiting in the print queue. No user can successfully print. The technician cannot delete documents from the queue. You need to restore printing capabilities. What should you do?
A. Install a second instance of the printer. Redirect the original printer to the new printer.
B. Stop and restart the Print Spooler service. Ask users to resubmit the documents for printing.
C. Pause the printer. Reconfigure the print queue to hold mismatched documents. Unpause the printer.
D. Install a second instance of the printer. Delete the original printer. Direct King to resubmit the documents for printing.

Answer: B

Explanation: The Print Spooler service loads files to memory for printing. Sometimes we need to stop and restart the service to delete the queues. We can do this by using the net stop spooler command to stop the service. We can delete the printer objects from the queue in C:\WINDOWS\System32\spool\PRINTERS, and then start the service with the net start spooler command. After deleting the queues the users will need to resubmit their print jobs.

Incorrect Answers:
A: It is likely that the print jobs in the print queue have become corrupted. They should be deleted. Redirecting them to a new printer will not work.
C: This will not work. The jobs have already been submitted.
D: The users need to resubmit their documents for printing, not King.

Reference: Deborah Littlejohn Shinder, Dr.
Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 111

QUESTION NO: 4
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A server named PrintTK1 contains a print queue that is shared for use by all users in your office. Marie is the office manager. She reports that users frequently submit large print jobs just before they leave for lunch. These print jobs require long printing times. They often prevent users from printing other important documents. You need to enable Marie to delete print jobs that are submitted to the printer by anyone in the office. What should you do?
A. Configure the printer permission to assign the Allow - Manage Printers permission to Marie.
B. Configure the printer permission to assign the Allow - Manage Documents permission to Marie.
C. On Marie's client computer, create a new print queue that prints to the same print device. Configure the permission on the print queue to assign the Allow - Manage Printers permission to Marie.
D. On Marie's client computer, create a new print queue that prints to the same print device. Configure the permission on the print queue to assign the Allow - Manage Documents permission to Marie.

Answer: B

Explanation: Windows Server 2003 provides three levels of printer permissions: Print, Manage Printers, and Manage Documents. Print permission is assigned to the Everyone group. Choosing this permission allows all users to send documents to the printer. To restrict printer usage, remove this permission and assign Allow Print

permission to other groups or individual users. Alternatively, you can deny Print permission to groups or users. As with file system ACLs, denied permissions override allowed permissions. The Manage Documents permission provides the ability to cancel, pause, resume, or restart a print job. When multiple permissions are granted to a group of users, the least restrictive permission applies. However, when a Deny permission is applied, it takes precedence over any permission. Thus you need to grant Marie the Allow-Manage Documents permission because it will enable her to complete her tasks.

Incorrect answers:
A: The Allow Manage Printers permission will enable Marie to modify printer settings and configuration, including the ACL itself. It will not enable her to complete her tasks. Not even when configured on the printer permission.
C: The Allow Manage Printers permission will enable Marie to modify printer settings and configuration, including the ACL itself. It will not enable her to complete her tasks.
D: The Allow - Manage Documents permission will enable Marie to complete her tasks, but not when applied to the print queue. It should be configured on the printer permission.

Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 8: 17, 319

QUESTION NO: 5
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A server named PrintTK1 has a print device directly connected to the parallel port. The print device is shared for use by all users. Peter is the IT manager. Peter reports that his documents are often printed after documents submitted by other users. You need to ensure that Peter's documents take precedence over documents submitted for printing by other users. However, if a document is already printing, the printing must not be interrupted. What should you do?
A. Configure the printer permissions to assign the Allow - Take Ownership permission to Peter. Restart the Print Spooler service on PrintTK1.
B. Make Peter's user account the owner of the printer. Restart the Print Spooler service on PrintTK1.
C. Create a new printer on PrintTK1 and configure it to print to the print device. In the Advanced tab of the new printer properties, select the Print directly to the printer option. Configure Peter's computer to print to the new printer.
D. Create a new printer PrintTK1 and configure it to print to the print device. Modify the priority of the new printer. Configure Peter's computer to print to the new printer.

Answer: D

Explanation: You may want to configure printer priorities for two printers that print to the same print device. This configuration guarantees that the printer with the highest priority prints to the print device before the printer with the lower priority. This is a good strategy if the printer with the lower priority is only available to print during non-business hours and has many documents waiting to print. If you must print to the print device, you can select the printer with the higher print priority, and your print job will move to the top of the print queue.
To set priorities between printers, perform the following tasks:
• Point two or more printers to the same print device (the same port). The port can be either a physical port on the print server or a port that points to a network-interface print device.
• Set a different priority for each printer that is connected to the print device, and then have different groups of users print to different printers. You can also have users send high-priority documents to the printer with higher priority and low-priority documents to the printer with lower priority.

If Peter's computer is configured to print to the print server, Print1, after it has been recreated, then you can set the priority of the printer to suit the situation.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 607

QUESTION NO: 6
Exhibit
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A server named TestKing1 functions as a print server on the network. A high-speed color print device is attached to TestKing1. You configure a printer named ColorPrinter on TestKing1. Several other printers are also configured on TestKing1. The configuration of ColorPrinter is shown in the exhibit. Users in the marketing department report that when they print large files that contain multiple graphics, the documents print very slowly, pausing for several seconds between each page. You need to minimize the impact that large print jobs have on the performance of the printer. You need to achieve this goal by using the least administrative effort. What should you do?

A. Create a printer pool that includes an additional printer of the same type as ColorPrinter.
B. Add a second printer to TestKing1 that prints to the same print device as ColorPrinter. Instruct marketing users to submit large print jobs to one device and smaller print jobs to the other.
C. Configure ColorPrinter to start printing after the last page is spooled.
D. Increase the priority of ColorPrinter so that it is higher than all other printers.

Answer: C

Explanation: When you configure spooling options, you specify whether print jobs are spooled or sent directly to the printer. Spooling means that print jobs are saved to disk in a queue before they are sent to the printer. Consider spooling as the traffic controller of printing: it keeps all of the print jobs from trying to print at the same time.
In the Advanced tab, you can leave the Start Printing Immediately option selected, or you can choose the Start Printing After Last Page Is Spooled option. If you choose the latter option, a smaller print job that finishes spooling first will print before your print job, even if your job started spooling before it did. This option should minimize the impact large print jobs have on the performance of the printer.

Incorrect answers:
A: This option will not have the desired effect.
B: This option suggests more administrative effort than is necessary.
D: Increasing the priority of ColorPrinter so that it is higher than all other printers will have the opposite of the desired effect.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 354-355

QUESTION NO: 7
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named Print1 that functions as a print server. Print1 contains a printer named MarketingPrinter. Users report that print jobs they submit to the MarketingPrinter take a long time to print. You immediately examine Print1 and conclude that the server is performing at acceptable levels. You need to identify the problem. What should your next step be?

A. Use Task Manager to monitor processor and memory performance.
B. Use Windows Explorer to monitor the size of the Windows\System32\Spool\prtprocs folder.
C. Use System Monitor to view the Print Queue\Jobs counter.
D. Use System Monitor to view the Print Queue\Enumerate Network Printer Calls counter.

Answer: C

Explanation: The Print Queue\Jobs counter specifies the current number of print jobs that are pending in the print queue.
Incorrect answers:
A: Task Manager is a Windows Server 2003 utility that can be used to start, end, or prioritize applications. The Task Manager shows the applications and processes that are currently running on the computer, as well as CPU and memory usage information. You can also view network utilization and manage network users. However, this is not the information needed in this case.
B: Monitoring the size of that particular folder will not yield the relevant information.
D: The Enumerate Network Printer Calls counter specifies how many browser requests have been made to the print server from network browse lists. The number is cumulative from when the server was last started. This is not the counter to be using in these circumstances.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 375-376

Part 6: Monitor system performance. (11 Questions)

QUESTION NO: 1
SIMULATION
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. Your FTP Server is named TestKing3. Files uploaded to TestKing3 are stored on D:\. Business rules require you to set an alert that will inform you when D:\ reaches 80 percent of capacity. You open the Performance console and create a new alert. Now you need to add a performance counter to the alert. Which performance counter should you add? (Configure the fitting option or options in the dialog box)

Answer:

Explanation: This counter tracks how much free space is available on the hard drive. It is a way to track disk space usage proactively so users do not experience "out of disk space" errors.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 461

QUESTION NO: 2
You are a domain administrator for TestKing. The network contains three Windows 2003 Server domain controllers and one Windows 2003 Server member server. The member server contains three hard disks, which use software RAID-5. The member server also contains an ISA card that has 12 modems attached for Routing and Remote Access dial-up access. Usage of the member server's disk subsystem is occasionally as much as 80 percent. This level of usage results in slow response times for dial-in users. You run System Monitor on the member server. The System Monitor results are shown in the following table.

Object          Counter                   Average value
System          Processor Queue Length    1
Processor       %Processor Time           56
Processor       Interrupts/sec            320
PhysicalDisk    Disk Queue Length         1
PhysicalDisk    Disk Bytes/sec            1900 KB
PhysicalDisk    %Disk Time                7
Memory          Page Faults/sec           10
Memory          Page Reads/sec            9
Memory          Pages/sec                 50

You want to maximize the performance of the member server. What should you do?

A. Increase the number of hard disks in the RAID-5 system.
B. Upgrade the RAM.
C. Upgrade the processor.
D. Upgrade the ISA card to PCI.

Answer: B

Explanation: The Memory: Pages/sec counter is too high. A value of no more than 20 is recommended. This counter shows that the paging file is being used too much. We can fix this by upgrading the RAM. The question states that the usage of the member server's disk subsystem is occasionally as much as 80 percent. This is due to the excessive paging file usage.

Incorrect Answers:
A: Increasing the number of hard disks won't reduce the page file usage.
C: The Processor counters are within acceptable limits.
D: The ISA card would not cause excessive disk usage.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 540

QUESTION NO: 3
You are one of the network administrators for TestKing. All network servers run Windows Server 2003. TestKing operates a total of four offices. The office where you work has 15 servers. You are responsible for supporting and maintaining all of these servers. You need to design a monitoring plan that will achieve the following goals:
1. Track all performance changes on the servers.
2. Record performance data to anticipate the need for future upgrades.
What should you do?

A. On each server in your office, use Performance Logs and Alerts to create a baseline log. Configure the log to collect data every five minutes for one day. Use the same counters for each server to create a log file. Schedule the log to run weekly.
B. From a monitoring computer, use Performance Logs and Alerts to create a baseline log for each server in your office. Configure the log to collect data every five minutes for one day. Use the same counters for each server to create a log file. Schedule the log to run weekly.
C. On each server in your office, use Performance Logs and Alerts to create threshold-based alerts. Configure the alerts to send a message to your monitoring computer when they are triggered. Set each alert to start a new scan when the alert finishes.
D. From a monitoring computer use Performance Logs and Alerts to create a new counter set in System Monitor. Configure the counters to run continuously.

Answer: B

Explanation: Performance Logs and Alerts provide logging and alert capabilities for both local and remote computers. You use logging for detailed analysis and recordkeeping. Retaining and analyzing log data that is collected over time can be helpful for capacity and upgrade planning. To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority. If the computer is connected to a domain, members of the Domain Admins group might be able to perform this procedure.

Performance Monitor Users - Members of this group can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.

Performance Log Users - Members of this group can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group.

The Performance Logs And Alerts snap-in can do no configuration, only reporting data through Counter Logs as reported by providers (object counters) on a configured interval, or through Trace Logs as reported by event-driven providers. The Performance Logs And Alerts snap-in is designed to write data to a file (log) and report counter values that breach a threshold (alert). Logs written by Performance Logs And Alerts can be loaded into System Monitor for analysis, and exported to various file types (such as CSV and HTML) for reporting purposes.
Incorrect answers:
A: You need to create the baseline log for each server from a monitoring computer because members of the Performance Monitor users group can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.
C: Creating threshold-based alerts will not be sufficient for the purposes of tracking all performance changes. Also starting a new scan after each alert will not work efficiently.
D: Creating a new counter set in the System Monitor will not provide you with the necessary data. You need to create a baseline log.

Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 12: 11-33.

QUESTION NO: 4
You are the network administrator for TestKing.com. Your network contains a single Active Directory domain named testking.com. All network servers run Windows Server 2003. One of your application servers runs proprietary software. This server stops responding. After help desk technicians restart the server, it appears to run normally. Two weeks later, the same server stops responding again. You need to gather and store data to diagnose the problem. What should you do?

A. Open Event Viewer and review the security logs on the server.
B. Create a System Monitor log that uses memory counters and gather data over time.
C. Open Task Manager and gather memory usage statistics.
D. Modify Boot.ini to use /maxmem:1536.

Answer: B

Explanation: The System Monitor is the primary tool for monitoring system restart performed normally. After two weeks the same server stops responding again. Thus a memory counter that gathers data over time will help in troubleshooting the problem.

Incorrect answers:
A: Event viewer is more appropriate to use when doing security auditing. It is used to view information, warnings, and error events raised by various components of the system, including device drivers and the device management services. As you navigate Event Viewer, you might see events that are generated by various devices.
C: Task Manager is a utility program that displays the current application programs and processes that are running on the computer. It also monitors the system's recent processor usage, recent memory usage, current network utilization, and currently logged-on users. Though, this is only useful for shorter period monitoring as it monitors recent processor and memory usage.
D: This option is more suited to check the startup environment rather than gathering and storing data as is needed in this scenario.

Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 219, 725-735.

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Your network includes domain controllers, file and print servers, and application servers. The application servers run a variety of programs, including Microsoft SQL Server 2000 and Microsoft Exchange Server 2003. Your staff are responsible for monitoring current system performance on all servers. You need to enable your staff to use System Monitor to gather performance data for each unique server type. The data will be used for trend analysis and forecasting. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. For each server, add the most common performance counters and save them as an HTML file.
B. For each server, add the most common performance counters and save them as a counter report file.
C. Create trace logs based on the file and schedule the trace logs to gather data.
D. Create alerts on the file and schedule the alerts to gather data.
E. Create counter logs based on the file and schedule the counter logs to gather data.

Answer: A, E

Explanation: With System Monitor, you can measure the performance of your own computer or other computers on a network. Performance Counters are data items that direct System Monitor about which areas of performance to track and display. Each performance object has several performance counters associated with it. E.g. Pages/sec, Available Bytes, and %Committed Bytes in Use are all examples of counters for the Memory performance object.

Incorrect answers:
B: Adding the most common performance counters into a counter report file will not suffice as you need to take into account that there are several different types of servers in the network.
C: The trace logs enable you to trace applications and processes. You need to gather performance data.
D: Creating alerts on the file is not the same as the counter logs which is actually what is necessary.

Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 227, 726, 729, 733-735.
QUESTION NO: 6
Exhibit
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You manage a file server named TestKing1. You need to create a performance baseline for TestKing1 by using Performance Logs and Alerts. You need to store the performance data in an existing Microsoft SQL Server database on another computer. You create a new counter log, and select SQL Database as the log file format. When you attempt to save your changes, you receive an error message that you must select a data source name. You examine the configuration of the SQL logs, as shown in the exhibit. You need to configure the counter log to use a SQL database. What should you do?

A. Use the relog command-line utility to configure a connection to your SQL database.
B. Use Add or Remove programs to install Connection Point Services. Configure a connection to your SQL database.
C. Use the logman command-line utility with the create switch to configure a connection to your SQL database.
D. Use Data Sources (ODBC) to configure a connection to your SQL database.

Answer: D

Explanation: Your problem will be best addressed by making use of Data Sources to configure a connection to the SQL database in order to create a new counter log that makes use of the SQL database as its file format. Only then will you not encounter the error message stating that you must select a data source name when you want to save your changes.

Incorrect answers:
A: Making use of the relog command will not ensure that the log file format will be in a SQL database form.
B: This option will not work.
C: Creating a switch to the SQL database by means of the logman command-line utility does not ensure that your counter log will make use of a SQL database.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 731

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A server named TestKing2 functions as an application server. Users in the TestKing marketing department use an application on TestKing2 to analyze data. The application produces a high volume of disk activity. You give access to 15 new users for the application on TestKing2. Users in the TestKing marketing department report unacceptable delays when they use the application during periods of peak activity. You use System Monitor to analyze the performance of TestKing2. You need to ensure that TestKing2 can support the new users. Which counter should you monitor?

A. The % Disk Time counter for the PhysicalDisk performance object
B. The Current Disk Queue Length counter for the PhysicalDisk performance object
C. The Free Megabytes counter for the LogicalDisk performance object
D. The Disk Transfers/sec counter for the LogicalDisk performance object

Answer: A

Explanation: PhysicalDisk: % Disk Time and % Idle Time - These two counters indicate the percentage of time the disk was used and the percentage of time the disk has been idle. If the disk usage time is high, you should consider moving some applications to other servers.

Incorrect answers:
B: This indicates the length of the queue involved in writing or reading from the disk in number of requests that are waiting when the counter is measured, including requests in service. This is not what you want if you want to ensure that TestKing2 has the capacity to support the new users.
C: This gives you the throughput of the disk activity. You need to monitor % Disk Time counter for the PhysicalDisk performance object.
D: This counter describes how long the disk is taking to fulfill the requests. The more time it spends on fulfilling the requests, the slower the disk controller is. Though this has nothing to do with wanting to ensure that TestKing2 can support the new users or not.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 748

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server named TK1 contains a large number of files that are frequently accessed by network users. Users report unacceptable response times on TK1. You compare the current performance of TK1 to a system performance baseline that you created several weeks ago. You decide that TK1 needs a higher-performance network adapter. After you add the appropriate network adapter, users report satisfactory performance. You need to gather new server performance data so you can establish a new performance baseline for TK1. You open the Performance console. What should you do next?

A. Add all counters for the Network Interface object to the System Monitor object.
B. Create a new trace log object. Under Events logged by system provider in the new object, select the Network TCP/IP setting. Start the trace log.
C. Create a new counter log object. Add all counters for the Network Interface object to the new object. Start the counter.
D. Create a new alert object. Add all counters for the Network Interface object to the new object. Start the alert.

Answer: C

Explanation: Creating and maintaining a performance baseline is a good practice. Monitoring devices on a regular basis is important to maintaining a healthy system. Consider capturing a baseline of key performance metrics on your system during an "average" timeframe using the Performance Logs feature of the Performance console. When it comes to troubleshooting issues or doing capacity planning, this data will go a long way toward helping you make informed decisions.

The Performance Monitor application contains the System Monitor ActiveX control, counter logs, trace logs, and alerts.

Incorrect answers:
A: System Monitor can be used to view real-time metric data in a graphical fashion, or logged data resulting from Performance Logs and Alerts.
B: The trace logs enable you to trace applications and processes and you want to establish a new performance baseline.
D: You need to start the counter not the alert. A Counter log object is what is needed to establish a performance baseline.

Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 230, 735, 785

QUESTION NO: 9
You are the network administrator for TestKing.com. A Windows Server 2003 computer named TestKing6 functions as a file server. Drive C on TestKing6 is running low on free disk space. You need to ensure that an event is written to the application log on Drive C when 10 percent of the available free space on the server remains. What should you do?

A. Open Event Viewer and expand the application log. Select New Log View.
B. Open Computer Management and expand Storage. Right-click Disk Management, and then select Rescan Disks.
C. Open Performance and expand Performance Logs and Alerts. Right-click Counter Logs, and then select New Log Settings.
D. Open Performance and expand Performance Logs and Alerts. Right-click Alerts, and then select New Alert Settings.

Answer: D

Explanation: The Performance Logs And Alerts utility is used to create reports, which can then be viewed with the System Monitor utility. The New Alert Settings is used to create an alert.

Incorrect answers:
A: This is not the solution.
B: Scanning the disks will not influence where the event is written to.
C: This setting is used to create a new baseline report. This is not what is required in this question.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 463

QUESTION NO: 10
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A server named TestKing4 hosts all shared documents for the legal and human resources departments. TestKing4 is frequently accessed and updated throughout the business day. Users report extremely slow response times when they try to open the shared documents. You log on to TestKing4 and observe real-time data indicating that the processor is operating at 100 percent of capacity. Now you need to gather additional data to diagnose the cause of the problem. What should you do?

A. In System Monitor, create an alert that will be triggered when processor usage exceeds 80 percent for more than five minutes.
B. In Event Viewer, open and review the application log for the System Monitor events.
C. In Task Manager, review the Processes tab to see the percentage of processor capacity used by each application.
D. In the Performance console, create a counter log to track processor usage.

Answer: C

Explanation: Task Manager is a Windows Server 2003 utility that can be used to start, end, or prioritize applications. The Task Manager shows the applications and processes that are currently running on the computer, as well as CPU and memory usage information. You can also view network utilization and manage network users. All this can be viewed in real time. The Processes tab of Task Manager can be used to manage process priorities. To change the priority of a process that is already running, right-click the process you want to manage and select Set Priority. You can select from Realtime, High, AboveNormal, Normal, BelowNormal, and Low priorities.

Incorrect answers:
A: System Monitor is a Windows Server 2003 utility used to monitor real-time system activity or view data from a log file. An alert is a system-monitoring feature that is generated when a specific counter exceeds or falls below a specified value. Through the Performance Logs and Alerts utility, administrators can configure alerts so that a message is sent, a program is run, or a more detailed log file is generated. This is not necessary.
B: Application log is a log that tracks events that are related to applications running on the computer. The Application log can be viewed in the Event Viewer utility. However, this is not what is needed.
D: Counter logs record data about hardware usage and the activity of system services. This is not the solution.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 446, 483

QUESTION NO: 11
Exhibit:
You are the network administrator for TestKing. All network servers run Windows Server 2003. System Monitor logs are created weekly for each server. TestKing2, one of your servers, runs Microsoft SQL Server 2000 and hosts several databases. TestKing2 is frequently updated throughout the day. Users report extremely slow response times when they try to access the databases. Using the System Monitor logs, you create the chart shown in the exhibit. What is the cause of the slow response times?

A. insufficient memory
B. insufficient processor speed
C. excess network traffic
D. insufficient disk subsystem

Answer: D

Explanation: The main subsystems that should be monitored on a Windows Server 2003 computer are memory, processor, processes, disk subsystem, and the network subsystem. Disk access is the amount of time it takes your disk subsystem to retrieve data that is requested by the operating system. The two factors that determine how quickly your disk subsystem will respond to system requests are the average disk access time on your hard drive and the speed of your disk controller. On writes, the OS writes only to the controller. Therefore, high-speed writes mandate a very fast controller. On reads, the data is accessed from the disk to the controller. Therefore, on reads the disk access speed is critical. Using high-speed disk controllers and drives in a stripe set, you can attain a disk access time of approximately 5.1 to 6.4 milliseconds.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 459-460

Part 7: Monitor file and print servers. Tools might include Task Manager, Event Viewer, and System Monitor.

A: Monitor disk quotas. (1 Question)

QUESTION NO: 1
SIMULATION
You are the network administrator for TestKing.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. Your FTP server is named TestKing3. Files uploaded to TestKing3 are stored on D:\. Business rules require you to set an alert that will inform you when D:\ reaches 80 percent of capacity. You open the Performance console and create a new alert. Now you need to add a performance counter to the alert. Which performance counter should you add? To answer, configure the appropriate option or options in the dialog box.

Answer:

Explanation: Server3, the FTP server is stored on drive D, thus you have to check D: by running the performance counter on D. The specific counter in this scenario would be the amount of free space available.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 229-230

B: Monitor print queues. (1 Question)

QUESTION NO: 1
You are the network administrator for Testking.com. The network is distributed across five countries in Europe, namely Spain, Italy, Hungary, Austria, and Germany. All network servers run Windows Server 2003. Each location has three print servers. You need to monitor usage of print queues on all print servers on the network. You plan to enable monitoring for each print server in the same way. Monitoring data must be stored in a central location and archived for five years to enable data comparison. What should you do?
A. Create a counter log and specify SQL Database as the log file type.
B. Create a trace log and specify Circular Trace File as the log file type.
C. Create a counter log and specify Binary Circular File as the log file type.
D. Create a trace log and specify Sequential Trace File as the log file type.
Answer: A

Explanation: Logging to a relational database instead of a standard text file has the advantage that relationships between data tables enable the flexible creation of dynamic data views by using queries and reports. Counter logs record data about hardware usage, of which the print queue is an example, as well as the activity of system services. We should therefore create a counter log to monitor print queue usage. Furthermore, we want to store the data generated by the counter log in a central location. Counter logs can be created in a number of file types. These are: comma-delimited (.csv) text files, tab-delimited (.tsv) text files, binary-format (.blg) log files, circular, binary-format (.blg) log files, to a SQL database. Of these only the stored on the local computer. We should thus use SQL database as the file type.

Incorrect Options:
B: Trace logs track applications and processes. The print queue usage is not applications and processes and thus cannot be tracked using a trace log. Counter logs on the other hand record data about hardware usage, of which the print queue is an example. We should therefore create a counter log rather than a trace log to monitor print queue usage. Furthermore, a circular trace log file records data continuously to the same log file, overwriting previous records with new data when the file reaches its maximum size. This thus does not allow us to archive the data for 5 years. In addition, a circular trace log file can only be written to the local computer. We must store the data in a central location. We therefore cannot use a circular trace log file.
C: The counter logs record data about hardware usage, of which the print queue is an example, as well as the activity of system services. We should therefore create a counter log to monitor print queue usage.
However, a circular, binary-format trace log file also records data continuously to the same log file, overwriting previous records with new data when the file reaches its maximum size. This thus does not allow us to archive the data for 5 years. Furthermore, a circular, binary-format trace log file can only be written to the local computer. We must store the data in a central location. We therefore cannot use a circular, binary-format trace log file.
D: Trace logs track applications and processes. The print queue usage is not applications and processes and thus cannot be tracked using a trace log. Counter logs on the other hand record data about hardware usage, of which the print queue is an example. We should therefore create a counter log rather than a trace log to monitor print queue usage. Furthermore, a sequential trace log file collects data until it reaches its maximum size and then closes and starts a new file. However, a sequential trace log file can only be written to the local computer. We must store the data in a central location. We therefore cannot use a sequential trace log file.

References:

Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp 733-6.
Lisa Donald with Suzan Sage London and James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, pp 374-9, 446-51

C: Monitor server hardware for bottlenecks. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing, which operates five branch offices. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. The network includes a member server that runs Microsoft SQL Server and hosts an inventory database. The database is continually updated during business hours by users from all branch offices. Users report extremely slow response times when they query the database. You investigate the problem and use System Monitor to create the chart shown in the exhibit.
You need to bring response times within acceptable limits. What should you do?
A. Add additional RAM.
B. Add a second processor.
C. Add an additional network adapter.
D. Upgrade the disk subsystem.

Answer: A

Explanation: The output as illustrated by the System Monitor shows that there is too little memory available. By adding RAM you can bring the response time within acceptable limits. Excessive swapping as well as updating of data degrades the performance of the computer insofar as response time is concerned. This can be addressed either by reducing the demands on the computer or increasing the amount of physical RAM. In this case it is a matter of additional RAM that is needed.

Incorrect answers:
B: Adding a second processor will not necessarily speed up querying performance. It will probably only increase the cache.
C: Due to the database being updated continually you will not solve the problem by adding in an additional network adapter.
D: Upgrading the disk subsystem will not address the problem of slow response times when querying the database because the database is not stagnant. It is updated continually.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 68

QUESTION NO: 2
You are the network administrator for your company. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Terminal Server is installed on a member server named Server1, which is located in an organization unit (OU) named Servers. Users of Server1 report unacceptable response times. To investigate, you start Task Manager on Server1. You discover that the average CPU usage is 80 percent. However, when you select the Processes tab, none of the processes show significant CPU usage. You need to identify the process that is responsible for the CPU usage. What should you do?
A. In Task Manager, select the Show processes from all users option.
B. From a command prompt, run the query process command.
C. Open the Terminal Services Manager. Select Server1 from the list of servers, and then select the Processes tab.
D. Edit the Group policy object (GPO) for the Servers OU by adding your user account to the Profile a single process policy. Then use Task Manager to re-examine Server1.

Answer: A

Explanation: You know something eats up most of your CPU, but you are unable to see it through Task Manager. By default, Windows Task Manager only displays tasks which are owned by you. Since the system is running Terminal services, that means the system is used by more than one user. You need to view Processes from all users.

Incorrect Answer:
B: Running the query process is wrong, because "query process" command only displays something like: process, ID, PID, image.
C: Opening the Terminal Services Manager. Selecting Server1 from the list of servers, and then selecting the Processes tab will not suffice, because it only displays: user, session, ID, PID, image.
D: Editing the Group policy object (GPO) for the Servers OU by adding your user account to the Profile a single process policy. Then using Task Manager to re-examine Server1 would be obsolete.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 576-580

QUESTION NO: 3
You are the network administrator for TestKing. All network servers run Windows Server 2003. A server named TestKingSrv hosts applications for network users. TestKingSrv contains a motherboard that can support two CPUs. One CPU is currently installed. TestKingSrv has 512 MB of RAM and a single 36-GB integrated device electronics (IDE) hard disk. It has a 10 MB Ethernet card connected to a 10/100 Mb switch. After TestKingSrv is in use for five months, network users report unacceptable response times on their applications. You open System Monitor on TestKingSrv and see the information shown in the following table.

Counter                                 Minimum   Maximum   Average
Memory - Pages/sec                      0.00      31.97     1.22
Logical Disk - Avg. Disk Queue Length   .69       20.61     9.73
Processor - % Processor Time            3.00      100.00    5.15
Network Interface - Bytes/sec           189.72    2927.84   379.46

You need to improve the performance of Server 1. What should you do?
A. Add an additional CPU.
B. Add an additional 512 MB of RAM.
C. Replace the existing hard disk with a faster one.
D. Replace the 10-Mb Ethernet card with a 100-Mb Ethernet card.

Answer: C

Explanation: The average disk queue length should not exceed two. According to the table all the other counters are within an acceptable range.

Incorrect answers:
A: According to the System Monitor table the CPU figures do not indicate a problem.
B: Additional RAM will not enhance the performance time for the users who connect to TestKingSrv. It will at best improve only the performance of the server itself and not that of the client computers.
D: Most Ethernet-based networks run at 100Mbps or below.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 745

Part 8: Monitor and optimize a server environment for application performance.

A: Monitor memory performance objects. (1 Question)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. TestKing.com purchases a host-connectivity gateway application developed by an independent software vendor. You need to install the application on a Windows Server 2003 computer named TestKing2. A support technician named Marie is assigned to install the application. Marie's user account is not a member of the Administrator's group on TestKing2. The installation fails and displays an error message stating the user account used for installing the application needs to be a member of the local Administrators group. Your user account is a member of the Domain Admins group. You want to enable Marie to install applications, but you do not want her to be able to make other changes on TestKing2. What should you do?
A. Log on locally on TestKing2 as the local administrator. On TestKing2, in Control Panel, start Add or Remove Programs. Instruct Marie to install the application.
B. Use the Run as option to start the Add or Remove Programs Control Panel item on TestKing2. Provide the credentials of the local Administrator account. Instruct Marie to install the application.
C. Make Marie's user account a member of the local Administrators group on TestKing2. Instruct her to log on locally by using her user account and to install the application.
D. Instruct Marie to log on locally and to send a Remote Assistance request to you. Accept the request, and take remote control of the session. On TestKing2, in Control Panel, start Add or Remove Programs. Instruct Marie to install the application.
Answer: B

Explanation: The Run As option allows you to use a secondary logon process to log on to a computer using administrative credentials in order to perform a specific task. For security purposes, it is recommended that you use the Run As option when performing administrative tasks as opposed to logging into a computer or domain with an administrative account. You can use the Run As option through most Windows programs, some Control Panel items, and the Microsoft Management Console (MMC). You can also use the Run As option with command-line utilities. The Domain Admins group has complete administrative rights over the domain. By default, the Administrator user account is a member of this group. Since Marie is not a member of the Administrator's group on TestKing2, you should follow option B to enable Marie to install the application from her user account.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 165

B: Monitor network performance objects. (3 Questions)

QUESTION NO: 1
You are a network administrator for TestKing.com. All servers run Windows Server 2003. A server named Testking6 runs an application named App1. Testking6 has one network adapter installed. App1 uses a large amount of network bandwidth per client connection. You suspect the network connection on Testking6 is running out of available network capacity. You need to view how much total network bandwidth is being used on Testking6. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Use System Monitor to configure the Network Interface object.
B. Run the netstat command.
C. In Task Manager, monitor the Networking tab.
D. Use Network Monitor to configure a capture filter for the local area connection.

Answer: A, C

Explanation: It is important to monitor the network usage of your servers so that you can detect network bottlenecks. You will be able to monitor network usage by using either the Performance console or Task Manager. The Networking tab displays network activity. This tab is displayed only if one or more network adapters are present. This tab provides information on the availability and the quality of network resources. A graph indicates the amount of associated traffic when you select each network resource.

1. You should be using the Network Monitor tool to manage large network traffic situations. (This is not installed by default in the Windows Server 2003 installation. You might need to install it via Add/Remove Programs in Control Panel in order to use it.)

Incorrect answers:
B: Making use of the netstat command will not yield the proper results for you with which to see how much bandwidth is being used on Testking6.
D: Configuring a capture filter for the local area connection through the Network Monitor will not suffice as you should be using Event Viewer instead.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 725, 746.

QUESTION NO: 2
You are the network administrator for your company. All network servers run Windows Server 2003. Business hours are 8 A.M. to 5 P.M. You provide network assistance during business hours only. A server named Server1 stores personal files for all network users. Mobile users access Server1 by using the company's VPN. They must have 24-hour access to the files on Server1. You need to be able to identify the source of the recurring slowdowns in VPN access. First, you log on to Server1. What should you do next?
A. Use Task Manager to review network utilization of the VPN adapter.
B. Use the Performance console to create a log of network utilization outside of business hours.
C. Use System Monitor to review network utilization of the VPN connection.
D. Use Task Manager to select Bytes Sent as the Network Adapter History setting.
Answer: C

Explanation: We are required to monitor the network utilization of the VPN connection over a period of time (at least 24 hours). This can be done by making use of System Monitor.

Incorrect Answers:
A: Task Manager doesn't log performance. It only displays a real time set of values, thus you cannot view network utilization of the VPN adapter.
B: We need to log network utilization throughout the whole day, not just out of business hours.
D: Task Manager only displays a real time set of values; it does not log performance.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 624-628

QUESTION NO: 3
You are the network administrator for Testking.com. The network consists of a single Active Directory domain TestKing.com. All network servers run Windows Server 2003. Terminal Services is installed on three servers running Windows 2000 Server. Remote users use the terminal servers to access the company intranet so they can read e-mail and submit time sheets. To make a connection, users choose a terminal server from a list. This process generates help desk requests. Over time, the remote user load increases. The existing terminal server cannot support the number of concurrent connections. You need to create a new terminal server to assist in handling the load. However, you must not add any new server names to the list of terminal servers. First, you upgrade all three servers to Windows Server 2003 with Terminal Server installed. What should you do next?
A. Create a Session Director terminal server farm.
B. Configure the Windows Cluster Services on each terminal server.
C. Install and configure Network Load Balancing.
D. Install and configure round robin DNS.
Answer: C

Explanation: Network Load Balancing (NLB) is a technology that allows for efficient utilization of multiple network cards.

A cluster is a set of computers joined together in such a way that they behave as a single system. Clustering is used for network load balancing as well as fault tolerance. In data storage, a cluster is the smallest amount of disk space that can be allocated for a file. Round Robin works by creating multiple host records in DNS for one machine. Each record points to a different IP address. As clients make requests, DNS rotates through its list of records.

In addition to the before mentioned, to configure a terminal server cluster, you need a load-balancing technology such as Network Load Balancing (NLB) or DNS round-robin. The load-balancing solution will distribute client connections to each of the terminal servers.

Now, keeping this in mind you will find that this is a rather tricky question: because Answer A is needed to run terminal services on multiple terminal servers in a Network Load Balancing Cluster. Terminal Server Session Director is a feature that allows users to easily and automatically reconnect to a disconnected session in a load balanced Terminal Server farm. The session director keeps a list of sessions indexed by user name and server name. This enables a user, after disconnecting a session, to reconnect to the correct terminal server where the disconnected session resides to resume working in that session. This reconnection will work even if the user connects from a different client computer. However, the question pertinently asks, "What should you do next?" The next step is to install and configure Network Load Balancing. NLB is a prerequisite for creating a Session Director terminal server farm.

Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 750, 757, 766
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 883

C: Monitor process performance objects. (3 Questions)

QUESTION NO: 1
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A server named TestKing1 runs an application named TestKingApp3. Users report that TestKingApp3 is performing slowly. You suspect that an unauthorized application is installed on TestKing1. You run the netstat command and examine the output, as shown in the exhibit.
You need to identify the unauthorized application by using the output from the netstat command. Which tool should you use to identify the application?
A. Performance console
B. System monitor
C. Network Monitor
D. Task manager

Answer: D

Explanation: Task Manager offers you a quick glimpse at the following items: Applications currently in use, Processes currently running, current processor usage, Current paging file usage, overall current memory usage, Current network utilization and currently logged-on users.

Incorrect answers:
A: Performance MMC snap-in is a utility for monitoring, tracking, and displaying a computer's performance statistics, both in real time and over an extended period for establishing a system baseline. This console includes the System Monitor node and the Performance Logs and Alerts node.
B: System Monitor is a node in the Performance MMC snap-in for monitoring and logging computer performance statistics using performance objects, counters, and instances.
C: You should be using the Network Monitor tool to manage large network traffic situations.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 2

You are a network administrator for TestKing.com. All servers run Windows Server 2003. A server named Testking1 functions as an application server. Testking1 runs several applications. Testking1 is located on TestKing's perimeter network. You allow communication to Testking1 only over port 80. Users report that applications on Testking1 perform poorly during periods of peak activity. You monitor Testking1. The results are shown in the exhibit.
You need to identify which process is causing Testking1 to perform poorly. Which two tools can you use to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Event Viewer
B. Task Manager
C. Network Monitor
D. System Monitor

Answer: B, D

Explanation: Administrators often must perform situational real-time monitoring to answer questions about server performance from users, management, other systems administrators, and systems engineers. Task Manager is valuable when you must quickly evaluate processor usage, page file usage, and network usage. Performance monitor provides you with additional counters that you can use to analyze problems as you view interrupts per second, queue lengths, pages per second, and so on. The Task Manager displays all the applications and processes on the Windows Server 2003 computer. It also displays some common performance measures. The Task Manager can be invoked in many ways. The System Monitor is the primary tool for monitoring system performance.

Incorrect answers:
A: Event Viewer is an MMC snap-in that displays the Windows Server 2003 event logs for system, application, security, directory services, DNS server, and File Replication Service log files.
C: System Monitor is a node in the Performance MMC snap-in for monitoring and logging computer performance statistics using performance objects, counters, and instances.

References: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 3
You are a network administrator for TestKing.com. The network contains a Windows Server 2003 computer named Testking4, which functions as a file server. Testking4 contains several applications. One application is named App1. Another application is named App2. Users report that App2 is performing poorly. You examine Testking4 and discover that App1 was started by using the start app1 /realtime command. You need to ensure that no other application was started by using the /realtime switch. What should you do?
A. Use Performance Monitor to create a trace log. Trace Process creations/deletions.
B. Use Performance Monitor to create a trace log. Trace Thread creations/deletions.
C. Use Task Manager to view processes. View the Base Priority column.
D. Use Task Manager to view performance. On the View menu, select Show Kernel Times.

Answer: C

Explanation: If we want to check this we must use Task Manager to view processes. View the Base Priority column. The Task Manager provides a snapshot of the applications and the processes running on the system. You can view the CPU activity and the memory utilization using graphs. You can also view, start, and stop applications using the Task Manager. Some other benefits include manipulating processes, monitoring network traffic, and monitoring user activity. The Task Manager enables you to manage the applications and the processes of the system.

You can monitor memory and CPU activity using graphs.

Incorrect answers:
A: You must view processes through the Task Manager by checking the Base Priority column. Creating a trace log to trace creations/deletion will not work in this scenario.
B: In this particular case you are required to view processes through the Task Manager by checking the Base Priority column. Creating a trace log to thread creations/deletion is not what is required.
D: You must view processes not performance.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 784 - 785.

D: Monitor disk performance objects. (1 Question)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server named TK1 contains a single SCSI hard disk. Users report that server performance is slow. You configure System Monitor to report performance values for TK1 at regular intervals. System Monitor reports the following values over six 30-second intervals.

Computer name                      Interval 1  Interval 2  Interval 3  Interval 4  Interval 5  Interval 6
PhysicalDisk, % Disk Read Time     528301
PhysicalDisk, % Disk Write Time    20          30          5           15          35          30

You need to improve disk performance. What should you do?
A. Replace the existing hard disk with a striped volume that uses disks with performance characteristics similar to those of the existing hard disk.
B. Replace the existing hard disk with a RAID-5 disk array that uses disks with performance characteristics similar to those of the existing hard disk.
C. Use Disk Management to clear the Compress drive to save disk space option on the dynamic volume.
D. Use Disk Management to disable write caching on the physical disk.

Answer: A

Explanation: A striped volume is where data is written to 2 to 32 physical disks at the same rate. It offers maximum performance and capacity but no fault tolerance. Striped volumes use RAID-0, which stripes data across multiple disks. Striped volumes cannot be extended or mirrored, and do not offer fault tolerance. If one of the disks containing a striped volume fails, the entire volume fails. When creating striped volumes, it is best to use disks that are the same size, model, and manufacturer. With a striped volume, data is divided into blocks and spread in a fixed order among all the disks in the array, similar to spanned volumes. Striping writes files across all disks so that data is added to all disks at the same rate. Despite their lack of fault tolerance, striped volumes offer the best performance of all the Windows disk management strategies and provide increased I/O performance by distributing I/O requests across disks. For example, striped volumes offer improved performance when:
1. Reading from or writing to large databases.
2. Collecting data from external sources at very high transfer rates.
3. Loading program images, dynamic-link libraries (DLLs), or run-time libraries.

Incorrect answers:
B: A RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate,

and is interlaced with parit to pro%ide fault tolerance for a single dis/ failure. Cood read utili0ation and write performance as parit must be calculated during write operations. ': .ompression is usuall implemented in cases where space needs to be conser%ed. The 6uestion does not mention or as/ for space to be used or sa%ed. D: .aching is process used to enhance performance b retaining pre%iousl 2accessed information in a location that pro%ides faster response than the original location. Aard dis/ caching is used b the (ile and 5rint $haring for Microsoft ,etwor/s ser%ice, which stores recentl accessed dis/ information in memor for faster retrie%al. Thus disabling caching on the ph sical dis/ will result in slower performance. De$erence: Dan Aolme and 'rin Thomas, M.$AHM.$3 $elf25aced Training @it *3Bam G"22="+9 Managing and Maintaining a Microsoft !indows $er%er 2""3 3n%ironment, pp. 2>1, 11.-= 5art =9 Manage a !eb ser%er. A9 Manage &nternet &nformation $er%ices *&&$+.*1F :uestions+ QUESTION NO: < ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -G" 2 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com )ll net"or0 ser/ers run !indo"s Ser/er 2==, ) member ser/er named Test0ing< runs IIS and hosts all content $or com#any !eb sites One !eb site is redesigned !hen you bro"se the redesigned site* you select a hy#erlin0 and recei/e the $ollo"ing error message: L:TT. Error 4=4 > Eile or directory not $ound L You /eri$y that a necessary content $ile is missing $rom Test0ing< You need to disco/er "hether the same error "as generated by any other !eb ser/er requests !hat should you do% A. 'pen the most recent file in .9WwindowsWs stem32Winetsr%WAistor . $earch for error entries of t pe -"-. 1. 'pen the most recent file in .9WwindowsWs stem32W4og(ilesW!3$?.1. 
Search for error entries of type 404.
C. Open Event Viewer and connect to Testking1. Filter the system event log to display only events from the IISLOG event source with event ID 404.
D. Open Event Viewer and connect to Testking1. Filter the application event log to display only events from the WebClient event source with event ID 404.

Answer: B

Explanation:
Not Found Objects generate the 404 Not Found error. IIS logs typically reside in %Windir%\System32\Logfiles\W3svc1. Searching the most recent file for error type 404 would be the logical step to take in checking for the same error by other Web server requests.

The Web server cannot find the file or script you asked for. Please check the URL to ensure that the path is correct. Contact the server's administrator if this problem persists. By reviewing the IIS logs at a later time, you can identify these errors and take necessary actions to fix them. These logs are stored by default in C:\windows\system32\LogFiles\W3SVC1.

Incorrect Answers:
A: The IIS logs are not stored in C:\windows\system32\inetsrv\History.
C: The errors are not stored in the system log.
D: The errors are not stored in the application log.

Reference:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 9: 15.

QUESTION NO: 2
You are the network administrator for Testking.com. In particular you administer a Windows 2003 server named TestKing3. TestKing3 functions as an application server and runs IIS. You discover that one of the IIS sites on TestKing3 is corrupted. You need to recover the IIS site settings. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Restore the IIS configuration settings by running the iisweb.vbs /create command.
B. Open IIS Manager, and restore a previous version of the site.
C. Restore the IIS configuration settings by running the iisback.vbs /restore command.
D. Restore the IIS configuration settings by running the iisback.vbs /backup command.

Answer: C

Explanation:
Making use of the iisback.vbs /restore command will recover your site settings with the least amount of administrative effort.

Incorrect answers:
A: You do not restore settings by creating new ones. This involves too much administrative effort.
B: You need to restore the IIS configuration settings and not a previous version of the site.
D: This option states the wrong parameter on the command, you need to restore not backup.

Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 3
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You install the Remote Administration tools on server named TestKing6, selecting all default settings. In Internet Explorer, you type https://TestKing6/admin. You receive the following error message: "HTTP Error 404 - File or directory not found." You open IIS Manager and see the configuration shown in the exhibit. You need to ensure that you can use Internet Explorer to administer TestKing6. What should you do?

A. In Internet Explorer, type http://testking6:8099
B. In Internet Explorer, type http://testking6
C.
Install the Remote Desktop Connection subcomponent of the World Wide Web services.
D. In Internet Explorer, type https://testking6:8098
E. In Internet Explorer, type https://testking6

Answer: D

Explanation:
You should type https://testking6:8098 to make sure that you can make use of the Internet Explorer to administer TestKing6 since the SSL port is 8098 as shown in the exhibit. You must use a secure connection. The :8098 in the URL directs the browser to connect to port 8098 on the server instead of the default port 80. You can change your server to work on a different port in Internet Information Services (IIS) Manager. After you've connected to the server, you'll see the Welcome page.

Incorrect answers:
A, B, E: These are incorrect URLs. These options will not ensure that you can use the Internet Explorer to administer TestKing6 since it is advisable to use a secure connection.
C: This option is irrelevant in this scenario.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 591-593, 647

QUESTION NO: 4
You are the network administrator for Testking.com. You manage a computer named TestKing3 that runs Windows Server 2003 with the default settings. You install Terminal Services on TestKing3. You attempt to connect to TestKing3 by using the URL http://TestKing3/TestKingweb. You cannot connect to TestKing3. You need to be able to access Terminal Services on TestKing3 by using Internet Explorer 6.0. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a new Web site named TestKingweb.
B. Create a new virtual directory named TestKingweb.
C. Install IIS.
D. Install the Remote Administration IIS subcomponent.
E. Install the Remote Desktop Web Connection IIS subcomponent.

Answer: C, E

Explanation:
Internet Information Services (IIS) is a group of services that host Internet and intranet-related features on Windows Server 2003 computers such as File Transfer Protocol (FTP) and the World Wide Web (WWW) service under IIS features are installed by default. On the other hand, Remote Desktop Connection is Client software that enables you to access a Terminal Services session that is running on a remote computer while you are sitting at another computer in a different location. Thus by installing IIS and the Remote Desktop Web Connection IIS subcomponent you will be able to access Terminal Services of TestKing3 by making use of Internet Explorer 6.0.

Incorrect answers:
A: Creating a new Web site will not address your concern.
B: A virtual directory is a folder that does not have to be located on the IIS server. Creating a virtual directory named TestKingWeb is not the same as being granted access to Terminal Services on TestKing3, which is what is required in this question.
D: Installing Remote Administration IIS subcomponent allows up to two remote connections to a server for remote administration purposes. This is not what is needed.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp.
6: 38-49
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 5
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All company Web sites are hosted on a server named TestKing5, which runs IIS. You create two new Web sites, Marketing and Sales. You create the appropriate host records on the DNS server. You test both Web sites offline and successfully access all content. However, when you test the Web site online, you cannot access either site. You are directed to pages on the default Web site. You open IIS Manager and see the display shown in the exhibit. You need to ensure that you can start all Web sites on TestKing5. What are three possible ways for you to achieve this goal? (Each correct answer presents a complete solution. Choose three.)

A. Specify Marketing.Testking.com and Sales.Testking.com as the host header names for the two new Web sites.
B. For each new Web site, create a file named Default.htm in the directory path.
C. For each new Web site, specify a unique TCP port. Ensure that all client computers use the appropriate port to connect to each site.
D. For all Web sites, create custom HTTP headers.
E. For all Web sites, specify unique IP addresses. Modify the appropriate host records on the DNS server.
F. For all Web sites, enable anonymous access.

Answer: A, C, E

Explanation:
To create and host multiple Web sites, you must first ensure that each site has a unique identification. There are three ways to do this:
1.
You can obtain multiple IP addresses and assign a different IP address to each site.
2. You can assign different host header names to each site and use a single IP address. Host header names are the "friendly" names for Web sites, such as www.microsoft.com.
3. You can use Nonstandard TCP port numbers, and assign a different port number to each site. This is generally not recommended. This method can be used for private Web site development and testing purposes but is rarely used on production Web servers, because this method requires clients to type in the name or IP address followed by a non standard port number to reach the site.

Incorrect Answers:
B: This can be used to set a default page for each site. However, this will not enable you

to host multiple web sites.
D: Custom HTTP headers can not be used to host multiple web sites.
F: Anonymous access will allow anyone to connect to a website. However, this will not enable you to host multiple web sites. It is also a security risk.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 646, 663

QUESTION NO: 6
You are the network administrator for Testking.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows 2000 Professional. You install Windows Server 2003 with default settings on a new computer named TestKingSrv1. You install and share several printers on TestKingSrv1. You instruct all users to connect to these printers by using the address http://TestKingSrv1/Printers. However, users report that they cannot connect to this address. You need to ensure that all users can connect to the printers by using HTTP. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Publish all shared printers that are installed on TestKingSrv1.
B. Create a virtual directory named Printers on TestKingSrv1.
C. Install IIS with default settings on TestKingSrv1.
D. Reshare all printers on TestKingSrv1.
E. Install the Internet Printing component of IIS.
F. Type Net Stat W3SVC at a command prompt.

Answer: C, E

Explanation:
The Windows Server 2003 family of operating systems and Windows XP
can process print jobs sent to URLs. Windows Server 2003 must be running Microsoft Internet Information Services (IIS).

Internet printing uses Internet Printing Protocol (IPP) as its low-level protocol which is encapsulated within HTTP, using it as a carrier. When accessing a printer through a browser, the system first attempts to connect using RPC (on Intranets and LANs), which is fast and efficient.

Incorrect Answers:
A: The printers do not have to be published in Active Directory.
B: Creating a virtual directory named printers will not work.
D: The printers do not need to be reshared.
F: This command will not enable internet printing.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 570

QUESTION NO: 7
You are the network administrator for Testking.com. All network servers run either Windows 2000 Server or Windows Server 2003, and all client computers run Windows XP Professional. A computer named Server2 runs Windows Server 2003 with IIS 6.0 installed. On Server2, you create a virtual directory named WebFolder. You use IIS Manager to enable the following permissions on WebFolder: Read, Write, and Directory Browsing. When users try to access WebFolder as a Web folder from Internet Explorer, they receive the error message shown in the exhibit. You need to ensure that all users can access WebFolder as a Web folder. What should you do?

A. Restart the World Wide Web Publishing Service on Server2.
B. Enable anonymous access to WebFolder.
C. Modify the Execute permissions to allow scripts and executable files.
D. Enable the WebDAV Web service extension on Server2.
Answer: D

Explanation:
"Web Folders" is Microsoft's implementation of WebDAV. WebDAV is disabled by default and so needs to be enabled.

Incorrect Answers:

A: This will not solve the problem. WebDAV needs to be enabled.
B: This is an unnecessary security risk and is not required.
C: It is not necessary to modify the permissions. We just need to enable WebDAV to ensure that all users can access WebFolder.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 658

QUESTION NO: 8
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Your IIS server is named TestKing2. Its configuration is shown in the exhibit. Users access the internal network by connecting to http://testking2.testking.intra. A folder TestKing_Data stores the Web interface for TestKing.com's client management tool. Currently, users in the marketing can access this tool by connecting to http://testking2.testking.intra/TestKing_Web. You share TestKing_Data on a server named TestKing6. You need to modify TestKing2 to ensure that marketing users can access TestKing_data through the internal network. What should you do?

A. Create a new virtual directory named TestKing_Web under the default Web site. Specify \\testking6\TestKing_data as the Web site content directory.
B. Create a new Web site named TestKing_Dta. Specify \\testking6\TestKing_data as the Web site home directory.
C. Create a new Web site named TestKing_Dta. Specify TestKing_Data as the host head name of the Web site.
D. Redirect the default Web site home directory to http://testking6/TestKing_Data. Specify TestKing_Data as the host header name of the default Web site.
Answer: A

Explanation:
The iisvdir.vbs command enables us to create virtual directories for a specific Web site. We can use create, delete, and query switches on this script. It is important to clarify that this command does not generate any new code or physical directories. This command will basically instruct the IIS configuration to point at existing directories and refer to it as a local directory of the Web site. Creating a new virtual directory named TestKing_Web under the default Web site and then specifying TestKing_data on testking6 as the web site content directory will ensure that the marketing users will be able to access TestKing2, the IIS server.

Incorrect answers:
B, C: There is no need to create a new Web site.
D: This is not necessary.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 696-699

QUESTION NO: 9
HOTSPOT
You are the network administrator for TestKing.com. A computer named WebserverTK1 runs Windows Server 2003. WebserverTK1 gives users access to TestKing's internal Web site. A folder named D:\Webfolders\Sales on WebserverTK1 contains TestKing's sales reports. The NTFS permissions for the Sales Folder are set as shown in the following table.

Group Name        Permissions
Administrators    Full Control
Sales             Modify
Users             Read & Execute

You need to create a new virtual directory for the sales department on WebserverTK1 and configure it to meet the following requirements:
1. The new virtual directory must be accessible as a Web folder
2. Members of the Sales group must be able to upload Microsoft Word documents and HTML files

3. No dynamic content is allowed to be run from the virtual directory

What should you do? To answer, configure the appropriate option or options in the dialog box in the work area.

Answer:

Explanation:
Select the Read, Write and Browse checkboxes.
Select the access permissions from the Virtual Directory Access Permissions window. The default is Read and Run Scripts. The options are very similar to Web site creation options. These options will allow members of the Sales Group to upload Microsoft Word documents and HTML files as well as not allowing any dynamic content to be run from the virtual directory.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 697

QUESTION NO: 10
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server named TK1 has IIS installed. You are directed to provide Internet-based users with a hierarchical list of files that they can download. You copy the list to C:\inetpub\wwwroot\data on TK1. You create a new virtual directory named ListData, and you specify its path as C:\inetpub\wwwroot\data. When users try to access ListData, they receive the following error message: "Directory Listing Denied. This Virtual Directory does not allow contents to be listed." You need to ensure that users can successfully access ListData. What should you do?

A. Assign the Allow - Read permission on C:\inetpub\wwwroot\data to the Anonymous user account.
B.
Use IIS Manager to enable directory browsing.
C. Edit the properties of the Directory Listing Denial error code with TK1. Change the message type to File and specify the file name as index.htm.
D. Use IIS manager to allow anonymous access.

Answer: B

Explanation:
Directory Browsing displays a list of files and subfolders in the home directory if a default web page is not defined or is absent.

Enabling Web Service Extensions - Web Service Extensions is a new feature in IIS 6.0. This utility will give a Control Panel-like functionality on your IIS components. We will be able to allow, prohibit, or change IIS properties using this tool. This will also enable you to add new IIS extensions (ISAPI applications and third-party IIS tools) to the IIS 6.0 server. You can also enable or disable All Web Service Extensions by using this management console. Here is a list of components the Web service extensions can enable or disable:
1. ASP.NET executions
2. ASP executions
3. CGI and ISAPI Applications
4. Front Page Server Extensions 2000 and 2002
5. WebDAV support for IIS directories

We can get to the Web Service Extensions by using Start > Administrative Tools > IIS Manager and clicking on Web Server Extensions node on a selected server name.

IIS Manager is the GUI interface for all IIS management functions. You can also perform these management functions by using command-line tools. All these command line tools are VBScript functions with .VBS file extensions.
1. The iisweb.vbs utility is used to create and manage Web sites in IIS 6.0.
2. The iisvdir.vbs command enables us to create virtual directories for a specific Web site. We can use create, delete, and query switches on this script. It is important to clarify that this command does not generate any new code or physical directories.
This command will basically instruct the IIS configuration to point at existing directories and refer to it as a local directory of the Web site.

Incorrect answers:
A: Assigning the Allow - Read permission will not work because you need to make use of the iisweb.vbs utility.
C: Editing the properties of the Directory Listing Denial error code with TK1 will not enable access to the directory.
D: This option will not work as users will have to authenticate to get access.

Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 677, 692

QUESTION NO: 11
You are the network administrator for TestKing. All servers run Windows Server 2003. TestKing's main office is located in New York City, and four branch offices are located in various North American cities. The network is configured as shown in the exhibit. Access to the Internet is provided by a Network Address Translation (NAT) server located in the Montreal office. The IP address of the NAT server is 192.168.10.254. Users in the Los Angeles office report that they cannot connect to the Internet. Users in the New York office report that they can successfully connect to the Internet. From a computer in the Los Angeles office, you cannot connect to servers located in the Montreal office by using their IP address. You want to find out where the communication failure resides by running a command prompt on a computer in the Los Angeles office. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Run the pathping 192.168.10.254 command.
B. Run the net view \\192.168.10.254 command.
C. Run the tracert 192.168.10.254 command.
D. Run the nslookup 192.168.10.254 command.
Answer: A, C

Explanation:
Ping is a command used to send an Internet Control Message Protocol (ICMP) echo request and echo reply to verify that a remote computer is available. Tracert is a tool used to map out the path that the packets are taking as they flow to a remote system. The pathping tool provides the functionality of both ping and tracert and adds some of its own features into the mix as well. The first list in the output is the route that the packet takes to reach the destination. This is similar to the output of the tracert command. These two commands will enable you to find where the communication failure resides.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 81

QUESTION NO: 12
You are the network administrator for TestKing. All servers run Windows Server 2003. Twenty TestKing employees connect to a terminal server named Testking2 to run applications and to gain access to the Internet. The 20 employees report that they receive security messages while browsing Internet Web sites. The employees report that they cannot modify the Internet Explorer security settings on their client computers while connected to Testking2. You need to allow these 20 employees to modify the Internet Explorer security settings in their client computers while connected to Testking2. What should you do?

A. Log on to Testking2 as Administrator and add http:// to the list of trusted sites in Internet Explorer.
B. Instruct the 20 employees to add http:// to the list of trusted sites in Internet Explorer on their client computers.
C. Instruct the 20 employees to change the Internet Explorer privacy settings on their client computers to Low.
D.
Uninstall Internet Explorer Enhanced Security Configuration on Testking2.

Answer: D

QUESTION NO: 13
Exhibit
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You install Windows Server 2003 on a computer named TestKing5. TestKing5 has IIS installed and is a member of the testking.com domain. You create a new Web site for the sales department on TestKing4. The home directory for the sales Web site is C:\Inetpub\Sales. Users from the sales department report that they are prompted for credentials when they attempt to connect to the sales Web site. After they enter their login information, they are denied access to the Sales Web site. Users from other departments observe the same behavior when they attempt to access the Sales Web site. You examine the directory security for the sales Web site, as shown in the exhibit. You need to ensure that users from sales department can access the sales Web site. You also need to ensure that no other users can access the Sales Web site. What should you do?

A. Clear the Enable anonymous access check box.
B. Select the Digest authentication for Windows domain servers check box.
C. Clear the Basic authentication check box.
D. Change the value of the Default domain to testking.com.
E. Modify the NTFS permissions on the C:\Inetpub\Sales folder.

Answer: E

Explanation:
When you apply NTFS permissions to a folder with subfolders, the default is to allow inheritable permissions to propagate from the parent to this object. This means that whatever permissions have been applied to the parent folder will be automatically applied to subfolders.
If you want to make sure that Sales department users can access the website while assuring that other users cannot access the Sales Web site, then you should apply the appropriate NTFS permissions on the C:\Inetpub\Sales folder.

Incorrect answers:
A: Clearing the Enable Anonymous Access check box is not the solution in this case.
B: The Digest Authentication For Windows Domain Servers option works only with Active Directory accounts and sends a hash value rather than a clear-text password. It works across proxy servers and other firewalls. Digest authentication requires Windows 2000 or later client computers. This is not what is desired.
C: The Basic Authentication option requires a Windows 2000 or Windows Server 2003 user account. If anonymous access is disabled or the anonymous account tries to access data that the account does not have permission to access, the system will prompt the user for a valid user account. With this method, all passwords are sent as clear text. You should use this option with extreme caution since it poses a security risk. However this option is not the answer.
D: Changing the value of the Default domain to Testking.com will not ensure that other users will not be able to access the Sales Web site.

Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 307, 326-327

QUESTION NO: 14
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Site License Logging is enabled in the domain. Administrators report that they cannot manage Client Access Licenses. When they attempt to open Licensing, they receive the following error: "RPC
Server too busy." You suspect there is a problem on the domain controller that functions as the site license server. You do not know which domain controller is the site license server. You need to locate the site license server. What should you do?

A. Open Licensing, click the Server Browser tab, and expand your domain. Inspect the properties of each server.
B. Open Active Directory Sites and Services, open the properties for the site name. Inspect the contents of the Location tab.

C. Open the Active Directory Users and Computers, click your domain name, click Action, and select Operations Masters. Inspect the contents of the Infrastructure tab.
D. Open Active Directory Sites and Services, and click your site name. Inspect the properties of the Licensing Site Settings.

Answer: D

Explanation:
The site license server is responsible for managing all of the Windows licenses for the site. The default license server is the first domain controller in the site. The site license server does not have to be a domain controller but for best performance it is recommended that site license server and domain controller be in the same site. When you inspect properties under Licensing Computer, you will see the server that has been designated the site license server. Thus if you want to locate the site license server, then you should inspect the properties of the Licensing site settings.

Incorrect answers:
A: You should be inspecting the Licensing Site Settings properties and not the properties of each server.
B: This tab will not yield the proper information.
C: Inspecting the contents of the Infrastructure tab under the operations masters of the Action tab, will not yield the necessary information.

Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p 4

QUESTION NO: 15
Exhibit
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. All client computers run Windows XP
Professional. All users log on to the domain to access resources. Content for internal Web sites is hosted on a member server named TestKing2, which runs IIS. Each department in the company has a private Web site on Testking2. Users in the marketing department report that they are prompted to enter their logon credentials when they try to access their department's Web site. When they enter their credentials, they are granted access. You review the authentication methods for the marketing Web site, as shown in the exhibit. You need to modify TestKing2 so that the marketing users can access the Web site without being prompted for credentials. What should you do?

A. Disable anonymous access.
B. Specify the name of the Active Directory domain as the default domain name.
C. Disable Basic authentication.
D. Disable Digest authentication for Windows domain servers.
E. Enable Integrated Windows authentication.

Answer: E

Explanation:
The Integrated Windows Authentication option employs a cryptographic exchange between the web server and the user's Internet Explorer web browser to confirm the user's identity. This option should be activated together with the Basic Authentication as well as Digest Authentication for Windows domain servers.

Incorrect answers:
A: Disabling Anonymous access is not the solution.
B: This option will not enable the marketing users to access the Web site without being prompted for credentials.
C: The Basic Authentication (Password Is Sent In Clear Text) option requires a Windows 2000 or Windows Server 2003 user account. If anonymous access is disabled or the anonymous account tries to access data that the account does not have permission to access, the system will prompt the user for a valid Windows 2000 user or Windows Server 2003 user account. With this method, all passwords are sent as clear text.
You should use this option with extreme caution since it poses a security risk.
D: The Digest Authentication For Windows Domain Servers option works only with Active Directory accounts and sends a hash value rather than a clear-text password. This option should be left enabled.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p 329

QUESTION NO: 16

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. A member server named TestKing3 has IIS installed. TestKing3 hosts all content for company web sites. The server is backed up on magnetic tape once each month. To replace the web functionality of TestKing3, the company acquires a new computer. You configure the computer as a member server named TestKing4 and install IIS. You transfer all content from TestKing3 to TestKing4 and start the IIS service on TestKing4. You discover that TestKing4 is not configured with the IIS settings that were defined on TestKing3. You need to ensure that TestKing4 has the same IIS settings that were defined on TestKing3. What should you do?

A. Use the most recent backup tape of TestKing3 to restore the System State data on TestKing4.
B. Use the most recent backup tape of TestKing3 to restore C:\windows\system32\inetsrv\History on TestKing4.
C. Use IIS manager on TestKing3 to select the Save Configuration to Disk option. Edit the files to replace system-specific information. Use the edited files to restore the IIS metabase on TestKing4.
D. Use IIS manager on TestKing3 to select the Backup/Restore Configuration option. Edit the files to replace system-specific information. Use the edited files to restore the IIS metabase on TestKing4.
Answer: D

QUESTION NO: 17

You are the network administrator for TestKing.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Another Systems Administrator recently installed Software Update Services (SUS) on a server on the network. You need to troubleshoot a problem that involves SUS. You need to view the SUS approval log to verify that the latest updates are available to client computers. What should you do?

A. Open the most recent IIS log file on the SUS server. View the data in the log file.
B. Open the Hotfixes.txt file on the SUS server. View the data in the Hotfixes.txt file.
C. Run the wmic qfe > Approval.txt command on the SUS server. View the data in Approval.txt file.
D. Open the file named History-Approve.xml on the SUS server. View the data in the log file.

Answer: D

B: Manage security for IIS. (5 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server named TK1 runs IIS. You install a Web-enabled application on TK1. The application includes a security feature that detects unauthorized attempts to access the server. Whenever an unauthorized attempt is detected, the application automatically modifies the IIS configuration file to restrict the unauthorized user's access. To test the security feature, you try to gain unauthorized access to TK1. Twenty seconds after your first attempt, you try again. However, TK1 does not restrict your access on the second attempt. You wait five minutes, and then you examine the IIS configuration file. You verify that it was correctly modified by the application to restrict your access. You need to configure IIS to ensure that changes in the IIS configuration file will result in immediate changes in the behaviour of IIS. What should you do?

A. Select the Enable Direct Metabase Edit option.
B. Specify the service account for the Application Pool as the IIS service account.
C. Select the Enable Rapid-Fail protection option.
D. Specify the status of the Internet Data Connector Web service extension as Allow.

Answer: A

Explanation: The IIS configuration is stored in the Metabase. To get immediate changes to the IIS configuration file we need to enable the Direct Metabase Edit option.

Incorrect answers:
B: Application pooling enables Web sites to run together in one or more processes, as long as they share the same pool designation. Web sites that are assigned different application pools never run in the same process.
C: IIS initiates rapid-fail protection when too many application pool errors are generated for a specified time frame. The default is five errors occurring in five minutes. This scenario will trigger the IIS to restart and issue a 503 error to the client.
D: Specifying the status of the Internet Data Connector Web service extension as allow will not have the desired effect; what is wanted is the immediate change in the behavior of IIS.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp.
663, 689

QUESTION NO: 2

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The intranet Web site is hosted on a Windows Server 2003 computer named TestKing4, which is a member of a workgroup. All client computers are members of the domain and are enabled for IPSec. The network security administrator creates a new security policy for TestKing4. The policy states that only HTTP traffic is permitted, that HTTP traffic must be encrypted, and that all computers must be authenticated. The new security policy is implemented. Domain users report that they are not able to connect to TestKing4. You load the IP Security Monitor snap-in, and you view the details shown in the following window. You need to ensure that all domain users can securely connect to TestKing4. What should you do?

A. Install a digital certificate on TestKing4.
B. Make TestKing4 a member of the domain.
C. Change the source and destination ports for outbound traffic.
D. Change the source and destination ports for inbound traffic.

Answer: B

Explanation: TestKing4 is a member of a workgroup and must manage domain users' permissions. As a server in a workgroup, you cannot manage users who are members of a domain, so you need to make the TestKing4 server a member of the TestKing domain. To authenticate all computers, the server needs to use Kerberos v5; this is the second reason why TestKing4 needs to be a member of the TestKing domain.

Incorrect answers:
A: A digital certificate is a public-key cryptography mechanism that authenticates the integrity and originator of a communication.
In this scenario one would rather make TestKing4 a member of the domain because as a server in a workgroup you cannot manage user members of a domain.
C, D: The rules are correct. Thus there is no need to modify the source and destination ports for either in- or outbound traffic.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 460-461

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. All confidential company files are stored on a file server named TestKing1. The written company security policy states that all confidential data must be stored and transmitted in a secure manner. To comply with the security policy, you enable Encrypting File System (EFS) on the confidential files. You also add EFS certificates to the data decryption field (DDF) of the confidential files for the users who need to access them. While performing network monitoring, you notice that the confidential files that are stored on TestKing1 are being transmitted over the network without encryption. You must ensure that encryption is always used when the confidential files on TestKing1 are stored and transmitted over the network. What are two possible ways to accomplish this goal? (Each correct answer presents a complete solution. Choose two.)

A. Enable offline files for the confidential files that are stored on TestKing1, and select the Encrypt offline files to secure data check box on the client computers of the users who need to access the files.
B. Use IPSec encryption between TestKing1 and the client computers of the users who need to access the confidential files.
C. Use Server Message Block (SMB) signing between TestKing1 and the client computers of the users who need to access the confidential files.
D. Disable all LM and NTLM authentication methods on TestKing1.
E. Use IIS to publish the confidential files. Enable SSL on the IIS server. Open the files as a Web folder.
Answer: B, E

Explanation: We can use IPSEC or SMB to encrypt network traffic. We can use SSL to secure the files.

IPSec is a TCP/IP security mechanism that provides machine-level authentication, as well as data encryption, for virtual private network (VPN) connections that use Layer 2 Tunneling Protocol (L2TP). IPSec negotiates between a computer and its remote tunnel server before an L2TP connection is established, which secures both passwords and data.

MS THUMB RULE is less administrative effort. According to MS FAQs some questions can have two valid answers. In this case C and E can both be valid answers. What should be kept in mind is whether SMB signing is a valid option or not, because they do not tell us if they are forcing the Secure channel setting in the clients or server:

Secure channel: Digitally encrypt or sign secure channel data (always) Enabled

SMB signing: By default, domain controllers running Windows Server 2003 require that all clients digitally sign SMB-based communications. The SMB protocol provides file sharing, printer sharing, various remote administration functions, and logon authentication. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer for some clients running older operating system versions. Client computers running Windows for Workgroups, Windows 95 without the Active Directory client, and Windows NT 4.0 Service Pack 2 (or earlier) do not support SMB signing. They cannot connect to domain controllers running Windows Server 2003 by default. and E.

Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p.
763

QUESTION NO: 4

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network contains a Web server that runs IIS 6.0 and hosts a secure intranet site. All users are required to connect to the intranet site by authenticating and using HTTPS. However, because an automated Web application must connect to the Web site by using HTTP, you cannot configure the intranet site to require HTTPS. You need to collect information about which users are connecting to the Web site by using HTTPS. What should you do?

A. Check the application log on the Web server.
B. Use Network Monitor to capture network traffic on the Web server.
C. Review the log files created by IIS on the Web server.
D. Configure a performance log to capture all Web service counters. Review the performance log data.

Answer: C

Explanation: Logging can be enabled on the Web Site tab by checking the Enable Logging option. There are four log file formats, which you can configure to suit any third-party tracking software used to measure and chart website performance counters. The log files generated by IIS on the Web server will reveal the proper information necessary.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 320-326

QUESTION NO: 5

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. One domain controller on the network is configured as a certification authority (CA). The network contains a Web server that runs IIS 6.0 and hosts a secure intranet site. The server also hosts other sites that do not require HTTPS. You configure a server certificate on the IIS server by using a certificate from your internal CA. All users are required to connect to the intranet site by using HTTPS. Some users report that they cannot connect to the secure intranet site by using HTTPS. You confirm that all users can connect to the nonsecure sites hosted on the Web server by using HTTP. You want to view the failed HTTPS requests. What should you do?

A. Review the log files created by IIS on the Web server.
B. Review the security log in Event Viewer on the Web server.
C. Review the security log in Event Viewer on the CA.
D. Review the contents of the Failed Requests folder on the CA.

Answer: A

Explanation: Logging can be enabled on the Web Site tab by checking the Enable Logging option. There are four log file formats, which you can configure to suit any third-party tracking software used to measure and chart website performance counters. The log files generated by IIS on the Web server will reveal the proper information necessary.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 320-326

Topic 5: Managing and Implementing Disaster Recovery (86 Questions)

Part 1: Perform system recovery for a server.

A: Implement Automated System Recovery (ASR). (10 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. Recovery Console is installed on each domain controller. The disk configuration for each domain controller is shown in the following table. MAIN is configured with both the system partition and the boot partition. Every Friday at 6:00 P.M., you run the Automated System Recovery (ASR) wizard in conjunction with removable storage media. Every night at midnight, you use third-party software to perform full backups of user profiles and user data on removable storage media. One Friday at 8:00 P.M., an administrator reports that the CA database on a domain controller named DC1 is corrupted. You need to restore the database as quickly as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Restart DC1 by using Directory Services Restore Mode.
B. Restart DC1 by using the installation CD-ROM.
C. Perform a nonauthoritative restoration of Active Directory.
D. Perform an authoritative restoration of Active Directory.
E. Use the ASR disk to restore the content of the ASR back file.

Answer: A, C

Explanation: To restore the CA database, we must restart the server in Directory Services Restore Mode. Directory Services Restore mode is a special mode that can be used to recover the Active Directory database. From Directory Services Restore mode the administrator can choose whether to do an authoritative or non-authoritative restore of the Active Directory database. This is similar to Safe Mode and will not start any Active Directory services.

During a normal restore operation, Backup operates in non-authoritative restore mode. That is, any data that you restore, including Active Directory objects, will have their original update sequence number. The Active Directory replication system uses this number to detect and propagate Active Directory changes among the servers in your organization. Thus any data that is restored non-authoritatively will appear to the Active Directory replication system as though it is old, which means the data will never get replicated to your other servers. Instead, if newer data is available from your other servers, the Active Directory replication system will use this to update the restored data.

Incorrect Answers:
B: Due to it not being necessary to use ASR, you do not need to start with the CD-ROM.
D: normal AD replication from other DCs.
E: We do not need to use ASR because the server is operational.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 522, 702

QUESTION NO: 2

You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A member server named TestKingA contains two volumes. You need to perform a complete backup of the data on TestKingA. You must ensure that TestKingA can be completely restored in case of hardware failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create an Automated System Recovery (ASR) backup.
B. Create a backup of user data.
C. Create a Windows Server 2003 bootable floppy disk.
D. Create a DOS bootable floppy disk.
E. Copy all Windows Server 2003 boot files to the Windows Server 2003 bootable floppy disk.
F. Copy only Boot.ini to the Windows Server 2003 bootable floppy disk.

Answer: A, B

Explanation: We need to perform a complete backup of the data. We need to ensure that TestKingA can be completely restored in case of hardware failure. The ASR backup will accomplish this. The ASR has two parts: backup and recovery. Restoring an ASR backup brings the server back to the state at the point in time when the ASR set was originally created. Whenever you perform an operation that is potentially damaging to the operating system (installing service packs, driver upgrades, hardware upgrades, and so on), consider creating an ASR backup set. If anything goes wrong, you can quickly restore the server back to its original configuration without much trouble.

Incorrect Answers:
C: A bootable floppy disk is not necessary.
D: We don't need a bootable floppy disk.
E: This will not back up the user data because it is a bootable disk with Windows Server 2003 boot files.
F: This will not have the ability to back up the user data.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 8

QUESTION NO: 3

You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Each domain controller contains one disk that is configured with both the system partition and the boot partition. Every day, you use custom software to perform a full backup of user profiles and user data. The custom backup software provides a bootable floppy disk that includes the drivers for the backup media. Every Sunday, you run the Automated System Recovery (ASR) wizard on your domain controllers in conjunction with removable backup media. Data is backed up in a file named Backup1.bkf. One Monday morning, you install a new application on a domain controller named TESTKINGDC1. When you restart TESTKINGDC1, you receive the following error:

"NTLDR is missing. Press any key to restart."

You need to bring TESTKINGDC1 back online as quickly as possible. What should you do?

A. Restart TESTKINGDC1 by using the installation CD-ROM. Reinstall the operating system and restore the contents of the latest full backup by using the Restore wizard. Restart TESTKINGDC1.
B. Restart TESTKINGDC1 by using the installation CD-ROM. Restore the contents of Backup1.bkf by using the ASR disk. Restart TESTKINGDC1.
C. Restart TESTKINGDC1 by using the bootable floppy disk. Copy the contents of Backup1.bkf from the backup media to C:\winnt. Restart TESTKINGDC1.
D. Restart TESTKINGDC1 by using the bootable floppy disk. Copy the contents of the ASR disk to C:\. Restart TESTKINGDC1.
Answer: B

Explanation: In preparation for ASR recovery, you must run the Automated System Recovery Wizard, which is part of Backup. To access this wizard when you are running Backup in Advanced Mode, click Tools and select ASR Wizard.

When an ASR restore is initiated, ASR first reads the disk configurations from the ASR floppy disk and restores all disk signatures and volumes on the disks from which the system boots. In the ASR process, these are known as critical disks, because they are required by the operating system. Noncritical disks - disks that might store user or application data - are not backed up as a part of a normal ASR backup, and are not included in an ASR restore. If these disks are not corrupted, their data will still be accessible after the ASR restore completes. If you want to secure data on noncritical disks from disk failure, you can do so by backing it up separately.

After the critical disks are recreated, ASR performs a simple installation of Windows Server 2003 and automatically starts a restore from backup using the backup media originally created by the ASR Wizard. During an ASR restore, any Plug and Play devices on the system are detected and installed. You thus need to restart the domain controller by using the installation CD-ROM, restore the contents of the backup file, and then restart the domain controller.

Incorrect Answers:
A: It is unnecessary to reinstall the operating system, because ASR is a much easier way to recover the system.
C: Manually copying the contents of Backup1.bkf from the backup media to C:\winnt will not work. You must run the ASR restore process. You also have to be cognizant of the fact that there is no bootable floppy disk.
D: Manually copying the contents of the ASR disk to C:\ will not work. You must run the ASR restore process.
Furthermore, the question states that there is no bootable floppy disk.

Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/

QUESTION NO: 4

DRAG DROP

You are the network administrator for TestKing.com. The network includes a file server named TestKing41, which runs Windows Server 2003. You create an Automated System Recovery (ASR) disk for TestKing41. You back up the System State data on a backup server. Three weeks later, the data on the system drive for TestKing41 becomes corrupted by a virus. When you restart TestKing41, you cannot access the Boot menu. You need to begin the recovery process for TestKing41. Which three actions should you perform? To answer, drag the appropriate action that you should perform first to the First Action box. Continue dragging actions to the appropriate numbered boxes until you list all three required actions in the correct order.

Answer:

Explanation: Following is the procedure to recover from a system failure using ASR:

1. Collect the following:
   1. The Windows 2003 CD-ROM.
   2. The ASR floppy disk.
   3. The ASR backup media.
2. Boot from the Windows XP CD-ROM.
3. Press F2 at the beginning of text mode setup, when prompted.
4. When prompted, insert the ASR floppy disk.
5. Follow the on-screen instructions.
6. Continue to follow the on-screen instructions.

Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp.
508-51

QUESTION NO: 5

HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. One of the domain controllers is named DC1. You use the Automated System Recovery (ASR) wizard on DC1 to create an ASR floppy disk on a backup set named c:\backup\backup.bkf. Three weeks later, you discover that the ASR floppy disk is missing. To replace it, you start the ASR Wizard and access the catalog, as shown in the work area. You need to restore only the necessary files to the ASR floppy disk. Which folder should you restore?

Answer:

Explanation: Navigate to the C:\windows\repair folder. Copy the asr.sif and asrpnp.sif files to the floppy disk.

The ASR Wizard helps you create a two-part backup of your essential system components: a floppy disk containing system settings and a backup of the local system partition on other media. When you perform a Windows Automated System Recovery backup, three files are written to the floppy disk. These are asr.sif, asrpnp.sif and a log file. The Repair subfolder under the second C:\WINDOWS folder contains the asr.sif and asrpnp.sif files.

Note: The Repair subfolder under the first C:\WINDOWS folder also contains the asr.sif and asrpnp.sif files together with a number of other system files which would be too big to fit on a floppy disk.

Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p.
798

QUESTION NO: 6

You are the network administrator for TestKing.com. You are responsible for all backup procedures. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Two servers, DC1 and DC2, are configured as domain controllers. User home folders are stored on drive D:\ of each server. You install a new server named TestKing1 to manage backup operations. Now you need to ensure that operating system configuration and user home folders can be restored in case of server failure. From TestKing1, you configure the Backup utility as shown in the exhibit. What should you do next?

A. On TestKing1, select the System State check box.
B. On DC1 and DC2, start the Automated System Recovery (ASR) wizard.
C. On TestKing1, back up \\DC1\NETLOGON and \\DC2\NETLOGON.
D. On DC1 and DC2, run the ntdsutil command from a command prompt.

Answer: B

Explanation: To safeguard your system against a serious failure, you can use the Backup tool to create an Automated System Recovery (ASR) set on a regular basis. The Automated System Recovery Wizard creates a two-part backup that you can use to recover your system after all other recovery attempts have failed, or after you have replaced the hard disk. ASR backs up the system state, system services, and all disks associated with the operating system components. It also creates a startup disk that contains information about the backup, the disk configurations (including basic and dynamic volumes), and how to accomplish a restore. You should create a new ASR set after any major change to the system and also on a regular schedule as part of a comprehensive backup plan.

Incorrect answers:
A: System State - The System State data includes the registry, COM+ Class Registration database, files under Windows File Protection, and system boot files. Depending on the configuration of the server, other data may be included in the System State data.
For example, if the server is a certificate server, the System State will also contain the Certificate Services database. If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.
C: NETLOGON is used for backward compatibility with Windows NT 4.0 and Windows 9x computers that do not have the Active Directory client software installed.
D: NTDSutil is used to recover deleted objects in Active Directory by marking those objects as authoritative, following a normal, or non-authoritative, restore of the System State with the Backup Utility. The ntdsutil command is used to perform an authoritative restore of Active Directory. The ntdsutil is used to mark the restored Active Directory need to run the ntdsutil command.

References: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp 3-16, 3-20, 4-13, 13-6.

QUESTION NO: 7

You are the network administrator for your domain at TestKing.com. All servers run Windows Server 2003. You manage a server named TestKing7. You create a script named TestKingDataBackup.cmd on TestKing7 that contains Ntbackup commands for 10 separate backup jobs. You use the AT command from your client computer to schedule and run backups on TestKing7. You also use Automated System Recovery (ASR) on TestKing7. A user, Tess King, reports that several directories are missing from TestKing7. You establish that you need to restore all 10 backup jobs. You need to restore the data with the least amount of administrative effort. What should you do?

A. From your client computer, modify the TestKingDataBackup.cmd script to restore data. Use the AT command to run the script.
B. Log on to TestKing7 and use the Backup utility to restore the first backup job.
Repeat for each job.
C. Log on to TestKing7 and modify the TestKingDataBackup.cmd script to restore data. Use the AT command to run the script.
D. Use ASR to restore the system.

Answer: B

Explanation: This is a tricky question. Answer A would be an easy solution. However, it is not possible to restore files using the NTbackup command, so modifying the script will not work. Therefore, the only possible solution is to log on to the machine and use the Backup utility to restore the files.

QUESTION NO: 8

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. Each domain server has a locally attached tape device. You need to back up each domain controller. Your backup process must fulfill the following requirements:

1. System recovery must be possible in the event of server failure.
2. The system configuration and all current dynamic disk configurations must be backed up.
3. Other data partitions and all current dynamic disk configurations must be backed up.
4. Other data partitions do not need to be backed up.

What should you do?

A. Use the Backup utility to back up the system files and to create an Automated System Recovery (ASR) disk.
B. Use the Backup utility to back up the contents of all mounted drives.
C. Use the Backup utility to back up only the System State data.
D. Use the Copy command to copy C:\windows and its subfolders to a shared folder on the network.
E. Use the Xcopy command to copy C:\windows and its subfolders to a shared folder on the network.

Answer: A

Explanation: Backup Utility is a Windows Server 2003 utility that helps you plan for and recover from data loss by allowing you to create backup copies of data as well as restore files, folders, and System State data (which includes the Registry) manually or on a schedule. The Windows Server 2003 Backup Utility allows you to back up data to a variety of media types besides tape. You can also run backups from the command line using ntbackup.exe and specifying the appropriate command-line options.

We need to perform a complete backup of the data.
We need to ensure that the domain controllers can be completely restored in case of hardware failure. The ASR backup will accomplish this. The ASR has two parts: backup and recovery. Restoring an ASR backup brings the server back to the state at the point in time when the ASR set was originally created. Whenever you perform an operation that is potentially damaging to the operating system (installing service packs, driver upgrades, hardware upgrades, and so on), consider creating an ASR backup set. If anything goes wrong, you can quickly restore the server back to its original configuration without much trouble. An ASR backup backs up the system files necessary to recover a failed system. It will not back up user data.

Incorrect answers:
B: It will be unnecessary to back up the contents of all the mounted drives because in the requirements it is mentioned that not all data partitions need to be backed up.
C: Backing up only System State data will not comply with all the stated requirements.
D: Using the Copy command copies a single file to another location. This will not satisfy all the stated requirements.
E: Using the Xcopy command will not work in this scenario.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 281
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 8

QUESTION NO: 9

SIMULATION
You are the network administrator for TestKing.com. The network consists of five Active Directory domains in a single forest. A total of 10 domain controllers are distributed across five sites. All domain controllers run Windows Server 2003. Active Directory hosts several application partitions. TestKing3 is a representative domain controller. Its disk configuration is shown in the following table.

Volume  Drive  File format  Disk configuration  Capacity  Free Space  Contents
MAIN    C:     NTFS         RAID-1              8 GB      10%         Operating system files and logs
DATA    D:     NTFS         RAID1a0             36 GB     15%         Ntds.dit
CD-RW   E:     CDFS         N/A                 N/A       N/A         N/A
FLOPPY  A:     N/A          N/A                 N/A       N/A         N/A
SHARE   R:     NTFS         RAID-5              60 GB     80%         Shared Folders

You are required to create an Automated System Recovery (ASR) disk and disk set for TestKing3. First, you insert a blank CD-ROM and a blank floppy disk into TestKing3. Then, you start the Automated System Recovery Preparation wizard. Now you need to indicate where the backup data will be stored. What should you do? To answer, configure the appropriate option in the dialog box.

Answer: Enter a backup path of "D:\backup.bkf"

Explanation: The NTbackup utility does not support backing up to a CDRW. Therefore, we will need to select a local hard disk as the location for the backup file.

QUESTION NO: 10

You are the network administrator for TestKing.com. The network includes a Windows Server 2003 computer named TestKing6. Server backups occur each night at 10:00 P.M. Each backup is stored on a separate backup tape. All backups are performed according to the schedule shown in the following table.

Day        Backup Type
Sunday     Normal
Monday     Incremental
Tuesday    Incremental
Wednesday  Incremental
Thursday   Incremental
Friday     Incremental
Saturday   Incremental

A critical hardware failure occurs on TestKing6 on Wednesday at 8:00 P.M. You need to restore the most recent backup of TestKing6. You want to achieve this goal by using the minimum number of backup tapes. What should you do?

A. Restore TestKing6 by using Sunday's normal backup tape, and Tuesday's incremental backup tape.
B. Restore TestKing6 by using Sunday's normal backup tape, Monday's incremental backup tape, and Tuesday's incremental backup tape.
C. Restore TestKing6 by using Tuesday's incremental backup tape.
D. Restore TestKing6 by using Sunday's incremental backup tape.

Answer: B

Explanation: An incremental backup is a backup type that backs up only the files that have changed since the last normal or incremental backup. It sets the archive attribute (indicating that the file has been backed up) on the files that are backed up. A normal backup is a backup type that backs up all selected folders and files and then marks each file that has been backed up as archived. Since the failure occurred on TestKing6 on Wednesday at 8:00 pm, Sunday's normal backup tape together with the Monday and Tuesday incremental backup tapes that follow the Sunday will be necessary to restore the most recent backup of TestKing6 with the least backup tapes in use.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

QUESTION NO: 11

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003, and each one has a locally attached tape device. You need to back up each domain controller. Your backup process must fulfil the following requirements:
System recovery must be possible in the event of server failure.
The system configuration and all current dynamic disk configurations must be backed up.
Other data partitions do not need to be backed up.
What should you do?

A. Use the Backup utility to back up the system files and to create an Automated System Recovery (ASR) disk.
B. Use the Backup utility to back up the contents of all mounted drives.
C. Use the Backup utility to back up only the System State data.
D. Use the Copy command to copy C:\windows and its subfolders to a shared folder on the network.
E. Use the Xcopy command to copy C:\windows and its subfolders to a shared folder on the network.

Answer: A

B: Implementing shadow copying (7 Questions)

QUESTION NO: 1

You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All users are members of the Users global group. All servers run Windows Server 2003, and all client computers run Windows XP Professional. A member server named TestKing1 contains a data volume named Disk1, which hosts a shared folder named TestKing Data. All members of the Users group have permissions to read and modify the contents of TestKing Data. You create a shadow copy of Disk1. However, users report that they cannot access any previous version of any of the files in TestKing Data. From TestKing1, you access a file named data.mdb, which resides in TestKing Data. You successfully access previous versions of data.mdb. Then, you log on to a representative client computer. You open the Properties dialog box for data.mdb, as shown in the exhibit. You need to enable all users to access previous versions of the files in the TestKing Data. What should you do?

A. Enable all members of the Users group to take ownership of the files in TestKing Data.
B. Assign the Allow - Full Control share permission on TestKing Data to the Users group.
C. Use Group Policy to deploy the application package from TestKing1\windows\system32\clients\tsclient to all client computers.
D. Use Group Policy to deploy the application package from TestKing1\windows\system32\clients\twclient to all client computers.

Answer: D

Explanation: To access previous versions of files, the client computers need the 'Previous Versions' client installed on their machines. The Previous Versions Client must be installed or the Previous Versions tab does not appear in the properties of a shared file. The Previous Versions tab appears only when viewing files across the network. It does not appear if you view files on the local hard disk. If you want to replace the current version of a file with an older version, you can use the Restore button on the Previous Versions tab.
Deploying the client software for shadow copies - The client software for Shadow Copies of Shared Folders is installed on the server, in the \\%systemroot%\system32\clients\twclient directory. Making use of Group Policy will enable you to deploy the application package, in this case the deployment of client software for shadow copies, from TestKing1 to all client computers.

Incorrect Answers:
A: The ownership of the file has no relevance to previous versions and the question asks for the availability and accessibility of previous files for all the users.
B: Full Control share permission is not necessary to access the previous versions of files. You need the client software installed to be able to access those specific versions of the files.
C: This is the Terminal Services client software, not the previous versions client software. Thus this will not resolve the problem.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 864-866

QUESTION NO: 2

You are the network administrator for TestKing. All network servers run Windows Server 2003. A member server named TestKingSrv is configured to run shadow copies without a storage limit. TestKingSrv has the disk configuration shown in the following table. You need to create additional free space on TESTKINGDATA1. You also need to improve the performance of TestKingSrv and ensure it has sufficient space for shadow copies in the future. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Delete the shadow copies on TESTKINGDATA1.
B. Delete Backup.bkf on TESTKINGDATA3.
C. In the properties of TESTKINGDATA1, relocate the shadow copies to TESTKINGDATA2.
D. In the properties of TESTKINGDATA1, relocate the shadow copies to TESTKINGDATA3.
E. Delete TESTKINGDATA3 and extend the TESTKINGDATA1 partition to include the space on TESTKINGDATA3.
Answer: A, D

Explanation: The Volume Shadow Copy Services allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up. You can create additional free space on Testkingdata1 by configuring the Volume Shadow Service to store the shadow copies on another volume. You perform this by first deleting the existing shadow copies on Testkingdata1 by disabling Shadow Copies. The shadow copies then need to be relocated to Testkingdata3 when you re-enable Shadow Copies on Testkingdata1.

Incorrect Answers:
B: Backup.bkf is used by the ASR process to restore a damaged system. You should not delete this file.
C: For performance reasons, you should relocate the shadow copies to Testkingdata3, not Testkingdata2.
E: Deleting Testkingdata3 will result in a loss of data, this being the Backup.bkf file.

References:
Dan Holme & Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 292
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826.

QUESTION NO: 3

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You create a shared folder named TestKing Docs on a member server named TestKing3. TestKing Docs will store project documents. You need to ensure that users can access previous versions of the documents in TestKing Docs. What should you do?

A. Modify the Offline Settings option for TestKing Docs to make all files available offline.
B. Configure shadow copies of the volume containing TestKing Docs.
C. Use Task Scheduler to create a job that uses the Copy command to copy all changed documents to another folder every day.
D. Use the Backup utility to schedule a backup of all changed documents every hour.

Answer: B

Explanation: Shadow Copies of Shared Folders: Shadow Copies of Shared Folders provides point-in-time copies of files that are located on shared resources such as a file server. With Shadow Copies of Shared Folders, you can view shared files and folders as they existed at a point of time in the past. Accessing previous versions of your files, or shadow copies, is useful because you can: recover files that were accidentally deleted, recover from accidentally overwriting a file, and compare versions of a file while working. By default copies are scheduled to be taken at 7:00 A.M. and 12:00 noon, Monday through Friday. Restoring a previous version will delete the current version. If you choose to restore a previous version of a folder, the folder will be restored to its state at the date and time of the version you selected. You will lose any changes that you have made to files in the folder since that time. If you do not want to delete the current version of a file or folder, use Copy to copy the previous version to a different location.

Incorrect Answers:
A: Making files available Offline is irrelevant in this scenario.
C: schtasks.exe - You use schtasks.exe to set programs to run at scheduled intervals, delete or change existing scheduled tasks, and stop or run a scheduled task immediately. schtasks does not provide as much control over scheduled tasks as using the graphical interface.
D: Using the Backup Utility to make backups every hour of changed documents does not necessarily make these backups accessible to the users. It will first have to be restored. Making use of shadow copies is a better option.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 619-620.
QUESTION NO: 4

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. A member server named TestKingA runs Windows Server 2003. You need to use the Backup utility to back up all data on TestKingA three times per day. Files that are currently opened by applications must not be backed up. What should you do?

A. Run a differential backup.
B. Disable volume shadow copies.
C. Select the Exclude Files option.
D. Select the Compute selection information before backup and restore operations option.

Answer: B

Explanation: The Backup program will back up any open files when volume shadow copies are enabled. It does this by temporarily 'freezing' the application running the file while it backs it up. While the file is 'frozen', any writes to the file are stored in a buffer, until the file is backed up and unfrozen. You can prevent open files from being backed up by disabling volume shadow copies. The Volume Shadow Copy Services allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up. When performing a backup, the Windows Server 2003 Backup utility by default creates a volume shadow copy, which is a duplicate of the volume at the time the copy process began. This enables the Backup utility to back up all selected files, including those that are currently open by users or the operating system. Because the Backup utility uses a volume shadow copy, it ensures that all selected data is backed up and any open files are not corrupted during the process.
If this check box is checked, files that are open or in use are skipped when the backup is performed.

Incorrect Answers:
A: Differential Backup is a backup that copies files created or changed since the last normal or incremental backup. A differential backup does not mark files as having been backed up. (In other words, the archive attribute is not cleared.) If you are performing a combination of normal and differential backups, when you restore files and folders, you need the last normal backup as well as the last differential backup. A differential backup backs up open files if shadow copies are enabled.
C: You cannot select the Exclude files option at the time the backup runs because you do not know which files would be open.
D: When this option is selected, information about the size of the backup etc is calculated. This does not prevent open files from being backed up.

References:
http://www.seagate.com/support/kb/tape/4062.html
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826.

QUESTION NO: 5

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. The network includes a member server named TestKingSrvB. You need to create a shared folder on TestKingSrvB to store project documents. You must fulfil the following requirements:
1. Users must be able to access previous versions of the documents in the shared folder.
2. Copies of the documents must be retained every hour during business hours.
3. A history of the last 10 versions of each document must be maintained.
4. Documents that are not contained in the shared folder must not be retained.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create the shared folder in the root of the system disk on TestKingSrvB.
B. Create a new volume on TestKingSrvB. Create the shared folder on the new volume.
C. Enable the Offline Files option to make the shared folder available offline.
D. Enable the Offline Files option to make the shared folder automatically available offline.
E. Use Disk Management to configure shadow copies of the volume that contains the shared folder.

Answer: B, E

Explanation: To be able to save previous versions of files, you need to enable Shadow Copies. Whenever changes to a file are saved, a copy of the previous version of the file is automatically saved. The shared folder must be on a new volume on the member server, TestKingSrvB. After you enable shadow copies on the server and install the shadow copy client software on the desktop computer, end users can right-click on a file and view previous versions that were backed up via shadow copies. They can then keep the current version of the file or roll back to an early version.

Incorrect Answers:
A: We should avoid using the system disk to configure Shadow Copies for better performance and to not waste disk space. We should create a new volume and configure the shared folder in that volume for project documents.
C: We need to enable Shadow Copies, not offline files. Offline files is a feature in Windows Server 2003, Windows XP, and Windows 2000 that allows users to continue to work with network files and programs even when they are not connected to the network. When a network connection is restored or when users dock their mobile computers, any changes that were made while users were working offline are updated to the network. When more than one user on the network has made changes to the same file, users are given the option of saving their specific version of the file to the network, keeping the other version, or saving both.
D: We need to enable Shadow Copies, not offline files.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 29
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 5

QUESTION NO: 6

You are the network administrator for TestKing. All network servers run Windows Server 2003. Business hours are 9:00 A.M. to 5:00 P.M., Monday through Friday. Users cannot access network servers outside of business hours. The network includes a member server named TestKingSrvC. Disk E:\ on TestKingSrvC hosts shared folders for TestKing company users. Currently, E:\ contains 10 GB of data. Its total disk capacity is 80 GB. You need to ensure that shadow copies of the files on E:\ are created every day. A maximum of four hours' worth of data can be lost. Users must be able to access previous versions of files from the preceding 30 days. When should you schedule shadow copies?

A. 5:00 A.M. only
B. 9:00 A.M. and 5:00 P.M.
C. 9:00 A.M. and 1:00 P.M.
D. 5:00 A.M., 1:00 P.M., and 5:00 P.M.

Answer: C

Explanation: We cannot lose more than four hours of data. The files can be a shadow copy at no more than 4 hour intervals during the working day. The files won't be modified after 5.00pm so we can take a copy of them at 9.00AM the next day. The next copy must be 4 hours later (1.00pm).

Incorrect Answers:
A: We must take a shadow copy at no more than 4 hour intervals during the working day. We can lose up to 8 hours work with this answer.
B: We must take a shadow copy at no more than 4 hour intervals during the working day. We can lose up to 8 hours work with this answer.
D: This would work but it will waste disk space because the 5.00am copy will be the same as the 5.00pm copy from the previous day.

QUESTION NO: 7

You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All users are members of the Users global group. All servers run Windows Server 2003, and all client computers run Windows XP Professional. A member server named TestKing1 contains a data volume named Disk1, which hosts a shared folder named TestKing Data. All members of the Users group have permissions to read and modify the contents of TestKing Data. You create a shadow copy of Disk1. However, users report that they cannot access any previous version of any of the files in TestKing Data. From TestKing1, you access a file named data.mdb, which resides in TestKing Data. You successfully access previous versions of data.mdb. Then, you log on to a representative client computer. You open the Properties dialog box for data.mdb, as shown in the exhibit. You need to enable all users to access previous versions of the files in the TestKing Data. What should you do?

A. Enable all members of the Users group to take ownership of the files in TestKing Data.
B. Assign the Allow - Full Control share permission on TestKing Data to the Users group.
C. Use Group Policy to deploy the application package from TestKing1\windows\system32\clients\tsclient to all client computers.
D. Use Group Policy to deploy the application package from TestKing1\windows\system32\clients\twclient to all client computers.

Answer: D

Explanation: To access previous versions of files, the client computers need the 'Previous Versions' client installed on their machines. The Previous Versions Client must be installed or the Previous Versions tab does not appear in the properties of a shared file. The Previous Versions tab appears only when viewing files across the network. It does not appear if you view files on the local hard disk. If you want to replace the current version of a file with an older version, you can use the Restore button on the Previous Versions tab.
Deploying the client software for shadow copies - The client software for Shadow Copies of Shared Folders is installed on the server, in the \\%systemroot%\system32\clients\twclient directory. Making use of Group Policy will enable you to deploy the application package, in this case the deployment of client software for shadow copies, from TestKing1 to all client computers.

Incorrect )ns"ers: ): The ownership of the file has no rele%ance to pre%ious %ersions and the 6uestion as/s for the a%ailabilit and accessibilit of pre%ious files for all the users. +: (ull .ontrol share permission is not necessar to access the pre%ious %ersions of files. Iou need the client software installed to be able to access those specific %ersions of the files. ': This is the Terminal $er%ices client software, not the pre%ious %ersions client software. Thus this will not resol%e the problem. De$erence: ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F2= 2 Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, 4aura 3. Aunter L !ill $chmied, Managing and Maintaining a !indows $er%er 2""3 3n%ironment $tud Cuide L D?D Training $ stem, pp. >;-2>;; .9 Restore data from shadow cop %olumes.*1 :uestion+ QUESTION NO: < You are the net"or0 administrator $or Test0ing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com ) !indo"s Ser/er 2==, com#uter named TestBing, $unctions as a $ile ser/er TestBing, has t"o data /olumes: /olume E and 8olume E 8olume E contains user data The E:QUserData $older is shared as Users The 8olume Shado" 'o#y ser/ice is scheduled to create a shado" co#y bac0u# t"ice a day on /olume E* using the de$ault storage area Users re#ort that only the most recent $iles /ersions are a/ailable in the .re/ious 8ersions #ro#erty o$ the Users share You disco/er that /olume E does not ha/e enough s#ace and is discarding old shado" co#ies too soon You decide to mo/e the shado" co#y storage area to /olume E :o"e/er* "hen you o#en the settings $or /olume E shado" co#y* you cannot change the storage location You need to mo/e the shado" co#y storage area to /olume E so that there is enough s#ace $or additional co#ies !hat should you do% A. Add a shadow cop to %olume ( b using the ?$$Admin command .reate $hadow. 
Then remote the old shadow cop storage association b using the ?$$Admin command Delete $hadows. 1. .hange the folder properties on %olume 3 so that ou can %iew protected operating s stem files. .op the $ stem %olume information folder to ?olume (. Then change the shadow cop storage area of %olume 3 to %olume (. .. Add a shadow cop storage association to %olume ( b using the ?$$Admin command Add $hadow$torage. Then remo%e the old shadow cop storage association b using the ?$$Admin command Delete $hadow$torage. D. 1ac/ up and delete all current shadow copies for ?olume 3. Mo%e the shadow cop storage area of %olume 3 to %olume (. Then restore the bac/up cop to the new location. ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F3" 2 )ns"er: D E3#lanation: You need to change the storing location $or the shado" co#ies to /olume E since there is enough s#ace a/ailable on /olume E in this scenario This can be done by mo/ing the current shado" co#ies $rom /olume E to /olume E a$ter it has been bac0ed u# and deleted $rom /olume E you ob/iously then also ha/e to restore the mo/ed shado" co#ies on /olume E Incorrect ans"ers: ): This option does not sol%e the problem of changing the location for the storage of shadow copies. The copies will still be sa%ed to %olume 3. +: This option is not the answer. ': A storage association with %olume ( as described in this option will not sol%e the problem of too little space. 1esides ou need to pre%ent the discarding of old shadow copies until the are obsolete. De$erence: Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, 4aura 3. Aunter and !ill $chmied, Managing and Maintaining a !indows $er%er 2""3 3n%ironment $tud Cuide L D?D Training $ stem, p. >;2 Dan 1alter, M.$AHM.$3 Managing and Maintaining a Microsoft !indows $er%er 2""3 3n%ironment 3Bam .ram 2 *3Bam G"22="+, .hapter 3 D9 1ac/ up files and $ stem$tatedata to media. 
(17 Questions)

QUESTION NO: 1 HOTSPOT
You are the network administrator for TestKing.com. The network includes a Windows Server 2003 computer that functions as a file server for all network users. The files on this server consist of large reports generated by another server running Microsoft SQL Server 2003. The files are replaced daily. You need to implement a backup strategy for the server. This strategy must fulfill the following requirements:
1. Backups must occur every day.
2. All open files in the backup set must be processed as quickly as possible.
3. Restoration of the server must occur as quickly as possible and must require the smallest possible number of tapes to be retrieved from an offsite facility.
4. Archive bits on the files must not be cleared.
What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Check the "Disable volume shadow copy" check box. Select "Copy" as the backup type.
Disable volume shadow copy - When performing a backup, the Windows Server 2003 Backup utility by default creates a volume shadow copy, which is a duplicate of the volume at the time the copy process began. This enables the Backup utility to back up all selected files, including those that are currently open by users or the operating system. Because the Backup utility uses a volume shadow copy, it ensures that all selected data is backed up and any open files are not corrupted during the process. If this check box is checked, files that are open or in use are skipped when the backup is performed.
Copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations.
Reference:
Server Help
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 826

QUESTION NO: 2
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A member server named ServerTK1 is configured to run shadow copies without a storage limit. ServerTK1 has the disk configuration shown in the following table.
Volume | Disk | Capacity | Contents | Free space
MAIN | TK0 | 5 GB | System files | 45 percent
DATA1 | TK1 | 30 GB | User data, shadow copies | 5 percent
DATA2 | TK2 | 5 GB | Databases | 20 percent
DATA3 | TK3 | 30 GB | Backup.bkf | 80 percent
You need to create additional free space on DATA1. You also need to improve the performance of ServerTK1 and ensure that it has sufficient space for shadow copies in the future. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Delete the shadow copies of DATA1.
B. Delete Backup.bkf on DATA3.
C. In the properties of DATA1, relocate the shadow copies to DATA2.
D. In the properties of DATA1, relocate the shadow copies to DATA3.
E. Delete DATA3 and extend the DATA1 partition to include the space on DATA3.
Answer: A, D
Explanation: We can free up some space on data1 by configuring the Volume Shadow Service to store the shadow copies on another volume. To do this, we must first delete the existing shadow copies on data1 by disabling Shadow Copies and then relocate the shadow copies to data3 when we re-enable Shadow Copies on data1. The Volume Shadow Copy Service allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up.
Incorrect Answers:
B: Backup.bkf is used by the ASR process to restore a damaged system. This file should never be deleted.
C: For performance reasons, and keeping in mind that you have to create space, we should relocate the shadow copies to data3, not data2.
E: should not be deleted.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826

QUESTION NO: 3
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. You perform normal backups of all servers every day. During server maintenance, you review the backup log for a server named TK1. You notice that some files are not backed up. The backup log is shown in the exhibit:
You need to ensure that all files on TK1 are available for restoration after the backup is complete. What should you do?
A. Disable the Event Log service.
B. Disable the File Replication service.
C. Enable the Virtual Disk service.
D. Back up by using Volume Shadow Copy.
Answer: D
Explanation: This problem is caused by the file being open at the time of the backup. With Shadow copies enabled, the Backup program will back up any open files. It does this by temporarily 'freezing' the application running the file while it backs it up. While the file is 'frozen', any writes to the file are stored in a buffer until the file is backed up and then unfrozen. If Volume Shadow Copy is disabled, any open files will not be backed up properly.
Incorrect answers:
A: Disabling the Event Log service will not ensure that all files will be available.
B: Disabling the File Replication service will not ensure that all TK1 files will be available for restoration, as this service's log only records activities related to the File Replication Service, such as errors or significant events reported by the File Replication Service related to the copying of information between domain controllers during a replication cycle.
C: Enabling the Virtual Disk service will not ensure that all files will be available.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 4
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain named testking.com. The network includes 20 member servers running Windows Server 2003 and 4 domain controllers running Windows Server 2003. All client computers run Windows XP Professional. A member server named TestKingSrvA functions as a file server. TestKingSrvA has a locally attached tape device. You need to create a backup schedule for TestKingSrvA. All data on TestKingSrvA must be backed up once a week. Every day, you need to back up only the data that was changed after the last weekly backup. You need to minimize the amount of time taken to restore the data in the event of a hardware failure. What should you do? (Choose two.)
A. Perform a normal backup every week.
B. Perform a copy backup every week.
C. Perform a differential backup every week.
D. Perform an incremental backup every week.
E. Perform a normal backup every day.
F. Perform a copy backup every day.
G. Perform a differential backup every day.
H. Perform an incremental backup every day.
Answer: A,
Explanation: Use a differential backup to back up all files that have changed since the last normal or incremental backup. However, when this type of backup is performed, the archive attribute isn't cleared. This means that the data on one differential backup contains the same information as the previous differential backup, plus any additional files that have changed. Since unchanged data is continually being backed up with this method, differential backups take longer to perform than incremental backups. However, when restoring backed up data, only the last normal backup and the last differential backup need to be restored. This makes the time it takes to fully restore a system faster than with a combined normal and incremental backup method.
Use a normal backup when you want to back up all the files you select in a single backup job. When you select this type of backup, the Backup utility backs up the selected files to a file or tape, ignoring whether the archive attribute is set or cleared. In other words, it After backing up a file, it then changes the archive attribute to indicate that the file was backed up. Normal backups are commonly selected when you are performing full backups, in which all files on a volume are backed up.
References:
http://www.seagate.com/support/kb/tape/4062.html
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823

QUESTION NO: 5 HOTSPOT
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. You need to perform backups over the network every day. You also need to ensure that full recovery can occur as quickly as possible. However, bandwidth limitations prevent you from backing up all files every day. You configure a normal backup to run weekly. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Select "Differential" for the backup type.
A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.
Use a differential backup to back up all files that have changed since the last normal or incremental backup. However, when this type of backup is performed, the archive attribute is not cleared. This means that the data on one differential backup contains the same information as the previous differential backup, plus any additional files that have changed. Since unchanged data is continually being backed up with this method, differential backups take longer to perform than incremental backups. However, when restoring backed up data, only the last normal backup and the last differential backup need to be restored. This makes the time it takes to fully restore a system faster than with a combined normal and incremental backup method.
Reference:
Server Help
http://www.seagate.com/support/kb/tape/4062.html
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823

QUESTION NO: 6
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A member server named TK1 hosts several hundred folders, which are located on multiple volumes on the server. A backup job on TK1 is configured to run a normal backup of the folders every Saturday at 1:00 A.M. On Wednesday morning, you discover that you need to install a new application on TK1 before the close of business that day. You need to back up all folders on TK1 as quickly as possible so you can install the new application. What should you do?
A. Create a new backup job that specifies the folders and runs once only.
B. Run the existing backup job.
C. Enable Volume Shadow Copy for the volumes that contain the folders.
D. Create an Automated System Recovery (ASR) set.
Answer: B
Explanation: There is an existing backup job which is configured to back up the several hundred folders, in other words the normal backup on folders that are set for every Saturday. It would take a long time to configure another backup job and select all the folders again. The question states that you are pressed for time on the Saturday past. A much easier solution would be to run the existing backup job.
Incorrect Answers:
A: It would take a long time to configure another backup job and select all the folders again. A much easier solution would be to run the existing backup job.
C: Enabling Volume Shadow Copy for the volumes that contain the folders will not back up the folders. With Shadow copies enabled, the Backup program will back up any open files. It does this by temporarily 'freezing' the application running the file while it backs it up. While the file is 'frozen', any writes to the file are stored in a buffer until the file is backed up and then unfrozen. If Volume Shadow Copy is disabled, any open files will not be backed up properly.
D: An ASR backup backs up the system files necessary to recover a failed system. It will not back up user data.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 281

QUESTION NO: 7
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain named testking.com. The network includes 20 member servers running Windows Server 2003 and 4 domain controllers running Windows Server 2003. All client computers run Windows XP Professional. A member server named TestKingSrvA functions as a file server. TestKingSrvA has a locally attached tape device. You need to create a backup schedule for TestKingSrvA. All data on TestKingSrvA must be backed up once a week. Every day, you need to back up only the data that was changed after the last backup. You need to minimize the amount of data that must be backed up every day. What should you do? (Choose two.)
A. Perform a normal backup every week.
B. Perform a copy backup every week.
C. Perform a differential backup every week.
D. Perform an incremental backup every week.
E. Perform a normal backup every day.
F. Perform a copy backup every day.
G. Perform a differential backup every day.
H. Perform an incremental backup every day.
Answer: A, H
Explanation: Use an incremental backup to back up all files that have changed since the last normal or incremental backup. When each file is backed up, the archive attribute is cleared. Because only files that have changed are backed up, this type of backup takes the least amount of time to perform. However, it also takes the most amount of time to restore, because the last normal backup and every subsequent incremental backup must be restored to fully restore all data and make the contents of the computer as up-to-date as possible.
Use a normal backup when you want to back up all the files you select in a single backup job. When you select this type of backup, the Backup utility backs up the selected files to a file or tape, ignoring whether the archive attribute is set or cleared. In other words, it After backing up a file, it then changes the archive attribute to indicate that the file was backed up. Normal backups are commonly selected when you are performing full backups, in which all files on a volume are backed up.
References:
http://www.seagate.com/support/kb/tape/4062.html
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823

QUESTION NO: 8 DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. The domain contains five domain controllers and five member servers. A member server named TestKingA has a locally attached tape device. You have a total of seven backup tapes to use for TestKingA. You need to back up all data on TestKingA every week. You do not need to back up all data every day. You must have the ability to completely restore TestKingA to its state on the previous day by using a maximum of two tapes. Which backup types should you use? To answer, drag the appropriate backup type to the corresponding backup schedule.
Answer:
Explanation: Differential Backup is a backup that copies files created or changed since the last normal or incremental backup. A differential backup does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, when you restore files and folders, you need the last normal backup as well as the last differential backup.
A normal backup is a backup that copies all files and marks those files as having been backed up (in other words, the archive attribute is cleared). A normal backup is the most complete form of backup.
Reference:
http://www.seagate.com/support/kb/tape/4062.html
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9

QUESTION NO: 9
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. A member server named TestKingSrv1 functions as the backup server. Every night, TestKingSrv1 performs a normal backup of all files on drive D:\ of all servers in the domain. Files are stored on magnetic tape. A new written company security policy states that all servers must be protected from registry corruption. You need to ensure that a current copy of the registry from every server on the network is automatically backed up daily on magnetic tape. What should you do?
A. On TestKingSrv1, create a new backup job that runs every day. Configure the job to back up drive C:\ on every network server.
B. On TestKingSrv1, select Options, and then select the Exclusions tab. Remove all exclusions for files of the Registry Writer application type.
C. On each network server, start Registry Editor. On the File menu, select Export. Specify All as the export range. Export the registry to drive D:\.
D. On each network server, configure a new backup job that runs every day. Configure the job to back up each server's System State data in a file on drive D:\.
Answer: D
Explanation: On a Windows Server 2003 server, the System State Data consists of the Registry, the COM+ Class Registration database, and the system boot files. If the server is a certificate server, the System State Data will also include the Certificate Services database, and if the server is a domain controller, the System State Data will include the Active Directory services database and the SYSVOL directory. Thus, by configuring a backup job to back up the System State Data we will ensure that the registry is automatically backed up to Drive D every day. The data will then be backed up to tape when the backup of Drive D is made.
Incorrect Answers:
A: Assuming that Drive C contains the system volume, configuring a backup job of Drive C will ensure that the registry is backed up as the registry resides in the system volume. However, we do not need to back up the whole Drive C, only the registry. Therefore this is not the best option as Drive C:\ doesn't get backed up to tape. Only drive D:\ gets backed up.
B: In Windows Server 2003, the Options dialog box is located on the Tools menu of the Backup Utility. The Options dialog box, however, does not have an Exclusions tab but has an Exclude Files tab. This tab specifies the file types that must be excluded from the backup operation. Removing file types from this list will ensure that files of those file types will be backed up if they are on the volume being backed up. However, we cannot be sure that the registry is located on Drive D. Therefore this will not help as it will not back up the registry.
C: This could work but it is a manual process. Exporting the registry of each server to Drive D on that server will ensure that the registry is backed up when the daily backup of the drive D on all servers is performed. However, exporting the registry is a manual process. Configuring a scheduled backup operation (which is automated) would be the better solution.
References:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 13-3

QUESTION NO: 10
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. You are responsible for defining the procedures for backing up and restoring all servers. TestKing uses the Backup utility. To enhance security, the IT department deploys certificates to all network users. Smart cards will be required to log on to the domain. A domain controller named TestKingDC1 is configured as the certificate server. You need to create a backup plan for TestKingDC1. The backup must include only the minimum amount of data needed to restore Active Directory and the certificate server. Which action or actions should you perform? (Choose all that apply.)
A. Back up the System State data.
B. Back up C:\windows\ntds.
C. Back up C:\windows\sysvol.
D. Back up C:\windows\system32\certsrv.
Answer: A
Explanation: System State - The System State data includes the registry, COM+ Class Registration database, files under Windows File Protection, and system boot files. Depending on the configuration of the server, other data may be included in the System State data. For example, if the server is a certificate server, the System State will also contain the Certificate Services database. If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.

QUESTION NO: 11
You are the network administrator for Testking.com. Your network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. TestKing consists of a main office and two branch offices. The company expands to an additional branch office. This branch office has very little available network bandwidth. You need to install a new domain controller named DC9 at the new branch office. Your installation must minimize costs and network traffic. What should you do?
A. Back up the System State data of an existing domain controller on removable media. Mail a physical copy of the backup to the branch office. Use the backup to install Active Directory on DC9.
B. For the branch office, create a new Active Directory site that contains no other domain controllers. Install Active Directory on DC9.
C. Place DC9 on an IP subnet that already contains a domain controller. Install Active Directory on DC9. Physically transport DC9 to the branch office.
D. Back up the System State data of an existing domain controller. Compress the backup. Copy the backup to DC9 at the branch office. Uncompress the backup. Use the backup to install Active Directory on DC9.
Answer: D
Explanation: When you install a domain controller for the new branch office, the DCPROMO process needs to replicate a copy of the Active Directory from an existing domain controller. Due to the need to minimize network traffic, Windows Server 2003 offers the DCPROMO /ADV option. This is used to promote a domain controller and copy the Active Directory from a backup copy.
To deploy an additional domain controller in an existing domain, you can either let replication copy domain information from an existing source domain controller over the network or you can use the install from media feature, new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on local CD, DVD, or hard disk partition.
Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in environments with very large domains or for installing new domain controllers that are connected by a slow network link.
To use the install from media feature, you first create a backup of System State from the existing domain controller, and then restore it to the new domain controller by using the Restore to: Alternate location option.
To install Active Directory on the second domain controller:
1. Log on to the Windows Server 2003-based member server.
2. If you want to copy domain information from restored backup files, at the command line, type: dcpromo /adv
References:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=

QUESTION NO: 12
You are a network administrator for TestKing.com. The network contains a Windows Server 2003 computer named Testking1. You need to install an application on Testking1. The installation will cause several changes to the registry. You plan to use the Backup utility to create a backup that will enable you to restore the registry. TestKing requirements for network management state that all backups must be performed during an eight-hour period at night. Because of this time constraint, you need to ensure that the backup can be recovered as quickly as possible. You need to create a backup that meets the requirements. What should you do?
A. Create a backup of the system partition.
B. Create a backup of the boot partition.
C. Create a backup of the System State.
D. Create an Automated System Recovery (ASR) backup.
E. Create a backup of the Systemroot\System32\Config folder.
Answer: C
Explanation: System state backups are performed using the Windows Server 2003 Backup utility. The Backup tab of this utility has panes that list the drives and directories that can be included in a backup. One of the items that appear in the list under My Computer is System State. By checking the check box beside this item, you can designate that the System State data be included in a backup. System State data can be backed up using the Windows Server 2003 Backup utility. Active Directory and the SYSVOL directory are included in the System State only on domain controllers.
System State - The System State data includes the registry, COM+ Class Registration database, files under Windows File Protection, and system boot files. Depending on the configuration of the server, other data may be included in the System State data. For example, if the server is a certificate server, the System State will also contain the Certificate Services database. If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 828, 848, 871, 952

QUESTION NO: 13
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com, that contains two domain controllers. The domain controllers run Windows Server 2003 and Certificate Services. Each domain controller has a single mirrored hard disk that contains a single NTFS volume. You are responsible for backing up all servers. TestKing requirements state that backups must be performed only between the hours of 1:00 A.M. and 6:00 A.M. All servers share a single backup device. Because a large amount of data must be backed up, you need to complete the required backups as quickly as possible in order to complete the backups within the allotted time. You need to back up Active Directory and Certificate Services on the two domain controllers. The backup must include only the minimum amount of data necessary. Which action or actions should you perform? (Choose all that apply.)
A. Perform a backup of the System State by using the Backup utility.
B. Perform a shadow copy backup of the C:\Windows\Ntds folder by using the Backup utility.
C. Perform a shadow copy backup of the C:\Windows\Sysvol folder by using the Backup utility.
D. Perform a shadow copy of the C:\Windows\System32\Certsrv folder by using the Backup utility.
Answer: A
Explanation: System state backups are performed using the Windows Server 2003 Backup utility. The Backup tab of this utility has panes that list the drives and directories that can be included in a backup. One of the items that appear in the list under My Computer is System State. By checking the check box beside this item, you can designate that the System State data be included in a backup. System State data can be backed up using the Windows Server 2003 Backup utility. Active Directory and the SYSVOL directory are included in the System State only on domain controllers.
System State - The System State data includes the registry, COM+ Class Registration database, files under Windows File Protection, and system boot files. Depending on the configuration of the server, other data may be included in the System State data. For example, if the server is a certificate server, the System State will also contain the Certificate Services database. If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.
Incorrect answers:
B: Shadow copy backups allow applications to continue to write data to a volume during backup, and allow administrators to perform backups at any time without locking out users or risking skipped files. The ntds folder is used to recover deleted objects in Active Directory by marking those objects as authoritative, following a normal, or non-authoritative, restore of the System State with the Backup Utility. This will result in unnecessary files being backed up as well.
C: Shadow copy backups allow applications to continue to write data to a volume during backup, and allow administrators to perform backups at any time without locking out users or risking skipped files. The sysvol folder is included in the system state since the server is a domain controller.
D: Shadow copy backups allow applications to continue to write data to a volume during backup, and allow administrators to perform backups at any time without locking out users or risking skipped files. If the C:\Windows\System32\Certsrv folder is also backed up, you will end up with unnecessary files again.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 276, 828, 848, 871, 952

QUESTION NO: 14 DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. A member server named TestKingSrvA has a locally attached tape device.

You need to back up all data on TestKingSrvA at least once every week. Every day, you need to back up only the data that was changed after the last backup. You need to minimize the amount of data that must be backed up every day.
Which backup types should you use? To answer, drag the appropriate backup type to the corresponding backup schedule.
Answer:
Explanation: The Backup utility supports five methods of backing up data on your computer or network: Copy backup, Daily backup, Differential backup, Incremental backup as well as normal backup. In this scenario you would need to make use of Incremental and normal backups.
Once a week a normal backup is performed, and on Monday through Friday incremental backups are performed. Incremental backups clear the archive attribute, which means that each backup includes only the files that changed since the previous backup. If data becomes corrupt on Friday, you need to restore the normal backup from Sunday and each of the incremental backups, from Monday through Friday.
Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method. However, recovering files can be time-consuming and difficult because the backup set might be stored on several disks or tapes. Backing up your data using a combination of normal backups and differential backups is more time-consuming, especially if your data changes frequently, but it is easier to restore the data because the backup set is usually stored on only a few disks or tapes.
Reference:
Server Help
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 26

QUESTION NO: 15
You are the network administrator for Testking.com. All network servers run Windows Server 2003. You install Software Update Services (SUS) on one server. You configure the following settings:
1. Do not use a proxy server for Internet access.
2. Synchronize directly from the Microsoft Windows Update servers.
3. Automatically approve new versions of previously approved updates.
4. Save updates in a local folder.
You perform a manual synchronization. Now you need to back up the critical information that is related to your installation of SUS.
What should you do?
A. First, use the Backup utility to back up the System State data. Then, use the IIS administration tool to back up the default Web site.
B. First, use the IIS administration tool to back up the default Web site. Then, use the Backup utility to back up the System State data.
C. First, use the IIS administration tool to back up the IIS metabase. Then, use the Backup utility to back up the IIS metabase file, the default Web site, and the content storage location.
D. First, use the Backup utility to back up the IIS metabase file, the default Web site, and the content storage location. Then, use the IIS administration tool to back up the IIS metabase.
Answer: C
Explanation: You need to back up the Web site directory that the administration site was created in, the SUS directory that contains the content, and the IIS metabase. When you install SUS on a Windows Server 2003 computer, a SUS folder is created (on the NTFS volume with the most free space by default) as the content storage location for the updates, an IIS Web site that services update requests from Automatic Updates clients is created (in the default Web site by default) and numerous changes are made to the IIS metabase. Therefore, to back up the critical information that is related to our SUS installation, we must back up the SUS folder, the Web site that holds the IIS Web site (the default Web site by default), and the IIS metabase. To back up the IIS metabase, we must use the IIS administration tool to back it up to a file and then use the Backup utility to back up that file.
Incorrect Answers:
A: You don't need to back up the system state data. The installation of SUS makes changes to the IIS metabase. The IIS metabase is part of the System State Data in IIS computers. Thus backing up the System State Data will back up the IIS metabase. However, we must also back up the SUS folder and the Web site that holds the IIS Web site that services update requests from Automatic Updates clients. Furthermore, the Web site that holds the IIS Web site cannot be backed up using the IIS Administration tool.
B: You don't need to back up the system state data. The Web site that holds the IIS Web site cannot be backed up using the IIS Administration tool. Furthermore, we must also back up the SUS folder and the IIS metabase. The IIS metabase is part of the System State Data in IIS computers. Thus backing up the System State Data will back up the IIS metabase. However, we must also back up the SUS folder.
D: You must use IIS to back up the metabase to a file before you can back up the file with the Backup program. To back up the critical information that is related to our SUS installation, we must back up the SUS folder, the default Web site, and the IIS metabase. However, to back up the IIS metabase, we must use the IIS administration tool to back it up to a file and then use the Backup utility to back up that file, not the other way around.
Reference:
MS White Paper: Deploying Microsoft Software Update Services
Michael Cross and Jeffery A. Martin, MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, p. 698

QUESTION NO: 16 Exhibit, table
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. All servers in the domain are backed up according to the schedule shown in the table. Server backups occur each night at 11:00 P.M. A copy of each night's backup is stored on a separate backup tape.
A server named TestKing3 functions as the main file server. You want to validate a restoration of TestKing3 in your lab environment. You need to restore Testking3 on Thursday afternoon to its most current state.
Which backup tape or tapes should you use? (Choose all that apply.)
A. Sunday's normal backup tape
B. Monday's differential backup tape
C. Tuesday's differential backup tape
D. Wednesday's differential backup tape
Answer: A, D
Explanation: A normal backup is a backup type that backs up all selected folders and files and then marks each file that has been backed up as archived. A differential backup is a backup type that copies only the files that have been changed since the last normal backup (full backup), and does not reset the archive bit (indicating that the file has been backed up). In the question it is stated that normal backups occur on Sundays and are combined with differential backups from Monday through Saturday. Thus, to restore TestKing3 to its most current state on Thursday afternoon, you should make use of the Sunday normal backup tape as well as the Wednesday differential backup tape.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 581

QUESTION NO: 17
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. Recently, another network administrator created a scheduled task to perform a normal backup of a Microsoft Exchange Server 2003 computer every Saturday night.
You need to perform maintenance tasks on the Exchange server on this Saturday night only. If the backup starts while you are performing the maintenance tasks, data might be corrupted. You need to ensure that the backup task does not start while you perform the maintenance tasks.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. In the Backup utility, clear the Enabled (scheduled tasks runs at specified time) check box.
B. In Control Panel, use Scheduled Tasks to pause Task Scheduler.
C. Run the Schtasks command with the /end /p parameters.
D. Use the Services snap-in to change the startup type of the Task Scheduler service from Automatic to Manual.
Answer: A, B
Explanation: Pausing the Task Scheduler as well as clearing the Enabled (scheduled tasks run at specified time) check box will allow you time to perform maintenance tasks before backups start.
Incorrect answers:
C: Running the Schtasks command with the /end /p parameters is not the answer.
D: This option is unnecessary.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 535-536

E: Configure security for backup operations. (1 Question)

QUESTION NO: 1
You are the network administrator for TestKing.com. On a Windows Server 2003 computer named TestKingF, you use the backup program to automatically back up eight servers. You use a scheduled task named AutoBack. The task runs in the security context of a domain account named NightBackup.
The Default Domain Policy Group Policy object (GPO) is configured with the following account policies settings:
1. Minimum password length: 8 characters
2. Password expiration: 30 days
3. Enforce password history: 12 passwords remembered
4. Account lockout threshold: 3 invalid logon attempts
5. Account lockout duration: 30 minutes
The backup program runs successfully for four weeks. After four weeks, you notice that nightly backups no longer occur. A successful backup occurs when you log on to TestKingF with your own user account and perform a local backup. Your user account is a member of the Domain Admins group.
You want the AutoBack scheduled task to perform unattended backups every night at 11:00 P.M.
Which two actions should you perform in order to resume the nightly backups by using the AutoBack scheduled task? (Each correct answer presents part of the solution. Choose two.)
A. Unlock the NightBackup user account.
B. Enable the NightBackup user account.
C. On the properties sheet for the AutoBack.Job scheduled task, reset the password.
D. Reset the password for the NightBackup user account.
E. Configure the local security policy on TestKingF to grant the service account the Logon locally right.
F. Configure the local security policy on TestKingF to grant the service account the Logon as a service right.
Answer: C, D
Explanation: The question states that the backup program ran successfully for four weeks, which is more or less 30 days. Because of the password expiration being 30 days, the passwords listed in C and D have to be reset.
Incorrect Answers:
A: The problem is not a case where you could unlock the account to be able to resume Policy group policy object.
B: Disabled accounts have as a consequence the inability to log on with the account. It does not alter or modify password settings. Thus enabling an account also has nothing to do with the password that has to be reset for you to be able to have AutoBack running its scheduled backups.
E, F: These options are irrelevant to the problem stated here.
Reference:

Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 3, pp. 123-128

Part 2: Manage backup procedures.
A: Verify backup jobs and backup data. (12 Questions)

QUESTION NO: 1
You are the network administrator for TestKing. All network servers run Windows Server 2003, and all are configured to run normal backups. A database server named TestKingSQL runs Microsoft SQL Server 7.0.
You discover that some database files on TestKingSQL are not backed up during scheduled backups. You open the Scheduled Job Options dialog box for one of the scheduled backups, as shown in the exhibit.
You need to modify the properties of the scheduled backup job to ensure that all database files on TestKingSQL are backed up, even when users are accessing those files.
What should you do?
A. Enable the /SNAP switch on the run command.
B. Enable the /V switch on the run command.
C. Configure a copy backup.
D. Configure a daily backup.
Answer: A
Explanation: The exhibit shows that shadow copies are disabled. We need to enable the backup to use a shadow copy in order to back up the open files. The /SNAP:{on | off} switch specifies whether or not the backup should use a volume shadow copy.
Incorrect Answers:
B: The /V switch is used to verify the data after the backup is complete. It doesn't enable a shadow copy.
C: We need to configure the backup to use a shadow copy.
D: We need to configure the backup to use a shadow copy.

QUESTION NO: 2
You are a network administrator for TestKing.com. All servers run Windows Server 2003. A network server named Testking1 functions as the main file server. Testking1 is backed up each night by using the Backup utility.
You perform a test restoration of Testking1 by using the Backup utility. You discover that files that are open during the backup process are not being backed up. You need to ensure that open files are backed up successfully.
What should you do?
A. Enable volume shadow copies on the partitions that are being backed up.
B. Disable volume shadow copies on the partitions that are being backed up.
C. Select the Verify data after backup check box in the Advanced backup options of the backup job.
D. Clear the Disable volume shadow copy check box in the Advanced backup options of the backup job.
Answer: D
Explanation: This problem is probably caused by the file being open at the time of the backup. With Shadow copies enabled, the Backup program will back up any open files. It does this by temporarily 'freezing' the application running the file while it backs it up. While the file is 'frozen', any writes to the file are stored in a buffer until the file is backed up and then unfrozen. If Volume Shadow Copy is disabled, any open files will not be backed up properly.
The Volume Shadow Copy Services allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up.
Disable volume shadow copy - When performing a backup, the Windows Server 2003 Backup utility by default creates a volume shadow copy, which is a duplicate of the volume at the time the copy process began. This enables the Backup utility to back up all selected files, including those that are currently open by users or the operating system. Because the Backup utility uses a volume shadow copy, it ensures that all selected data is backed up and any open files are not corrupted during the process. If this check box is checked, files that are open or in use are skipped when the backup is performed.
Incorrect answers:
A: With shadow copies enabled, you will get to back up all the files, even those that are open. Though, this is only the case if it is done in the Advanced Backup option of the Backup job.
B: Disabling shadow volume copies in any circumstance will not back up open files.
C: Your task is not to verify data at the moment but rather to back up all data.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826.

QUESTION NO: 3
You are the network administrator for Testking.com. You administer a Windows Server 2003 computer named TestKing2. TestKing2 contains a shared folder named TestKingProjects. You use the Backup utility once each day to back up the TestKingProjects folder.
You discover that a database file in the TestKingProjects folder is corrupt. You confirm that the file corruption is not the result of a virus. You need to replace the corrupted file by using the latest backup. You do not know whether the file was corrupted before or after the latest backup was completed.
You need to verify that the file in the backup can be opened successfully before you overwrite the existing file.
What should you do?
A. In the Backup utility, select the Verify data after backup option.
B. Run the Ntbackup \\TestKing2\TestKingProjects /v:yes command.
C. Restore the file to a temporary folder. Verify that the database file contains the correct data. Copy the restored file to the TestKingProjects folder.
D. Restore the file to a temporary folder. Use the Windiff utility to compare the file in the temporary folder to the file in the TestKingProjects folder. Copy the restored file to the TestKingProjects folder.
Answer: C
Explanation: To verify backup and restore procedures, many administrators will perform a test restore of a backup set. So as not to damage production data, that test restore is targeted not at the original location of the data, but at another folder, which can then be discarded following the test. Thus if you apply this information to the scenario in the question, you should restore the file to a temporary folder, verify whether the correct data is contained in the database file and then copy the restored file to the TestKingProjects folder.
Incorrect answers:
A: Verify Data After The Backup Completes is where the system compares the contents of the backup media to the original files and logs any discrepancies. This option obviously adds a significant amount of time for completing the backup job. Discrepancies are likely if data changes frequently during backup or verification, and it is not recommended to verify system backups because of the number of changes that happen to system files on a continual basis. You do not want to verify data after backup, but rather verify whether the file can be opened successfully.
B: Running the ntbackup command as suggested in this option is not the same as checking whether a file can open successfully when backed up before overwriting the existing file.
D: Restoring the file to a temporary folder is correct, but when this option mentions comparison... The question does not ask for comparing the "temporary" file.
The question pertinently states verify whether the file can be opened successfully after being backed up before overwriting the existing file.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 7:14-19
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9

QUESTION NO: 4
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A member server named TestKing3 hosts files and folders.
On TestKing3, you configure a normal backup to run every night. The backup data will be saved to magnetic tape, and a detailed log file will be generated. The backup job will use an account named BackupUser, which is a member of the Backup Operators group.
One week later, you use your Administrator account credentials to log on to TestKing3. You start the Backup utility. However, no backup logs are available. You need to verify that the backup jobs are completing successfully.
What should you do?
A. Use a text editor to open C:\windows\security\logs\Backup.log. Search for the dates when backups were scheduled.
B. Start the Backup utility by using the Run As option. Provide the account credentials of BackupUser. From the Tools menu, select Report, and then select the most recent report.
C. Open the Removable Storage snap-in. Examine the properties of the most recently completed Work Queue object.
D. Open the Removable Storage snap-in, and then open the properties of the Operator Requests object. On the General tab, clear the Automatically delete completed requests option.
Answer: B
Explanation: To be able to verify that jobs are backed up successfully, and making use of the Administrator account details, you first have to start the backup Utility with the run as option, then provide the account credentials of BackupUser since the backup job is configured to use the BackupUser account. Choose the Options command from the Tools menu and click the Restore tab. Now you can identify whether any problems occurred.
Incorrect options:
A: Option A will not work since there are no backup logs available.
C, D: Both these options mention the Removable storage snap-in and examining the properties of either the most recently completed Work Queue object or Operator requests; both of these will not yield the necessary information since the question states that there are no backup logs available.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 7:13-16
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapters 3 & 9

QUESTION NO: 5
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
A server named TK1 hosts user home folders, which occupy 12 GB of disk space. You install a backup tape device on TK1. You create a batch file that will automatically back up TK1 by running Ntbackup.exe every day at 1:00 A.M.
One week later, you test your restoration procedure for home folders on TK1. You notice that your backup data occupies only 9 MB of disk space. You review the backup batch file:
%&' ( ackup atch )ile( *" +,-./!&0& +,-./ D123m daily 341s 3v1yes 3k ( +,-./5"-4(
You need to ensure that all existing and future data on TK1 is backed up successfully.
What should you do?
A. Specify /b in the command line of the batch file.
B. Change /m daily to /m normal in the command line of the batch file.
C. Modify the NTFS permissions on the user home folders to assign the Allow - Full Control permission to the Administrators group.

D. Add the local Administrator account for TK1 to the local Backup Operators group.
Answer: B
Explanation: /M {BackupType} specifies the backup type, which must be one of the following: normal, copy, differential, incremental, or daily. Use a normal backup when you want to back up all the files you select in a single backup job. When you tape, ignoring whether the archive attribute is set or cleared. In other words, it does After backing up a file, it then changes the archive attribute to indicate that the file was backed up. Normal backups are commonly selected when you are performing full backups, in which all files on a volume are backed up.
References:
Server Help
http://www.seagate.com/support/kb/tape/4062.html
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823

QUESTION NO: 6
You are the network administrator for your company. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
You successfully install a new server named Server9. Immediately afterward, you perform the first backup of the server. The date is January 25, 2003.
Next, you add a user named Anne to the local Backup Operators group. You direct Anne to perform nightly backups of Server9.
One week later, you try to review the backup logs for Server9. The Backup utility displays the information shown in the exhibit.
Exhibit:
Backup Reports
Report date, time and backup job name: 1/25/2003 4:12 PM - Interactive
You verify that Anne is performing nightly backups. You need to be able to review the backup logs for the previous week.
What should you do?
A. Add your user account to the local Backup Operators group.
B. Direct Anne to use her user account to log on and open the Backup utility.
C. In the Backup utility, select the verify data after the backup completes check box.
D. Open %windir%\System32\LogFiles. Create a new subfolder named BackupLogs.
Answer: B
Explanation: You have to instruct Anne to log on to her user account and then open the Backup Utility. Once you log in with the user account of the person who performs the backup, you can view the backup log through the Backup utility.
Incorrect Answer:
A: Adding your user account to the local Backup Operators group will not help you review the log since it is Anne who runs the backup from her user account.
C: Verifying the data after the backup is completed has no influence on reviewing the backup log. Also, the Verify data after the backup completes setting will not be used until the next backup. You only use the verification of data after backup completes before the next backup job.
D: The backup log is not stored in the %windir%\System32\LogFiles directory; it is stored in the Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\Data\ directory. Also creating a new subfolder named BackupLogs will not allow you to review the existing backup log. Therefore, this answer cannot be right.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 508-511

QUESTION NO: 7
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
You are directed to back up all files in a folder named c:\Data on one of the servers. You use the Backup utility to perform a normal backup of c:\Data. When the backup is complete, you review the backup log file and discover the following message:

"WARNING: Portions of '\Data\Letter.doc' cannot be read. The backed up data is corrupt or incomplete. This file will not restore correctly."
You need to ensure that all documents in c:\Data can be restored successfully.
What should you do?
A. In the Backup utility, specify an incremental backup. Run the backup again.
B. In the Backup utility, clear the Disable volume shadow copy option. Run the backup again.
C. In the attribute properties of c:\Data\Letter.doc, select the File is ready for archiving option. Run the backup again.
D. In the Offline settings dialog box of c:\Data, select the All files and programs that users open from the share will be automatically available offline option. Run the backup again.
Answer: B
Explanation: You need to disable shadow volume copy before running the backup. The problem described in this scenario is probably caused by the file being open at the time of the backup. With Shadow copies enabled, the Backup program will back up any open files. It does this by temporarily 'freezing' the application running the file while it backs it up. While the file is 'frozen', any writes to the file are stored in a buffer until the file is backed up and then unfrozen. If Volume Shadow Copy is disabled, any open files will not be backed up properly.
Incorrect Answers:
A: Specifying an incremental backup (without volume shadow copy enabled) will manifest the same problem.
C: A normal backup is a backup that copies all files and marks those files as having been backed up (in other words, the archive attribute is cleared). A normal backup is the most complete form of backup. But selecting File is ready for archiving will have no effect on a normal backup. A normal backup will still attempt to back up the file.
D: Offline settings are irrelevant to this scenario and this option will not solve your problem.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 263
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823

QUESTION NO: 8
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.
A user named King uses a client computer named TestKing1. This computer has a locally attached tape device.
You grant King the necessary permission to perform backups of a member server named TestKingSrvB. King runs the Backup utility on TestKing1 to back up the files located on TestKingSrvB.
You need to use your client computer to view the most recent backup logs for TestKingSrvB.
What should you do?
A. Use Notepad to view the contents of the backup report located on TestKingSrvB.
B. Use Notepad to view the contents of the backup report located on TestKing1.
C. Use Event Viewer to view the contents of the application log located on TestKingSrvB.
D. Use Event Viewer to view the contents of the application log located on TestKing1.
Answer: B
Explanation: The backup logs are stored in the user's profile. The default location is C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data. The question does not mention whether stored on his client computer which would be TestKing1 in this case.
Incorrect Answers:
A: The backup logs are usually stored in the user's profile. The question does not profile is stored on his client computer which would be TestKing1 in this case.
C: The Application log in Event Viewer will log events such as the backup starting and finishing. This is not the same as the backup logs. In fact, if you look at a backup event in Event Viewer, it will display the following message, "Consult the backup report for more details."
D: The Application log in Event Viewer will log events such as the backup starting and finishing. This is not the same as the backup logs. In fact, if you look at a backup event in Event Viewer, it will display the following message, "Consult the backup report for more details."

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 276-279

QUESTION NO: 9
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. One member server hosts a folder named E:\TestKingData. Thousands of users constantly request and update files in E:\TestKingData. You use the Backup utility to perform an incremental backup of E:\TestKingData on magnetic tape. The backup completes normally, but you see an error indicator illuminated on the tape server. You need to verify that you can restore E:\TestKingData from the backup tape. The verification process must not affect existing files. What should you do?

A. In the Backup utility, use the Restore and Manage Media tab to select the original tape media. Ensure that files will be restored to their original location. Start the restoration and verify that all files are restored successfully.
B. In the Backup utility, use the Restore and Manage Media tab to select the original tape media. Ensure that files will be restored to a new location. Start the restoration and verify that all files are restored successfully.
C. In the Backup utility, select the Verify data after the backup completes option. Use the original backup tape to perform another incremental backup. Ensure that all files are verified successfully.
D. In the Backup utility, select the Verify data after the backup completes option. Use a new backup tape to perform another incremental backup. When the verification phase of the backup begins, replace the new tape with the original tape. Ensure that all files are verified successfully.

Answer: B

Explanation: We need to ensure we can restore the contents of the backup media. The only way to test this is to restore the data to another location. To verify backup and restore procedures, many administrators will perform a test restore of a backup set. So as not to damage production data, that test restore is targeted not at the original location of the data, but at another folder; this specific folder can then be discarded following the test. That will ensure that the verification process does not affect the existing files.

Incorrect Answers:
A: We don't need to restore the backup to the original location, overwriting any later versions of the files. That will definitely affect the existing files.
C: This option suggests a new backup on the original backup tape, which will not only affect the existing files but which is also not necessary.
D: When testing restore procedures, it is common to select Alternate Location as the restore location and not the original location, so that you do not affect the original copies of the backed-up files and folders.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 270-276

QUESTION NO: 10
You are the network administrator for TestKing.com. You currently automate backups of the System State data on the servers in your network by using NTBackup. Your manager instructs you to document the procedure for restoring a server from a backup of the System State data. You need to select the correct method for performing a restoration of a backup of the System State data. What should you do?

A. Run the following command: ntbackup.exe backup /F {"FileName"}
B. Run the following command: ntbackup.exe backup systemstate /F {"FileName"}
C. In Control Panel, open System, and configure the Startup and Recovery settings on the Advanced tab.
D. Use NTBackup interactively.

Answer: D

Explanation: The Ntbackup command-line utility can be used to back up and restore Windows Server 2003 data using command-line switches. Ntbackup only supports backing up of folders unless you create a backup selection file. It is also important to note that Ntbackup does not allow you to back up data based on wildcards (for example, *.doc). You can use Ntbackup to schedule backup jobs. If you run the Ntbackup command without any command-line switches, it opens the Backup and Restore Wizard. Thus you should use NTBackup interactively.

Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 539

QUESTION NO: 11
You are the network administrator for TestKing.com. The sales department stores data on a server that runs Windows Server 2003. The backup schedule for the server includes a normal backup on Sundays and incremental backups on every other day of the week. The sales department data includes a report that is created by an automated process. The report is included in the standard backup schedule for the server. The automated process runs on Wednesdays and Sundays. The process overwrites the previous version of the report. You need to be able to restore the report if the standard backup is unavailable. You need to create an additional backup for the report. The backup for the report cannot interfere with other backup jobs. What should you do?

A. Perform a normal backup on Wednesday night and on Sunday night.
B. Perform a differential backup on Wednesday night and on Sunday night.
C. Perform an incremental backup on Wednesday night and on Sunday night.
D. Perform a copy backup on Wednesday night and on Sunday night.

Answer: D

Explanation: A copy backup backs up all files and does not set the archive bit as marked for each file that is backed up. Requires only one tape set for the restore process. This should be done on Wednesday night as well as Sunday night so as not to interfere with other backup jobs.

Incorrect answers:
A: A normal backup is a backup type that backs up all selected folders and files and then marks each file that has been backed up as archived. This is not what is needed.
B: A differential backup is a backup type that copies only the files that have been changed since the last normal backup (full backup), and does not reset the archive bit (indicating that the file has been backed up). This is not the solution.
C: An incremental backup backs up only the files that have not been marked as archived and sets the archive bit for each file that is backed up. It requires the last normal backup set and all of the incremental tapes that have been created since the last normal backup for the restore process. Clearly this is not the solution.

Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 530, 581

QUESTION NO: 12
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named TestKing3. Testking3 contains a folder named D:\TestKingData, which contains important company data. The hardware-monitoring software reports that the disk that contains Volume D is in danger of imminent disk failure. You order a replacement disk, but you must wait at least one day for the disk to be delivered. You discover that you do not have a backup of the D:\TestKingData folder because a recent backup was configured incorrectly. You need to back up the D:\TestKingData folder so that you can restore the data if the disk fails. You need to achieve this goal as quickly as possible. What should you do?

A. Perform a normal backup of the D:\TestKingData folder.
B. Perform an incremental backup of the D:\TestKingData folder.
C. Perform a differential backup of the D:\TestKingData folder.
D. Perform a daily backup of the D:\TestKingData folder.
E. Enable Shadow Copies on volume D. Configure the shadow copy location as C:\.

Answer: A

Explanation: A normal backup is a backup type that backs up all selected folders and files and then marks each file that has been backed up as archived. This is the option to follow if you need to back up the folder so as to restore the data if the disk fails as quickly as possible.

Incorrect answers:
B: An Incremental backup backs up only the files that have not been marked as archived and sets the archive bit for each file that is backed up. It requires the last normal backup set and all of the incremental tapes that have been created since the last normal backup for the restore process. This is not as quick as possible.
C: A differential backup is a backup type that copies only the files that have been changed since the last normal backup (full backup), and does not reset the archive bit (indicating that the file has been backed up). This is not the solution in this case.
D: A daily backup seems like an ongoing process and not as quickly as possible as the question asks for.
E: Shadow copies are used to create copies of shared folders and files at specified points in time. This is not what is required.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 530

B: Manage backup storage media. (2 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named Testking1. Testking1 contains two NTFS volumes, on separate disks, that use drive letters C and D. Drive C has Shadow Copies enabled. The storage area for the shadow copies of drive C is located on the same volume. Drive C is running out of disk space. Drive D is empty. You decide to move the storage area for the shadow copies to drive D. You need to move the storage area for the shadow copies of drive C to drive D. What should you do first on Testking1?

A. Delete all existing shadow copies from drive C.
B. Run the Vssadmin add shadowstorage command.
C. Perform a normal backup of the entire drive C, and then restore the backup to drive D.
D. Enable Shadow Copies on drive D, but do not schedule shadow copy creation for drive D.
E. Stop the Volume Shadow Copy service.

Answer: A

Explanation: The Volume Shadow Copy Services allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up. You can also store shadow copies on a different storage volume. However, changing the storage volume deletes the shadow copies. To avoid this problem, verify that the storage volume that you initially select is large enough to handle your growing business needs.
Incorrect answers:
B: Volume Shadow Copy Service (VSS) allows a user to access previous versions of files and folders in network shares. With those previous versions, users can restore deleted or damaged files or compare versions of files. But this is not what is required.
C: A normal backup includes all selected files. It is the baseline from which you begin to recover from data loss. Normal backups are the most time-consuming and require the most storage capacity of any backup type. However, because they generate a complete backup, normal backups are the most efficient type from which to restore a system. You do not need to restore multiple jobs. Normal backups clear the archive attribute from all selected files. However, drive C:\ has shadow copies enabled.
D: Enabling shadow copies on Drive D:\ will not accomplish anything as yet because Drive D:\ is empty.
E: Disabling shadow volume copies enables the Backup utility to back up all selected files, including those that are currently open by users or the operating system. Because the Backup utility uses a volume shadow copy, it ensures that all selected data is backed up and any open files are not corrupted during the process. If this check box is checked, files that are open or in use are skipped when the backup is performed.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826

QUESTION NO: 2 SIMULATION
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. TestKing.com's written security policy states that a complete backup of all files must be performed every Saturday. You also perform backups on the other six days of the week. All backups are performed over the network. You need to minimize the size of the backups that occur on days other than Saturday. What should you do? To answer, type the appropriate option or options in the dialog box.

Answer: Select "Incremental" as the backup type.

Part 3: Recover from server hardware failure. (11 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. The domain contains three domain controllers: DC1, DC2, and DC3. Each one hosts user data. DC1 experiences hard disk failure. You need to temporarily restore the user data to DC2. Which type of restoration should you perform?

A. Automated System Recovery (ASR)
B. Normal
C. Primary
D. Authoritative

Answer: B

Explanation: We are restoring user data so we can do a normal restoration. A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set. Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method.
However, recovering files can be time-consuming and difficult because the backup set might be stored on several disks or tapes. Backing up your data using a combination of normal backups and differential backups is more time consuming, especially if your data changes frequently, but it is easier to restore the data because the backup set is usually stored on only a few disks or tapes.

Incorrect answers:
A: You should create an ASR set each time a major hardware change or a change to the operating system is made on the computer running Windows Server 2003. For example, if you install a new hard disk or network card, or apply a security patch or Service Pack, an ASR set should be created. Then if a problem occurs after upgrading the system in such ways, the ASR set can be used to restore the system to its previous state after other methods of system recovery have been attempted. An ASR should not be used as the first step in recovering an operating system. In fact, Microsoft recommends that it be the last possible option for system recovery, to be used only after you've attempted other methods.
C: Use a primary restore when you are restoring Active Directory to the only domain controller on your network or the first of multiple domain controllers being restored. This type of restore is commonly used when all of the domain controllers are no longer available (such as when a disaster has destroyed all servers or data), and you are rebuilding the network from scratch.
D: An authoritative restore is similar to a nonauthoritative restore, in that Active Directory is restored to domain controllers participating in replication. The difference is that when it is restored, it is given a higher update sequence number, so it has the highest number in the Active Directory replication system. Because of this, other domain controllers are updated through replication with the restored data.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 849-850

QUESTION NO: 2
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. You perform a full backup of the network every Monday. You perform incremental backups every Tuesday, Wednesday, Thursday, and Friday. Backups are always performed at 1:00 A.M. On Wednesday at noon, one server experiences hard disk failure. You need to restore all data on this server. What should you do?

A. Restore the Wednesday backup, then restore the Tuesday backup, and then restore the Monday backup.
B. Restore the Wednesday backup, and then restore the Monday backup.
C. Restore the Monday backup, then restore the Tuesday backup, and then restore the Wednesday backup.
D. Restore the Monday backups, and then restore the Wednesday backup.
Answer: C

Explanation:
Incremental backup - An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.
Incremental Backup - Includes files that were created or changed since the last backup. Archive bit is reset.
Advantages - Better use of media. Only files that were created or changed since the last backup are included, so there is much less data storage space required. Less time required, since it only backs up the files that have been modified since the last backup.
Disadvantages - Multiple tapes needed for restore. The files can be spread over all the tapes in use since the last full backup. You may have to search several tapes to find the file you wish to restore.

Incorrect answers:
A: Restoring the Wednesday backup on the Wednesday that the server fails will not restore all the data because incremental backups are being used.
B: When working with incremental backups and wanting to restore the data, you cannot make use of the Wednesday backup first before restoring the Monday backup as you will lose data.
D: You will miss out on the data that was generated on the Tuesday and the question asks for all data to be restored.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823.
Server Help
http://www.seagate.com/support/kb/tape/4062.html

QUESTION NO: 3
You are the network administrator for your company. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A total of three servers are configured as domain controllers. You need to restore a failed domain controller named DC3. The last backup for any domain controller on the network occurred one week ago. First, you reinstall Windows Server 2003 on DC3. What should you do next?

A. Start DC3 and select Directory Services Restore Mode. Perform a nonauthoritative restoration.
B. Start DC3 and select the Recovery Console. Perform a nonauthoritative restoration.
C. Run Ntbackup.exe on DC3 to restore the System State data.
D. Run the Active Directory Installation Wizard on DC3.

Answer: D

Explanation: After installing Windows Server 2003 on the new server, we can simply run the Active Directory Installation Wizard (DCPROMO) to promote the server to a domain controller. During the dcpromo process, a copy of the Active Directory database is replicated from an existing domain controller.

Incorrect Answers:
A: The last backup of any domain controller was taken a week ago. There is thus no need to restore a backup copy of the Active Directory database. During the dcpromo process, a current copy of the Active Directory database is replicated from an existing domain controller.
B: You do not need to restore a backup copy of the Active Directory database. During the dcpromo process, a current copy of the Active Directory database is replicated from an existing domain controller. Furthermore, you would have to restart into Directory Services Restore Mode, not the Recovery Console, to restore the Active Directory.
C: You do not have to restore a backup copy of the System State Data. The System State data contains the Active Directory database. During the dcpromo process, a current copy of the Active Directory database is replicated from an existing domain controller.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 3-16, 3-20, 4-13, 13-6
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 843

QUESTION NO: 4
You are the network administrator for TestKing.com. You manage a Windows 2003 computer named TestKing3 that functions as a file server. The data volume on TestKing3 is configured as a software RAID-5 array. One of the disks that contains the data volume fails. You discover that the failure was caused by a faulty SCSI cable. You replace the SCSI cable. You need to restore the data volume to its previous state. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Run the diskpart active command on the failed volume
B. Select any volume in the RAID-5 array and reactivate the volume.
C. Import the disk that contains the failed volume.
D. Run the chkdsk /f command on the drive letter that represents the RAID-5 array.

Answer: B

Explanation: Since it is not the volume that is faulty but rather the SCSI cable, you only need to reactivate the volume to restore it to its previous state after the cable has been replaced. This is the quickest, most efficient way to restore the data volume to its previous state.

Incorrect answers:
A: Running the diskpart active command will not solve the problem.
C: No need to import the failed volume, the problem was a faulty SCSI cable.
D: Running the chkdsk /f command will not solve the problem of a faulty cable.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3

QUESTION NO: 5
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A server named TK1 contains a mirrored volume that consists of two 36-GB disks. Both disks are used for data storage. TK1 also contains a third unallocated dynamic disk. Next week, a database that currently requires 45 GB of disk space will be installed on TK1. This database will grow at a rate of 10 percent every 6 months. You need to reallocate disk space on TK1. Your reallocation must satisfy the space requirements of the new database, and it must also ensure that data will remain available in case of disk failure. First, you break the mirror and delete all volumes on the disks. What should you do next?

A. Create a spanned volume.
B. Create a striped volume.
C. Create a mirrored volume.
D. Create a RAID-5 volume.

Answer: D

Explanation: RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate, and is interlaced with parity to provide fault tolerance for a single disk terms of processor utilization and write performance as parity must be calculated during write operations.

Incorrect answers:
A: A spanned volume includes space on more than one physical disk. Because their size tends to be greater, and because multiple physical disks are involved, the risk for failure increases, and spanned volumes are not fault tolerant.
B: Striped volume is where data is written to 2 to 32 physical disks at the same rate. It offers maximum performance and capacity but no fault tolerance.
C: Mirrored volume is where two disks contain identical copies of data. The only volume's potential capacity is used for data redundancy.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 11.49

QUESTION NO: 6
You are the network administrator for Testking.com. All network servers run Windows Server 2003. One of your servers, TestKingSrv1, contains a RAID-5 volume. Routine monitoring reveals a failed disk in the set. TestKingSrv1 is running and users are connecting to shared folders on the RAID-5 volume. You shut down the server and replace the failed disk. Now you need to ensure that the RAID-5 volume is redundant. What should you do?

A. Import the foreign disk that is to replace the failed disk. Select the failed region and then select the Repair Volume option.
B. Initialize the new disk that is to replace the failed disk. Select the failed region and then select the Reactivate Disk option.
C. Initialize the new disk that is to replace the failed disk. Select the failed region and then select the Repair Volume option.
D. Import the foreign disk that is to replace the failed disk. Select the failed region and then select the Reactivate Disk option.

Answer: C

Explanation: RAID (Redundant Array of Independent Disks)-5 volume or striped set with parity volume is a fault-tolerant collection of equal-sized partitions on at least three physical disks, in which the data is striped and includes parity data. The parity data helps recover a member of the striped set if the member fails. If a single disk fails in a RAID-5 volume, data can continue to be accessed, as is the case here. During read operations, any missing data is regenerated on the fly through a calculation involving remaining data and parity information, thus taking care of redundancy in the sense that work will continue and no information will be lost. RAID-5 can only sustain a single drive failure. If you have to replace the disk, you may need to rescan, initialize the new disk, convert it to dynamic, then right-click the volume and choose Repair Volume.
You will be asked/prompted to select the disk where the missing volume member should be recreated. Select the new disk and the system will regenerate the missing data.

Incorrect Answers:
A: Foreign disks are usually utilized when moving between servers. In this scenario it is a case of repairing a failed disk. In addition we need to initialize the disk, not import it.
B: Reactivation assumes that the same faulty disk will be used again. The volume needs to be repaired, not reactivated.

D: The solution to the problem here is not to import a foreign disk as foreign disks are used to move between servers. In this scenario, it is one server that is problematic. In this case we need to repair the volume, not reactivate it.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 11.38

QUESTION NO: 7 DRAG DROP
You are the administrator for TestKing's network. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. A member server contains three hard disks: Disk0, Disk1, and Disk2. Testking0 contains the boot partition. Disk1 and Disk2 comprise a single software RAID-1 volume. Disk2 experiences hardware failure. During the server's next scheduled downtime period, you replace the failed disk with a new disk. Then, you open Computer Management and select Disk Management. You examine the current status of all disks and volumes on the server. The status is shown in the exhibit.

You need to restore the redundant volume to Healthy status. Which three actions should you perform?

Answer:

Explanation: If you have to replace the disk, you may need to rescan, initialize the new disk, convert it to dynamic, then right-click the volume and choose Repair Volume. You will be asked/prompted to select the disk where the missing volume member should be recreated. Select the new disk and the system will regenerate the missing data.
When you attach a new disk to your computer, you must first initialize the disk before you can create partitions. When you first start Disk Management after installing a new disk, a wizard appears that provides a list of the new disks that are detected by the operating system. A mirrored volume is where two disks contain identical copies of data. The only software potential capacity is used for data redundancy.

Incorrect Answers:
The mirror has to be removed from the missing disk and not Disk1.
Deleting the volumes on Disk1 will not be advisable as it is Disk2 that needs replacement, not Disk1.
Deleting the volume on the missing disk would not be possible as this would be "missing".

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 11.10

QUESTION NO: 8
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A server named TestKing7 runs Microsoft SQL Server and hosts several mission critical databases. TestKing7 contains a mirrored volume. A routine review of TestKing7 shows failed redundancy on the mirrored volume. TestKing7 is still running and the databases are still functioning correctly. You need to correct the error and restore redundancy. What should you do first?

A. Initialize the failed disk.
B. Select the failed disk and reactivate the disk
C. Defragment the mirrored volume.
D. Perform a disk cleanup on the mirrored volume.

Answer: B

Explanation: You can reactivate only dynamic disks, not basic disks. This being a mirrored volume means that it is a dynamic disk. Since a mirrored volume will also provide redundancy, you need to select the failed disk and reactivate it.

Incorrect answers:
A: One only initializes a disk when no signature has been written to the disk by which Windows can identify it. However, this is a disk that was in use and also the question states that it is just failed redundancy on the mirrored volume. Thus initializing the disk is not going to work in this scenario. It is a matter of reactivating the failed disk.
C: Defragmenting fixes performance issues by reorganizing the raw data on your hard drive so that it can be accessed faster. This is not necessary in this case because you need to restore redundancy.
D: The disk cleanup utility is used in cases where you have a "Low Disk Space" event generated to extensive logging information generated by Internet Information Server (IIS) traffic. You need to correct the errors and restore redundancy.

Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 172

QUESTION NO: 9 DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
A member server has a normal backup every Monday night and incremental backups every Tuesday, Wednesday, Thursday, and Friday nights. All backups are stored on magnetic tape.
On Thursday morning, a user reports that a folder containing several files is missing from a shared folder on the server. The folder was present on Tuesday afternoon.
You examine the backup logs for the most recent Monday, Tuesday, and Wednesday backups. You discover that each backup log contains the folder and the files that are now missing.
You need to restore the most recent version of the missing folder and files by using the minimum amount of administrative effort.
Which action or actions should you perform?
To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes, as needed, until you list all required actions in the correct order.

Answer:

Explanation:
An incremental backup is a backup type that backs up only the files that have changed since the last normal or incremental backup. It sets the archive attribute (indicating that the file has been backed up) on the files that are backed up. Thus you should restore the folder from the incremental backup performed on the Wednesday since the folder that was present on the Tuesday still was missing on the Thursday morning. This option represents the least effort and tapes to use when restoring that particular folder.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 26

QUESTION NO: 10
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 40 Windows Server 2003 computers. The functional level of the domain is Windows Server 2003. Four servers are configured as domain controllers.
The information technology (IT) department has positions for three trainee network administrators. When their training period is complete, the trainees move to other roles, and new trainees are appointed.

The trainee administrators are responsible for backing up and restoring all servers. TestKing.com's written security policy states that each trainee must have a unique user account.
The trainees' domain user accounts are members of a global group named TraineeAdmins.
You need to ensure that trainees have the required rights to log on locally, to shut down, and to backup and restore all servers. When new trainees are appointed, you need to assign their user accounts the required rights.
What should you do?
A. Add the TraineeAdmins group to the Power Users group on each server.
B. Add the TraineeAdmins group to the Server Operators group on a domain controller.
C. Add the TraineeAdmins group to the Backup Operators group on each server.
D. Add the TraineeAdmins group to the Backup Operators group on a domain controller.

Answer: C

Explanation:
The members of the Backup Operators group have rights to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, the members of Backup Operators can access the file system only through the Backup utility. To be able to directly access the file system, they must have explicit permissions assigned. By default, there are no members of the Backup Operators local group. To ensure that all the trainees have the necessary rights to complete their tasks, you should add them to the Backup Operators group on each server.

Incorrect answers:
A: Adding the trainees to the Power Users group on each server will not ensure that they get the appropriate rights to perform their assignments.
B: The Server Operators group members can administer domain servers.
Administration tasks include creating, managing, and deleting shared resources, starting and stopping services, formatting hard disks, backing up and restoring the file system, and shutting down domain controllers. By default, there are no members in this group. This is not what is required, especially not on a domain controller.
D: This would be adding the trainees to the correct group but on the wrong terrain. You should add the trainee to the Backup Operators group on each server and not on a domain controller.

Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, pp. 168-9

QUESTION NO: 11
You are the network administrator for TestKing. All network servers run Windows Server 2003.
A server named TestKing18 functions as a domain controller. You back up TestKing18 and generate a detailed backup log.
You need to view the full backup log.
What should you do?
A. Run the ntbackup command with the /L option.
B. Run the ntbackup command with the /F option.
C. Open the Backup utility. On the Tools menu, click Report.
D. Open Event Viewer. In the application log, view Ntbackup events.

Answer: C

Explanation:
Every time you back up, the Backup application creates a backup log. To see the contents of these logs, you can click the Report button in the dialog box that tells you that the backup is complete. Alternatively, to pick any log to view, choose Report from the Tools menu in Backup. You'll see a list of backups. This is the way to view the full backup log.

Incorrect answers:
A: The NTBackup command with the /L option tells NTBACKUP what kind of log file to create. If you make use of this command then you should specify /L:f for a full backup log.
B: The NTBackup command with the /F option specifies the path and name of the file in which the backup will be copied. This is not what is needed.
D: This is not what is required in this question.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,

Part 4: Restore backup data. (14 Questions)

QUESTION NO: 1

You are a network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.
A help desk user reports that a user object was accidentally deleted and the user can no longer log on to the domain and access resources. You confirm that the user object was included in the most recent backup.
You need to enable the user to log on to the domain. You must ensure that the user retains access to resources.
What should you do?
A. Install a new domain controller. Install Active Directory from media by using the most recent backup. Manually initiate replication.
B. Decrease the garbage collection interval. Perform a nonauthoritative restoration of Active Directory by using the most recent backup.
C. Perform a nonauthoritative restoration of Active Directory by using the most recent backup. Authoritatively restore the user object that was deleted.
D. Re-create a user object that has the same user principal name (UPN) as the user object that was deleted. Authoritatively restore this user object.
Answer: C

Explanation:
If you inadvertently delete or modify objects stored in the Active Directory directory service, and those objects are replicated or distributed to other servers, you will need to authoritatively restore those objects so they are replicated or distributed to the other servers. If you do not authoritatively restore the objects, they will never get replicated or distributed to your other servers because they will appear to be older than the objects currently on your other servers. Using the Ntdsutil utility to mark objects for authoritative restore ensures that the data you want to restore gets replicated or distributed throughout your organization. On the other hand, if your system disk has failed or the Active Directory database is corrupted, then you can simply restore the data nonauthoritatively without using the Ntdsutil utility.
Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
Active directory service data can be restored using one of three restore methods:
1. Primary restore
2. Normal (nonauthoritative) restore
3. Authoritative restore
In Backup, a type of restore operation performed on an Active Directory domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects.
We need to restore the Active Directory database non-authoritatively, then from the restored copy of the database, we need to authoritatively restore the user object.

Incorrect Answers:
A: It isn't necessary to install a new domain controller.
B: We need to authoritatively restore the user object, otherwise AD replication will delete the user object again.
D: Creating a new user account won't work because the new user account will have a different SID from the deleted account.

QUESTION NO: 2
You are the administrator of an Active Directory domain named testking.com. A user reports that he cannot log on to a Windows Server 2003 computer that contains a critical application.
You discover that the organizational unit (OU) in which the server is located was deleted. You discover that the user rights for this server are controlled by Group Policy.
You need to restore access to the server. You need to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Perform a normal restoration of the System State data for the domain controller. Force replication.
B. Perform an authoritative restoration of the System State data for the domain controller. Mark the OU for replication.
C. Re-create the OU that was deleted. Reapply Group Policy, and then add the computer account and any necessary users or groups.
D. Perform an Automated System Recovery (ASR) restoration on the domain controller.

Answer: B

Explanation:
With an authoritative restore the Active Directory is restored to domain controllers participating in replication. When it is restored, it is given a higher update sequence number, so it has the highest number in the Active Directory replication system. Because of this, other domain controllers are updated through replication with the restored data.
To authoritatively restore Active Directory data, you need to run the Ntdsutil utility after you have restored the System State data but before you restart the server. The Ntdsutil utility lets you mark Active Directory objects for authoritative restore. When an object is marked for authoritative restore its update sequence number is changed so that it is higher than any other update sequence number in the Active Directory replication system. This will ensure that any replicated or distributed data that you restore is properly replicated or distributed throughout your organization.
For example, if you inadvertently delete or modify objects stored in the Active Directory directory service, and those objects are replicated or distributed to other servers, you will need to authoritatively restore those objects so they are replicated or distributed to the other servers. If you do not authoritatively restore the objects, they will never get replicated or distributed to your other servers because they will appear to be older than the objects currently on your other servers.
Incorrect answers:
A: You need an authoritative restoration of the System State data and not a normal restoration. Furthermore the OU must be marked for replication rather than forcing replication. Especially since the option does not state what has to be forced to be replicated.
C: There is no need to re-create the OU, only need to restore the OU.
D: Performing an ASR on the domain controller is not the way to go if you are to put in the least amount of administrative effort.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 828, 848, 850, 871

QUESTION NO: 3
You are a network administrator for TestKing.com. You manage a Windows Server 2003 computer named Testking1. Folder Redirection is enabled for the users' My Documents folders.
A user named Peter deletes all the files and folders in his My Documents folder before he leaves TestKing. Peter's manager asks you to recover documents. You do not know if Peter made modifications to the permissions on the files.
You need to restore Peter's My Documents folder so that his manager can access the files. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Perform a default restoration.
B. Run the Automated System Recovery (ASR) wizard.
C. Perform a restoration, and enable the Restore security option.
D. Perform a restoration, and disable the Restore security option.
Answer: D

Explanation:
You first need to restore the folder since Peter deleted all the files and folders. When you disable the Restore Security option, then it will allow you access to Peter's files regardless of whether Peter effected any changes to the permissions on the files.
Selecting Restore security will restore security settings for each file and folder. Security settings include permissions, audit entries, and ownership. This option is available only if you have backed up data from an NTFS volume. We must disable the Restore Security option to enable the manager to read the files.

Incorrect answers:
A: You can configure how the restore operation will treat security settings on the backed-up files by clicking Advanced in the Confirm Restore dialog box and selecting the Restore Security option. If data was backed up from, and is being restored to, an NTFS volume, the default setting will restore permissions, audit settings, and ownership information. Thus if you perform a default restoration the manager might not be able to access the files and folders.
B: ASR backups don't backup user data. Therefore, this answer is irrelevant to this scenario.
C: Enabling the Restore security will prevent the manager from accessing the files and folders. It will put into effect whatever changes and permissions Peter might have made on the files.

References:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 270-273

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
All user files are stored in home folders on a member server named Testking3. Full backups are performed on Testking3 every day.
A user named Mark leaves the company. A technical support specialist deletes Mark's user account and his files.
You need to restore certain files from Mark's folder and enable another user named Anne to access them.
What should you do?
A. Clear the Restore security check box. Use the Backup utility to restore Mark's files to the original location.
B. Select the Restore security check box. Use the Backup utility to restore Mark's files to the original location.
C. Clear the Restore security check box. Use the Backup utility to restore Mark's files to Anne's home folder.
D. Select the Restore security check box. Use the Backup utility to restore Mark's files to Anne's home folder.
Answer: C

Explanation:
Selecting Restore security will restore security settings for each file and folder. Security settings include permissions, audit entries, and ownership. This option is available only if you have backed up data from an NTFS volume. We must disable the Restore Security option to enable Anne to read the files.
Restore Files And Directories user right will enable the transfer of ownership.
After opening the Backup Utility and clicking the Restore And Manage Media tab you will be able to select the backup set from which to restore. Windows Server 2003 will then display the files and folders that the backup set contains by examining the backup set's catalog. You can then select the specific files or folders you wish to restore. As with the backup selection, a blue check mark indicates that a file or folder will be fully restored. A dimmed check mark on a folder means that some, but not all, of its contents will be restored.
Files and folders will be restored to a folder you designate in the Alternate Location box. The original folder structure is preserved and created beneath that folder, where the designated alternate location is equivalent to the root (volume) of the backed up data. So, for example, if you backed up a folder C:\Data\Finance and you restored the folder to C:\Restore, you would find the Finance folder in C:\Restore\Data\Finance.

Incorrect answers:
A: Though the Restore Security box should be cleared, restoring Mark's files to the original state will result in all Mark's files inheriting the permissions of Mark's home folder so Anne won't be able to access them.
B: Restoring Mark's files to the original state will result in all Mark's files being restored and Anne not having permissions to access them.
D: Restoring Mark's files to the original state will result in all Mark's files being restored and Anne not having permissions to access them.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 272.

QUESTION NO: 5
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
A member server named Testking1 has a normal backup every Friday night and incremental backups every Monday night through Thursday night. All backups are stored on magnetic tape.
One Wednesday afternoon, you perform a daily backup of Testking1. Then you install a new application on Testking1. However, you immediately discover that the application corrupts data on Testking1. You uninstall the new application.
Now you need to restore all files on Testking1 to their original state.
Which actions should you perform?
To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all required actions in the correct order.

Answer:

Explanation:
The ability to restore files and folders correctly from backup sets is also important. In general, if incremental or differential backups are used, restore first from the older backup set and then overwrite with data from the newer backup set.
In this scenario:
Normal and incremental backups - On Friday a normal backup is performed, and on Saturday through Thursday incremental backups are performed. Incremental backups clear the archive attribute, which means that each backup includes only the files that changed since the previous backup. If data becomes corrupt on Wednesday, you need to restore the normal backup from Friday and each of the incremental backups, from Saturday through Thursday. This strategy takes less time to back up but more time to restore.
Reference:
Server Help
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 693

QUESTION NO: 6
HOTSPOT
You are the network administrator for TestKing.com. All your network servers run Windows 2003. The network includes a file server named TestKingE.
On January 1, you enable shadow copies on TestKingE. You also install the Previous Versions client software. On the same day, you create a Microsoft Access database and import data into it. You save the database as data.mdb in a shared folder on TestKingE.
On January 3, you open data.mdb and make significant additions and deletions.
On January 4, you need to access and edit data that you deleted from data.mdb the previous day. You must ensure that your additions of the previous day are not lost.
What should you do?
To answer, select the appropriate options in the dialog box.

Answer:

Explanation:
Select the "Yesterday, January 03, 2003" file and then select "Copy".
Since the data was significantly changed on January 03, it stands to reason that before you opened the file on January 03, there were no changes to the file that was loaded then. Thus you need to load the January 03 file.
One however has to be careful when rolling back: If you want to replace the current version of a file with an older version, you can use the Restore button on the Previous Versions tab. When this button is clicked, a warning message appears, asking if you're sure you want to roll back the current version to the previous version of the file. If you click Yes, the current file is overwritten with the older one.
Sometimes, when using the Previous Versions tab, you might find that no previous versions of files are listed, or the Previous Versions tab itself doesn't appear. When no previous versions are listed, it means that no changes have been made to the file.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 865-868

QUESTION NO: 7
You are the network administrator for Testking.com. The network contains a Windows Server 2003 computer named TestKing7.
TestKing7 contains two NTFS volumes named Data and TestKingFiles. The volumes are located on separate hard disks. The Data volume is allocated the drive letter D. The Data volume is shared as \\TestKing7\Data. The TestKingfiles volume is mounted on the Data volume as a volume mount point.
The TestKingFiles volume is displayed as the D:\TestKingFiles folder when you view the local disk drives by using Windows Explorer on TestKing7. The D:\TestKingfiles folder is shared as \\TestKing7\TestKingfiles.
The files on the TestKingFiles volume change every day. Users frequently ask you to provide them with previous versions of files. You enable and configure Shadow Copies of the Data volume. You schedule shadow copies to be created once a day.
Users report that they cannot recover previous versions of the files on the TestKingFiles volume.
What should you do?
A. Assign Drive E to TestKingFiles. Enable Shadow Copies on the TestKingFiles volume.
B. Convert the disk that contains the Data volume to a dynamic disk.
C. Convert the disk that contains the TestKingfiles volume to a dynamic disk.
D. Instruct users to connect to \\TestKing7\Data when they attempt to access previous versions of files in the D:\TestKingFiles folder.
E. Instruct users to connect to \\TestKing7\D$ when they attempt to access previous versions of files on the Data volume.

Answer: A

Explanation:
Enabling users to access previous versions of their files is a two step process. The clients need the 'previous versions' client software installed and the volume hosting the shared folder must have Shadow Copies enabled.
To be able to save previous version of files, you need to enable Shadow Copies.
Whenever changes to a file are saved, a copy of the previous version of the file is automatically saved.

Incorrect answers:
B: Converting the disk with the Data Volume to be dynamic will not address this problem. You need shadow copies enabled.
C: This will also not address the issue at hand.
D, E: It is not a matter of connecting to \\TestKing7\Data or \\TestKing7\D$ that will TestKingFiles volume. Currently shadow copies are only enabled on the Data volume.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 29, 140

QUESTION NO: 8
You are the network administrator for Testking.com. You administer a Windows Server 2003 computer named TestKing2. User profiles are stored on TestKing2.
A user named Sandra reports that she accidentally deleted a folder named TestKingStuff from her user profile. She needs to have her TestKingStuff folder restored. Other users are accessing TestKing2, and you do not want to negatively affect their work.
You locate the latest backup that contains the files that you need to restore.
You need to restore Sandra's TestKingStuff folder. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Restore Sandra's TestKingStuff folder, and clear the Restore junction points, but not the folders and the file data they reference check box.
B. Restore the Documents and Settings folder that contains the TestKingStuff folder.
C. Restore Sandra's TestKingStuff folder, and choose an alternate location for the restoration.
D. Restore Sandra's TestKingStuff folder, and choose the original location for the restoration.
Answer: D

Explanation:
With this option Files and folders will be restored to the location from which they were backed up. The original folder structure will be maintained or, if folders were deleted, re-created. Thus, if you do not want to affect the other users that are accessing the TestKing2 then you need to choose the original location for the restoration.

Incorrect answers:
A: This involves too much administrative effort.
B: This option will affect the other users as well.
D: It is common to select Alternate Location as the restore location and not the original location, but in this case this is not what is needed.

Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 270-276

QUESTION NO: 9
You are the network administrator for TestKing. All network servers run Windows Server 2003.
Laura and Paul are technical support specialists. Paul uses the Backup utility to back up his personal files on a server named TK1. Later, one of Paul's files is accidentally deleted from TK1.
Laura tries to restore the file from the backup. She receives the error message shown in the exhibit.
You need to ensure that the file is restored.
What should you do?
A. Ask Paul to restore the file.
B. Log on to the network by using a user account that is a member of the Backup Operators group. Restore the file.
C. Reconfigure the NTFS permissions on the backup file to assign the Allow - Modify permissions to Laura.
D. Reconfigure the NTFS permissions on the backup file to assign the Allow - Full Control permission to Laura.

Answer: B

Explanation:
Paul has made a personal backup of his files. As a result Laura cannot restore the files because the security principles do not match (she does not have permission to restore the files).
Therefore we need to use a user account that is member of the Backup Operators group. Such an account will have the necessary permissions to restore the files. Without the proper privileges you cannot restore the file. To be able to restore Paul's file, you need to be a member of the Backup Operators.
Backup Operators is a predefined user group whose members have authority to perform backup of data regardless of the object's attribute.

Incorrect answers:
A: Paul cannot restore his file as he is not part of the predefined user group, the Backup Operators group, who has the authority to conduct backup and restore regardless of permissions on those files and folders.
C: Change permissions enable objects to perform all actions associated with the Read permission, plus create new files and folders, modify file contents, delete files and folders, and modify file attributes. But this is on shared files. The question mentions personal files.
D: Paul's file that was accidentally deleted is not a shared file, but rather a personal file.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 423-42

QUESTION NO: 10
You are the network administrator for your company. All network servers run Windows Server 2003.
You install and configure Software Update Services (SUS) on a server named Server1. You configure the following settings:
1. Do not use a proxy server for Internet access.
2. Synchronize directly from the Microsoft Windows Update servers.
3. Automatically approve new versions of previously approved updates.
4. Save updates in a local folder.
You back up the SUS configuration and schedule a daily synchronization procedure for Server1.
Later the same day, Server1 fails. You use the original names and locations to restore Windows Server 2003, IIS 6.0, and SUS.
Now you need to fully restore the SUS configuration, without overwriting any other data.

What should you do?
A. First, use the Backup utility to restore the IIS metabase file, the default Web site, and the content storage location. Then, use the IIS administration tool to restore the IIS metabase.
B. First, use the IIS administration tool to restore the IIS metabase. Then, use the Backup utility to restore the IIS metabase file, the default Web site, and the content storage location.
C. First, use the Backup utility to restore the IIS metabase file, the default Web site, and the Downloaded Program Files folder. Then, use the IIS administration tool to recreate the SUS Administration Web site.
D. First, use the IIS administration tool to recreate the SUS Administration Web site. Then, use the Backup utility to restore the IIS metabase file, the default Web site, and the Downloaded Program Files folder.
Answer: A
Explanation: After installing Software Update Services:
1. Run NTBackup to restore the most recent backup of the server running SUS. Open NTBackup and select the Restore tab. It may be necessary to catalog the backup before NTBackup will display the data in the backup set. To do so, expand the backup media (in Figure 16, this would be SUS Backup 4/24/2002 at 2:21 a.m.), right click the backup data (in this example C:), and select Catalog.
2. Once the data has been catalogued, select the data to restore. This will be the SUS content directory, the IIS site that contains the SUSAdmin and AutoUpdate virtual directories, and the IIS metabase backup.
References:
Microsoft Software Update Services Deployment White Paper
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9

QUESTION NO: 11
You are the network administrator for Testking.com. All network servers run Windows Server 2003. Business hours are 9:00 A.M. to 5:00 P.M., Monday through Friday. A file server named TestKingB is configured to create a shadow copy every morning at 1:00 A.M. TestKingB hosts several shared folders. One shared folder has the configuration shown in the following table.
Folder: TestKingOrders
Location: D:\TestKingOrders
Contents: Files Receivables.mdb, Payables.mdb
For several months, users frequently access both databases in TestKingOrders. One Monday morning, a user tells you that she needs to edit Receivables.mdb as it existed at 5:00 P.M. on the previous Thursday. You need to modify TestKingB to enable the appropriate editing. You must ensure that other users can continue to access current data without interruption. First, you map a drive to \\TestKingB\TestKingOrders. Which two additional actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Access the properties of \\TestKingB\TestKingOrders.
B. Access the properties of \\TestKingB\TestKingOrders\Receivables.mdb.
C. Restore the Friday version of Receivables.mdb.
D. Restore the Thursday version of the Receivables.mdb.
E. Copy the Friday version of Receivables.mdb.
F. Copy the Thursday version of Receivables.mdb.
Answer: B, E
Explanation: The first shadow copy of the file after 5.00pm on Thursday is the copy question further states that users must be able to access the current version of the file, so we must copy Friday's version of the file to an alternate location. To access the previous version of Receivables.mdb, we need to access the properties of the file, and then select the Previous Versions tab. We can then select Friday's version of the file, then click Copy to copy the file to another location.
Incorrect Answers:
A: We need to access the properties of the file, not TestKingOrders which is the shared folder.
C: The question states that users must be able to access the current version of the file, so we must copy Friday's version of the file to an alternate location, rather than restore the file to the original location.

D: The question states that users must be able to access the current version of the file, so we must copy Friday's version of the file to an alternate location, rather than restore the file to the original location. Furthermore, this is the wrong version of the file.
F: This is the wrong version of the file. Thursday's copy was taken at 1.00am - it is likely that the file was modified during Thursday's working hours.
Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826

QUESTION NO: 12
DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. A member server has differential backups every Monday, Tuesday, Wednesday, and Thursday nights. The server has a normal backup every Friday night. On Wednesday, you perform a copy backup of the server. Then you install a new application. However, you immediately discover that the new application corrupts files located on the server. You uninstall the application. Now you need to restore the files on the server to their original state as quickly as possible. Which action or actions should you perform? To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes, as needed, until you list all required actions in the correct order.
Answer:
Explanation: A 'copy' backup is a full backup. It backs up all the files. The difference between a copy backup and a full backup is that the full backup clears the archive bits. The Backup utility supports five methods of backing up data on your computer or network: Copy backup, Daily backup, Differential backup, Incremental backup as well as normal backup. The Differential backup only backs up files that have their archive bits set (turned on) to indicate that they have been modified since the last normal or can perform other types of backups on these files at a later time. And a Normal backup is where all files that are selected for backup are backed up and each backed-up file's archive bit is cleared.
Reference:
Server Help
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9

QUESTION NO: 13
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You use the Backup utility to schedule a full backup of TESTKINGDC1 every night. You ensure that the Active Directory configuration is also backed up. One week later, TESTKINGDC1 stops accepting logon requests. On investigation, you discover that the Active Directory configuration is corrupt. You need to restore TESTKINGDC1 as a functioning domain controller. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Restart TESTKINGDC1 in Directory Services Restore Mode.
B. Demote TESTKINGDC1 to a member server.
C. Run the ntbackup systemstate command on TESTKINGDC1.
D. Run the Backup utility and select the option to restore the System State data.
E. Run the ntdsutil command on TESTKINGDC1.
Answer: A, D
Explanation: We need to restore the System State Data, because it includes the Active Directory. However, you cannot restore the System State Data while the Active Directory is running. Thus you need to boot the computer into Directory Services Restore Mode. This is similar to Safe Mode and will not start the Active Directory. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication.
To restore the System State Data after starting the computer in Directory Services Restore Mode:
1. Start NT Backup.
2. Select the Restore tab.
3. Select the backup media, and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.
6. Reboot the computer into normal mode.
Incorrect Answers:
B: It is not necessary to demote the computer to a member server.
C: The "ntbackup systemstate" command is an incomplete command to back up the system state data; the syntax is not complete. Also what is needed is to restore the data, not back it up.
E: ntdsutil command.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 14
You are the network administrator for Test King. All network servers run Windows Server 2003. You perform a full backup of the network every Monday. You perform incremental backups on Tuesday, Wednesday, Thursday, and Friday. Backups are always performed at 1:00 A.M. On Friday afternoon, a user accidentally deletes a file. You need to restore the file. What should you do?
A. Open each backup log, beginning with Monday and moving forward through the week. In each log, search for a backup of the file. Restore the first backup that you find.
B. Open each backup log, beginning with Friday and moving backward through the week. In each log, search for a backup of the file. Restore the first backup that you find.
C. Open each backup log, beginning with Tuesday and moving forward through the week.
In each log, search for a backup of the file. Restore the first backup that you find.
D. Open the backup log for Monday. Search for a backup of the file. If you find a backup, restore the file. If you do not find a backup, open the backup log for Friday and search there. If you find a backup, restore the file. If you do not find a backup, continue opening backup logs, moving backward through the week from Friday. Restore the first backup that you find.
Answer: B
Explanation: Monday through Friday incremental backups are performed. Incremental backups clear the archive attribute, which means that each backup includes only the files that changed since the previous backup. If data becomes corrupt on Friday, you need to restore the normal backup from Sunday and each of the incremental backups, from Monday through Friday. This strategy takes less time to back up but more time to restore. In this scenario you want to restore the most recent copy of the file. If the file has changed during the week, it will be backed up the following night. For this reason, we start with Friday's backup and search backwards. When searching backwards, the first copy of the file we find will be the latest version.
Incorrect Answers:
A: This could result in an earlier version of the file being restored. We want the last backup of the file. Moving forward through the week might cause you to find an old version of the file that could have been updated or even renewed at a later stage.
C: This could result in an earlier version of the file being restored. We want the last backup of the file. Again this would be moving forward through the logs instead of starting with the latest date backup and moving backwards.
D: It is not necessary to look at Monday's backup first. You could save a lot of time by moving backwards from the latest backup.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 26

Part 5: Schedule backup jobs (10 Questions)

QUESTION NO: 1
You are the administrator of a Windows Server 2003 computer named Testking1. Testking1 functions as an application server. Testking1 is being used for development. The server is used heavily between the hours of 8:00 A.M. and 5:00 P.M., and the hours of 6:30 P.M. and 2:30 A.M. TestKing requires a complete backup of Testking1 daily. A complete backup of all data on the server takes approximately four hours to complete. A backup of the daily changes to the data on the server takes approximately 30 minutes to complete. You need to ensure that data changed between 8:00 A.M. and 5:00 P.M. is backed up as soon as possible. The backups cannot affect the server performance during periods of heavy use. You need to automate the backups of Testking1 to meet the business requirements. What should you do?
A. Create two scheduled backup jobs: one normal backup and one incremental backup. Schedule the normal backup to start at 5:30 P.M. and to end five hours later. Schedule the incremental backup to start at 3:00 A.M. and to end one hour later.
B. Create two scheduled backup jobs: one normal backup and one differential backup. Schedule the normal backup to start at 3:00 A.M. and to end five hours later. Schedule the differential backup to start at 5:30 P.M. and to end one hour later.
C. Create a daily job. Schedule the backup to start at 5:40 P.M. and to end one hour later, and then to start at 3:00 A.M. and to end five hours later.
D. Create a copy backup job. Schedule the backup to start at 5:30 P.M. and to end one hour later, and then to start at 3:00 A.M. and to end five hours later.
Answer: B
Explanation: Use a normal backup when you want to back up all the files you select backs up the selected files to a file or tape, ignoring whether the archive attribute is set or cleared. In other words, it does not matter whether the file has been backed archive attribute to indicate that the file was backed up. Normal backups are commonly selected when you are performing full backups, in which all files on a volume are backed up. Use a differential backup to back up all files that have changed since the last normal or incremental backup. However, when this type of backup is performed, the archive attribute is not cleared. This means that the data on one differential backup contains the same information as the previous differential backup, plus any additional files that have changed. Since unchanged data is continually being backed up with this method, differential backups take longer to perform than incremental backups. However, when restoring backed up data, only the last normal backup and the last differential backup need to be restored. This makes the time it takes to fully restore a system faster than with a combined normal and incremental backup method.
Incorrect answers:
A: The incremental backup method will be too time-consuming because you have a limited time in which to complete your task.
C: A Daily backup job is used to back up all selected files and folders that have changed during the day, based on the files' modify date. The archive attribute is neither used nor cleared. If you want to back up all files and folders that change during the day without affecting a backup schedule, use a daily backup.
D: Copy backups are not used for typical or scheduled backups. Instead, copy backups are useful to move data between systems.
References:

Server Help
http://www.seagate.com/support/kb/tape/4062.html
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You are required to implement a backup strategy for all five servers on the network. You use the Backup Utility to schedule nightly backup jobs. You create a domain user account named BackupSvc, and add it to the local Backup Operators group on all file servers. The scheduled backup jobs will use BackupSvc to log on to the network. Nightly backups occur successfully for six weeks. Then, nightly backups fail on all servers. When you examine the event log of one server, you discover that the password for BackupSvc is expired. You reset the password and select the Password never expires option for BackupSvc. The next day, you discover that the previous night's backup failed on all file servers. You need to ensure that the next night's backup is successful. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Stop and restart every file server.
B. Stop and restart the backup application on every file server.
C. Change the password for the backup job on every file server.
D. In Active Directory Users and Computers, increase the value of the Account lockout threshold option.
E. Unlock the BackupSvc account.
Answer: C, E
Explanation: The backup job schedule properties have not been changed, leaving it configured with the old username and password combination. As a result of this the BackupSvc account is locked out. Therefore we need to change the password for the backup job on every file server and unlock the BackupSvc account to let it work again. It could be that the password for the backup jobs could have expired, causing the failure to back up.
Incorrect answers:
A: Stopping and restarting the file servers will just reset the servers themselves and not cause the backup to occur, as the password was only set on the BackupSvc.
B: Stopping and restarting the backup application is not sufficient as the password also needs to be reset.
D: Increasing the value of the threshold of Account Lockouts will not have the desired effect. You need to unlock the BackupSvc account first.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 7:12-13
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.

QUESTION NO: 3
You are the network administrator for TestKing.com. All servers run Windows Server 2003. You are creating a backup schedule for the main file server. You need to create a schedule so that backup jobs are completed in the shortest amount of time possible. What should you do?
A. Schedule a normal backup every Sunday. Schedule incremental backups every Monday through Saturday.
B. Schedule a normal backup every Sunday. Schedule differential backups every Monday through Saturday.
C. Schedule a copy backup every day.
D. Schedule a normal backup every day.
Answer: A
Explanation: A normal backup is a backup that copies all files and marks those files as having been backed up (in other words, the archive attribute is cleared). A normal backup is the most complete form of backup. Once a week a normal backup is performed, and on Monday through Saturday incremental backups are performed. Incremental backups clear the archive attribute, which means that each backup includes only the files that changed since the previous backup. If data becomes corrupt on Friday, you need to restore the normal backup from Sunday and each of the incremental backups, from Monday through Saturday.
Incremental backup - An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.
Incremental Backup - Includes files that were created or changed since the last backup. Archive bit is reset.
Advantages - Better use of media. Only files that were created or changed since the last backup are included, so there is much less data storage space required. Less time required, since it only backs up the files that have been modified since the last backup.
Incorrect answers:
B: Normal backups in conjunction with differential backups is more time-consuming, especially if your data changes frequently; it is easier to restore the data because the backup set is usually stored on only a few disks or tapes.
C: A copy backup on a daily basis copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared).
Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations. However in this scenario it is not what is needed.
D: A normal backup on a daily basis alone is not practical in this scenario.
Reference:
http://www.seagate.com/support/kb/tape/4062.html
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 26

QUESTION NO: 4
You are the network administrator for your company. All network servers run Windows Server 2003. All client computers run Windows XP Professional. A member server named Server1 is located at a branch office that does not permit the use of Remote Desktop Protocol. Another administrator uses the Backup utility to create a scheduled backup job on Server1. The backup job performs a normal backup of an application server. The application server is removed from the network. You need to use a client computer to remove the backup job from Server1. You cannot travel to the branch office. What should you do?
A. Use the RUNAS feature to run the at /delete command as the Server1\Administrator account.
B. Log on by using your Administrator account and run the ntbackup /D command.
C. Log on by using your Administrator account and run the schtasks /delete command.
D. Use the RUNAS feature to run the taskkill command as the Server1\Administrator account.
Answer: C
The correct syntax is:
schtasks /delete /tn {TaskName | *} [/f] [/s computer [/u [domain\]user /p password]] [/?]
Incorrect answers:
A: As an administrator, you should log on using an ordinary user account and when you need to perform an administrative task you can use the Run as option to choose an administrator account. But that will involve you travelling to the branch office.
B: The ntbackup /D command specifies the label to use for the backup set. It will not help in removing the backup job from Server1.
D: The runas command enables you to run a command with the credentials of a different user, in this case the administrator with the involvement of traveling.
References:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9

QUESTION NO: 5
You are the administrator of a Windows Server 2003 computer named Testking1. Backups of the System State data of Testking1 occur each day by using the local Administrator account. A new TestKing.com requirement restricts you from running services by using the Administrator account. To meet the requirement, you create a new service account named BackupTestking1 to be used for backups. You want this account to have the minimum permissions necessary to perform backups. You need to grant the appropriate permissions to the BackupTestking1 account and to configure the backup job to use the BackupTestking1 account. What should you do?
A. Add the BackupTestking1 account to the Server Operators group. Modify the backup Scheduled Task to use the BackupTestking1 account.
B. Add the BackupTestking1 account to the Backup Operators group. Modify the backup Scheduled Task to use the BackupTestking1 account.
C. Add the BackupTestking1 account to the Server Operators group. Modify the Task Scheduler service to use the BackupTestking1 account.
D. Add the BackupTestking1 account to the Backup Operators group. Modify the Task Scheduler service to use the BackupTestking1 account.
Answer: B
Explanation: To successfully back up and restore data on a computer running Windows Server 2003, you must have the appropriate permissions and user rights, as described in the following list:
1. All users can back up their own files and folders. They can also back up files for which they have the Read permission.
2. Members of the Administrators, Backup Operators, and Server Operators groups can back up and restore all files, regardless of the assigned permissions.
By default, members of these groups have the following user rights: Backup Files and Directories and the Restore Files and Directories as well as Modify and Full Control permissions.
Therefore we must add the BackupTestking1 account to the Backup Operators group and modify the backup Scheduled Task to use the BackupTestking1 account.
You use schtasks.exe to set programs to run at scheduled intervals, delete or change existing scheduled tasks, and stop or run a scheduled task immediately. Following is a list of the six options for schtasks. Schtasks does not provide as much control over scheduled tasks as using the graphical interface.
Schtasks option: Use
schtasks create: Create a new scheduled task.
schtasks change: Change the properties of a scheduled task but not the actual schedule.
schtasks run: Run a scheduled task immediately.
schtasks end: Stop a scheduled task that is currently running.
schtasks delete: Delete a scheduled task.
schtasks query: List all the scheduled tasks on the local or a remote computer.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 619-620.

QUESTION NO: 6
You are the network administrator for Testking.com. All network servers run Windows Server 2003. A member server named TestKingSrvA hosts several hundred folders, which reside in various locations on the server. TestKingSrvA is configured to run a copy backup of the folder every Saturday at 1:00 A.M. On Tuesday, you are directed to schedule an additional backup job for all files on TestKingSrvA. The job must run the following day at 1:00 A.M. You need to use the Backup utility to ensure that the backup job runs on Wednesday at 1:00 A.M., and that the normal backup schedule resumes afterward. You must achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Specify Wednesday as the start date of the job. On Thursday, specify Saturday as the start date.
B. Configure the job schedule to perform the backup every Wednesday at 1:00 A.M. On Thursday, reconfigure the schedule to perform the backup every Saturday at 1:00 A.M.
C. Use the Show Multiple Schedules option to add an additional schedule to the job. Configure the additional schedule to run the job once on Wednesday at 1:00 A.M.
D. Use the Repeat Task option to configure the existing job to repeat every 96 hours until an interval of 168 hours passes.
Answer: C
Explanation: There is no need to modify the existing schedule. You can simply select the existing backup job, and make an additional schedule. In this scenario, we already have a backup schedule of all the folders that runs every Saturday at 1:00 AM. We now need to make an additional schedule for the same files using the least amount of administrative effort. Adding an additional schedule to the existing backup job would be the option that requires the least amount of administrative effort.
Incorrect Answers:
A: In this option, we are reconfiguring the schedule to start on Wednesday and then reconfiguring it on Thursday to start on Saturday. However, the start date does not determine on what day the actual backup is performed, but the date from which the next backup will be scheduled. Thus setting the start date to Wednesday does not mean that the backup will be performed on Wednesday but on the day specified in the schedule that follows after Wednesday. In other words, the backup will still be performed on Saturday because that is the day it is scheduled to run. Changing the start date will not change the day on which the job is run. The start date of the job won't change the day on which the job is run.
B: We want the job to run on Wednesday only once, not every Wednesday. In this option, we are reconfiguring the schedule to run every Wednesday, then on Thursday, we are reconfiguring the job to run every Saturday.
This would meet our objectives of performing a backup on Wednesday and then reverting back to the scheduled backup every Saturday. However, this is not the best option as it. It would be easier to add a second schedule to the job and specify that schedule to run once on Wednesday. We would then not need to reconfigure the schedule on Thursday again.
D: We want the job to run on Wednesday once and every Saturday, not every 96 hours. Specifying that the job must run every 96 hours will not meet our objectives. We must configure the job to run the next morning at 1:00 a.m.; this is in less than 24 hours' time. Thus, using this option, the job will not run on Wednesday.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 723 to 727
Lisa Donald with Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, pp. 520-5

QUESTION NO: 7
You are the network administrator for Testking.com. All network servers run Windows Server 2003. A member server named TESTKING1 hosts several hundred folders, which reside in various locations on the server. TESTKING1 is configured to run a normal backup of the folder every Saturday at 1:00 A.M. You discover that users edit the contents of the folders on Saturday and Sunday. You need to use the Backup utility to reschedule the backup job so that it runs every Monday at 1:00 A.M. instead of every Saturday at 1:00 A.M. You must achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Specify Monday as the start date of the job.
B. Reconfigure the job schedule to run the backup every Monday at 1:00 A.M.
C. Add an additional schedule to the job. Configure the additional schedule to run the backup on Monday at 1:00 A.M.
D. Use the Repeat Task option to configure the existing job to repeat every 48 hours until an interval of 336 hours passes.
Answer: B
Explanation: You can easily schedule backup jobs to run automatically at predetermined times using the graphical Backup Utility. To change the schedule of the backup, select the backup object, select properties and enter the new schedule.
Incorrect Answers:

A: The start date won't change what day the backup job runs on. Once a job has been scheduled, you can edit the schedule by clicking the Schedule Jobs tab of the Backup Utility. Jobs are listed on a calendar.
C: because backup schedules can be edited.
D: The backup should run weekly, not every 48 hours. Making the schedule run every 48 hours will result in too many backups being made and a lot more administrative effort.

Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 9
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, p. 285

QUESTION NO: 8
DRAG DROP
You are the network administrator for TestKing.com. All network servers run Windows Server 2003. You are responsible for backing up all servers. Each server is configured to back up its data on a centrally located tape device. The tapes created on this device are collected daily and stored off-site. Every time a backup tape must be retrieved from off-site storage, a charge is incurred.
A new server is currently in production. A share on this server will be the repository for confidential legal and financial files. You need to ensure that all modified files on the new share will be backed up. You also need to ensure that the entire share can be restored quickly, requiring only the minimum number of tapes to be retrieved from off-site storage.
Which backup types should you schedule?
To answer, drag the appropriate backup type to the correct day of the week in the work area.

Answer:

Explanation:
Normal Backup backs up all files and sets the archive bit as marked for each file that is backed up. Requires only one tape set for the restore process. To ensure that all modified files on the new share will be backed up, as well as that the entire share can be restored quickly, requiring only the minimum number of tapes to be retrieved from off-site storage, you should make use of normal backups under the circumstances as described in the question.

Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, p. 530

QUESTION NO: 9
You are the network administrator for TestKing.com. You manage a Windows Server 2003 computer named TestKing1. There are multiple scheduled tasks configured on TestKing1. One task is a scheduled backup job.
You need to temporarily disable the backup job from running so that you can troubleshoot a problem. You must not interfere with any other scheduled tasks. You need to disable the scheduled backup job. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Pause the Task Scheduler service.
B. Delete the scheduled backup job. Re-create the backup after you finish troubleshooting.
C. Modify the properties of the scheduled backup job and clear the Enabled check box.
D. Run the ntbackup /p command on the server.

Answer: C

Explanation:
You use schtasks.exe to set programs to run at scheduled intervals, delete or change existing scheduled tasks, and stop or run a scheduled task immediately. Following is a list of the six options for schtasks. Schtasks does not provide as much control over scheduled tasks as using the graphical interface.

However, if you modify the properties of the scheduled backup job and merely clear the Enabled check box, you will get the desired effect of disabling the scheduled backup job with the least amount of administrative effort.

Incorrect answers:
A: Pausing is not the same as disabling; it is just postponing.
B: Deleting and then rescheduling a backup job as described in option B will work, but it amounts to more administrative effort than is necessary.
D: The ntbackup /p command on the server will tell NTBACKUP which media pool (a logical grouping of removable media, such as a tape library) to copy the backup files to. If you're using Backup, this will be the Backup media pool. You won't use this option to a specific tape, not an entire media pool. This does not disable the scheduled backup job.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 619-620.

QUESTION NO: 10
You are the network administrator for TestKing. You manage a Windows Server 2003 computer named TestKing4 that functions as an application server.
TestKing4 will be used for development during the next 30 days. You need to back up all data on TestKing4 every day for the next 30 days. You need to automate the backups of TestKing4 to meet these business requirements. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Create a scheduled backup job as a normal backup. Copy the backup job, and modify the start date so that one job starts every day for the next 30 days.
B. Create a scheduled backup job as a daily backup. Set the start date of the job for today, and set the end date for 30 days from today.
C. Create a scheduled backup job as a copy backup. Copy the backup job, and modify the start date so that one job starts every day for the next 30 days.
D. Create a scheduled backup job as a normal backup. Set the start date of the job for today, and set the end date for 30 days from today.

Answer: D

Explanation:
A Normal Backup backs up all files and sets the archive bit as marked for each file that is backed up. Requires only one tape set for the restore process. Furthermore, Scheduled Tasks allows you to configure tasks to be run at specific times or intervals and can thus be automated to suit your requirements. Since TestKing4 is to be used for development over 30 days, and you need to make backups of all the data on TestKing4 for every day of the next 30 days with the least amount of administrative effort, you should schedule a normal backup job, set the start date as today and the end date for 30 days from today.

Incorrect answers:
A: Setting up the job so that one job starts every day amounts to too much administrative effort.
B: A backup job scheduled as a daily backup is not the answer.
C: A copy backup backs up all files and does not set the archive bit as marked for each file that is backed up. Requires only one tape set for the restore process. This is not what is required in this case.

Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, pp. 116, 530

Topic 6: Miscellaneous (36 Questions)

QUESTION NO: 1
You are the network administrator for Testking.com. The network consists of a single DNS domain named testking.com. You replace a UNIX server with a Windows Server 2003 computer named TestKing1.
TestKing1 is the DNS server and start of authority (SOA) for testking.com. A UNIX server named TestKing2 is the mail server for testking.com.
You receive reports that Internet users cannot send e-mail to the testking.com domain. The host addresses are shown in the following window.
You need to ensure that Internet users can send e-mail to the testking.com domain.

What should you do?
A. Add an _smtp service locator (SRV) DNS record for TestKing2.
B. Add a mail exchange (MX) DNS record for TestKing2.
C. Add an alias (CNAME) record for mail.testking.com.
D. Enable the SMTP service on TestKing1.

Answer: B

Explanation:
Email servers on the internet query Testking1 for the address of the mail server for the domain. The address of the mail server is held in an MX (Mail Exchange) record.

Incorrect Answers:
A: Email servers find other email servers by using MX records, not SRV records.
C: Email servers find other email servers by using MX records, not CNAME records.
D: The SMTP service should be running on the mail server, not the DNS server.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 627

QUESTION NO: 2
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com.
You configure a new Windows Server 2003 file server named TestKingSrv1. You restore user files from a tape backup, and you create a logon script that maps drive letters to shared files on TestKingSrv1.
Users report that they cannot access TestKingSrv1 through the drive mappings you created. Users also report that TestKingSrv1 does not appear in My Network Places.
You log on to TestKingSrv1 and confirm that the files are present and that the NTFS permissions and share permissions are correct. You cannot access any network resources. You run the ipconfig command and see the following output.
You need to configure the TCP/IP properties on TestKingSrv1 to resolve the problem.
What should you do?
A. Add testking.com to the DNS suffix for this connection field.
B. Configure the default gateway.
C. Configure the DNS server address.
D. Configure a static IP address.

Answer: D

Explanation:
The IP address shown in the exhibit is an APIPA (automatic private IP addressing) address. This means that the server is configured to use DHCP for its IP configuration but is unable to contact a DHCP server (a likely cause for this is that there isn't a DHCP server on the network). Thus, when there is no DHCP server available to issue IP addresses, a static IP address in the same range as the rest of the network should be assigned to resolve the problem.

Incorrect Answers:
A: A DNS suffix isn't necessary as it will not resolve the problem for the users.
B: A default gateway is unnecessary unless this is a routed network.
C: The server not having a DNS server address wouldn't prevent clients connecting to the server.

Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 629

QUESTION NO: 3
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named contoso.com. The network contains 100 Windows 2000 Professional computers and three Windows Server 2003 computers. Information about the three servers is shown in the following table.
You add a network interface print device named TestKingPrinter1 to the network. You manually configure the IP address for TestKingPrinter1. TestKingPrinter1 is not currently registered on the DNS server. The relevant portion of the network is shown in the exhibit.

You need to ensure that client computers can connect to TestKingPrinter1 by using its name.
What should you do?
A. On TestKingSrvA, add an alias (CNAME) record that references TestKingPrinter1.
B. In the Hosts file on TestKingSrvC, add a line that references TestKingPrinter1.
C. On TestKingSrvA, add a service locator (SRV) record that references TestKingPrinter1.
D. On TestKingSrvA, add a host (A) record that references TestKingPrinter1.
E. In the Hosts file on TestKingSrvB, add a line that references TestKingPrinter1.

Answer: D

Explanation:
The clients' printer software needs to know the IP address of the printer. For this, we can simply enter a host (A) record in the DNS zone. An A record maps a hostname to an IP address.

Incorrect Answers:
A: An alias (CNAME) can only point to an A record. We need to create the A record.
B: We should use DNS, not a hosts file.
C: We don't need an SRV record for a printer. SRV records are used for computers providing a service, like a domain controller for example.
E: We should use DNS, not a hosts file.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 53

QUESTION NO: 4
You are the network administrator in the New York office of TestKing. The company network consists of a single Active Directory domain testking.com. The New York office currently contains one Windows Server 2003 file server named TestKingA.
All file servers in the New York office are in an organizational unit (OU) named New York Servers. You have been assigned the Allow - Change permission for a Group Policy object (GPO) named NYServersGPO, which is linked to the New York Servers OU.
The written company security policy states that all new servers must be configured with specified predefined security settings when the servers join the domain. These settings differ slightly for the various company offices.
You plan to install Windows Server 2003 on 15 new computers, which will all function as file servers. You will need to configure the specified security settings on the new file servers. TestKingA currently has the specified security settings configured in its local security policy. You need to ensure that the security configuration of the new file servers is identical to that of TestKingA. You export a copy of TestKingA's local security policy settings to a template file.
You need to configure the security settings of the new servers, and you want to use the minimum amount of administrative effort.
What should you do?
A. Use the Security Configuration and Analysis tool on one of the new servers to import the template file.
B. Use the default Domain Security Policy console on one of the new servers to import the template file.
C. Use the Group Policy Editor console to open NYServersGPO and import the template file.
D. Use the default Local Security Policy console on one of the new servers to import the template file.

Answer: C

Explanation:
Group policy provides us with a simple way of applying settings to multiple computers or users. In this case, we have a template file with the required security settings. We can simply import this file into a group policy object and apply the group policy to the servers that have to be configured with the security settings.

Incorrect Answers:
A: This would configure the required settings, but only on one server. Thus it would result in you having to put in more administrative effort.
B: This would apply the settings to all computers in the domain. We only want the settings to apply to the servers.
D: This cannot be done.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 649

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003.
Confidential files are stored on a member server named TK1. The computer object for TK1 resides in an organizational unit (OU) named Confidential. A Group Policy object (GPO) named GPO1 is linked to the Confidential OU.
To audit access to the confidential files, you enable auditing on all private folders on TK1. Several days later, you review the audit logs. You discover that auditing is not successful.
You need to ensure that auditing occurs successfully.
What should you do?
A. Start the System Event Notification Service (SENS) on TK1.
B. Start the Error Reporting service on TK1.
C. Modify the Default Domain Controllers GPO by selecting Success and Failure as the Audit Object Access setting.
D. Modify GPO1 by selecting Success and Failure as the Audit Object Access setting.
Answer: D

Explanation:
Audit Object Access - Determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
We want to audit a server that resides in the Confidential OU. We do not want to audit domain controllers. Since GPO1 is linked to the Confidential OU, it has to be modified as the Audit Object Access setting will be applicable to the confidential files.

Incorrect answers:
A: System Event Notification Service - Tracks system events such as Windows logon, network, and power events. It notifies COM+ Event System subscribers of these events.
B: Error Reporting Service - Allows error reporting for services and applications running in non-standard environments.
C: Modifying the Default Domain Controllers GPO by selecting Success and Failure as the Audit Object Access setting will not solve your problem as you need to monitor and modify the access setting to the confidential files. Also, we do not want to edit domain controllers.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 36

QUESTION NO: 6
You are the network administrator for the Beijing office of TestKing. A branch office is located in Cairo. The DNS servers in both locations run Windows Server 2003.
The network uses two DNS namespaces internally. They are named publishing.testking.com and testking.com. The locations of the primary name servers are shown in the following table.

Namespace                  Location of primary name server
Publishing.testking.com    Cairo office
Testking.com               Beijing office

The Beijing office contains some servers that are registered in the testking.com zone and others that are registered in the publishing.testking.com zone. All computers in the Beijing office are configured to use the local DNS server as their preferred DNS server.
The two offices are connected only by using a VPN through the Internet. Various network problems occasionally result in loss of connectivity between the two offices. Firewalls prevent the DNS servers in both offices from receiving queries from the Internet.
You need to configure the DNS server in the Beijing office to allow successful resolution of all queries from the Beijing office for names in the publishing.testking.com namespace, even when the VPN link between the Beijing and Cairo offices fails.
What should you configure on the DNS server in the Beijing office?
A. In the testking.com zone, create a delegated subdomain named publishing. Specify the DNS server in the Cairo office as a name server.
B. Create a secondary zone named publishing.testking.com. Specify the DNS server in the Cairo office as a master server.
C. Configure conditional forwarding for the publishing.testking.com namespace. Specify the DNS server in the Cairo office as a target server.
D. Create a stub zone named publishing.testking.com. Specify the DNS server in the Cairo office as a master server.

Answer: B

Explanation:
We must be able to look up, in the Beijing testking.com, records in Cairo publishing.testking.com without a network connection. The Beijing office (testking.com) uses the local DNS server as its preferred DNS server.
The Beijing office needs to allow successful resolution of all queries from the Beijing office for names in the publishing.testking.com namespace (Cairo server), even when the VPN link between the Beijing and Cairo offices fails.
We just have one option: use delegation and point.
Secondary DNS server: A DNS server that hosts a read-only copy of zone data. A secondary DNS server periodically checks for changes made to the zone on its configured primary DNS server, and performs full or incremental zone transfers, as needed. A secondary zone contains a complete copy of a zone.
After transferring the secondary zone from the child domain, we can set the name server of Cairo DNS in this way.
Delegation is the process of using resource records to provide pointers from parent zones to child zones in a namespace hierarchy. This enables DNS servers in a parent zone to route queries to DNS servers in a child zone for names within their branch of the DNS namespace. Each delegation corresponds to at least one zone.

Incorrect Answers:
A: We cannot delegate a child zone to a principal zone; we can delegate to another server in the child zone. If you are deploying DNS on a large enterprise network, or if you expect your network to expand to include additional subnets and sites, consider distributing the management of portions of your DNS namespace to the administrators for the different subnets and sites in your network. To distribute the management of your DNS namespace, create subdomains of your initial DNS domain and delegate the authority for these subdomains to DNS servers located on different subnets or sites. In this way, you can create any number of separate and autonomous entities within a DNS namespace, each of which is authoritative for a portion of the overall namespace.
C: We cannot forward queries that are not in the Cairo DNS cache for publishing.testking.com over a broken link.
D: We cannot use a stub zone. A partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone's authoritative servers, and the glue address (A) resource records that are required for contacting the zone's authoritative servers. Stub zones are used to reduce the number of DNS queries on a network, and to decrease the network load on the primary DNS servers hosting a particular name.

Reference:
SERVER HELP
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Three thousand client computers run Windows 2000 Professional, and 1,500 client computers run Windows XP Professional.
A new employee named Dr King is hired to assist you in installing Windows XP Professional on 150 new client computers.
You need to ensure that Dr King has only the minimum permissions required to add new computer accounts to the domain and to own the accounts that he creates. Dr King must not be able to delete computer accounts.
What should you do?
A. Add Dr King's user account to the Server Operators group.
B. Add Dr King's user account to the Account Operators group.
C. Use the Delegation of Control Wizard to permit Dr King's user account to create new computer objects in the Computers container.
D. Create a Group Policy object (GPO) and link it to the domain. Configure the GPO to permit Dr King's user account to add client computers to the domain.

Answer: C

Explanation:
Active Directory enables you to efficiently manage objects by delegating administrative control of the objects. You can use the Delegation of Control Wizard and customized consoles in Microsoft Management Console (MMC) to grant specific users the permissions to perform various administrative and management tasks.
You use the Delegation of Control Wizard to select the user or group to which you want to delegate control. You also use the wizard to grant users permissions to control organizational units and objects and to access and modify objects.
The Delegation tab enables you to use the computer for delegation. There are three choices for delegation:
1. Do not trust this computer for delegation - This is the default for Windows Server 2003 machines.
2. Trust this computer for delegation to any service (Kerberos only) - This option makes all services under the Local System account trusted for delegation. In other words, any installed service has the capability to access any network resource by impersonating a user.
3. Trust this computer for delegation to specified services only - This feature was not available in previous versions of Windows. It enables an administrator to choose the services that are delegated by selecting a specific service or computer account. This is commonly referred to as constrained delegation.
Delegation of control can be done through the Delegation of Control Wizard or via Group Policy settings.

Incorrect answers:
A: The Server Operators group has the following abilities: shut down the server from the console, restore files and directories from a backup device, change system time and date, and log on to the server console interactively, though the question only asks for the minimum permissions to add new computer accounts.
B: The Account Operators group has the following abilities: shut down the server from the console and log on to the server console interactively, though the question only asks for the minimum permissions to add new computer accounts.
D: Creating a GPO and linking it to the domain will be obsolete in this case.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 355, 441, 830.

QUESTION NO: 8
DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The domain contains two Windows Server 2003 domain controllers named TestKingA and TestKingB. TestKingA and TestKingB have the DNS service installed.
TestKingA is located in the main office in Toronto. TestKingB is located in a branch office in Mexico City. The branch office network contains an IP subnet with the network address 192.168.1.0/24.
You plan to designate main office servers as the master servers for any future reverse lookup zone. The DNS servers are not configured to perform reverse lookups.
You need to create a reverse lookup record for a branch office client computer named computer1.testking.com, which has an IP address of 192.168.1.21.

!hat should you do% To ans"er* drag the action that you should #er$orm $irst to the )ction < bo3 'ontinue dragging actions to the corres#onding numbered bo3es until you list all required actions in the correct order You might not need to use all numbered bo3es ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;-2 2 )ns"er: E3#lanation: ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;-3 2 1 creating the 0one on the Main office Test@ingA ser%er will act as the master ser%ers for an future re%erse loo/up 0one. This 0one will be delegated to Test@ing1 that is located in a branch office in MeBico .it . .reating a 5TR record to resol%e a re%erse loo/up record for a branch office client computer named computer1.test/ing.com, which has an &5 address of 1=2.1;>.1.21. Delegation of 0one "H2- means that Test@ing1 ser%er will resol%e re%erse loo/ups &n the 0one 1=2.1;>.1.", Test@ing1 ser%er an computers 6uer form 1=2.1;>.1.1 &5 to 1=2.1;>.1.2F- &5 De$erence: Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, 4aura 3. Aunter L !ill $chmied, Managing and Maintaining a !indows $er%er 2""3 3n%ironment $tud Cuide L D?D Training $ stem, p. ;-2 QUESTION NO: ; DD)- DDO. ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;-- 2 You are the net"or0 administrator $or Test0ing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com The domain contains !indo"s Ser/er 2==, domain controllers* !indo"s Ser/er 2==, member ser/ers* and !indo"s @. 
.ro$essional com#uters The net"or0 security administrator re/ises the "ritten com#any security #olicy The security #olicy no" states that all com#uters must ha/e the ability to audit any attem#ts to change the registry To com#ly "ith the com#any security #olicy* you need to enable auditing $or the domain You do not "ant to generate any other ty#e o$ e/ent that is not related to the changes in the security #olicy :o" should you con$igure auditing% To ans"er* drag the a##ro#riate )udit .olicy setting or settings to the correct #olicy or #olices )ns"er: E3#lanation: ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;-F 2 Drag and dro# Success and Eailure to )udit Ob2ect )ccess )udit ob2ect access > This securit setting determines whether to audit the e%ent of a user accessing an ob)ect22for eBample, a file, folder, registr /e , printer, and so forth22that has its own s stem access control list *$A.4+ specified. Assign permissions to files, folders, and registr /e s Appropriate ob)ect manager and 5roperties page Access control is the model for implementing authori0ation. 'nce a user account has recei%ed authentication and can access an ob)ect, the t pe of access granted is determined b either the user rights that are assigned to the user or the permissions that are attached to the ob)ect. (or ob)ects within a domain, the ob)ect manager for that ob)ect t pe enforces access control. (or eBample, the registr enforces access control on registr /e s. 3%er ob)ect controlled b an ob)ect manager has an owner, a set of permissions that appl to specific users or groups, and auditing information. 1 setting the permissions on an ob)ect, the owner of the ob)ect controls which users and groups on the networ/ are allowed to access the ob)ect. The permission settings also define what t pe of access is allowed *such as readHwrite permission for a file+. 
The auditing information defines which users or groups are audited when attempting to access that object.
After setting the audit, refreshing the policy, and enabling the setting for the Everyone group on regedit.exe, you will be able to see any attempt to access.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 754, 752

QUESTION NO: 10
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers.
The Default Domain Policy has been modified by importing a security template file, which contains several security settings.
A server named TestKing1 cannot run a program that is functioning on other similarly configured servers. You need to find out whether additional security settings have been added to the local security policy on TestKing1.
To troubleshoot, you want to use a tool to compare the current security settings on TestKing1 against the security template file in order to automatically identify any settings that might have been added to the local security policy.
Which tool should you run on TestKing1?

A. Microsoft Baseline Security Analyzer (MBSA)
B. Security Configuration and Analysis console
C. gpresult.exe
D. Resultant Set of Policy console in planning mode

Answer: B

Explanation:
The Security Configuration and Analysis console can be used to analyse a system to compare the local security settings to a template. When analyzing a system, it will display differences in configuration between the local computer and a defined template.

Incorrect Answers:
A: The MBSA can be used to check for missing security updates as well as other security vulnerabilities. It will however not compare the security settings with a defined template.
C: GPresult.exe is used to display the resultant set of policies when multiple group policies are applied to an object. It cannot be used in this scenario.
D: This is similar to answer C. It will display what the resultant set of policies would be if multiple group policies were applied to an object (without actually applying the group policies). It cannot be used in this scenario.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 270, 616

QUESTION NO: 11
You are the administrator of a Windows Server 2003 computer named Testking1. An application on Testking1 gradually uses more and more memory until it causes Testking1 to stop responding. If you restart the application before it uses the available memory, there is no interruption of user services.
You need to configure Testking1 to notify you when it encounters a low-memory condition.
What should you do?

A. Using Task Scheduler, schedule a repeating task that runs the tracert command.
B. Using Performance Logs and Alerts, configure an alert for the appropriate performance object.
C. Using System Monitor, configure the appropriate performance object to display.
D. Using Startup and Recovery Settings, configure Testking1 to send an Administrative Alert.

Answer: B

Explanation:
We can use Performance Logs and Alerts to configure an alert when a counter reaches a defined threshold. In this scenario, we can configure an alert to tell us when the "Memory \ Available Mbytes" counter falls below a certain level.

Incorrect Answers:
A: The tracert command is used to test TCP/IP connectivity. It is not applicable in this scenario.
C: We can use System Monitor to view the available memory. However, this solution would involve constantly watching the counter to see when it falls below a certain level.
It would be more practical to configure an alert to tell us when the available memory falls below a certain level.
D: The startup and recovery alerts are only configured when the computer crashes and restarts. We need an alert to be sent before the computer runs out of memory and crashes.

QUESTION NO: 12
HOTSPOT
You are a network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
Another administrator shares a folder as UserData. He wants users to be able to create, modify, and delete documents in the folder. When users attempt to create a document in the folder, they receive an error message.
You need to configure the NTFS and share permissions so that users can only create, modify, and delete documents in the folder. You need to achieve this goal without granting unnecessary NTFS or share permissions.
What should you do? To answer, configure the appropriate option or options in the dialog boxes in the work area.

Answer:
Share Permissions: Everyone - Change
NTFS Permissions: Everyone - Modify

Explanation:
The "Change" share permission allows users to Read, Write, Execute (program files), and Delete files or folders.
The "Modify" NTFS permission also allows the users to Read, Write, Execute (program files), and Delete files or folders. These settings do not allow users to change the permissions or change the ownership of files.

QUESTION NO: 13
HOTSPOT
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All servers on your network run Windows 2003. All client computers run Windows XP Professional.
You install Terminal Services with all default settings enabled on a computer named TestKing5. You add the Authenticated Users group to the Remote Desktop Users group in the domain. All new user accounts are created with the default settings and are tested successfully.
TestKing is distributing a satisfaction survey to its employees on TestKing5. Employees use the Remote Desktop client to complete the survey on TestKing5. If employees encounter issues related to the survey, they will contact the help desk.
You need to ensure that the help desk employees can connect to Terminal Server sessions and can control the mouse on a user's computer, with the consent of the user. Your solution must not affect settings for the sessions of newly created user accounts.
You open the properties of the RDP-Tcp connection in the Terminal Services Configuration snap-in.
What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer:

Explanation:

QUESTION NO: 14
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All network servers run Windows Server 2003. Half of the client computers run Windows XP Professional, and the other half run Windows NT 4.0 Workstation.
You install Terminal Services on three member servers named Testking1, Testking2, and Testking3. Each server has a single Pentium III 600-MHz CPU with 512 MB of RAM and a single-channel EIDE disk subsystem. You place all three terminal servers in an organizational unit (OU) named Terminal Server. You link a Group Policy Object (GPO) to the Terminal Server OU.

Several days after the installation, users report that the performance of all three terminal servers is unacceptably slow. You discover that each server has at least 50 active sessions at once.
You need to improve the performance of all three terminal servers. You must achieve this goal by using the minimum amount of administrative effort, without upgrading any hardware.
What should you do?

A. Log on to the console of each terminal server. In the RDP-Tcp connection properties, set the Maximum connections option to 35.
B. Edit the GPO to set the Limit number of connections policy to 35.
C. Modify all domain user accounts to set the When a session limit is reached or broken user property to End session.
D. Edit the GPO to enable the Remove Disconnected option from shutdown dialog policy.

Answer: B

Explanation:
The existing hardware cannot handle the load of 50 active sessions. The performance of the Terminal Servers becomes unacceptably slow when they have 50 or more active sessions. Therefore, to improve performance, we need to limit the number of simultaneous active sessions. We can do this by configuring the GPO to set the Limit number of connections policy to 35. This will limit the number of simultaneous active sessions to 35.

Incorrect Answers:
A: This answer would work. However, we have a GPO in place, so an easier solution would be to edit the GPO to set the Limit number of connections policy to 35.
C: This solution would not work because by default, there are no time limits to a user's session, so the session would never be ended (disconnected).
D: This option is not used to limit the number of active sessions on a Terminal Server.
QUESTION NO: 15
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All network servers run Windows Server 2003.
A member server named TestkingA has a locally attached tape device. TestkingA contains several folders and files that are encrypted by using Encrypting File System (EFS).
You create a new user account for a new employee named Victoria. Victoria's user account is member of the Users group only.
You need to ensure that Victoria can back up the encrypted folders and files on TestkingA. Victoria must be assigned the minimum administrative privileges needed to complete this task.
What should you do?

A. Add Victoria's domain user account to the Administrators group.
B. Add Victoria's user account to the Backup Operators group.
C. Assign the Allow - Full Control permission on the encrypted folders and files to Victoria.
D. Designate Victoria as a recovery agent for the encrypted files.

Answer: B

Explanation:
Members of the Backup Operators group can back up and restore files on all domain computers by using Windows Backup, regardless of the permissions that protect those files. This includes encrypted files. This does not mean that members of the Backup Operators group can open the files for reading or editing (unless the backup operator restores the files to another location with no file security).

Incorrect Answers:
A: The question states that Victoria must be assigned the minimum administrative privileges needed to complete this task. Adding Victoria's domain user account to the Administrators group would give her more administrative privileges than are needed.
C: Assigning the Allow - Full Control permission on the encrypted folders and files to Victoria would be giving her more administrative privileges than are needed.
D: It is not necessary to designate Victoria as a recovery agent for the encrypted files. This wouldn't give her access to back up the files because the files were encrypted before she became a recovery agent. This would also give her more administrative privileges than are needed, as she will be able to decrypt any files encrypted in the future.

QUESTION NO: 16
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. All confidential company files are stored on a file server named TestKing1.
The written company security policy states that all confidential data must be stored and transmitted in a secure manner. To comply with the security policy, you enable Encrypting File System (EFS) on the confidential files. You also add EFS certificates to the data decryption field (DDF) of the confidential files for the users who need to access them.
While performing network monitoring, you notice that the confidential files that are stored on TestKing1 are being transmitted over the network without encryption.
You must ensure that encryption is always used when the confidential files on TestKing1 are stored and transmitted over the network.
What are two possible ways to accomplish this goal? (Each correct answer presents a complete solution. Choose two.)

A. Enable offline files for the confidential files that are stored on TestKing1, and select the Encrypt offline files to secure data check box on the client computers of the users who need to access the files.
B. Use IPSec encryption between TestKing1 and the client computers of the users who need to access the confidential files.
C. Use Server Message Block (SMB) signing between TestKing1 and the client computers of the users who need to access the confidential files.
D. Disable all LM and NTLM authentication methods on TestKing1.
E. Use IIS to publish the confidential files. Enable SSL on the IIS server. Open the files as a Web folder.
Answer: B, E

Explanation:
We can use IPSEC or SMB to encrypt network traffic. We can use SSL to secure the files.
IPSec is a TCP/IP security mechanism that provides machine-level authentication, as well as data encryption, for virtual private network (VPN) connections that use Layer 2 Tunneling Protocol (L2TP). IPSec negotiates between a computer and its remote tunnel server before an L2TP connection is established, which secures both passwords and data.
The MS thumb rule is less administrative effort.
According to the MS FAQs, some questions can have two valid answers. In this case C and E can both be valid answers.
What should be kept in mind is whether SMB signing is a valid option or not, because they do not tell us if they are forcing the secure channel setting on the clients or server:
Secure channel: Digitally encrypt or sign secure channel data (always): Enabled
SMB signing: By default, domain controllers running Windows Server 2003 require that all clients digitally sign SMB-based communications. The SMB protocol provides file sharing, printer sharing, various remote administration functions, and logon authentication. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer for some clients running older operating system versions. Client computers running Windows for Workgroups, Windows 95 without the Active Directory client, and Windows NT 4.0 Service Pack 2 (or earlier) do not support SMB signing. They cannot connect to domain controllers running Windows Server 2003 by default.

Reference:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 763

QUESTION NO: 17
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003. The domain contains two domain controllers named Testking1 and Testking2. You use a Windows XP Professional client computer named Client1.
In Active Directory, the domain administrator creates two new user accounts named NetAdmin1 and AdminUser1. The NetAdmin1 account is a member of the Domain Admins global group. The AdminUser1 account is a member of only the Users local group. You assign the AdminUser1 logon account the Allow log on locally user right in the Default Domain Controller Group Policy object (GPO).
A new written security policy states that user accounts that are member of the Domain Admins global group should not be used to log on to the console of a domain controller. It also states that administrative tasks should be performed by using the Secondary Logon service.
You need to create a new computer account in Active Directory, and you must comply with the new company security policy.
What should you do?

A. Log on to Testking1 by using the AdminUser1 user account. Run the dsa.msc command.
B. Log on to Testking1 by using the NetAdmin1 user account. Run the dsa.msc command.
C. Log on to Client1 by using the AdminUser1 user account. Run the runas /user:netadmin1 dsa.msc command.
D. Log on to Client1 by using the NetAdmin1 user account. Run the runas /user:adminuser1 dsa.msc command.

Answer: C

Explanation:
To create a new computer account in Active Directory, we need to open Active Directory Users and Computers. One way to open Active Directory Users and Computers is to run the dsa.msc command.
In this question, the written security policy states that user accounts that are member of the Domain Admins global group should not be used to log on to the console of a domain controller. Assuming the client computer Client1 has the admin tools installed, we can run Active Directory Users and Computers on the client computer. However, Active Directory Users and Computers needs to be run under the security context of a domain administrator account. We can do this by running the runas /user:netadmin1 dsa.msc command to open Active Directory Users and Computers. As netadmin1 is a member of the domain admins group, we will be able to create computer accounts whilst logged in to client1 using a non-administrator account.

Incorrect Answers:
A: We need to run dsa.msc under the security context of a domain administrator account. AdminUser1 is not a member of the domain administrators group.
B: The written security policy states that user accounts that are member of the Domain Admins global group should not be used to log on to the console of a domain controller.
D: We need to run dsa.msc under the security context of a domain administrator account. AdminUser1 is not a member of the domain administrators group. We could however just log in to client1 with the netadmin1 account and run dsa.msc. It would then run under the NetAdmin1 (administrator) login.

QUESTION NO: 18
You are the network administrator for TestKing. All network servers run Windows 2003. The network includes a file server named TestkingA.
You enable shadow copies on TestkingA and configure them to run every night at midnight. Then you create a shared folder on Server1 and map a network drive to the folder, as shown in the exhibit.
A user named Roger deletes the Graphics folder by using a mapped shared folder on his client computer. The next morning, Roger edits files in the Files folder. Now Roger requires access to the contents of the Graphics folder.
You need to recover the lost data in the Graphics folder. You must ensure that you do not affect any other work done by Roger.
What should you do?

A. In the properties of the User Data folder, restore the most recent previous version.
B. In the properties of the Marketing folder, restore the most recent previous version.
C. Restore the Graphics folder from the Recycle Bin on Roger's computer.
D. Restore the Graphics folder from the Recycle Bin on TestkingA.
Answer: B

Explanation:
The Graphics folder is a subfolder of the Marketing folder. The only change to the Marketing folder was the deletion of the Graphics folder. Therefore, we can restore the Graphics folder by restoring a previous version of the Marketing folder.

Incorrect Answers:
A: Restoring a previous version of the User Data folder will overwrite the changes to the files in the Files folder.
C: permanently deleted.
D: permanently deleted.

QUESTION NO: 19
You are the domain administrator for TestKing's Active Directory domain. The domain consists of four domain controllers named TestkingDC1, TestkingDC2, TestkingDC3, and TestkingDC4.
TestkingDC1 and TestkingDC2 run Windows 2000 Server and have the latest service pack installed. TestkingDC3 and TestkingDC4 run Windows Server 2003. All client computers run Windows XP Professional and have the latest service pack installed.
You have a new client computer that you plan to use to perform domain administration functions. You need to be able to manage Active Directory users and computers remotely.
What should you do?

A. Install the Windows Support Tools from the Windows Server 2003 installation CD on your client computer.
B. Install the Adminpak.msi file from the Windows Server 2003 installation CD on your client computer.
C. Use the Help and Support Center tools on your client computer to connect to the domain controller that you need to manage.
D. Use Computer Management on your client computer to connect to the domain controller that you need to manage.

Answer: B

Explanation:
The Administration Tools Pack (Adminpak.msi) allows you to install the Windows Server management tools onto a computer running Windows XP Professional or a Windows Server 2003 family operating system to perform remote server management functions.
The Adminpak.msi (Adminpak) file is a self-extracting file that contains commonly used administrative tools. The Adminpak.msi file is located in the \I386 folder on the Windows Server 2003 CD-ROM or as a separate Web download package.
The adminpak.msi package includes tools such as Active Directory Users and Computers, which would enable you to manage users and computers remotely as required in this question.

QUESTION NO: 20
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.
You install the Remote Administration tools on server named TestKing6, selecting all default settings.
In Internet Explorer, you type https://TestKing6/admin. You receive the following error message: "HTTP Error 404 - File or directory not found."
You open IIS Manager and see the configuration shown in the exhibit.
You need to ensure that you can use Internet Explorer to administer TestKing6.
What should you do?

A. In Internet Explorer, type http://testking6:8099
B. In Internet Explorer, type http://testking6
C. Install the Remote Desktop Connection subcomponent of the World Wide Web services.
D. In Internet Explorer, type https://testking6:8098
E. In Internet Explorer, type https://testking6

Answer: D

Explanation:
The remote administration connection is using SSL (the address starts with https). You should type https://testking6:8098 to make sure that you can make use of Internet Explorer to administer TestKing6, since the SSL port is 8098 as shown in the exhibit. You must use a secure connection. The :8098 in the URL directs the browser to connect to port 8098 on the server instead of the default port 443.

Incorrect answers:
A: The remote administration connection needs to use SSL for a secure connection. Therefore, we need to connect using https to the SSL port on the server.

B: The remote administration connection needs to use SSL for a secure connection. Therefore, we need to connect using https to the SSL port on the server.
C: The Remote Desktop Connection subcomponent of the World Wide Web services is already installed. We know this because we can see the 'tsweb' folder.
E: https://testking6 will connect to testking6 using the default SSL port which is 443. port number in the URL.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 591-593, 647

QUESTION NO: 21
You are the network administrator for the TestKing.com Active Directory domain. The domain includes Windows Server 2003 domain controllers and Windows XP Professional client computers.
A new administrator named Sandra is hired to assist you in deploying Windows XP Professional to 100 new computers. Sandra installs the operating system on a new computer named TestKing11. However, when Sandra tries to log on to the domain from TestKing11, she is unsuccessful. The logon dialog box does not allow her to view and select the domain name.
You need to ensure that Sandra can log on to the domain from TestKing11.
What should you do?

A. Enable the computer account for Testking11.
B. Configure TestKing11 as a member of the domain.
C. Add Sandra's user account to the Enterprise Admins group.
D. Add Sandra's user account to the Server Operators group.

Answer: B

Explanation:
Sandra is unable to log on to the domain from TestKing11 because the computer isn't a member of the domain. By default, a newly installed client computer will be a member of a workgroup named WORKGROUP.
Therefore, the solution is to configure TestKing11 as a member of the domain. The domain name will then appear in the logon dialog box and Sandra will be able to log on using a domain user account.

Incorrect Answers:
A: The problem isn't a disabled computer account. The problem is that the computer is not a member of the domain.
C: It is not necessary to add Sandra to the Enterprise Admins group.
D: It is not necessary to add Sandra to the Server Operators group.

QUESTION NO: 22
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains. You have not modified the default Active Directory site configurations. The functional level of both domains is Windows 2000 native. Servers run either Windows Server 2003 or Windows 2000 Server.
TestKing's internal domain is named testking.local. Testking's external domain is named extranet.testking.com. The external domain is accessed only by TestKing's business partners.
You install a Windows Server 2003 computer named Testking7 in the extranet.testking.com domain. You install and configure Terminal Services on Testking7. Testking7 is configured as a member server in the domain. You install a secure database application on Testking7 that will be accessed by TestKing's business partners.
A few months later, users report that they can no longer establish Terminal Services session to Testking7. You verify that only the default ports for HTTP, HTTPS, and Terminal Services on your firewall are open to the Internet.
You need to ensure that TestKing's business partners can establish Terminal Services sessions to Testking7.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Install Terminal Services Licensing on a Windows 2000 Server computer in testking.local. Configure the computer as an Enterprise License Server.
B. Install Terminal Services Licensing on a Windows 2000 Server computer in extranet.testking.com. Configure the computer as an Enterprise License Server.
C. Install Terminal Services Licensing on a Windows Server 2003 computer in extranet.testking.com. Configure the computer as an Enterprise License Server.
D. Install Terminal Services Licensing on a Windows Server 2003 computer in testking.local. Configure the computer as an Enterprise License Server.
E. Instruct TestKing's business partners to connect by using the Terminal Services Advanced Client (TSAC) over HTTPS.

Answer: B, C

Explanation:
Clients connecting to a Windows 2000 terminal server from a Windows 2000 Professional computer are not required to purchase a license, as Windows 2000 Pro includes a Terminal Services CAL. However, you still must set up a licensing server. In Windows Server 2003, Remote Administration mode has been renamed to Remote Desktop for Administration and it is installed by default. This works like the Remote Desktop feature in Windows XP. As in Windows 2000, you are still limited to two simultaneous remote desktops at a time. However, there is one improvement: you can now take over the local console session.

Incorrect answers:
A: Installing Terminal Services on Testking.local will not enable TestKing's business partners to establish terminal service sessions on Testking7.
D: Installing Terminal Services on Testking.local, even if it is a Windows Server 2003 machine, will not enable TestKing's business partners to establish Terminal Service sessions.
E: With the release of the Terminal Services Advanced Client (TSAC) as a ValueAdd component on Microsoft Windows 2000 Server, Service Pack 1, the Terminal Services solution is now extended to the Web.
(or eBample, organi0ations needing to deplo line of business applications to remote offices can do so b means of a Terminal ser%er and a !eb ser%er running A$5 pages, such as the sample pages supplied with the T$A.. 'n the client side, all that is needed is &nternet 3Bplorer, a connection to the !orld !ide !eb, and appropriate access rights, howe%er this is not applicable in this scenario. De$erences: Deborah 4ittle)ohn $hinder and Dr. Thomas !. $hinder, M.$AHM.$3 3Bam G"22="9 Managing and Maintaining a !indows $er%er 2""3 3n%ironment $tud Cuide L D?D Training $ stem, p. 3=. QUESTION NO: 2, You are the net"or0 administrator $or TestBing The net"or0 contains a !indo"s Ser/er 2==, com#uter named Test0ing< You bac0 u# the data $olders on Test0ing< by using the $ollo"ing schedule: 1. Normal bac0u# e/ery ?onday 2. Incremental bac0u#s e/ery Tuesday* !ednesday* Thursday* and Eriday ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;;G 2 )$ter the bac0u# on Eriday is com#leted* a user accidentally deletes a $ile $rom a data $older on Ser/er< The user re#orts that he modi$ied the $ile in the #ast "ee0* but he does not 0no" "hich day he modi$ied the $ile You do not 0no" "hen the $ile "as last bac0ed u# You need to restore the latest co#y o$ the $ile as quic0ly as #ossible !hat should you do% A. 'pen the bac/up log for each da . 1egin b opening the log for Monda , and then wor/ forward through the logs for each da of the wee/. &n each log, search for a bac/up of the file. Restore the first bac/up that ou find. 1. 'pen the bac/up log for each da . 1egin b opening the log for Tuesda , and then wor/ forward through the logs for each da of the wee/. &n each log, search for a bac/up of the file. Restore the first bac/up that ou find. .. 'pen the bac/up log for each da . 1egin b opening the log for (rida , and then wor/ bac/ward through the logs for each da of the wee/. 
In each log, search for a backup of the file. Restore the first backup that you find.
D. Restore the file from the Monday, Tuesday, Wednesday, Thursday, and Friday backups, in that order.
E. Restore the file from the Monday backup, and then from the Friday backup.

Answer: C

Explanation: A full backup is taken every Monday. This will back up every file on the server. An incremental backup is taken every day after that. An incremental backup will back up every file that has changed since the full backup. As we don't know which day the file was edited, we don't know which day it was backed up.

Therefore, we need to look at the latest backup (Friday's) and work backward through the logs for each day of the week (Thursday then Wednesday then Tuesday etc). The first copy of the file we find will be the latest version of the file. This is the file we need to restore.

Incorrect Answers:
A: We need to find the latest version of the file. The first copy we find may not be the work backward from the last backup to the first backup.
B: We need to find the latest version of the file. The first copy we find may not be the work backward from the last backup to the first backup.
D: This would work as each later version of the file would overwrite the previous older version. However, this is not the quickest way of restoring the latest version of the file.
E: The Friday backup may not contain a copy of the file. The incremental backup will only back up the file on the day it was edited.

QUESTION NO: 24
You are the domain administrator for TestKing's Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. A newly installed server was added to your domain. You need to administer this server remotely from your client computer. You need to configure the new server to ensure that it can be administered remotely. What should you do?
A. Install Terminal Server Licensing. Restart the server.
B. Modify the system properties for the server. Enable Remote Desktop for the server by selecting the Allow users to connect remotely to this system check box.
C. Start the Remote Access Connection Manager service and then configure the service to start automatically.
D. Modify your user account properties to enable you to connect to the terminal server.
Answer: B

Explanation: Remote Desktop connections are not allowed by default. To remotely administer Windows 2003 servers, you need to log in locally to the server and enable Remote Desktop for the server by selecting the Allow users to connect remotely to this system check box in the system properties.

Incorrect Answers:
A: You don't need Terminal Server Licensing to use remote desktop connections for administration. Two concurrent RDP sessions are allowed for administration without the need to purchase Terminal Server licensing.
C: You do not need to manually configure this service. This service is configured when you enable remote desktop connections.
D: You don't need to modify your account settings. As domain administrator, you will already have permissions to connect to the terminal server.

QUESTION NO: 25
You are the network administrator for TestKing. All servers run Windows Server 2003. A server named Testking6 runs IIS. On Testking6, you create a new Web site named Marketing. Users report that they cannot connect to the Marketing Web site. When you attempt to start the Marketing Web site, you receive an error message. You view the IIS configuration shown in the exhibit. You need to configure IIS to allow the Marketing Web site to start. Which action or actions should you perform? (Choose all that apply.)
A. Disable the IIS Administration Web site.
B. Change the port value of the IIS Administration Web site to an available port.
C. Assign a unique host header to the Marketing Web site.
D. Change the port value of the Marketing Web site to an available port.
E. Assign a Web server certificate to the Marketing Web site.
Answer: C, D

Explanation: When you have multiple web sites running on one web server, you need a way to distinguish between the sites so that the web server knows which web site the client wants to connect to. There are three ways to do this. You can assign a

unique IP address to each site. Another way is to assign a unique port number to each site. A third way is to assign a unique 'host header' to each site. The host header method is the method most commonly used on the internet. Using the www.testking.com. The client will then be directed to the web site configured to use that name. otherwise, the client will use the default port 80. We can tell from the exhibit that we're not using the IP address method because the IP address configured for each site is "All Unassigned" which means that any IP address configured on the server (that isn't specifically assigned to a web site) will be used.

QUESTION NO: 26
You are the network administrator for TestKing. All servers run Windows 2003. All client computers run Windows XP Professional. You log on to a server named Testking15 by using the local Administrator account. You start the installation of a new server application. After you start the installation, you return to your office, which is located in another building. You need to find out the status of the installation that is in progress on Testking15. What should you do?
A. Select the Remember server connections option in Terminal Service Manager.
B. Use Terminal Service Manager to connect to Testking15.
C. Use Remote Assistance from a client computer.
D. Use the Remote Desktop Client to connect to the console session on Testking15.
Answer: D

Explanation: When you log in to a computer locally, you are using the "console session". When you connect to a server using a Remote Desktop connection, by default you will open another session with another desktop and working environment which means you won't see the program being installed in the console session. You can however use a Remote Desktop connection to connect to the console session of the server. To do this, you need to open the Remote Desktop client by typing mstsc /console at the Run prompt. By connecting to the console session, you see the same desktop and programs running as you would if you were logged in locally.

QUESTION NO: 27
You are the network administrator for TestKing. Your network consists of a single Active Directory domain. You manage a Terminal Server farm that includes five terminal servers and a Terminal Services Licensing server named testking9. All servers run Windows 2000 Server. There are 2,500 users who log on to the terminal servers to access a custom human resource (HR) application. You install Windows Server 2003 on a new server named testking10. Testking10 is configured with all default settings enabled. You install Terminal Services and the HR application on testking10. You instruct some users to access the HR application on testking10. Four months later, users report that they can no longer establish Terminal Services sessions to testking10. You verify that users can connect to the other terminal servers in your Terminal Server farm. You need to ensure that users can run the HR application on all terminal servers on the network. What should you do?
A. On testking10, set the License Logging service to Automatic, and then start the service.
B. On testking10, install Terminal Service Licensing. Activate the Terminal Services Licensing server.
C.
Install Windows Server 2003 on all domain controllers on the network.
D. Deactivate and activate Terminal Service Licensing on Testking9.

Answer: B

Explanation: The reason the users can no longer connect is that the time period to use Terminal Services in application mode has expired. A terminal server allows clients to connect without license tokens for 120 days before it requires communicating with a license server. The license server grace period ends after 120 days, or when a license server issues a permanent license token through the terminal server, whichever occurs first. Therefore, if the license server and terminal server are deployed at the same time, the terminal server grace period will immediately expire after the first permanent license token has been issued.

A Terminal server running Windows Server 2003 must be licensed with one of the following:

1. Windows Server 2003 Terminal Server Device Client Access License.
2. Windows Server 2003 Terminal Server User Client Access License.
3. Windows Server 2003 Terminal Server External Connector.

Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 9

QUESTION NO: 28
You are the network administrator for TestKing. The network contains a Windows Server 2003 computer named testking1, which hosts a critical business application named Salesapp. Testking1 has one disk that contains a single NTFS volume. Five days ago, the System State of testking1 was backed up, and an Automated System Recovery (ASR) backup was created. No additional backups were performed. Subsequently, many changes were made to the Salesapp data files. You apply an update to the application, which requires you to restart testking1. Windows startup terminates with a Stop error. You restart the computer and boot to a floppy disk. A utility on this disk gives you read-only access to the NTFS file system. You discover that one of the dll files for the Salesapp application is corrupted. The corrupted file is stored in the C:\Windows\System32 folder. You need to restore the corrupted file. You need to avoid losing any changes made to the data files on testking1. What should you do on TestKing1?
A. Perform the ASR restore procedure.
B. Restart Windows by using the Last Known Good configuration option.
C. Start the Recovery Console and replace the corrupted .dll file with a copy from the Salesapp CD-ROM.
D. Reinstall Windows Server 2003. Do not format any volumes.
Answer: C

Explanation: The solution to this problem is simplified by the fact that we know the cause of the 'Stop' error, a corrupted dll file. Therefore we just need to replace the corrupted dll file with a copy from the Salesapp CD-ROM. We can do this using the Recovery Console. The Recovery Console can be accessed as a startup option if it is installed or it can be accessed by booting the computer with a Windows CD-ROM. The Recovery Console will give us write access to the NTFS file system and access to the CD-ROM thus enabling us to copy the dll file from the Salesapp CD-ROM to the appropriate location on the hard disk.

Incorrect Answers:
A: It is not necessary to restore the system using an ASR restore procedure. We just need to replace one file - the corrupted dll file.
B: The Last Known Good configuration option is used to restore the registry to its state at the time of the last successful logon. It will not make any changes to the corrupted dll file.
D: It is not necessary to reinstall Windows Server 2003. We just need to replace one file - the corrupted dll file. Furthermore, reinstalling Windows Server will not replace the corrupted dll file.

QUESTION NO: 29
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All network servers run Windows 2003, and all client computers run Windows XP
Professional. A file server named testking2 is configured as a stand-alone Distributed File System (DFS) root. The disk configuration of testking2 is shown in the following table.

Disk    Volume   Contents
Disk0   MAIN     System files
Disk1   DATA     Database files
Disk1   USERS    Files and data for users

USERS hosts a shared folder named User Data. You use Group Policy to deploy the Previous Versions client software to all client computers. However, users report that they cannot access any previous versions of any of the files in User Data. From your client computer, you open the Properties dialog box of User Data, as shown in the exhibit.

You need to enable all users to access previous versions of the files in User Data. To achieve this goal, you will modify testking2. What should you do?
A. Start the Distributed Link Tracking Client Service.
B. Create a DFS link to User Data.
C. Enable shadow copies on USERS.
D. Disable quota management on USERS.

Answer: C

Explanation: The Volume Shadow Copy Services allows you to create a snapshot (an exact copy) of volumes on your servers. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. To be able to save previous versions of files, you need to enable Shadow Copies. After you enable shadow copies on the server and install the shadow copy client software on the desktop computers, end users can right-click on a file and view previous versions that were backed up via shadow copies. They can then keep the current version of the file or roll back to an early version.

QUESTION NO: 30
You are the domain admin for Testking's Active Directory domain. You use a Software Update Services (SUS) server to manage the security updates for all servers that run Windows Server 2003. You need to install three critical security hotfixes from Microsoft. One of the hotfixes cannot be installed in the current production environment because the hotfix causes a custom application to stop responding. You need to install two of the three hotfixes during a maintenance session tomorrow at 2:00 A.M. You need to automate the installation process. What should you do?
A. Schedule a task by using Task Scheduler on each server. Set the task to run Wupdmgr.exe at 2:00 A.M.
B. Synchronize the SUS server. Approve only the updates that you want to install.
Configure the SUS Group Policy setting to check for updates at 2:00 A.M.
C. On the SUS server, run the wmic qfe command, and then run the net time /setntp:0200 command.
D. On the SUS server, edit the History-approve.xml file to include only the updates that you want to install. Then use the AT command to schedule Sus10sp1.exe to run at 2:00 A.M.

Answer: B

Explanation: Synchronizing the SUS server will ensure that it has all available updates from the Microsoft update servers. We need to schedule the installation of the updates to occur during the maintenance session tomorrow at 2:00 A.M. We can configure the automatic updates client software on the client computers to install the updates at 2:00 A.M. by configuring the SUS Group Policy setting to check for updates at 2:00 A.M. Only approved updates are installed so to ensure that only two of the updates are deployed, we just need to approve the two updates and not approve the third update.

QUESTION NO: 31
You are the network administrator for TestKing. The network consists of a single Active Directory domain. A member server named Testking1 runs Windows Server 2003 and Software Update Services (SUS). You perform a full backup of Testking1 every night. Testking1 fails unexpectedly and cannot be restarted. As a result, automatic updates are no longer distributed within the domain. You need to restore the functionality of Testking1. First, you install Windows Server 2003 on a new computer and configure it as a member server. You name the new computer Testking1 and install all IIS components that were installed on the original Testking1. Then you install SUS and obtain the most recent successful backup of the original Testking1. Which two additional actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A.
Use the backup to restore C:\inetpub, C:\windows\WinSxS, and C:\WUTemp.
B. Use the backup to restore C:\inetpub, C:\SUS\Content, and C:\windows\system32\inetsrv\Metabase.
C. Use IIS Manager to restore the metabase configuration.
D. Use IIS Manager to create a new virtual root named Content for C:\SUS\Content.

E. Use the Services snap-in to restart SUS.
F. Use the Services snap-in to configure SUS to use the previous service account.

Answer: B, C

Explanation: Using NTBackup to restore SUS
In "Restore files to:", select Original Location, and click Start Restore. The Confirm Restore dialog box will be displayed. Click OK to begin the restore. After restoring the data to the hard disk, the IIS metabase needs to be restored. Open the IIS MMC snap-in, select the server to restore the metabase to, and from the Action menu select Backup/Restore Configuration. In the Backup/Restore Configuration dialog box, select the backup configuration that was just restored from tape and click Restore.

QUESTION NO: 32
You are the network administrator for TestKing. The network consists of a single Active Directory domain that contains five member servers running Windows 2000 Server. All five servers have CD-ROM drives and floppy disk drives. You purchase a new computer that has a CD-RW
drive. This computer does not currently have a floppy disk drive, but you plan to install one eventually. You install and configure Windows Server 2003 and Recovery Console on the new computer. You configure it as a member server named Testking6. Now you need to ensure that Testking6 can be restored in the event of an operating system failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Copy Asr.sif, Asrpnp.sif, and Autorun.exe from the appropriate directories on Testking6 to another server. Copy the same files to a CD-Rom.
B. Copy Asr.sif and Asrpnp.sif from the appropriate directory on Testking6 to another server. Copy the same files to a floppy disk.
C. Start the Automated System Recovery wizard on Testking6.
D. Start the Create an Emergency Repair Disk wizard on Testking6.
E. Copy Autoexec.nt, Config.nt, Setup.log, and Autorun.exe from the appropriate directories on Testking6 to another server. Copy the same files to a CD-Rom.
F. Copy Autoexec.nt, Config.nt, and Setup.log from the appropriate directories on Testking6 to another server. Copy the same files to a floppy disk.

Answer: B, C

QUESTION NO: 33
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All network servers run Windows Server 2003 and all client computers run Windows XP Professional. Terminal Services is installed on a member server named Testking1. Currently, 30 active terminal server sessions are connected to Testking1. An unforeseen hardware upgrade will require shutting down the server. You need to provide a two-minute warning about the shutdown to all active terminal sessions. First, you log on to Testking1 as an administrator. What should you do next?
A. From a command prompt, run the tsdisconn command.
B.
From a command prompt, run the net send /users command to send a warning message. After two minutes, manually shut down Testking1.
C. From a command prompt, run the tsshutdn 120 /server:Testking1 command.
D. Run Tsadmin.exe to disconnect all active sessions. After two minutes, manually shut down Testking1.

Answer: C

QUESTION NO: 34
You are the network administrator for TestKing. The network consists of a single

Active Directory domain. All 15 network servers run Windows Server 2003. Eric and Paul are the administrators responsible for backing up and restoring all servers. Both are members of a global group named BRTech. BRTech is a member of the local Backup Operators group on all 15 servers. Eric schedules a backup for a server named Testking2. The backup completes successfully and the backup file is stored as C:\Backupfiles\backup.bkf. The Scheduled Job Options dialog box for the backup is shown in the exhibit. Paul tries to restore the contents of the Backup.bkf to Testking2. However, he is unsuccessful. You need to enable Paul to restore the backup as quickly as possible. You must ensure that the minimum number of user rights are assigned to Eric and Paul. What should you do?
A. Assign the Allow - Read permission on Backup.bkf to Paul.
B. Assign the Allow - Read permission on Backup.bkf to BRTech.
C. Add Paul to the local Administrators group on Testking2.
D. Add BRTech to the local Administrators group on Testking2.

Answer: C

QUESTION NO: 35
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003, and all client computers run Windows XP Professional. Each domain server has a locally attached tape device. You need to back up each domain controller. Your backup process must fulfil the following requirements:
a. System recovery must be possible in the event of server failure.
b. The system configuration and all current dynamic disk configurations must be backed up.
c. Other data partitions do not need to be backed up.
What should you do?
A.
Use the Backup utility to back up the system files and to create an Automated System Recovery (ASR) disk.
B. Use the Backup utility to back up the contents of all mounted drives.
C. Use the Backup utility to back up only the System State data.
D. Use the Copy command to copy C:\windows and its subfolders to a shared folder on the network.
E. Use the Xcopy command to copy C:\windows and its subfolders to a shared folder on the network.

Answer: A

Topic 7: Simulation (13 Questions)

QUESTION NO: 1
SIMULATION
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains two domains named Africa and Australia. The functional level of both domains is Windows 2000 native. TestKing.com has multiple offices in Africa and Australia. User accounts are organized in the domains based on the users' geographical location. TestKing.com uses Microsoft Exchange 2000 Server for e-mail. A group named Sales is used to send e-mail messages to the users in the sales department in the Cape Town office. You need to configure the Sales group so that it can include users in the Australia domain. You also need to configure the Sales group so that it can be used to control access to the HR folder on the file server. In addition, you need to add to the Sales group a user named Tess King, who is a new employee in the sales department in the Cape Town office. What should you do? Take the appropriate actions in the simulation window.

Simulation Windows

Answer:
Step #1

Open the Users container in the Africa domain and go into the properties of the Sales group. The sales group is likely to be a global distribution group because it is used to send email.
To add users from the other domain, the group needs to be changed to a universal group. To access the file server, the group needs to be a security group.
To add Tess to the group, click the members tab, click add and type Tess.

QUESTION NO: 2
SIMULATION
You are the administrator of a Windows Server 2003 computer named TestKing5. TestKing5 functions as a file server for TestKing.com's Sales and Human Resources (HR) departments. On TestKing5 you create a share named Sales on the C:\Sales folder, and you create a share named TestKing on the C:\Company\TestKing folder. Users who are members of the SalesGroup need to be able to create and modify files in the C:\Sales folder. These users also need to be able to modify the permissions on all of the files in the C:\Sales folder. However, these users report that when they attempt to perform these tasks, they receive the following error message: "Access denied." Users who are members of the HRGroup group should only be able to read files that are in the
C:\Company\TestKing folder. However, some of the users in the HRGroup are occasionally able to modify those files. You need to resolve these problems by performing the following administrative tasks on TestKing5:
1. Correct the permissions on the Sales shared folder for the SalesGroup group.
2. Ensure that the TestKing share is the only point of access for the C:\Company\TestKing folder.
What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:
Step #1:
Step #2:
Step #3
Salesgroup needs to be able to modify the files in the Sales folder and to change permissions on the files. The question doesn't say Salesgroup should be able to change ownership of the files. Therefore, we can give Salesgroup full control then take away the change ownership permission to the Sales folder. Right click on the Sales folder and select properties. Click the security tab and grant the Salesgroup group full control permission.
Click Advanced, click Edit then take away the Take Ownership permission.

HRgroup needs read only permission to the TestKing folder. Right click on the TestKing folder and select properties. Click the security tab and remove the Full Control, Write and modify permissions.
We need to "ensure that the TestKing share is the only point of access for the C:\Company\TestKing folder". We can check for multiple shares on the Testking folder or the Company folder using the Shared Folders node in Computer management. The only share should be the "Testking" share. If the C:\Company folder is shared, we need to delete the share.

QUESTION NO: 3
SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. TestKing.com's written security policy states that passwords reset by help desk technicians should be set to Password12\, and users must change the password immediately after logging on. An employee named Tess King has been on vacation and has not had access to the network. She returns to the office and attempts to log on to the network. She receives the following error message: "Unable to log you on because your account has been locked out, please contact your administrator." Tess cannot remember her password. Sandra King works as a contractor for TestKing.com. Sandra's user account has expired. She will continue to work for TestKing.com, but she will work in the Foo Ltd., division. You need to ensure that both Sandra and Tess can access domain resources. You need to ensure that Sandra's user account will continue
functioning indefinitely, and that her user principal name (UPN) is changed to reflect the Foo Ltd., division. What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:
Step #1
Step #2
Step #3
Open Active Directory Users and Computers.
Step #4
Select the Sales OU. You can also try to open the Users OU first, it is not penalized, but Tess is not present there.
Step #5
We need to reset the password for the Tess King account. Right click on the Tess King user account object and select Reset Password. Type in the password of Password12\ and check the checkbox:
Step #6
We also need to unlock the Tess King account. Right click on the Tess King user account object and select properties. Click the Account tab. Clear the "Account is locked out check box".

Sandra's account has expired. We need to ensure that Sandra's user account will continue to function indefinitely, and that her user principal name (UPN) is changed to reflect the Foo Ltd. Right-click on Sandra's account and select Properties. Click the Account tab. In the "Account Expires" section, select "Never".

To change Sandra's user principal name (UPN), click the drop-down list and select foo.com from the domain list.

QUESTION NO: 4 SIMULATION

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Software Update Services (SUS) is installed on a single server named TestKing3. TestKing3 receives critical updates and security updates from Microsoft Windows Update servers.

A systems engineer installs and configures a server named TestKing5 as a second SUS server for the domain. You need to ensure that the new SUS server will automatically synchronize with TestKing3. You also need to approve the current list of updates that are available for the new SUS server and ensure that any revised updates are automatically approved. What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

Step #1: Double-click the Microsoft Software Update Services icon on the desktop to open the Software Update Services administration window.

Step #2: Click the "Set options" link on the left.

Step #3: Scroll down the right-hand pane and configure the following options and click Apply.

QUESTION NO: 5 SIMULATION

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003 and all client computers run Windows XP Professional. You are responsible for the day-to-day administration of user accounts for customer service employees in TestKing.com's Moscow office. You perform administrative tasks by using a server TestKing4. Each user is allowed to customize their desktop. A shared folder named Users on TestKing4 has been created to store user folders for customized desktop settings. You need to perform the following tasks:

1. Use Active Directory Users and Computers to set user accounts in the Sales OU to retain customized desktop settings, regardless of the client computer used. You want to achieve this goal by using the minimum amount of administrative effort.
2. Make the user profile named Tess King the default profile for any new user who logs on to TestKing4.

What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

The first requirement of this question states: Use Active Directory Users and Computers to set user accounts in the Sales OU to retain customized desktop settings, regardless of the client computer used. We can do this by configuring the user accounts in the Sales OU to use roaming user profiles.

Step #1: Open Control Panel.

Step #2: Open Administrative Tools.

Step #3: Open Active Directory Users and Computers.

Step #4: Select the Sales OU.

Step #5: Select all the user accounts in the Sales OU. Right-click and select Properties.

Step #6: On the Profile tab, enter the path for the roaming profiles. Then click OK.

The second requirement of the question states: Make the user profile named Tess King the default profile for any new user who logs on to TestKing4.
We can do this by copying the Tess King profile to the Default User profile.

Step #1: Open Control Panel.

Step #2: Open the System applet and select the Advanced tab. Click the Settings button for the User Profiles section.

Step #3: Select the Tess King profile and click Copy To.

Step #4: Click Browse.

Step #5: Browse to the Documents and Settings\Default User folder and click OK.

Step #6: Click the Change button.

Step #7: Type in Everyone and click OK.

Step #8: Click OK.

Step #9: Click the Yes button.

QUESTION NO: 6 SIMULATION

You are the network administrator for TestKing. You administer a file server named TestKing6. TestKing6 runs Windows Server 2003. Several users require access to resources on TestKing6. There are a number of existing share and NTFS permissions for the C:\TestKing and C:\Sales folders on TestKing6.

You need to modify the existing permissions to ensure the appropriate access for the users and groups listed in the following table.

Group or User     Access
SalesGroup        The ability to read files in the C:\TestKing shared folder
SalesUser         The ability to modify files in the C:\Sales shared folder
Administrators    The ability to full control over the files in the C:\TestKing shared folder

You want to use a single share permission entry for each shared folder. You must not change the access for any other user or groups. What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

Step #1: Open Local Disk (C:).

Step #2: Right-click on the TestKing folder, and select Sharing and Security.

Step #3: On the Sharing tab, click Permissions.

Step #4: Allow the Everyone group Full Control permission and click OK.

Step #5: Go to the Security tab and click the Advanced button.

Step #6: Untick the "Allow inheritable permissions" checkbox.

Step #7: Click Copy, then click OK to return to the permission dialog box.

Step #8: Ensure the Administrators group has Full Control permission and SalesGroup has Read permission.

Follow the previous steps to configure access to the Sales folder. The SalesUser account should have Modify permission on the folder.

QUESTION NO: 7 SIMULATION

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003 and all client computers run Windows XP Professional. Four of the client computers on the network are named TestKing1, TestKing2, TestKing3, and TestKing4.

You are responsible for the day-to-day administration of the computer objects in the domain. You need to use Active Directory Users and Computers to perform the following tasks:

1. Delete an obsolete computer account named TestKingA for a computer that has been rebuilt and renamed.
2. Reset the computer for TestKing2.
3. Move the TestKing3 and TestKing4 objects from the Computers container to the Sales OU.
4. Add TestKing1 to the Windows XP Client global security group.

What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

The first requirement of this question states: Delete an obsolete computer account named TestKingA for a computer that has been rebuilt and renamed.

Step #1: Open Control Panel.

Step #2: Open Administrative Tools.

Step #3: Open Active Directory Users and Computers.

Step #4: Select the Computers container, right-click on TestKingA and select Delete.

Step #5: Confirm.

The second requirement of this question states: Reset the computer for TestKing2.

Step #1: In Active Directory Users and Computers, right-click on TestKing2 and select Reset Account.

The third requirement of this question states: Move the TestKing3 and TestKing4 objects from the Computers container to the Sales OU.

Step #1: In Active Directory Users and Computers, select TestKing3 and TestKing4, right-click and select Move.

Step #2: Select the Sales OU and click OK.

The fourth requirement of this question states: Add TestKing1 to the Windows XP Client global security group.

Step #1: In Active Directory Users and Computers, double-click TestKing1.

Step #2: Select the Member Of tab and click the Add button.

Step #3: Type Windows XP Client for the group name and click OK.

Step #4: Click OK to close the Properties dialog box.

QUESTION NO: 8 SIMULATION

You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A file server in the data center is used to store customer data and large database reports that are generated daily. The disk that holds this data is near capacity. The system engineer wants to move data from a disk named Disk 0 to a new, recently installed Disk 1. Disk 1 has a single partition that is formatted as FAT32. The partition currently contains no data.

You need to configure Disk 1 so that it can be extended in the future to increase disk space without moving or deleting data. You also need to configure Disk 1 for optimum write performance. What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

We need to configure Disk 1 (partition F) so that we can extend it in the future without losing data. To do this, the disk must be a dynamic disk and the partition must be formatted with the NTFS file system. Furthermore, the partition needs to have been created on a dynamic disk, so we'll need to delete the existing partition, then convert the disk to a dynamic disk and then recreate the partition. The question states that the partition contains no data, so deleting the partition won't cause any data loss.

Step #1: Open Control Panel.

Step #2: Open Administrative Tools.

Step #3: Open Computer Management.

Step #4: Select Disk Management.

Step #5: Right-click on partition F and select Delete Partition.

Step #6: Confirm the deletion.

Step #7: Right-click on Disk 1 and select "Convert to dynamic disk".

Step #8: Ensure that Disk 1 is checked and click OK.

Step #9: Right-click on the unallocated disk space and select "New Volume".

Step #10: The New Volume wizard starts. Click Next.

Step #11: Select the maximum size.

Step #12: Accept the default drive letter and click Next.

Step #13: Click Next.

Step #14: Click Finish.

QUESTION NO: 9 SIMULATION

You are the network administrator for TestKing.com. You administer a Windows Server 2003 named TestKing7. TestKing7 functions as a file server for TestKing.com's Sales department. You need to perform the following tasks on TestKing7:

1. Create a share named TestKing on the C:\TestKing folder.
2. On the TestKing share, configure share permissions so that the SalesGroup has only the Allow-Read permission. No other groups should have access to the share.
3. Modify the existing share named Sales to the C:\Sales folder so that the share is hidden.
4. On the hidden share, configure share permissions so that the Administrators group has the Allow-Full Control permission. No other groups should have access to the share.

What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

The first requirement of this question states: Create a share named TestKing on the C:\TestKing folder. The second requirement states: On the TestKing share, configure share permissions so that the SalesGroup has only the Allow-Read permission. No other groups should have access to the share.

Step #1: Open Disk C:.

Step #2: Right-click on folder TestKing and select Properties.

Step #3: Click the Sharing tab, select Share this folder and enter the share name TestKing. Then click the Permissions button.

Step #4: Click Add.

Step #5: Type in SalesGroup and click OK.

Step #6: Select the Everyone group and click Remove.

Step #7: Click OK to close the dialog box.

Step #8: Click OK to close the dialog box.

The third requirement of this question states: Modify the existing share named Sales to the C:\Sales folder so that the share is hidden. We can do this by creating a new share named Sales$ and deleting the existing 'Sales' share (note: it is not possible to rename a share).

Step #1: Right-click on the Sales folder and select Properties. On the Sharing tab, click New Share.

Step #2: Enter the new share name and click OK.

Step #3: Select the existing Sales share from the drop-down list. Click the Remove Share button.

The fourth requirement of this question states: On the hidden share, configure share permissions so that the Administrators group has the Allow-Full Control permission. No other groups should have access to the share.

Step #1: Right-click on the Sales folder and select Properties. Go to the Sharing tab (if you closed the dialog box after the previous step). Click the Permissions button.

Step #2: Click Add.

Step #3: Type Administrators and click OK.

Step #4: Select the Full Control check box for the Administrators group.

Step #5: Select the Everyone group and click Remove.

Step #6: Click the OK button to close the dialog box.

Step #7: Click the OK button to close the dialog box.

QUESTION NO: 10 SIMULATION

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. TestKing operates call centers in multiple cities around the world. The network contains a Windows Server 2003 computer named TestKing6. All client computers run Windows XP Professional. You are responsible for creating and managing user accounts.

TestKing's written security policy states that new employees must create new personal and confidential passwords the first time they log on to the network. The fax number for employees whose user accounts are in the Sales OU has changed to (555) 555-5555. A new employee named Tess King is hired to work in TestKing's Oxfort office. You need to perform the following tasks:

1. Create a user account for Tess King in the Sales OU that contains the same information as the user for an employee named Anna Smith. The user name for Tess's account should be TessK. The password should be set to Password12\. Tess should be allowed to log on to only a single client computer, which is named TestKing1.
2. Ensure that all employees in the Sales OU have the correct fax number listed in their user accounts.

What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

The first requirement of this question states: Create a user account for Tess King in the Sales OU that contains the same information as the user for an employee named Anna Smith. The user name for Tess's account should be TessK. The password should be set to Password12\. Tess should be allowed to log on to only a single client computer, which is named TestKing1.

Step #1: Open Control Panel.

Step #2: Open Administrative Tools.

Step #3: Open Active Directory Users and Computers.

Step #4: In the Sales OU, right-click on the Anna Smith user object and select "Copy".

Step #5: Enter the information for Tess King and click Next.

Step #6: Enter Password12\ for the password and select the "User must change password at next logon" checkbox.

Step #7: Click Finish.

Step #8: Double-click the Tess King user object.

Step #9: On the Account tab, click the "Log On To" button.

Step #10: Select "The following computers", type in TestKing1 and click Add.

Step #11: Click OK to close the dialog box.

The second requirement of this question states: Ensure that all employees in the Sales OU have the correct fax number listed in their user accounts.

Step #1: Select all the user accounts in the Sales OU. Right-click and select Properties.

Step #2: Tick the Fax checkbox and enter the fax number, then click OK to close the dialog box.

QUESTION NO: 11 SIMULATION

You are the network administrator for TestKing.com. You administer a Windows Server 2003 computer named TestKing5. TestKing5 functions as a file server for TestKing's Sales department. You need to perform the following tasks on TestKing5:

1. Create a share named TestKing on the C:\TestKing folder.
2. On the TestKing shared folder, configure share permissions so that the SalesGroup group has the Allow-Full Control permission.
3. On the TestKing shared folder, configure share permissions to prevent a member of the SalesGroup named SalesUser from making modifications to any documents in the shared folder without impacting SalesUser's access to other resources. SalesUser must continue to be able to read files in the TestKing shared folder.

What should you do? Take the appropriate actions in the simulation window.

Simulation Window

Answer:

Step #1: Open the C: disk.

Step #2: Right-click on the TestKing folder and select Sharing and Security.

Step #3: Select "Share this folder". Accept the default share name and click the Permissions button.

Step #4: Click Add.

Step #5: Type in SalesGroup and click OK.

Step #6: Allow Full Control permission for SalesGroup.

Step #7: Select the Everyone group and click Remove, then click OK to close the dialog box.

Step #8: On the Security tab, ensure that SalesGroup has Full Control permission to the folder. You may need to add the SalesGroup by clicking the Add button and typing in SalesGroup like we did in Step #5.

Step #9: Now we need to deny write permission to SalesUser. On the Security tab, click Add.

Step #10: Type in the name SalesUser and click OK.

Step #11. Select the Deny Write Permission, then click OK to close the dialog box.

QUESTION NO: 12 SIMULATION
You are the network administrator for TestKing.com. You administer a domain controller named TestKing7. TestKing7 runs Windows Server 2003.
You need to schedule a backup of TestKing7 to occur every Friday at 10:00 P.M. You need to be able to use a single backup to completely restore Active Directory on TestKing7. You do not want any of the backups to overwrite existing backups on the target media. The administrator password should be set to TestKing315\
Take the appropriate actions in the simulation window.
Simulation Window
Answer:
The question states: You need to be able to use a single backup to completely restore Active Directory on TestKing7. To do this, we need to back up the System State Data.
Step #1. To open the Backup utility, click Start > Programs > Accessories > System Tools > Backup.
Step #2. The Backup wizard will start. Click Next.
Step #3. Click Next.
Step #4. Select "Let me choose what to back up" and click Next.
Step #5. Expand My Computer and tick the System State checkbox. Click Next.
Step #6. Enter a path and filename for the backup. The question doesn't say where you should put the backup file, so any path and filename will do. Click Save.
Step #7. Click Next.
Step #8. Click Advanced.
Step #9. Ensure 'Normal' is selected for the backup type and click Next.
Step #10. Click Next.
Step #11. Click Next.
Step #12. Select 'Later', enter a name for the backup job and click the Set Schedule button.
Step #13. Enter the following schedule settings and click OK.
Step #14. Enter TestKing315\ for the administrator password and click OK.
Step #15. Click Next.
Step #16. Enter the Administrator account information again and click OK.
Step #17. Click Finish to complete the backup wizard.

QUESTION NO: 13 SIMULATION
You are the network administrator for TestKing.com. You administer a web server named TestKing5. TestKing5 runs Windows Server 2003.
You are required to configure the Default Web site on TestKing5 so that the Web site will not use more than 2048 Kbps of TestKing5's bandwidth, and so that the Web site can only be accessed by using port 8080. You also need to create a new Web site named Intranet by using the C:\Windows\System32\Inetsrv\Intranet.xml file on TestKing5.
Take the appropriate actions in the simulation window.
Simulation Window
Answer:
The first requirement of this question states: You are required to configure the Default Web site on TestKing5 so that the Web site will not use more than 2048 Kbps of TestKing5's bandwidth, and so that the Web site can only be accessed by using port 8080.
Step #1. Open Administrative Tools.
Step #2. Open Internet Services (IIS) Manager.
Step #3. Right click on the Default Web Site and select Properties.
Step #4. Change the TCP port number to 8080.
Step #5. On the Performance tab, select the checkbox to enable bandwidth throttling, enter 2048 for the value, then click OK to close the dialog box.
The second requirement of this question states: You also need to create a new Web site named Intranet by using the C:\Windows\System32\Inetsrv\Intranet.xml file on TestKing5.
Step #1. Right click on the Web Sites folder and select New > Web Site (from file).
Step #2. Click the Browse button and browse to C:\Windows\System32\Inetsrv\Intranet.xml.
Step #3. Click the Read File button.
Step #4. Select "Intranet" and click OK.
Step #5. You should now see the Intranet website in the website list.

Microsoft 70-291
Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Q&A with explanations
Version 90"0

Table of Contents
Topic 1, Implementing, Managing, and Maintaining IP Addressing (54 questions)
  Part 1: Configure TCP/IP addressing on a server computer. (9 questions)
  Part 2: Manage DHCP.
    A: Manage DHCP clients and leases. (7 questions)
    B: Manage DHCP Relay Agent. (3 questions)
    C: Manage DHCP databases. (3 questions)
    D: Manage DHCP scope options. (3 questions)
    E: Manage reservations and reserved clients. (1 question)
  Part 3: Troubleshoot TCP/IP addressing.
    A: Diagnose and resolve issues related to Automatic Private IP Addressing (APIPA). (questions)
    B: Diagnose and resolve issues related to incorrect TCP/IP configuration. (11 questions)
  Part 4: Troubleshoot DHCP.
    A: Diagnose and resolve issues related to DHCP authorization. (2 questions)
    B: Diagnose and resolve issues related to DHCP reservation configuration. (3 questions)
    C: Examine the system event log and DHCP server audit log files to find related events. (0 questions)
    D: Diagnose and resolve issues related to configuration of DHCP server and scope options. (7 questions)
    E: Verify that the DHCP Relay Agent is working correctly. (1 question)
    F: Verify database integrity. (0 questions)
Topic 2, Implementing, Managing, and Maintaining Name Resolution (101 questions)
  Part 1: Install and configure the DNS Server service.
    A: Configure DNS server options. (8 questions)
    B: Configure DNS zone options. (28 questions)
    C: Configure DNS forwarding. (22 questions)
  Part 2: Managing DNS.
    A: Managing DNS zone settings. (10 questions)
    B: Manage DNS record settings. (19 questions)
    C: Manage DNS server options. (2 questions)
  Part 3: Monitor DNS. Tools might include System Monitor, Event Viewer, Replication Monitor, and DNS debug logs. (11 questions)
Topic 3, Implementing, Managing, and Maintaining Network Security (56 questions)
  Part 1: Implement secure network administration procedures.
    A: Implement security baseline settings and audit security settings by using security templates and policies. (25 questions)
    B: Implement the principle of least privilege. (18 questions)
  Part 2: Monitor network protocol security. Tools might include the IP Security Monitor Microsoft Management Console (MMC) snap-in and Kerberos support tools. (7 questions)
  Part 3: Troubleshoot network protocol security. Tools might include the IP Security Monitor MMC snap-in, Event Viewer, and Network Monitor. (6 questions)
Topic 4, Implementing, Managing, and Maintaining Routing and Remote Access (38 questions)
  Part 1: Configure Routing and Remote Access user authentication.
    A: Configure remote access authentication protocols. (3 questions)
    B: Configure Internet Authentication Service (IAS) to provide authentication for Routing and Remote Access clients. (0 questions)
    C: Configure Routing and Remote Access policies to permit or deny access. (3 questions)
  Part 2: Manage remote access.
    A: Manage packet filters. (1 question)
    B: Manage Routing and Remote Access routing interfaces. (1 question)
    C: Manage devices and ports. (0 questions)
    D: Manage routing protocols. (4 questions)
    E: Manage Routing and Remote Access clients. (3 questions)
  Part 3: Manage TCP/IP routing.
    A: Manage routing protocols. (0 questions)
    B: Manage routing tables. (3 questions)
    C: Manage routing ports. (0 questions)
  Part 4: Implement secure access between private networks.
    A: Troubleshoot user access to remote access services. (8 questions)
    B: Diagnose and resolve issues related to remote access VPNs. (5 questions)
    C: Diagnose and resolve issues related to establishing a remote access connection. (3 questions)
    D: Diagnose and resolve user access to resources beyond the remote access server. (0 questions)
  Part 5: Troubleshoot Routing and Remote Access routing.
    A: Troubleshoot demand-dial routing. (3 questions)
    B: Troubleshoot router-to-router VPNs. (1 question)
Topic 5, Maintaining a Network Infrastructure (38 questions)
  Part 1: Monitor network traffic. Tools might include Network Monitor and System Monitor. (17 questions)
  Part 2: Troubleshoot connectivity to the Internet. (11 questions)
  Part 3: Troubleshoot server services.
    A: Diagnose and resolve issues related to service dependency. (6 questions)
    B: Use service recovery options to diagnose and resolve service-related issues. (questions)
Topic 6, Miscellaneous (78 questions)
Topic 7, Simulations (12 questions)
Total number of questions: 381

Topic 1, Implementing, Managing, and Maintaining IP Addressing (54 questions)
Part 1: Configure TCP/IP addressing on a server computer. (9 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. A Windows Server 2003 computer is configured as a print server for a print device that has a built-in network interface. Users of the print device report that they cannot print to it. You confirm that the correct IP address and drivers are being used. You suspect that there is a problem with the MAC to IP address resolution on the print server. You want to find out which MAC address the print jobs are being sent to.
Which command should you run on the print server?
A. net session
B. netstat.exe
C. netsh.exe
D. netcap.exe
Answer: D
Explanation: Netcap.exe is a command line tool that could be used to capture the network traffic. A filter can be created to be used during the capture to determine the MAC address the print jobs are being sent to. The Network Monitor Capture Utility (Netcap.exe) can be used to capture network traffic in Network Monitor. Netcap (.cap) files, you must use the full Network Monitor interface. Netcap is installed when you install the Support tools that are on the Windows XP CD-ROM. Netcap provides capture abilities that are similar to the version of Network Monitor that is included with Netcap installs the Network Monitor driver and binds it to all adapters when you first run the Netcap command.
Incorrect Options:
A: The net session command can be used to view the computer names and user names of users on a server, to see if users have files open, and to see how long each user's session has been idle. Net session manages server computer connections - used without parameters, net session displays information about all sessions with the local computer.
B: The netstat command is not a utility to use when troubleshooting NetBIOS names, but is used to show what ports your computer is listening on. -R is used to reload your LMHOSTS file located in %systemroot%\system32\drivers\etc., -r will show you which name resolutions have been answered via broadcasts, and which have been answered via a NetBIOS name server, -RR switch of the command utility refreshes your NetBIOS name with a configured WINS server.
C: The Network Shell utility (Netsh.exe) can perform a wide range of system configuration tasks. You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical information.
Reference:
Microsoft Knowledge Base: 306794: How to Install the Support Tools from the Windows XP CD-ROM
Network Monitor is provided with Windows Server products and Microsoft Systems Management Server (SMS). Microsoft Corporation, 200
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 686, 854-856, 926

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of two subnets. All client computers run Windows XP Professional and are located in one subnet. All servers run Windows Server 2003. All servers are located in a central data center that uses a single IP subnet. The data center contains the hosts shown in the following table.

Host name    Role                 IP address
Router1      Router               10.10.1.1
Router2      Router               10.10.1.2
Testking1    Domain controller    10.10.10.1
Testking2    Domain controller    10.10.10.2
Testking3    File server          10.10.11.1
Testking4    File server          10.10.11.2
Testking5    Mail server          10.10.255.1

You install Windows Server 2003 on a new computer in the data center. The computer is named Testking6 and will function as a database server. After installation, the database administrator makes some changes to the TCP/IP settings of Testking6 as shown in the following table.

Parameter          Value
IP address         10.10.1.3
Subnet mask        255.255.255.0
Default gateway    10.10.1.2

You discover that Testking6 cannot communicate with any of the other servers. You test network connectivity on Testking6 by using the ping command. When you attempt to ping Testking1, you receive the following error message: "Destination host unreachable". You verify that all other servers in the data center can communicate with the other servers and client computers. You need to ensure that Testking6 can communicate with all computers in the network.
What should you do?
A. Change the default gateway of Testking6 to 10.10.1.1.
B. Change the subnet mask of Testking6 to 255.255.0.0.
C. Change the IP address of Testking6 to 10.10.10.3.
D. Change the IP address of Testking6 to 10.10.11.3.
Answer: B
Explanation: Large networks are subdivided to create smaller subnetworks to reduce overall network traffic by keeping local traffic on the local subnet and sending all nonlocal traffic to the router. In order to create a subnetwork, we need to have a system for addressing that allows us to use the network ID and host ID within the class-based system. This is accomplished through the use of a subnet mask. To determine the appropriate custom subnet mask (typically referred to simply as subnet mask) for a network, you must first:
1. Determine the number of host bits to be used for subnetting.
2. Determine the new subnetted network IDs.
3. Determine the IP addresses for each new subnet.
4. Determine the appropriate subnet mask.

Incorrect Answers:
A: You need to assign the correct subnet mask to ensure connectivity.
C, D: The problem in this scenario is not a faulty IP address. It is the appropriate subnet mask that has to be determined to enable connectivity.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of two subnets connected by a router. All computers have static IP addresses. You add a new client computer named Testking1 to subnet A. The relevant portion of the network is configured as shown in the exhibit.
The workstation administrator informs you that Testking1 is incorrectly configured and cannot communicate with other hosts on the network. You need to configure Testking1 so that it can connect to all local and remote computers.
What should you do?
A. Change the default gateway IP address of Testking1 to 192.168.27.89.
B. Change the default gateway IP address of Testking1 to 192.168.4.254.
C. Change the subnet mask of Testking1 to 255.255.255.128.
D. Change the subnet mask of Testking1 to 255.255.255.192.
Answer: C
Explanation: It is evident from the exhibit that the file server and Testking1 have a different subnet mask. This is the reason why they cannot communicate with each other. You must therefore change the subnet mask of Testking1 to 255.255.255.128.
Incorrect Answers:
A, B: The problem is not the gateway IP address that is faulty, but rather the subnet mask.
D: This option suggests the correct object that has to be changed, but it gives the wrong subnet mask.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57

QUESTION NO: 4 CORRECT TEXT
You are the network administrator for the branch office of TestKing. The branch office network consists of 25 different subnets, each with a maximum of six computers. You plan to add no more than five subnets to the branch office network in the future. The central administrator has allocated the branch office the 192.168.2.0/24 network address. You configure the Internet Protocol (TCP/IP) properties on a new server named Testking1 as shown in the work area. You need to ensure that Testking1 can communicate with other servers on the network.
How should you configure the subnet mask on Testking1? To answer, type the appropriate subnet mask that should be used.
Answer: 255.255.255.248
Explanation: The network address is 192.168.2.0/24, which means 11111111.11111111.11111111.0 in binary. Therefore, you can use the last octet to configure the 30 subnets and 6 hosts in each subnet. You need only six host PCs. When you convert to binary, it is: 00000111. As a result, you use 3 bits. This leaves 5 bits for the subnets. 11111000 converted to decimal: 128+64+32+16+8=248, therefore the subnet mask will be: 255.255.255.248. You can determine the number of subnets by: 2 ^ 5 - 2 = 30 subnets.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57

QUESTION NO: 5

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com and a single subnet. All servers run Windows Server 2003. The network contains 150 client computers and 16 servers. All computers on the network use the 10.10.0.0/16 address scheme. Dr King, your manager, instructs you to place the 16 servers into a separate subnet that uses the 192.168.10 public addressing scheme. You must plan for a maximum of 30 servers in the future. You need to configure a new subnet mask. The subnet mask must allow a sufficient number of IP addresses for the existing servers and future growth. However, you want to conserve addresses as much as possible.
Which subnet mask should you use?
A. 255.255.255.224
B. 255.255.255.240
C. 255.255.255.248
D. 255.255.255.252
E. 255.255.255.25
Answer: A
Explanation: A 255.255.255.224 subnet mask gives five host address bits, so the maximum number of host addresses is 2 ^ 5 - 2 = 30 host addresses. Thus option A suggests the only subnet mask that will allow for sufficient IP addresses in case of further growth, whilst still conserving as many current addresses as possible.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 62

QUESTION NO: 6 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory name testking.com. The relevant portion of the network is shown on the exhibit.
You need to configure a server named TestKingA to use a valid static IP configuration. You need to enable TestKingA to communicate with all hosts on the network and on the internet. You want TestKingA to query the DNS server on the local subnet for name resolution. You also want to configure redundancy for name resolution.
What should you do? To answer, drag the appropriate IP addresses and Subnet masks to the appropriate places.
Answer:
Explanation: The Class C address 192.168.0.100 has to be the IP address to enable TestKingA to communicate with all hosts on the network and on the internet. The subnet mask for this Class C address is 255.255.255.0. The default gateway should be 192.168.0.1. To configure redundancy for name resolution, configure the preferred DNS server/primary address as 192.168.0.2, and the alternate DNS server/secondary address as 192.168.5.2.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 2, pp. 80-116

QUESTION NO: 7
You are the network administrator at the Mumbai office of TestKing.com. The network contains a Windows Server 2003 computer named TestKing5. TestKing5 is a critical file server. TestKing5 is configured with a DHCP client reservation. Users can successfully download FTP documents from TestKing5. The DHCP server fails. Users report that they cannot access resources on TestKing5. You want to configure TestKing5 so that it is available even if it is unable to obtain or renew a lease from the DHCP server.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure a static IP address.

1. 'n the Alternate .onfiguration tab of the &nternet 5rotocol *T.5H&5+ properties, configure &5 settings. .. .onfigure the DA.5 scope in the 1;=.2F-.".1. 2 1;=.2F-.2FF.2F- range. D. 'n the DA.5 ser%er, configure the DA.5 ""1 Resource 4ocation $er%ers reser%ation option for Test@ingF. )ns"er: )* + E3#lanation: !indo"s Ser/er 2==, includes the )lternate 'on$iguration $eature The !indo"s Ser/er 2==, ser/ers can be con$igured to use an alternate static I. con$iguration i$ a D:'. ser/er is una/ailable !hen a D:'. client determines that the D:'. ser/er is una/ailable* it "ill automatically change o/er and also con$igure the T'.KI. stac0 "ith the static address in$ormation s#eci$ied on the )lternate 'on$iguration tab o$ the Internet .rotocol &T'.KI.( #ro#erties Incorrect )ns"ers: ': Modif ing the DA.5 scope to the 1;=.2F-.".1. 2 1;=.2F-.2FF.2F- range will still be reliant on the DA.5 ser%er. D: .onfiguring the 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2" 2 DA.5 ""1 Resource 4ocation $er%ers reser%ation option for Test@ingF on the DA.5 ser%er will not ensure that Test@ingF will recei%e an &5 address or ha%e the &5 address renewed. De$erence: Q. .. Mac/in, &an Mc4ean, M.$AHM.$3 $elf25aced Training @it *eBam G"22=1+9 &mplementing, Managing, and Maintaining a Microsoft !indows $er%er 2""3 networ/ &nfrastructure, 5art 1, .hapter 2, pp. 11-, 11G QUESTION NO: 9 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com The net"or0 contains !indo"s Ser/er 2==, and !indo"s @. .ro$essional com#uters ) ser/er named TestBingS is con$igured as a D:'. ser/er and has been authori1ed The Telnet ser/ice is started on TestBingS You disco/er that the D:'. Ser/er ser/ice on TestBingD has sto##ed #ro/iding I. addresses to D:'. client com#uters on the net"or0 You log to a client com#uter named TestBing< The administrati/e tools are installed on TestBing< You o#en the D:'. 
console and attem#t to connect to TestBingD You recei/e the $ollo"ing error message: L'annot $ind the D:'. Ser/er L You are able to connect to TestBingD by running the #ing command You need to ensure that you can connect to the D:'. Ser/er ser/ice on TestBingD by using the D:'. console !hat should you do on TestBing<% A. 3stablish a Telnet session to Test@ingD. Run the net start dhcp command. 1. 3stablish a Telnet session to Test@ingD. Run the net start dhcpser%er command. .. 3stablish a Telnet session to Test@ingD. Run the ipconfig Hrenew command. D. Run the netsh dhcp ser%erWWtest/ingD show ser%er command. )ns"er: + E3#lanation9 Iou can start the DA.5 $er%er ser%ice b eBecuting the following command, at the command prompt. ,et $tart Dhcpser%er 4eading the wa in &T testing and certification tools, www.test/ing.com 2 21 2 Telnet is a protocol that enables an &nternet user to log on to and enter commands on a remote computer lin/ed to the &nternet, as if the user were using a teBt2based terminal directl attached to that computer. Telnet is part of the T.5H&5 suite of protocols. The term telnet also refers to the software *client or ser%er component+ that implements this protocol. Ci%en the fact that ou can ping Test@ingD ou should then establish a Telnet session to Test@ingD and then run the appropriate command. De$erence9 Q. .. Mac/in L &an Mc4ean, M.$AHM.$3 self2paced training /it *eBam G"22=1+9 implementing, managing, and maintaining a Microsoft !indows $er%er 2""3 networ/ infrastructure, Microsoft 5ress, Redmond, 2""-, p. G223 QUESTION NO: ; You are the net"or0 administrator $or TestBing com ) !indo"s Ser/er 2==, com#uter is con$igured as a #rint ser/er $or a #rint de/ice that has a built>in net"or0 inter$ace Users o$ the #rint de/ice re#ort that they cannot #rint to it You con$irm that the correct I. address and dri/ers are being used You sus#ect that there is a #roblem "ith the ?)' to I. 
address resolution on the print server. You want to find out which MAC address the print jobs are being sent to. Which command should you run on the print server?
A. net session
B. netstat.exe
C. netsh.exe
D. netcap.exe

Answer: D

Explanation: Netcap.exe is a command line tool that could be used to capture the network traffic. A filter can be created to be used during the capture to determine the MAC address the print jobs are being sent to. The Network Monitor Capture Utility (Netcap.exe) can be used to capture network traffic in Network Monitor. Netcap provides capture use the full Network Monitor interface. Netcap is installed when you install the Support tools that are on the Windows XP CD-ROM. Netcap provides capture abilities that are similar to the version of Network Monitor that is included with the Windows Server Network Monitor driver and binds it to all adapters when you first run the Netcap command.

Incorrect Options:
A: The net session command can be used to view the computer names and user names of users on a server, to see if users have files open, and to see how long each user's session has been idle. Net session manages server computer connections - used without parameters, net session displays information about all sessions with the local computer.
B: The netstat command is not a utility to use when troubleshooting NetBIOS names, but is used to show what ports your computer is listening on. -R is used to reload your LMHOSTS file located in %systemroot%\system32\drivers\etc., -r will show you which name resolutions have been answered via broadcasts, and which have been answered via a NetBIOS name server, -RR switch of the command utility refreshes your NetBIOS name with a configured WINS server.
C: The Network Shell utility (Netsh.exe) can perform a wide range of system configuration tasks. You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical information.
Reference: Microsoft Knowledge Base: 306794: How to Install the Support Tools from the Windows XP CD-ROM. Network Monitor is provided with Windows Server products and Microsoft Systems Management Server (SMS). Microsoft Corporation, 200
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 686, 854-856, 926

Part 2: Manage DHCP.
A: Manage DHCP clients and leases. (7 Questions)

QUESTION NO: 1
Network Topology Exhibit:
LAN Settings Exhibit:
You are the network administrator for TestKing.com. The network consists of a single Active directory domain named testking.com. The domain contains a Microsoft Internet Security and Acceleration (ISA) Server computer named TestKingISA and a DNS server named TestKingDNS. Both servers are Windows Server 2003 computers. The company redesigns its network addressing, and you change the static IP addresses for TestKingISA to the addresses shown in the Network exhibit. TestKingDNS contains the new host (A) resource records for TestKingISA. A Windows Server 2003 file server named TestKingServerA is on the 10.10.11.0 subnet. TestKingServerA has antivirus software installed that checks hourly for new virus definitions on a central antivirus server named WWW in the perimeter network. WWW is the Web server, and you can also access it through a Web page to perform manual virus definition updates. You find out about a new virus threat and want to immediately download the new update to TestKingServerA. You cannot access the WWW virus update Web site when you attempt to download a new virus update. The static TCP/IP
configuration on TestKingServerA uses DNSI as the preferred DNS server. You confirm that TestKingISA is configured properly. On TestKingServerA, you view the Internet Explorer LAN settings that are shown in the LAN Settings exhibit. You want to allow TestKingServerA to connect to WWW. What should you do?
A. On TestKingServerA, from a command prompt, run the ipconfig /flushdns command.
B. On TestKingServerA, in the LAN settings in Internet Explorer, select the Automatically detect settings check box.
C. On TestKingISA, from a command prompt, run the ipconfig /flushdns command.
D. On TestKingISA, from a command prompt, run the ipconfig /registerdns command.

Answer: A

Explanation: Running the ipconfig /flushdns command will flush and reset the DNS resolver cache which is necessary to allow connection. Run this command on TestKingServerA to connect to WWW.

Incorrect answers:
B: Selecting the "Automatically detect settings" checkbox is not going to allow TestKingServerA to connect to WWW.
C: The ipconfig /flushdns command flushes and resets the DNS resolver cache. This is not what is necessary.
D: The ipconfig /registerdns command refreshes all DHCP leases and registers any related DNS names. This option is available only on Windows 2000 and newer computers that run the DHCP Client service. This is not going to allow TestKingServerA to connect to WWW when it is run on TestKingISA.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, p. 311

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. One of the servers is configured as a DHCP server. The DHCP
server is configured with a single scope. You are configuring a new client computer named Testking1 on the network. You connect the network cable on Testking1 and attempt to connect to a server on the network. The connection fails. You open a command prompt on Testking1 and attempt to renew Testking1's IP address. You receive the following response:
A client computer named Testking2 can connect to the network. On Testking2, you run the ipconfig /renew command. Client2 receives an IP address renewal from the DHCP server. You need to ensure that Testking1 receives an IP address configuration from the DHCP server. What should you do?
A. Configure Testking1 with a static IP address.
B. Restart the DHCP service on the DHCP server.
C. Restart Testking1.
D. Add additional IP addresses to the scope on the DHCP server.

Answer: C

Explanation: It is probable that the TCP/IP stack has a problem because the computer is unable to send a DHCP discover broadcast packet. This can happen when you insert a network cable after the PC has been started. You should restart the client PC to successfully obtain a new IP address.

Incorrect Answers:
A: This would work, but the question states: You need to ensure that Testking1 receives an IP address configuration from the DHCP server.
B: This is unnecessary because TestKing2 did obtain an IP address from the DHCP server, thus indicating that the DHCP server configuration is not the issue.
D: This is unnecessary because TestKing2 did obtain an IP address from the DHCP server, hence indicating that the DHCP server configuration is not the issue.

Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p.
629

QUESTION NO: 3
You are the network administrator for TestKing.com. The network contains Windows 2000 Professional computers and Windows Server 2003 computers. A server named ServerTK1 provides DHCP services for the network. The relevant portion of the network is shown in the following network diagram. Four employees of the marketing department are relocated to your building. One of these employees named Jeff uses a portable computer named ClientTK1. Jeff reports that when he plugs ClientTK1 into the LAN connection in his new cubicle he cannot connect to the Internet or ping any other computers on the network. Other client computers do not have the same problem. You run the ipconfig command on ClientTK1, and you see the results that are shown in the exhibit.
[Exhibit missing]
You need to enable ClientTK1 to connect to other computers on the network and to the Internet. How could you change the IP configuration of ClientTK1?
A. Change the subnet mask to 255.255.240.0.
B. Change the default gateway to 192.168.5.100.
C. Add a primary DNS suffix of testking.com.
D. Configure the computer to automatically lease an IP address from the DHCP service.

Answer: D

Explanation: The client computers on the subnet use DHCP to obtain their IP configurations. It is probable that ClientTK1 has a static IP address, and therefore cannot obtain a valid IP configuration from the DHCP server.

Incorrect Answers:
A: By changing the subnet mask you will not ensure that ClientTK1 will connect to other computers and the Internet.
B: Changing the default gateway to 192.168.5.100 will not enable ClientTK1 LAN connection.
C: Adding a primary DNS suffix means that only domain names listed in that window will be tried for resolution purposes. Both the connection-specific and primary DNS suffix are ignored.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p.
515

QUESTION NO: 4
You are the network administrator for TestKing.com. You work at the company's main office. The company has 400 branch offices. Each branch office has from two to five Windows 2000 Professional computers. One computer in each branch office is configured with a shared dial-up connection. One of the branch offices has only two Windows 2000 Professional computers, which are named TESTKING1 and TESTKING2. The users in this branch office report that the shared dial-up connection on TESTKING1 no longer functions. You investigate and find out that TESTKING2 can connect to shared folders on TESTKING1. You also find out that TESTKING1 automatically connects to the network at the main office whenever the user on TESTKING1 attempts to access resources located on the main office network. However, TESTKING2 is unable to connect to resources on the main office network. You need to ensure that both client computers can connect to resources on the main office network. What should you do?
A. Start Internet Connection Sharing on TESTKING1.
B. Configure the shared dial-up connection on TESTKING1 so that automatic dialog is enabled.
C. Configure TESTKING2 to use DHCP to obtain IP addressing information.
D. Configure TESTKING2 to use TESTKING1 for DNS name resolution.

Answer: C

Explanation: The problem is most likely caused by an incorrect or non-existent default gateway setting on TESTKING2. If you configure TESTKING2 to use DHCP to obtain IP addressing information, TESTKING2 will receive the correct settings from the ICS service on TESTKING1.

Incorrect Answers:
A: The question refers to a shared dial-up connection on TESTKING1 not working. If the dial-up connection is shared, then Internet Connection Sharing is enabled already.
B: The question states that TESTKING1 automatically connects to the network at the main office whenever the user on TESTKING1 attempts to access resources located on the main office network. This indicates that automatic dial-up is already configured.
D: TESTKING1 is not a DNS server. The ICS service has a DNS proxy that would pass DNS requests to whichever DNS server TESTKING1 is using.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapters 1 & 2, pp. 45, 12

QUESTION NO: 5
You are the network administrator for TestKing.com. All client computers on the network run Windows NT Workstation 4.0. The new written company network policy requires you to change all network computers from static IP configuration to dynamically assigned IP configuration. The network policy requires a Windows Server 2003 DHCP server to dynamically assign the addresses. You anticipate the possibility that some of the client computers in the company will be overlooked and will continue to use static IP configuration. If this occurs, you want to ensure that the DHCP server will not lease an address that is already statically configured on another computer. You want to configure the DHCP servers to lease only IP addresses that are not already in use. Also, you do not want to increase network traffic any more than necessary, and you want to minimize the amount of time DHCP clients wait for an IP address lease. What should you do?
A. Configure the DHCP server Conflict detection attempts to 1.
B. Configure the DHCP server Conflict detection attempts to 3.
C. Configure client reservations for each client computer MAC address.
D. Activate and reconcile the scopes.

Answer: A

Explanation: When conflict detection attempts are set, the DHCP server uses the Packet Internet Groper (ping) process to test available scope IP addresses before including these addresses in DHCP lease offers to clients. A successful ping means that the IP address is in use on the network. This results in the DHCP server not offering to lease the address to a client. If the ping request fails and times out, it indicates that the IP address is not in use on the network. In this case, the DHCP server offers to lease the address to a client.
Each additional conflict detection attempt delays the DHCP server response by a second while waiting for the ping request to time out. This in turn increases the load on the server. A value of no greater than two (2) is recommended for ping attempts.

Incorrect Answers:
B: Due to the latency involved in ping attempts, the higher the conflict detection value is set, the longer the lease process will be for every client that uses the DHCP server.
C: Configuring client reservations for each client computer MAC address will involve a physical visit to each and every client computer if you do not ping it successfully.
D: The scope would already be activated in this scenario.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 208-209

QUESTION NO: 6
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers run Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation. All client computers are configured with default settings. A server named Testking1 functions as a DHCP and DNS server. All client computers are configured to use Testking1 for name resolution. All DNS zones on Testking1 are enabled for DNS dynamic updates. TestKing's written security policy states that, when possible, the computer account for each client computer should be the owner of its own DNS host record. A server named Testking18 contains antivirus server software. Testking18 must be able to contact client computers by using fully qualified domain names (FQDNs) to propagate virus definition updates. You need to ensure that Testking18 can resolve FQDNs for all client computers on the network. Which option should you modify on Testking1?
A. The Dynamically update DNS A and PTR records only if requested by the DHCP clients check box.
B. The Always dynamically update DNS A and PTR records check box.
C. The Discard A and PTR records when lease is deleted check box.
D. The Dynamically update DNS A and PTR records for DHCP clients that do not request dynamic updates (for example, clients running Windows NT 4.0) check box.

Answer: D

Explanation: Dynamically Update DNS A And PTR Records For DHCP Clients That Do Not Request Updates - This checkbox lets you handle these older clients graciously by making the updates using a separate mechanism. When checking this check box you will ensure that TestKing18 can resolve FQDNs for all client computers on the network under the given circumstances and the role that TestKing1 plays.

Incorrect answers:
A: Dynamically Update DNS A And PTR Records Only If Requested By The DHCP Clients - This radio button (which is on by default) tells the DHCP server to register the update only if the DHCP client asks for DNS registration. When this button is active, DHCP clients that aren't hip to DDNS won't have their DNS records updated. However, Windows 2000, XP, and Server 2003 DHCP clients are smart enough to ask for the updates.
B: Always Dynamically Update DNS A And PTR Records - This radio button forces the DHCP server to register any client to which it issues a lease. This setting may add DNS however, it allows other clients (like Mac OS, Windows NT, and Linux machines) to have their DNS information automatically updated. This is not what is required.
C: Discard A And PTR Records When Lease Is Deleted - When a DHCP lease expires, what should happen to the DNS registration? Obviously, it would be nice if the DNS checked (as it is by default), that's exactly what happens. If you uncheck this box, your address is reissued on a new lease, the DNS will be updated, but in between leases you'll have incorrect data in your DNS - always something to avoid.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, p.
246

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You install a new client-server application on a Windows Server 2003 computer named TestKing2. TestKing2 is not a member of the domain. TestKing2 has static IP address 192.168.6.23. You install the client software on two Windows XP Professional domain computers in order to test access to the application on TestKing2. You plan to install the client software on 270 additional Windows XP Professional computers. The client software must be able to resolve to TestKing2 by using the fully qualified domain name (FQDN) testking2.testking.com. A Windows Server 2003 computer named TestKingD is the DNS server and has the IP address 192.168.6.1. The testking.com zone is configured to accept only secure updates. When you run the ping command to 192.168.6.23, you receive valid replies. When you attempt to run the client software on the two test computers, the software cannot locate TestKing2 and terminates. You need to correct this problem with the minimum amount of administrative effort. What should you do?
A. From a command prompt on TestKing2, run the ipconfig /registerdns command.
B. On each of two test computers, type the following line in the Hosts file: testking2.testking.com 192.168.6.23 bpre
C. Create an OU named ApplicationServersOU. Create a computer account named TestKing2 in ApplicationServersOU. Set the Primary DNS Suffix Group Policy setting on an ApplicationServersOU GPO to testking.com. Restart TestKing2.
D. On TestKingD, enter a host (A) record for TestKing2 that displays TestKing2's IP address as 192.168.6.23. On TestKing2, in the Computer Name Changes dialog box in System Properties, enter testking.com as the primary DNS suffix of the computer. Restart TestKing2.
E. On TestKing2 in the Internet Protocol (TCP/IP) Properties dialog box, in the Preferred DNS server field, type 192.168.6.1.

Answer: D

Explanation: Every computer in a Windows Server 2003 network can be assigned a primary DNS suffix to be used in name resolution and name registration. The primary DNS suffix is specified on the Computer Name tab of the properties dialog box in My Computer. The primary DNS suffix is also known as the primary domain name and the domain name. The full computer name is a type of FQDN. The same computer can be identified by more than one FQDN, but only the FQDN that concatenates the host name and the primary DNS suffix represents the full computer name. If you can ping a computer by IP address but not by name, the computer is missing an A resource record in DNS. You can attempt to remedy this situation by executing the Ipconfig /registerdns command at that computer. Therefore, if you want to run client software successfully on the two computers under the circumstances as given in the question, option D would be the answer.

Incorrect answers:
A: If you can ping a computer by IP address but not by name, the computer is missing an A resource record in DNS. You can attempt to remedy this situation by executing the Ipconfig /registerdns command at that computer. However, this is only part of the solution.
B: This option will not allow you to run client software on the two computers.
C: This option suggests too much administrative effort to be done.
E: This will not enable you to run client software on the two computers in the given circumstances.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, p. 425, 423

B: Manage DHCP Relay Agent. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. All servers run Windows Server 2003. All servers are configured with static IP addresses. All client computers run Windows XP Professional. All client computers are configured as DHCP clients. TestKing has a main office and one branch office. The offices are separated by a router. A DHCP server is deployed in each office. One of the DHCP
servers shuts down unexpectedly. It takes four hours to repair the server. During that time, several mobile users connect their portable computers to the network and report that they cannot connect to shared resources on the network. After the server is repaired, you create a new scope on each DHCP server that includes IP addresses for the other office. You activate the scopes. You test the new DHCP configuration by shutting down the DHCP server in the main office. You find out that the client computers in the main office are not receiving IP addresses from the DHCP server in the branch office. You need to ensure that when the DHCP server in one office fails, the client computers will receive a correct IP address configuration from the DHCP server in the other office. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the router between the offices to forward BOOTP broadcasts.
B. Configure the DHCP server in each office with a DHCP scope that includes the same IP addresses as the DHCP server in the other office. Activate the scope.
C. Configure the DHCP server in each office with an additional network adapter. Connect each new network adapter to the local network. Assign an IP address from the other office's network to each new network adapter.
D. Install and configure a DHCP relay agent in each office.

Answer: A, D

Explanation: In a subnetted environment, routers and remote computers can be configured to be DHCP Relay Agents, which forward DHCP information between subnets. The router forwards requests for IP address configuration assignments to the remote DHCP Server. The DHCP Relay Agent is typically configured on a network segment where there is no DHCP server. The network segments are normally on the other end of a non 2131 compliant router from a DHCP server. The DHCP Relay Agent assists in passing on DHCP and BOOTP broadcast messages over routers which do not support the passing on of these messages.
The DHCP server configured in the DHCP Relay Agent's properties through the DHCP Relay Agent performs the DHCP lease process. The server specified applies to each network interface that the relay agent is attached to. Instead of using the approach just outlined, you can configure the router between the offices to forward BOOTP broadcasts.

Incorrect Answers:
B: Configuring a scope and activating it to include the same IP addresses as the DHCP server in the other office will not work. This will be akin to having two places with the same address.
C: The question states that you need to make sure that in case of failure the client computers will receive a correct IP address configuration from the DHCP server in the other office. You thus do not have to add in additional network adapters and DHCP servers.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 142
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter, pp. 537 - 540

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. A server named Testking1 functions as a DHCP server, and a server named Testking2 functions as a DNS server. A relevant portion of the network is shown in the Network exhibit. You configure Testking1 to distribute IP addresses to all of the client computers on the 10.9.7.0 subnet. The DHCP server scope settings are shown in the DHCP exhibit. All users of client computers on the 10.9.7.0 subnet report that they can see each other's computers in My Network Places but cannot access the Internet or the 10.9.8.0 subnet. Users of client computers in the 10.9.7.0 network cannot access servers on either subnet. Users of client computers on the 10.9.8.0 subnet can access servers on both subnets and can access the Internet. All servers use static IP
addresses. You need to ensure that all client computers can access the Internet. What should you do?
A. On Testking2, configure the DHCP Relay Agent.
B. On Testking2, add a host (A) record for Testking1 at address 10.9.8.91.
C. On Testking1, authorize DHCP.
D. On Testking1, activate the 10.9.7.0 scope.
E. On Testking1, disable the 001 Microsoft Disable Netbios Option.

Answer: A

Explanation: DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. Typically, DHCP clients broadcast DHCP Discover packets that are then received and answered by a DHCP server on the same subnet. Because routers block broadcasts, DHCP clients and servers must normally be located on the same physical subnet. DHCP relay agents intercept DHCP Discover packets and forward them to a remote DHCP server whose address has been preconfigured. Since TestKing1 contains the DHCP server and the Internet is accessed through the router, you should configure the DHCP Relay Agent on TestKing2 so as to ensure that all the client computers can access the Internet.

Incorrect answers:
B: Adding a host (A) record for TestKing1 at address 10.9.8.91 on TestKing2 will not ensure accessibility to the Internet for all the client computers.
C: The problem is not a matter of an Unauthorized DHCP server.
D: There is no need to activate the 10.0.7.0 scope on TestKing1. This will not solve the problem.
E: Disabling the 001 Microsoft Disable Netbios Option on TestKing1 will not solve the problem of accessibility to the Internet for all client computers.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 9, pp.
63-6

QUESTION NO: 3
You are the network administrator for TestKing.com. The network contains three Windows Server 2003 computers and 220 Windows XP Professional computers. No servers currently have Routing and Remote Access installed. You need to add 50 additional computers to the network. You want to split the network into two segments, using two different subnets. A diagram of the planned network is shown in the exhibit. All client computers must be able to connect to each other. You need to minimize additional network services. You also need to ensure that the computers can obtain addresses from the DHCP service. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure Routing and Remote Access on TestKingSrvA.
B. Configure Routing and Remote Access on TestKingSrvB.
C. Configure Routing and Remote Access on TestKingSrvC.
D. Configure a DHCP relay agent on TestKingSrvA.
E. Configure a DHCP relay agent on TestKingSrvB.
F. Configure a DHCP relay agent on TestKingSrvC.

Answer: C, F

Explanation: TestKingSrvC is connected to both network segments and can therefore act as a router. To enable this, configure Routing and Remote Access on TestKingSrvC. To enable the clients on the 192.168.1.0 subnet to obtain their TCP/IP configurations from the DHCP server, you need to configure a DHCP relay agent on the 192.168.1.0 subnet, so you need to configure a DHCP relay agent on TestKingSrvC.

Incorrect Answers:
A: TestKingSrvA will not be a router and therefore does not need the Routing and Remote Access service.
B: TestKingSrvB will not be a router and therefore does not need the Routing and Remote Access service.
D: TestKingSrvA won't have the Routing and Remote Access service, so it won't be a DHCP relay agent.
E: The relay agent needs to be configured on the 192.168.1.0 subnet.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 7, p.
3=; .9 Manage DA.5 databases.*3 :uestions+ QUESTION NO: < You are a net"or0 administrator $or TestBingJs main o$$ice in 'hicago The main o$$ice contains ,*=== des0to# com#uters ) !indo"s Ser/er 2==, com#uter named Ser/erTB<4 is the D:'. ser/er $or the net"or0 The hard"are con$iguration o$ Ser/erTB<4 is sho"n in the $ollo"ing table 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -2 2 .rocessor One* 6== ?h1 RAM F12 M1 Aard dis/ " $.$&, with .9 and D9 partitions, 1F C1 each Aard dis/ 1 $.$& with 39 partition, *empt +, 3" C1 ,etwor/ adapter 1"" Mbps Ser/erTB<4 is ca#able o$ su##orting t"o #rocessors Nine hundred users $rom a branch o$$ice relocate to the main o$$ice in 'hicago The hel# des0 re#orts that client com#uter I. addresses ta0e an unusually long time to rene" You con$irm that net"or0 utili1ation is "ithin acce#table limits You notice that in the D:'. Ser/er #er$ormance ob2ect* the milliseconds #er #ac0et &)/g ( counter is 4= #ercent higher than the baseline You run System ?onitor to baseline Ser/erTB<4 during normal business hours You obser/e the #er$ormance results Ob2ect 'ounter Instance 8alue 5rocessor Z 5rocessor time Total 32 Memor 5agesHsec $ stem 5rocessor :ueue 4ength 1 4ogical dis/ Z Dis/ time . >G 4ogical dis/ Z Dis/ time D 2 4ogical dis/ Z Dis/ time 3 3 You "ant to im#ro/e the #er$ormance o$ Ser/erTB<4

What should you do on ServerTK14?

A. Move the database path to drive E.
B. Move the database path to drive D.
C. Increase RAM to 1024 MB.
D. Add an additional processor.

Answer: A

Explanation: According to the table, the operating system and the database are on the same SCSI disk 0. From the performance results you can see that the % Disk Time is above 50%. You can move the database to disk E (because it's empty) to divide the disk load. Deviations from your baseline provide the best indicator of performance problems. You can also check for various types of bottlenecks by monitoring the counters for each subsystem and checking them against the recommended thresholds.

Incorrect Answers:
B: Drive D is already populated. Shifting the database path to Drive D will thus not improve ServerTK14 performance.
C: When increasing the RAM to 1024 MB you will not be improving the performance on ServerTK14 because the problem is not a memory problem, but rather a problem of non-renewal or slow renewal of IP addresses.
D: By adding in an additional processor you are not addressing the problem.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 166

QUESTION NO: 2

You are the network administrator for TestKing.com. The network consists of a single subnet. A Windows Server 2003 computer named TestKing3 functions as a DHCP server. TestKing3 leases IP addresses in the 10.11.0/24 range to desktop client computers. There are 12 client reservations for other servers and network printers. You have configured several detailed scope and server options. If TestKing3 fails, you want to have a contingency plan that will allow you to use a domain controller named DC2 as a DHCP server as quickly as possible. You install DHCP on DC2 without any configuration and stop the DHCP Server service. You want to list the tasks that are required to back up TestKing3 and the tasks that are required to restore the backup to DC2. A backup age of 24 hours or less is acceptable.

If TestKing3 fails, which set of tasks is required to enable DC2 to replace TestKing3 as the DHCP server?

A. On TestKing3: Schedule the Backup utility to back up the System State Data to tape every 24 hours. On DC2: Perform a non-authoritative System State restore. Using the Services console, start the DHCP Server service. Authorize DHCP. Reconcile the database.
B. On TestKing3: Use the Backup utility to schedule a tape backup of the DHCP database every 24 hours. On DC2: Restore the tape backup of the DHCP database to a folder. Using the DHCP console, restore the backup from the same folder. From the command prompt, type net start dhcpserver. Authorize DHCP.
C. On TestKing3: Schedule the Backup utility to back up the System State Data to tape every 24 hours. On DC2: Perform an authoritative System restore. Manually recreate the server and scope options that were on TestKing3. From a command prompt, type start dhcpserver. Authorize DHCP.
D. On TestKing3: Use the DHCP console to perform a DHCP backup every 24 hours. Copy the backup to a network share that is accessible by DC2. On DC2: Copy the backup to a local folder. Using the DHCP console, restore the backup from the local folder. From a command line, type net start dhcp. Authorize DHCP. Recreate the 12 client reservations.

Answer: B

Explanation: The Windows Server 2003 Backup utility includes a scheduling feature that can be utilized to schedule a tape backup of the DHCP database for every 24 hours. This can be performed using the Backup tab or the Schedule Jobs tab of the Backup utility. The net start dhcpserver command would start the DHCP Server service on DC2.

Incorrect Answers:
A: A system state restore is not necessary as this will only provide a backup of the configuration details. You would need a backup of the DHCP database if you are to have DC2 take over the function of TestKing3 in case of failure.
C: Performing an authoritative system restore and manually recreating the TestKing3 server and scope options will not work as you need to restore the DHCP database to a folder using the DHCP console and then restore the backup from a backup from the same folder.
D: On DC2 you do not need to recreate the 12 client reservations.

Reference: The Microsoft MCSA/MCSE Book for Exam 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 7, lessons 1, 2 and 3.
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2004, Part 1, Chapter 7, pp. 375, 401

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 computers and Windows 2000 Professional computers. A domain controller named TestKing1 functions as an application server and also provides DHCP services and file services. A Windows Server 2003 computer named TestKing2 provides DNS services. You add a new server named TestKing3 to the network as a member server in the domain. You want TestKing3 to provide DHCP services instead of TestKing1. The DHCP scope that is configured on TestKing1 is shown in the exhibit. The Exhibit is a DHCP screen on a server with this:

You need to prevent IP address conflicts and minimize network changes. What should you do?

A. Create a new DHCP scope on TestKing3 that has a starting address of 192.168.0.20 and an ending address of 192.168.0.254. Deactivate the DHCP service on TestKing1 and then authorize the DHCP service on TestKing3. Activate the new DHCP scope on TestKing3.
B. Create a new DHCP scope on TestKing3 that has a starting address of 192.168.0.10 and an ending address of 192.168.0.254. Deactivate the new DHCP scope on TestKing3.
C. Back up the DHCP database on TestKing1 to a local drive. Stop the DHCP service on TestKing1. Copy the backup file of the DHCP database to TestKing3. Restore the DHCP service on TestKing3 and then authorize DHCP services on TestKing3 and activate the DHCP scope.
D. Stop the DHCP service on TestKing1. Replace the DHCP database file on TestKing3 with DHCP database file from TestKing1. Deactivate the DHCP service on TestKing1, and then authorize the DHCP service on TestKing3 and activate the DHCP scope.

Answer: C

Explanation: The DHCP scope that is configured on TestKing1 is 192.168.0.10 - 192.168.254. To enable TestKing3 to provide DHCP services instead of TestKing1, this DHCP scope should be configured on TestKing3. To prevent IP address conflicts and minimize network changes, the backup file of the DHCP database of TestKing1 should be copied to TestKing3. The DHCP service on TestKing1 should be stopped. This would prevent TestKing1 from assigning new address leases to clients after the backup of the database. The only task remaining would be to restore and then authorize DHCP services on TestKing3, and activate the DHCP scope.

Incorrect Answers:
A: This option will result in you not being able to minimize the IP address conflicts and network changes that will ensue when you create a new DHCP scope.
B: DHCP services have to be authorized before IP addresses and renewals of IP addresses will be issued. This would be necessary since this option mentions a new scope that is created on TestKing3.
D: You would first need to make a backup of the DHCP database on TestKing3 and this backup should be copied to TestKing1 if you are to minimize IP conflicts and network changes.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 7, pp. 401 - 403.

D: Manage DHCP scope options. (3 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of four logical subnets that correspond to four physical subnets. The IP addresses for the logical subnets are 10.5.6.0/24, 10.5.5.0/24, 10.5.4.0/24, and 10.5.3.0/24. Approximately 75 percent of the addresses on each subnet are in use. A 10-Mbps router separates the subnets. You plan to redesign the network to use two 100-Mbps switches and one BOOTP router to create two VLANs, as shown in the exhibit.

You need to reconfigure the DHCP server for the new network design. You want each existing DHCP client to retain the address it has in its existing scope, if possible. You do not want to use more than 80 percent of the addresses. What should you do?

A. Create two superscopes:
• Scope 1: 10.5.5.1/26 - 10.5.6.254/26
• Scope 2: 10.5.3.1/26 - 10.5.4.254/26
B. Create two superscopes
• Superscope 1: 10.5.6.1/24 - 10.5.6.254/24 and 10.5.5.1/24 - 10.5.5.254/24
• Superscope 2: 10.5.4.1/24 - 10.5.4.254/24 and 10.5.3.1/24 - 10.5.3.254/24
C. Create two superscopes:
• Scope 1: 10.5.7.1/24 - 10.5.7.254/24
• Scope 2: 10.5.8.1/24 - 10.5.8.154/24
D. Create one superscope: 10.5.6.0/24, 10.5.5.0/24, 10.5.4.0/24, and 10.5.3.0/24

Answer: D

Explanation: Superscopes are required for any network or bordering networks that are configured as multinets or are multinets themselves, forwarding broadcasts via a BOOTP router or DHCP Relay Agent. A superscope is the administrative grouping of preconfigured scopes. The superscope informs the DHCP service that more than a single logical IP network is present on the identical physical network. In this manner, addresses from either of the scopes in the superscope will work on the network. Creating one superscope: 10.5.6.0/24, 10.5.5.0/24, 10.5.4.0/24, and 10.5.3.0/24, is the ideal solution because this allows the DHCP server to provide multiple logical subnet addresses to the DHCP clients on the one physical network. Existing DHCP clients are still able to retain the address they have in their existing scope. You extend the address space by subnetting it for the same physical network segment.

Incorrect Answers:
A, B, C: Since you do not want to make use of more than 80% of the possible addresses you only need to create a single superscope. In all these options there is talk of more than one superscope and the ranges that are suggested will result in more than 80% of the possible IP addresses.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 142
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 7, pp. 396 - 400

QUESTION NO: 2

You are the network administrator for TestKing.com. The network consists of two subnets. All desktop computers are on subnet 10.10.0.0. All servers are on subnet 10.9.8.0. All servers except ServerTK1 and ServerTK2 use statically assigned IP addresses. ServerTK1 and ServerTK2 will use client reservations in DHCP. You want to configure scope options with the settings shown in the following table.

IP configuration          ServerTK1      ServerTK2      Desktop computers
003 Router                10.9.8.1       10.9.8.1       10.10.0.1
006 DNS Servers           10.9.8.20      10.9.8.20      10.9.8.20
                          131.107.5.30   131.107.5.30   10.9.8.40
044 WINS/NBNS Servers     10.9.8.60      10.9.8.60      10.9.8.60
046 WINS/NBT Node Type    0x2            0x8            0x8

You configure all options necessary for ServerTK2 and the desktop computers to receive their necessary configurations. Now you want to configure the DHCP server for the appropriate ServerTK1 options with the minimum amount of administrative effort. Which options should you configure for ServerTK1?

A. Reservation option 003 Router: 10.9.8.1
Scope option 044 WINS/NBNS Servers: 10.9.8.60
Server option 003 Router: 10.9.8.1
B. Reservation option 006 DNS Servers: 10.9.8.20 and 131.107.5.30
Scope option 046 WINS/NBT Node Type: 0x2
Server option 006 DNS Servers: 10.9.8.20 and 131.107.5.30
C. Reservation option 044 WINS/NBNS Servers: 10.9.8.60
Scope option 003 Router: 10.9.8.1
Server option 046 WINS/NBT Node Type: 0x2
D. Reservation option 046 WINS/NBT Node Type: 0x2
Scope option 003 Router: 10.9.8.1
Server option 006 DNS Servers: 10.9.8.20 and 131.107.5.30
Scope option 044 WINS/NBNS Servers: 10.9.8.60

Answer: D

Explanation: The only difference between the configuration of the scope options for ServerTK1 and ServerTK2 is the Node Type. The following is a list of the 046 Node Types and the role they play in name resolution. When you set up 044 WINS/NBNS Servers in DHCP Scope Options, you must select 046 and configure the node type.

1. (0x1) - B node (Broadcast): Relies completely on local broadcasts for name registration, discovery and release. If the host cannot be found in the NetBIOS name cache or by local broadcast, the name is not resolved.
2. (0x2) - P node (Peer): Forces clients to directly contact a WINS server if the name is not resolved in the local cache.
3. (0x4) - M node (Mixed): Combination of B node and P node. The cache is checked first, then local broadcast, and finally the WINS server.
4. (0x8) - H node (Hybrid): Like Mixed only in reverse order. The cache is still checked first, then the WINS server, finally local broadcast. This is the default setting for client side WINS configurations.

Incorrect Answers:
A, B, C: These options should also work. Option 046 allows you to enter the specific node type you want your client to use. Node types determine the order in which your client tries to resolve NetBIOS names. However, they will involve more administrative effort than is necessary.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 291, 359-360

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers for the accounting, marketing, and sales departments reside on the subnet 192.168.5.0/24. The number of client computers for each department is shown in the following table.

Department    Number of client computers
Accounting    8
Marketing     20
Sales         50

All client computers currently receive their TCP/IP configuration from a DHCP server named TestKing12.

Computers in the accounting department frequently connect to an FTP server on the Internet to download application updates. A firewall is configured to allow FTP access only from computers within the IP address range of 192.168.5.50 to 192.168.5.57. You need to ensure that only the accounting computers can access the Internet by using FTP. What should you do?

A. On TestKing12, create an exclusion for the IP address range of 192.168.5.50 to 192.168.5.57.
B. On TestKing12, create a new User Option class named Accounting.
C. On all accounting computers, run the ipconfig /setclassid command.
D. On TestKing4, create a reservation for the IP address range of 192.168.5.50 to 192.168.5.57 for all accounting computers.
E. On the DNS server, create a reverse lookup zone for the subnet 192.168.5.0/24.

Answer: D

Explanation: You use a reservation to create a permanent address lease assignment by the DHCP server. Reservations assure that a specified hardware device on the subnet can always use the same IP address. For example, if you have defined the range 192.168.5.50 through 192.168.5.57 as your DHCP scope, you can then reserve an IP address within that scope. This will ensure that only accounting computers can access the Internet through the FTP.

Incorrect answers:
A: To exclude predefined addresses, you can simply choose to limit the scope range so that it does not include any statically assigned addresses. Alternatively, you can configure a scope that makes up the entire subnet and then immediately define exclusion ranges for all of the subnet's statically addressed computers. However, if you set exclusion on the IP address range 192.168.5.50 to 192.168.5.57 then you will be excluding the accounting computers as well.
B: Creating a new User option class is not going to solve your dilemma.
C: Running the ipconfig /setclassid command is not the solution as it will not address the problem.
E: In reverse lookup zones, DNS servers map IP addresses to FQDNs. Forward lookup zones thus answer queries to resolve FQDNs to IP addresses, and reverse lookup zones answer queries to resolve IP addresses to FQDNs. But creating a reverse lookup zone for the subnet 192.168.5.0/24 is not going to ensure that only accounting computers can access the Internet through the FTP.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, p. 7:7-10

E: Manage reservations and reserved clients. (1 Question)

QUESTION NO: 1 DRAG DROP

You are the network administrator for TestKing.com. The network contains 1,300 Windows XP Professional computers. All client computers receive their IP addresses from a DHCP server. You are configuring a DHCP scope to assign addresses to the client computers. You need to place all the client computers in the same subnet. You need to reserve 100 addresses for servers and printers that will not receive IP address assignments automatically. To allow for future growth, you need to configure the scope to host 3,800 client computers. How should you configure the scope? To answer, configure the appropriate option or options in the dialog box, and drag the appropriate IP address or addresses and the appropriate subnet mask to the correct locations in the dialog box. (Not all portions of the dialog box are active.)

Answer:

Explanation: You need to accommodate 3800 hosts. If you use 12 bits for the host addresses, you can have up to 4096 (2^12) host addresses. 12 bits for the hosts would provide 20 bits (32 - 12 = 20) for the network address. A 20 bit network mask is 255.255.240.0. The network range from the options given would be 10.0.0.0 to 10.0.15.255. You are The only end address within the network range that provides enough host addresses is 10.0.15.160.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 179

Part 3: Troubleshoot TCP/IP addressing.

A: Diagnose and resolve issues related to Automatic Private IP Addressing (APIPA). (Questions)

QUESTION NO: 1

You are the administrator of the TestKing.com company network. The network consists of a single Active Directory domain. The network includes 10 member servers running Windows Server 2003, 4 domain controllers running Windows Server 2003 and 150 client computers running Windows XP Professional. You install and configure a new Windows Server 2003 server named TestKingSrv1 to function as a file server to replace an existing server. You move user files from the old server to TestKingSrv1, and you create a logon script that maps drive letters to shared folders on TestKingSrv1. Users report that they cannot access TestKingSrv1 through the drive mappings you created. Users also report that TestKingSrv1 does not appear in My Network Places. You log on to TestKingSrv1 and confirm that the files are present and that the NTFS permissions and share permissions are correct. You cannot access any network resources. You run the ipconfig command and see the following output.

You need to configure the TCP/IP properties on TestKingSrv1 to resolve the problem. What should you do?

A. Add testking.com to the DNS suffix for this connection field.
B. Configure the default gateway.
C. Configure the DNS server address.
D. Configure a static IP address.

Answer: D

Explanation: The IP address shown in the exhibit is an APIPA (automatic private IP addressing) address. This means that the server is configured to use DHCP for its IP configuration but is unable to contact a DHCP server (a likely cause for this is that there isn't a DHCP server on the network). Thus when there is no DHCP server available to issue IP addresses, then a static IP address in the same range as the rest of the network should be assigned to resolve the problem.

Incorrect Answers:
A: A DNS suffix isn't necessary as it will not resolve the problem for the users.
B: A default gateway is obsolete unless this is a routed network.
C: The server not having a DNS server address wouldn't prevent clients connecting to the server.

Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 629

QUESTION NO: 2

TestKing is setting up a sales booth at a large trade show. Twelve TestKing sales representatives will be working in the booth. The sales representatives each have a portable computer that runs Windows XP Professional. You configure a server named Testking2 with a LAN connection and a dial-up connection to the Internet. All of the sales representatives' computers are also connected to the LAN. The 12 sales representatives report that they cannot connect to the Internet. You view the configuration of one of the portable computers as shown in the exhibit.

You need to provide the 12 sales representatives' portable computers with Internet access. What should you do?

A. Configure Internet Connection Sharing (ICS) on Testking2.
B. Install the DHCP service on Testking2. Create a scope for subnet 169.254.0.0/16.
C. Modify the Internet Explorer properties on the 12 sales representatives' computers to specify 169.254 as the proxy server.
D. Install the Connection Manager Administration Kit (CMAK) on Testking2.

Answer: A

Explanation: Internet Connection Sharing (ICS) is a shared dial-up connection on a server that provides Internet access to network clients and automatically configures client computers with an address in the 192.168.0.x subnet range.

Incorrect answers:
B: The Dynamic Host Configuration Protocol (DHCP) service can be implemented to centralize the administration and assignment of IP addresses. It automates and centralizes many of the tasks associated with IP addressing. This is not providing people with Internet access.
C: Modifying the Internet Explorer properties to specify 169.254 as the proxy server is not the same as providing Internet access.
D: Installing CMAK on TestKing2 will not be providing the 12 sales representatives with Internet Access.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 7, p. 1
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 2

QUESTION NO: 3

You are the Network Administrator for TestKing.com. The network contains two Windows Server 2003 computers and 220 Windows XP Professional computers. You plan to add 75 Windows XP Professional computers to a new subnet on the network. A server named TestKingA hosts the DNS services for the network. You placed TestKingA in the new subnet. A server named TestKingB hosts the DHCP services for the network. The router is configured as a DHCP relay agent.

You placed a client computer named Client 1 in the new subnet. The relevant portion of the network is shown in the network exhibit.

You configure the DHCP server with two scopes. One scope leases IP addresses to client computers on the 192.168.0.0 subnet. The other scope leases IP addresses to the 192.168.5.0 subnet. You test the new configuration with client1. Client1 can ping TestKingB by its IP address, but not by the name TestKingB.testking.com. Client1 can ping TestKingA by both its name and its IP address. You run the ipconfig command to verify the IP configuration of client1. The results are shown in the IP configuration exhibit.

You need to configure client1 so that it can address all the hosts on the network by their names. How should you configure the DHCP service for the 192.168.0.0 scope on TestKingB?

A. Set the default gateway as 192.168.0.100
B. Set the subnet mask to 255.255.0.0
C. Set the primary DNS suffix to testking.com
D. Set the IP Address of the DNS server to 192.168.0.100

Answer: D

Explanation: A hostname resolution problem is occurring. The DNS server address is incorrect in the output from the ipconfig command. The DNS server should be set to 192.168.0.100.

Incorrect Answers:
A: Configuring the default gateway to 192.168.0.100 will not give Client1 the ability to address all network hosts by name.
B: By setting the subnet mask to 255.255.0.0 you will not ensure that Client1 will address all the hosts on the network by their name.
C: Setting a primary DNS suffix means that only domain names listed in that window will be tried for resolution purposes. Both the connection-specific and primary DNS suffix are ignored.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 515

QUESTION NO: 4

Exhibit, ipconfig

Exhibit, DHCP Console

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network contains two domain controllers and three file servers. The DHCP server for the network is named TestKing6. All client computers are configured as DHCP clients. Users report that they cannot connect to the file servers on the network. On one of the affected computers, you run the ipconfig /all command. You receive the result shown in the IPconfig exhibit. You log on to the DHCP server and view the DHCP console as shown in the DHCP exhibit. You need to ensure that the users can connect to the network file servers. What should you do?

A. Start the DHCP service on TestKing6.
B. Increase the number of addresses available in the scope on TestKing6.
C. Authorize the DHCP server in Active Directory.
D. Add the TestKing6 computer account to the DHCP Administrators domain local group.

Answer: A

Explanation: DHCP service is a service that enables a computer to function as a DHCP server and configure DHCP-enabled clients on a network. DHCP runs on a server, enabling the automatic, centralized management of IP addresses and other TCP/IP configuration settings for network clients. To ensure that users can connect to the network file servers, you should start the DHCP service on TestKing6 which is the DHCP server for the network and all client computers are configured as DHCP clients.

Incorrect answers:
B: Enlarging the scope on TestKing6 does not necessarily mean that the users can connect deduce that the DHCP service has not been started.
C: When you authorize a server, you're really adding its IP address to the Active Directory object that contains a list of the IP addresses of all authorized DHCP servers. At start time, each DHCP server queries the directory, looking for its IP address on the "authorized" list. If it can't find the list, or if it can't find its IP address on the list, the DHCP service fails to start. Instead, it logs an event log message indicating that it couldn't service client requests because the server wasn't authorized. The exhibits do not suggest unauthorized DHCP servers.
D: To authorize a DHCP server, you must be logged on as a member of the Administrators or Enterprise Admins groups. But adding TestKing6 computer account to the DHCP Administrators domain local group is not the solution.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, p. 230

B: Diagnose and resolve issues related to incorrect TCP/IP configuration. (11 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network contains 15 Windows Server 2003 computers that function as intranet Web servers.

You install a Windows Server 2003 computer named TestKing7 with Routing and Remote Access. TestKing7 has the NAT/Basic Firewall routing protocol enabled to route traffic between the LAN and the Internet. TestKing7 uses an internal LAN IP address of 10.10.1.1. The 15 intranet Web servers use a DNS server named Server3 for local host name resolution. Each of the 15 intranet Web servers uses static IP configuration as shown in the TCP/IP properties exhibit. The Web servers also require Internet access to display certain public Web content within intranet Web pages. All the Web servers are configured with the Internet Explorer LAN settings shown in the LAN Settings exhibit.

Local network users report that only the local Web content on the intranet Web servers appears. You attempt to access public Web pages from one of the intranet Web servers and confirm that it cannot access public Internet Web content. You want the 15 intranet Web servers to access public Internet Web content. What should you do?

A. On the DHCP server, create DHCP client reservations for each of the Web servers.
B. In the Internet Explorer LAN settings, use a proxy server address of 10.10.1.1 and a port number of 8080.
C. In the Internet Explorer LAN settings, select Automatically detect settings.
D. Configure the Internet Explorer LAN settings to use an automatic configuration script pointing to http://TestKing7:8080/arrat.dll?Get.Routing.Script.
E. Configure TCP/IP properties of each Web server to use 10.10.1.1 as the default gateway.

Answer: E

Explanation:

The server running Routing and Remote Access is configured to share an Internet connection with computers on the private network, and to translate traffic between its public address and the private network. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. Configuring the Web server to use TestKing7's internal IP address as the default gateway would ensure that external requests are forwarded to and resolved by NAT/Firewall, and sent to the Internet.

Incorrect Answers:
A: The web servers have static IP addresses. They do not use DHCP.
B: You need to configure the default gateway, and not the proxy address.
C: This setting is used to discover a proxy server. You need to configure the default gateway, and not the proxy address.
D: This script is non-existent.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 67

QUESTION NO: 2

You are the network administrator for TestKing.com. A server named TestKingSrvA functions as an intranet Web server for the human resources (HR) department. A server named TestKingSrvB is a Microsoft Exchange 2000 Server mail server. The network configuration is shown in the exhibit.

TestKingSrvA contains confidential documents that must be accessed daily by users on only the 10.9.8.0 subnet. All users must be able to connect to TestKingSrvB. You want to configure the TCP/IP properties of TestKingSrvA to prevent any computer in the 10.9.7.0 subnet from establishing a session with TestKingSrvA. What should you do?

A. Configure TestKingSrvA port filtering to block TCP port 80.
B. Use Internet Connection Firewall (ICF) with no services selected.
C. Configure TestKingSrvA with a default gateway address of 10.9.8.6.
D. Configure TestKingSrvA with no default gateway address.

Answer: D

Explanation: The illustration above represents a routed subnet. In order to communicate with TestKingSrvA, the clients in the 10.9.7.0 network have been configured with a default gateway address, that is, the address of the router. For TestKingSrvA to communicate with the clients in the 10.9.7.0 network, it has to be configured with a default gateway address (the address of the router). Removing the default gateway from TestKingSrvA will prevent computers residing in the 10.9.7.0 subnet from establishing a session with TestKingSrvA. TestKingSrvA will however continue to be able to communicate with clients in the 10.9.8.0 network. This will ensure that the confidential files will be accessible only by users on the 10.9.8.0 subnet.

Incorrect Answers:
A: Configuring TestKingSrvA port filtering to block TCP port 80 would result in clients in the 10.9.8.0 network being unable to communicate with the server on the default port.
B: Utilizing Internet Connection Firewall (ICF) will not prevent internal network communications.
C: 10.9.8.6 is the correct default gateway address for TestKingSrvA. You should remove the default gateway setting.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, pp. 192-193

QUESTION NO: 3

Exhibit, network topology

Exhibit, IP configuration

You are the Network Administrator for TestKing.com. TestKing.com adds 50 new Windows XP Professional computers to the network. You add them to a new subnet named 192.168.0.0. The router that connects the subnets is not a BOOTP relay agent. The relevant portion of this is shown in the network topology exhibit.

You add a new Windows Server 2003 computer named TestKing11 to the new subnet. You configure TestKing11 as a DHCP server for the new subnet. A Windows 2000 Server computer named TestKing12 is the DHCP server for the subnet named 192.168.5.0. Client computers named TestKing1 and TestKing2 can ping other hosts on the 192.168.0.0 subnet. They cannot ping hosts on the 192.168.5.0 subnet.

Client computers named TestKing3 and TestKing4 can ping TestKing11 and hosts on the 192.168.5.0 subnet. They cannot ping TestKing1 or TestKing2. You run the ipconfig command on TestKing1. The results are shown in the IP configuration exhibit. You need to ensure that TestKing1 and TestKing2 can connect to any host on the network. You want to minimize administrative effort. How should you configure the Router option in the DHCP Scope?

A. Configure the option on TestKing11 to 192.168.5.1.
B. Configure the option on TestKing11 to 192.168.0.1.
C. Configure the option on TestKing12 to 192.168.0.1.
D. Configure the option on TestKing12 to 192.168.0.5.

Answer: B

Explanation:
Ping is the sending of a short message to which the other computer automatically responds. When executing the ping command and the other computer does not respond to the ping, it is often an indication that communications between the two computers cannot be established at the IP level. A subnet is the portion of a Transmission Control Protocol/Internet Protocol (TCP/IP) network in which all devices share a common prefix. For example, all devices with an IP address that starts with 198 are on the same subnet. IP networks are divided using a subnet mask. Thus configuring the router option on TestKing11 to 192.168.0.1 will allow TestKing1 and TestKing2 to connect to any network host with the least amount of administrative effort.

Incorrect answers:
A: This is the wrong option to configure in the DHCP scope.
C, D: You should be configuring the scope options on TestKing11 and not TestKing12.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 2, p. 37

QUESTION NO: 4
You are a network administrator for TestKing.com. The network consists of two IP subnets. The 192.168.1.0 subnet contains computers for the human resources (HR) department. One of the computers in the 192.168.1.0/24 subnet is a Windows Server 2003 computer named Web1 that functions as the intranet Web server for the HR department. Web1 contains confidential data that must be accessible only to the HR department. Web1 hosts a personnel administration application that is browser-based. The only computers that communicate with Web1 are the client computers in the HR department. All other computers are located on the 192.168.2.0/24 subnet. A server named Exchange1 functions as TestKing's mail server. All users can connect to Exchange1. The network is configured as shown in the exhibit.

The administrator of the HR computers reports that there are network sessions to Web1 originating from the 192.168.2.0 subnet. You need to prevent any computer in the 192.169.2.0 subnet from establishing a network session to Web1. You do not want to add a hardware firewall. You want to achieve this goal by configuring the Internet Protocol (TCP/IP) properties of Web1. What should you do?

A. Enable TCP/IP port filtering on Web1 to allow only inbound TCP port 80 traffic.
B. Enable the Internet Connection Firewall on Web1 with no services selected.
C. Enable the Internet Connection Firewall with the Web Server (HTTP) service selected.
D. Configure Web1 with a default gateway address of 192.168.1.254.
E. Configure Web1 with no default gateway address.

Answer: E

Explanation:
A default gateway is an address that provides a default route for TCP/IP hosts to use when communicating with other hosts on remote networks. A router (either a dedicated router or a computer that connects two or more network segments) generally acts as the default gateway for TCP/IP hosts. The router maintains its own routing table of other networks within an inter-network. The

routing table maps the routes required to reach the remote hosts that reside on those other networks. Configuring Web1 with no default gateway address will result in computers from the 192.169.2.0 subnet being unable to establish a network session to Web1.

Incorrect answers:
A: Port 80 on an Internet node indicates a Web server. TCP port 80 is used for HTTP traffic. Thus enabling TCP/IP port filtering to allow only inbound TCP port 80 traffic is not the answer.
B, C: The question pertinently states that you do not want to add a hardware firewall. You need to achieve your objective through configuration of the TCP/IP properties of Web1.
D: You need to configure Web1 with no default gateway to prevent 192.169.2.0 subnet computers from establishing network sessions with Web1.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 2, p. 18

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of two subnets. Each subnet contains a Windows Server 2003 computer that functions as a file server. The computers are named Testking1 and Testking2. The relevant portion of the network is configured as shown in the exhibit.

Users in each subnet need to connect to shared folders on both file servers. Users in subnet A report that they can connect to Testking1, but they cannot connect to Testking2. Users in subnet B report that they can connect to Testking2, but they cannot connect to Testking1. You test connectivity between the sites by using the ping command. When you attempt to ping Testking1 from Testking2, you receive the following error message: "Destination host unreachable". You need to ensure that all users can access both servers. What should you do?

A. Change the default gateway address on Testking1 to 10.10.10.191.
B. Change the default gateway address on Testking2 to 10.10.10.191.
C. Change the subnet mask on Testking1 to 10.10.10.192.
D. Change the subnet mask on Testking2 to 255.255.255.224.

Answer: B

Explanation:
When a particular route or table entry is applied to a packet, the gateway value determines the next address or hop for which that packet is destined. Thus if the default gateway on TestKing2 is changed to 10.10.10.191 then all users will be able to access both servers, because as it is currently users can only connect to the file server that is on the same subnet as themselves. The problem is thus between the two sites from TestKing1 to TestKing2.

Incorrect answers:
A: The TestKing2 default gateway address should be changed and not the TestKing1 default gateway.
C, D: Changing the subnet mask on either TestKing1 or TestKing2 is not the issue. You need to change the default gateway address.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 9, p. 16

QUESTION NO: 6
You are the network administrator for TestKing.com. The network contains 100 Windows XP Professional computers. You configure a Windows Server 2003 computer named Testking1 as a DNS server. Testking1 has the IP address 192.168.1.2 and contains host (A) resource records for all network client computers that are located in the branch office. You install a Windows Server 2003 computer named Testking2 as a DHCP server. Testking2 is configured as shown in the following table.

Configuration                 Setting
Scope                         192.168.1.100 to 192.168.1.200
Subnet Mask                   255.255.255.0
Option 003 Default Gateway    192.168.1.1
Option 006 DNS                192.168.1.2

You install a DSL connection for Internet access. You configure a server named

Testking3 as an Internet Connection Sharing (ICS) host with two network adapters. The network adapter that has the IP address 131.107.96.21 connects to the DSL modem, and the network adapter that has the IP address 192.168.0.1 connects to the LAN. The ISP's DNS server has the IP address 131.107.62.9. Your users report that they cannot access the Internet. You need to ensure that all users in TestKing can access the Internet through the ICS host. What should you do?

A. Remove DHCP from Testking2.
B. Replace the DHCP scope on Testking2 with one that has a subnet mask of 255.255.255.192.
C. Change the DHCP scope option 003 Default Gateway on Testking2 to 131.107.96.21.
D. Install the DNS service on Testking3, and configure 131.107.62.9 as a forwarder.

Answer: A

Explanation:
ICS (Internet Connection Service) also provides a DHCP service. When you enable ICS on a computer, the IP address of the local network interface changes to 192.168.0.1. The DHCP service provides addresses in the 192.168.0.0/24 range. The reason the clients cannot connect to the internet is that they are configured with 192.168.1.x IP addresses which they received from the DHCP service on TestKing2, but the IP address of the ICS machine is 192.168.0.1, which means they are on different subnets. The solution to the question is to remove the DHCP service on TestKing2 and just use the DHCP service from the ICS computer. The client computers will then receive IP addresses in the same range as the ICS computer and will then be able to connect to the internet.

Incorrect answers:
B: Replacing the DHCP scope with a subnet mask of 255.255.255.192 will not work in this scenario.
C: The Default Gateway should be set to the IP address of the ICS computer, 192.168.0.1.
D: This is not a DNS issue. The problem is that the client computers are configured with IP addresses in a different range from the ICS computer.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 178

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of two subnets separated by a router. The network is configured as shown in the exhibit.

Subnet A is connected to a router that has the IP address 10.10.10.65. It contains five client computers. All the client computers receive their IP configuration from a local DHCP server. The scope configuration of the DHCP server is shown in the following table.

IP address range    10.10.10.66 to 10.10.10.70
Subnet mask         255.255.255.192
Default gateway     10.10.10.65

Subnet B is connected to a router that has the IP address 10.10.10.93. It does not contain any computers yet. You install a new Windows Server 2003 computer named Testking1 and connect it to the subnet B network. The TCP/IP configuration of the new computer is shown in the following table.

IP address          10.10.10.9
Subnet mask         255.255.255.240
Default gateway     10.10.10.93

Users in subnet A report that they cannot connect to Testking1. You need to enable the client computers in subnet A to connect to Testking1. What should you do?

A. Create a new scope on the DHCP server to assign the client computers in subnet A a subnet mask of 255.255.255.224.
B. Change the scope options of the DHCP server to assign the client computers in subnet A a default gateway of 10.10.10.93.
C. Change the subnet mask of Testking1 to 255.255.255.192.
D. Change the default gateway of Testking1 to 10.10.10.65.

Answer: C

Explanation:
Large networks are subdivided to create smaller subnetworks to reduce overall network traffic by keeping local traffic on the local subnet and sending all nonlocal traffic to the router.
In order to create a subnetwork, we need to have a system for addressing that allows us to use the network ID and host ID within the class-based system. This is accomplished through the use of a subnet mask. To determine the appropriate custom subnet mask (typically referred to simply as subnet mask) for a

network, you must first:
1. Determine the number of host bits to be used for subnetting.
2. Determine the new subnetted network IDs.
3. Determine the IP addresses for each new subnet.
4. Determine the appropriate subnet mask.

Incorrect Answers:
A, B: The problem is not a matter of a scope that has to be created or scope options that have to be changed, but rather the subnet mask.
D: This option suggests that the gateway could be problematic, which is not the case.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57

QUESTION NO: 8
You are the network administrator for TestKing.com. The network is configured as shown in the exhibit.

You install a new Windows Server 2003 computer named Testking2 on subnet B. When you attempt to run Windows Update on Testking2, you receive the following error message: "Internet Explorer could not open the search page." Other servers on subnet B can successfully run Windows Update. Users on subnet A report that they can successfully connect to Testking2. TCP/IP settings for all servers on subnet B are configured by using DHCP. You need to run Windows Update on Testking2. What should you do?

A. Install the DNS service on Testking2.
B. Configure Testking2 to use 192.168.2.5 as its DNS server.
C. Configure Testking2 to use 192.168.2.6 as its WINS server.
D. Configure Testking2 to use 192.168.1.1 as its default gateway.
E. Configure Internet Explorer on Testking2 to use 192.168.1.1 as its proxy server.

Answer: E

Explanation:
You can determine from the exhibit that there is a proxy server in the network which handles Internet traffic. Therefore, you must configure Internet Explorer on Testking2 to use 192.168.1.1 as its proxy server. When a network has a server running the Dynamic Host Configuration Protocol (DHCP) Service, it can automatically assign TCP/IP configuration information to the client computers if the client computers are configured as DHCP clients.

Incorrect Answers:
A: You already have DNS1 in Subnet B that functions as a DNS server. You do not need more.
B: DNS Server, the TCP/IP property, is already configured by the DHCP Server. This option would thus be obsolete.
C: The TCP/IP property, WINS Server, is already configured by the DHCP Server.
D: The TCP/IP property, default gateway, is already configured by the DHCP Server.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 231, 281

QUESTION NO: 9
You are the Network Administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You manage the 10.10.0.0 subnet and the 10.9.0.0 subnet. The relevant portion of the network is shown in the exhibit.

The DHCP server for the domain is a member server named TestKingC. TestKingC successfully leases IP addresses to 600 desktop client computers and 200 portable computers. The portable computers connect to one subnet or the other during each day. Desktop client computers and portable computers run Windows XP Professional. Several portable computer users on the 10.10.0.0 subnet report that they receive error messages indicating duplicate IP addresses. Users with these errors cannot be authenticated by the domain controllers. You examine the DHCP
log file on TestKingC and notice several Nack messages. What is the most likely cause of these errors?

A. TestKingC is not authorized
B. The DHCP scope is not activated
C. The router is not a BOOTP router
D. A Windows NT Server 4.0 DHCP server is on the network
E. A Windows Server 2003 DHCP server with workgroup membership and an activated 10.10.0.0 scope is on the network

Answer: D

Explanation:
A Windows NT Server DHCP server on the network would cause these errors.

Incorrect Answers:
A: The question states that TestKingC successfully leases IP addresses to 600 desktop client computers and 200 portable computers. This is therefore the incorrect answer.
B: The question states that TestKingC successfully leases IP addresses to 600 desktop client computers and 200 portable computers. This is therefore the incorrect answer.
C: The question states that TestKingC successfully leases IP addresses to 600 desktop client computers and 200 portable computers. This is therefore the incorrect answer.
E: A Windows Server 2003 DHCP server would search the network for other authorised DHCP servers. When it detects one, it would stop answering DHCP requests.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 176, 235

QUESTION NO: 10
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You configure a new Windows Server 2003 file server named TestKingSrv1. You restore user files from a tape backup, and you create a logon script that maps drive letters to shared files on TestKingSrv1.

Users report that they cannot access TestKingSrv1 through the drive mappings you created. Users also report that TestKingSrv1 does not appear in My Network Places. You log on to TestKingSrv1 and confirm that the files are present and that the NTFS permissions and share permissions are correct. You cannot access any network resources. You run the ipconfig command and see the following output.

You need to configure the TCP/IP properties on TestKingSrv1 to resolve the problem. What should you do?

A. Add testking.com to the DNS suffix for this connection field.
B. Configure the default gateway.
C. Configure the DNS server address.
D. Configure a static IP address.

Answer: D

Explanation:
The IP address shown in the exhibit is an APIPA (automatic private IP addressing) address. What this indicates is that the server is configured to use DHCP for its IP configuration. The server could be unable to contact a DHCP server because there is no DHCP server on the network. You correct this problem by configuring a static IP address in the same IP range as the remainder of the network.

Incorrect Answers:
A: A DNS suffix is basically a character string that represents the domain name and typically describes the latter part of the DNS name.
B: A default gateway configuration would only be relevant when dealing with a routed network.
C: The server not having a DNS server address does not prevent clients from connecting to the server.

Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 2
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 4, p. 179

QUESTION NO: 11
DRAG DROP
You are the network administrator for Testking, a Web hosting company. All client computers run Windows XP Professional.

TestKing is assigned the following IP address ranges by the ISP:
1. 131.107.10.0 through 131.107.10.255
2. 131.107.11.0 through 131.107.11.255

TestKing's data center contains 400 Windows Server 2003 computers and consists of two subnets named subnet TK1 and subnet TK2. Subnet TK1 contains 200 servers and uses the 131.107.10.0 network address. Subnet TK2 also contains 200 servers and uses the 131.107.11.0 network address. All server IP addresses are assigned by DHCP. All computers in the data center have valid Internet-accessible IP addresses.

As a result of a corporate acquisition, 200 additional servers will be added to TestKing's data center within one month. The new servers will be placed on the network segment that maps to subnet TK1. The existing router does not have the capacity for an additional subnet, and the budget does not allow the purchase of a new router. You will need to add the additional servers to the existing subnet TK1. The ISP assigns you the additional IP address range 131.107.12.0 through 131.107.12.255.

You need to change the IP addressing scheme to accommodate all required servers in subnet TK1 and subnet TK2. You are authorized to make any necessary changes. The diagram in the work area shows the network configuration and the planned number of servers for each subnet. Which IP address should be assigned to each subnet? To answer, drag the appropriate IP address or addresses to the correct locations in the work area.

Answer:

Explanation:
To accommodate all required servers in subnet TK1 and subnet TK2, without having to purchase a new router and with the additional IP address range 131.107.12.0 through 131.107.12.255 that the ISP assigns you, you should assign subnet TK1 and subnet TK2 the following IP addresses respectively: 131.107.10.0/23 and 131.107.12.0/2

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57

Part 4: Troubleshoot DHCP.
A: Diagnose and resolve issues related to DHCP authorization. (2 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. The network also consists of two subnets. You install a Windows Server 2003 DHCP member server named Testking6. The relevant portion of the network is shown in the exhibit.

You configure and activate the following scopes on Testking6:
1. 10.50.0.1 - 10.50.2.100/22
2. 10.60.0.1 - 10.60.2.100/22
3. Exclusion: 10.50.0.1 - 10.50.0.20
4. Exclusion: 10.60.0.1 - 10.60.0.20

Users in both subnets report that they cannot access network servers. Some users can view other users' computers in My Network Places. You instruct one of these users to run the ipconfig command from a command prompt. When he does, an IP address of 169.254.9.24 is returned. You run Network Monitor on Testking6 for five minutes, and you capture hundreds of DHCPDISCOVER broadcasts. You verify that Testking6 is connected to the network and is online. You want all client computers on both subnets to be able to access hosts on both subnets. What should you do?

A. Authorize Testking6.
B. Configure the router to forward UDP port 67 from 10.50.0.0 to 10.60.0.0.
C. Change the subnet masks on the DHCP scopes to 255.255.254.0.
D. Create a host (A) record for Testking6 on the DNS server.

Answer: A

Explanation:
Before an Active Directory DHCP server is allowed to distribute IP address leases, it must be authorized to do so in Active Directory. To authorize a

Windows Server 2003 DHCP server, you must be a member of the root domain's Enterprise Admins group. Authorization also prevents a DHCP server with incorrect information from being introduced on the network. For example, a DHCP server with incorrect scope information can't lease providing DHCP clients with incorrect IP parameters. DHCP servers are authorized through the DHCP management console. Thus by authorizing TestKing6 you can enable both subnets to access hosts on both subnets.

Incorrect answers:
B: This scenario is a matter of having the DHCP service authorized and not a case of UDP port 67 forwarding DHCP broadcasts.
C distribute IP address leases.
D: Host (A) is a record used to map machine or resource host names to IP addresses. This is not what is needed in this scenario.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 228-230, 487
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 2

QUESTION NO: 2
You are the administrator of an Active Directory domain testking.com. All servers run Windows Server 2003. You configure a server named Testking2 as TestKing's DHCP server, as shown in the exhibit. All client computers are configured as DHCP clients. Users report that they cannot connect to network resources. You investigate and discover that the client computers are not receiving their TCP/IP configurations from Testking2. You need to configure Testking2 so that the client computers can receive their TCP/IP configurations. What should you do?

A. Run the net stop dhcpserver command.
B. Run the net start dhcpserver command.
C. Authorize Testking2 by using the DHCP console.
D. Restart the DHCP service by using the DHCP console.
E. Add Testking2 to the DHCP Administrators local group.

Answer: C

Explanation:
When the DHCP server isn't authorized, it will not answer lease requests. This is the reason why the client computers are not receiving their TCP/IP configurations from Testking2. Testking2 has to be authorized to provide DHCP services to clients when it is installed in an Active Directory domain. After a DHCP server is authorized, its IP address is included in the Active Directory object that holds a list of the IP addresses of all authorized DHCP servers.

Incorrect Answers:
A: Since Testking2 is the DHCP server, you need to authorize Testking2 so as to enable all the DHCP clients to receive their TCP/IP configurations from Testking2. Thus running the net stop dhcpserver command will not help.
B: Running the net start dhcpserver command will not solve the problem as the DHCP server first has to be authorized.
D: Restarting the DHCP service will not help in this scenario.
E: Adding Testking2 to the DHCP Administrators local group will not accomplish the task as the server has to be authorized first.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 260
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 7, page 374.

B: Diagnose and resolve issues related to DHCP reservation configuration. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All servers are configured with static IP addresses.

All client computers run Windows XP Professional. All client computers are configured as DHCP clients. The relevant portion of the network is configured as shown in the Network exhibit.

A user named Maria reports that she cannot access network resources by using her client computer. Her client computer is named Client2. Maria reports that she received an error message about a duplicate address on the network when she started her computer this morning. You examine the DHCP scope properties on the DHCP server. The scope properties are shown in the DHCP exhibit.

You need to ensure that Maria can access the network by using her client computer. You also need to ensure that this problem will not occur. What should you do?

A. Exclude the IP addresses 192.168.10.10 to 192.168.10.15 from the DHCP scope. Restart Client2.
B. Add the additional IP addresses of 192.168.10.201 to 192.168.20.250 to the DHCP scope. Restart Client2.
C. Configure the DHCP scope to detect IP address conflicts. Restart Client2.
D. Reconcile the DHCP scope on the DHCP server. Restart Client2.

Answer: A

Explanation:
Exclusion ranges assure that the server does not offer to DHCP clients on your network any addresses in these ranges. By setting an exclusion range for these addresses, you specify that DHCP clients are never offered these addresses when they request a lease from the server. Excluding IP addresses 192.168.10.10 to 192.168.10.15 from the DHCP scope and then restarting Client2 should prevent the occurrence of a duplicate address.

Incorrect answers:
B: There is no need to add additional IP addresses to the DHCP scope, the problem originates from duplicate IP addresses.
C: DHCP scope purpose is not to detect IP address conflicts.
Besides you need to make sure that the address used on the APIPA Settings dialog box is excluded from the DHCP scope, to avoid IP address conflicts.
D: The Reconcile option is useful when you need to fix any inconsistencies in the DHCP database, such as when not all IP address leases are being reflected in the DHCP database. Information in the database is compared with information stored in the Registry. This is not the same as checking for duplicate addresses.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Chapter 7, pp. 6-7, 13

QUESTION NO: 2
You are the network administrator for TestKing.com. A Windows Server 2003 computer named Testking1 functions as a mail server. A Windows Server 2003 computer named Testking2 is the DHCP server. You configure Testking2 to lease the reserved IP address 192.168.1.5 to Testking1, as shown in the exhibit.

You create a host record for Testking1 that uses IP address 192.168.1.5 on the company's BIND 8.1.2 DNS server. However, users report that they cannot access Testking1. From the command prompt on Testking1, you run the ipconfig /all command and receive the following response.

You want Testking1 to receive 192.168.1.5 as its IP address. What should you do?

A. In the reservation on Testking2, insert dashes in the reservation MAC address.
B. In the reservation on Testking2, change the reservation MAC address.
C. On Testking1, in the Internet Protocol TCP/IP properties, enter an alternate configuration.
D. On Testking1, from the command prompt, run the ipconfig /registerdns command.
E. In the reservation on Testking2, change the reservation name to Testking1.

Answer: B

Explanation:
The MAC address is the piece of the reservation that actually identifies the client as it first initiates its DHCPDISCOVER broadcast. The MAC address is a 48-bit binary number, but it is notated as 12 hexadecimal digits arranged in pairs. It is imperative that you type this address correctly. You can find out the MAC address from the client computer by running ipconfig /all. If you cannot physically visit the client computer, you can use the ping and arp commands to identify this number and then use the copy and paste feature to enter it into the reservation. You can make use of the copy and paste functionality built into the command interface of Windows Server 2003 to insert the MAC address into the reservation. Changing the reservation MAC address in the reservation on TestKing2 will allow you to enter the IP address to match the MAC address of TestKing1.

Incorrect Answers:
A: Inserting dashes in the reservation MAC address will not work because the dashes are extra characters that you enter into the address, thus rendering it a different device, as MAC addresses must be typed correctly.
C: Entering an alternate configuration does not necessarily issue you with a particular IP address.
D: The ipconfig /registerdns command refreshes all DHCP leases and registers any related DNS names for the adapter. It does not change names.
E: Reservation Name uniquely identifies the client you are reserving. However, changing the reservation name to TestKing1 will not assist you in your task as reservations are assigned based on a particular MAC address.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 198
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, p. 471

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. A Windows Server 2003 computer named ServerTK9 functions as a file server. A Windows Server 2003 computer named ServerTK10 functions as a DHCP server. A Windows Server 2003 computer named ServerTK11 functions as the DNS server. ServerTK9 has the 10.90.80.70/24 reservation on ServerTK10. Logon scripts connect users to mapped drives and printers on ServerTK9.

You want to create a baseline for network traffic to and from ServerTK9. When you use network monitoring software in promiscuous mode, you notice that the IP address reserved for ServerTK9 does not appear in your network trace. However, no users report connectivity problems to ServerTK9. Previous network traces have shown that ServerTK9 had the reserved address 10.90.80.70/24 in the past. When you run the ping -a 10.90.80.70 command from a command prompt, the address resolves to client942.testking.com.

From a command prompt on ServerTK9, you run the ipconfig /all command. The output displays an IP address of 10.90.80.198/24 and a MAC address of 00-20-ED-3D-41-C8. ServerTK9 must use the reserved address 10.90.80.70/24 to comply with established network design requirements. What should you do?

A. Create an alias (CNAME) record that points client942.testking.com to ServerTK9.testking.com.
B. Configure the DNS server to accept only secure dynamic updates.
C. In the reservation MAC address setting, insert dashes to match the ipconfig output.
D. Edit the 10.90.80.70/24 reservation to use 0020ED3D41C8 MAC address.

Answer: D

Explanation:
Client reservation is used to ensure that a computer receives the same IP address all the time. Therefore, since DHCP IP address assignments use MAC addresses to control assignments, the following are required for client reservations: MAC (hardware) address and IP address. An incorrect MAC address (the MAC address of client942) has been entered in the DHCP client reservation. ServerTK9 will not use the client reservation address and will obtain another DHCP IP address. This is why you need to edit the 10.90.80.70/24 reservation to use 0020ED3D41C8 MAC address. Configuration of a reservation is dependent on the specific MAC address of a machine's network interface card.

Incorrect Answers:
A: The Canonical Name (CNAME) resource record is used to create aliases that hide your network details from the clients that connect to it. However, in this scenario the creation of a canonical name will not solve your problem.
B: Configuring the DNS server to accept only secure dynamic updates is not what is necessary in this case because the problem stems from an incorrect MAC address that has been entered into the DHCP client reservation.
C: Inserting dashes to match the ipconfig output will not force ServerTK9 to comply. The problem is an incorrectly entered MAC address. Inserting dashes merely prolongs the already incorrect MAC address. You have to edit the 10.90.80.70/24 reservation to use 0020ED3D41C8 MAC address.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 262, 427

C: Examine the system event log and DHCP server audit log files to find related events. (0 Questions)

D: Diagnose and resolve issues related to configuration of DHCP server and scope options. (7 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of two Active Directory domains. One domain is named testking.com. A subsidiary company named Acme has a domain named acme.com. Both domains are in a single forest. A primary DNS server for testking.com is located in the company's Berlin office. A primary DNS server for acme.com is located in the company's Prague office. Both DNS servers are Windows Server 2003 computers. Each domain has three regional offices. Each regional office contains the following computers:

1. A secondary DNS server in its respective domain
2. A DHCP server
3. A recently installed Microsoft Internet Security and Acceleration (ISA) Server computer that connects the LAN to the Internet

Company sales representatives visit the Berlin office, the Prague office and all regional offices several times each month. All sales representatives use Windows XP Professional portable computers that are members of the testking.com domain. You create an appropriate wpad.dat script file on each of the ISA servers in each regional office. On each DHCP server you configure the 252 Proxy Autodiscovery option and the corresponding http://ISAServerName/wpad.dat string value.

Sales representatives report that they cannot access the Internet by using Internet Explorer when they visit an office that is in the acme.com domain. You need to ensure that all users can access the Internet at all times. You want to use the minimum amount of administrative effort. What should you do?

A. Configure Windows XP Professional portable computers with the primary DNS suffix of acme.com.
B. Configure the Advanced TCP/IP Settings on the Windows XP Professional portable computers with a DNS suffix for this connection setting of acme.com.
C. On each DHCP server that is a member of the acme.com domain, configure the 015 DNS Domain Name option to be acme.com.
D. On the primary DNS server for the acme.com domain, add a _http_service service locator (SRV) resource record for each ISA server in the acme.com domain.

Answer: C

Explanation:
Configuring the 015 DNS Domain Name option to be acme.com will automatically set the "DNS Suffix for this connection" string.

Incorrect answers:
A: This option only deals with the DNS suffixes to be attempted when resolving names during a lookup.
B: The changes would have to be manually configured, with a change occurring each time the portable computer moved locations. This option therefore does not meet the minimum amount of administrative effort requirement.
D: There is no _http_service service locator (SRV) resource record like this being utilized.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 187

QUESTION NO: 2

DRAG DROP

Exhibit

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network is configured as shown in the exhibit.

TestKing1 is configured as a DNS server for domain named testking.com. TestKing1 is configured to use ISP-DNS as a forwarder. A computer named TestKingNAT is a Network Address Translation (NAT) server. TestKingNAT provides Internet access for the entire company. You recently created a subnet named Subnet 10.

You are configuring a DHCP server to support Subnet 10. You need to configure the DHCP server options for Subnet 10 to ensure that all users can access the Internet and internal resources. What should you do?

Drag and drop

Answer:

Explanation:
The 006 DNS Servers option specifies the IP address of the DNS servers available to clients on the network, whereas the 003 Router option specifies the IP address of the router or default gateway. To ensure that all users are able to access the Internet as well as internal resources you need to configure the DHCP server options for Subnet 10 as follows: assign 003 Router an IP address of 192.168.10.1 and assign 006 DNS an IP address of 192.168.2.5 since subnet10 has an IP address of 192.168.10.0/2

Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 2

QUESTION NO: 3

Network topology exhibit:

Exhibit, DHCP

You are the administrator of an Active Directory domain named testking.com. All servers run Windows Server 2003. All servers are configured with static IP addresses. All client computers run Windows XP Professional. All client computers are configured as DHCP clients. The relevant portion of the network is configured as shown in the network topology exhibit.

Users report that they cannot access the Internet. They can access shared folders and printers on the network, but no users can access the Internet. You connect to the DHCP server and find out that you can access the Internet from the server. You examine the DHCP scope properties. The properties are shown in the DHCP exhibit.

You need to ensure that all users can access the Internet from the client computers. You need to ensure that current network connectivity is not affected by your changes. What should you do?

A. Change the subnet mask on all servers and on the firewall IP address to 255.255.255.0
B. Change the IP address for all servers to 192.168.1.x, where x is a unique number less than 20.
C. Set the conflict detection attempts to 5 on the DHCP server.
D. Delete the scope on the DHCP server. Re-create the scope with the same properties but with a subnet mask of 255.255.0.0.
Answer: D

Explanation:
A scope determines the pool of IP addresses from which a DHCP server can assign IP addresses. The subnet mask of the local host is a 32-bit address used to compare the network ID of the local host to the network ID of every IP packet the host sends on the network. As shown in the exhibit, it is the subnet mask that is configured wrong. The Internet can only be accessed from the server. Thus you would need to change the scope on the DHCP server to enable all users to access the Internet from the client computers. Since it is the DHCP server that is responsible for assigning IP addresses, you need to configure it with the correct scope. Thus you delete the existing scope and then re-create it with a subnet mask of 255.255.0.0, and then you will also ensure that the current network connectivity will not be affected.

Incorrect answers:
A: Changing the subnet on all the folders will not work in this scenario since you need to make sure that you do not affect the current network connectivity.
B: This option is not the answer as it is not the IP address of the servers that is problematic. Rather, it is the DHCP scope that needs to be deleted then re-created so as to comply with the conditions as set by the question.
C: This is not a conflict detection problem.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapters 2 & 8, pp. 62, 41

QUESTION NO: 4

You are the network administrator for TestKing.com. The network contains 20 Windows Server 2003 computers. All client computers receive their TCP/IP settings from a DHCP server named Testking2. Testking2 is configured as shown in the exhibit.

TestKing has experienced rapid growth during the past six months. Users report that the network is slow. When you run Network Monitor, you notice a significant increase in broadcast traffic on the network. You want to increase network performance. What should you do?

A. Change option 046 to 0x1, B-node.
B. Change option 046 to 0x2, P-node.
C. Remove option 044 from the DHCP Server Options.
D. Create a new scope for the network ID 192.168.10.0/2

Answer: B

Explanation:
You manually change the node type of a machine by editing the local Registry. P node type clients use a configured NetBIOS name server to resolve NetBIOS names and to register their name. This client type resolves NetBIOS names in the order: NetBIOS remote name cache, NetBIOS name server. With p node, the message is sent only to the WINS server, thus reducing network traffic, which will definitely increase network performance.

Incorrect Answers:
A: Microsoft Enhanced b-node (or Modified b-node) Client checks the NetBIOS name cache, then initiates a broadcast, and lastly checks for a local LMHOSTS file. This means that a number of tasks are getting done and thus does not help insofar as network performance is concerned.
C: Option 044 in your DHCP server options is used to distribute WINS server IP addresses to your clients. It does not resolve NetBIOS names.
D: Creating a new scope for the network ID will not necessarily improve network performance. What is needed is to resolve NetBIOS names.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 7, pp. 381 - 383
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 291, 359

QUESTION NO: 5

You are the network administrator for TestKing.com. All servers run Windows Server 2003. All servers are configured with static IP addresses in the range 192.168.10.2 through 192.168.10.19. All client computers run Windows XP Professional. All client computers are configured as DHCP clients.

TestKing has a single office location. The office is connected to the Internet through a router. The router is configured with an internal IP address of 192.168.10.1. The current internal network address is 192.168.10.0/24.

The network's DHCP server is configured with a single DHCP scope that assigns IP addresses in the range 192.168.10.20 through 192.168.10.254.

You add 10 new client computers to the network. Five of these computers cannot connect to network resources. You find out that these client computers are not receiving an IP address configuration from the DHCP server. You find out that the cause is that the DHCP scope has no available addresses to assign. You create a new scope in the DHCP server that assigns IP addresses in the range 192.168.11.20 through 192.168.11.254. You restart the client computer that failed to receive an IP address from the DHCP server. The client computers still do not receive an IP address configuration from the DHCP server.

You need to ensure that all client computers can receive and consistently renew IP addresses from the DHCP server. You need to ensure that all network client computers can connect to shared resources on the network servers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. Add an additional network adapter to the DHCP server. Assign the IP address 192.168.11.10 to the new network adapter.
B. Create a superscope that includes both scopes on the DHCP server.
C. Change the IP address on all network servers to an IP address in the range 192.168.11.2 through 192.168.11.19.
D. Configure the router with an additional IP address of 192.168.11.1. Configure the router to route network traffic between the 192.168.11.0 and the 192.168.10.0 networks.

Answer: B, D

Explanation:
Superscopes are required for any network or bordering networks that are configured as multinets or are multinets themselves, forwarding broadcasts via a BOOTP router or DHCP Relay Agent. Thus creating a superscope that will include both the scopes on the DHCP server and in addition configuring the router network traffic between the two networks, will ensure that all client computers will be able to connect to shared resources and consistently have renewed IP addresses from the DHCP server.

Incorrect Answers:
A: Adding an additional network adapter to the DHCP server and assigning it 192.168.11.10 as the IP address does not mean that client computers will be able to connect to shared resources and have renewed IP addresses issued by the DHCP server.
C: Changing all network server IP addresses to an IP address that falls within the 192.168.11.2 through 192.168.11.19 range will not solve the problem.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 142

QUESTION NO: 6

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You manage one subnet. You install a Windows Server 2003 DHCP server named ServerTK2, and you configure the 192.168.1.1-254/24 scope for your subnet. The lease duration is 14 days. Servers on your subnet are statically configured in the 192.168.1.0/24 range. Other DHCP servers on the company's network are managed by other network administrators.

You expect 220 LAN DHCP clients to request IP addresses from ServerTK2. To verify that the DHCP server functions properly, you start three Windows XP Professional computers, each of which leases an IP address from ServerTK2.

Sixty power-line inspectors routinely connect their portable computers to your subnet. You expect no more than 30 power-line inspectors to connect to your subnet during any given seven-day period.

Ten days after you install the DHCP server, power-line inspectors report that they cannot connect to servers on your subnet. The DHCP log on ServerTK2 shows no errors. You open the DHCP console and see the results shown in the exhibit.

You want LAN DHCP clients and the portable computers to successfully connect to the servers on your subnet.

What should you do?

A. Reduce the lease duration to one day.
B. Increase the lease duration to 21 days.
C. Check for an overlapping scope on another DHCP server.
D. On ServerTK2, add an additional scope 192.168.2.1 - 192.168.2.254/24 and create a superscope that includes the existing scope.

Answer: A

Explanation:
The process a DHCP client goes through in order to obtain an IP address and any network specific configuration options is called the DHCP lease process. The exhibit indicates that the DHCP scope has run out of available IP addresses. This occurred because the lease is set to 14 days. You can configure the scope to reduce the lease time to one day. This will ensure that unused IP addresses are returned to the scope sooner. You do not need to configure another scope because the question states that you expect no more than 30 power-line inspectors to connect to your subnet during any given seven-day period. The existing scope therefore has sufficient IP addresses.

Incorrect Answers:
B: It is a best practice not to set your lease duration too high, because other DHCP clients on your network may be unable to obtain an IP address lease if all addresses are used up before current leases expire. Thus increasing the lease duration will not release enough unused IP addresses.
C: The problem in this scenario is not one of an overlapping scope on another DHCP server. The problem here stems from too few available IP addresses due to the lease duration of 14 days.
D: Superscopes are required for any network or bordering networks that are configured as multinets or are multinets themselves, forwarding broadcasts via a BOOTP router or DHCP Relay Agent. In this scenario creating a superscope will not solve your predicament.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 142, 16

QUESTION NO: 7

You are the network administrator for TestKing.com. All servers run Windows Server 2003. All servers are configured with static IP addresses. All client computers run Windows XP Professional. All client computers are configured as DHCP clients.

TestKing.com has a main office and one branch office. The offices are separated by a router. A DHCP server is deployed in each office. The DHCP servers are named TestKing7 and TestKing8. You configure the scopes on TestKing7 and TestKing8 as shown in the following table.

DHCP Server name | Scope name | Scope addresses
TestKing7 | Main | 10.1.16.0 - 10.1.31.25
TestKing8 | Branch | 10.2.28.0 - 10.2.31.25
TestKing7 | Main | 10.1.28.0 - 10.1.31.25
TestKing8 | Branch | 10.2.16.0 - 10.2.31.25

You shut down TestKing7 for scheduled maintenance. While TestKing7 is shut down, client computers on both offices continue to receive correct IP address assignments from TestKing8. You restart TestKing7. Several users report that when they restart their computers, they receive error messages stating that a duplicate IP address exists on the network.

You need to ensure that these error messages do not appear when you shut down and restart a DHCP server. You need to ensure that changes you make do not affect the current DHCP functionality. What should you do?

A. On each DHCP server, configure a superscope that includes both DHCP scopes.
B. Configure the router between the offices to block all broadcasts.
C. Modify the Main scope on TestKing7 to include addresses 10.1.16.0 through 10.1.27.254. Modify the Branch scope on TestKing8 to include addresses 10.2.16.0 through 10.2.27.254.
D. Modify the Main scope on TestKing8 to include addresses 10.1.16.0 through 10.1.27.254. Modify the Branch scope on TestKing8 to include addresses 10.2.16.0 through 10.2.27.254.

Answer: C

Explanation:
A superscope allows you to group two or more scopes (IP network addresses) together into a single logical network. But this is not necessary in this case as one of the requirements is that your solution is not supposed to affect the current DHCP functionality. Thus you should modify TestKing7 and TestKing8 appropriately.

Incorrect answers:
A: You are not supposed to affect the current DHCP functionality. Thus this option is not the solution.
B: There is no need to configure the router to block all broadcasts as this will result in total non-functionality.
D: This option suggests the wrong scope modifications.

Reference:
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 255
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Part 1, Chapter, pp. 537 - 540

E: Verify that the DHCP Relay Agent is working correctly. (1 Question)

QUESTION NO: 1

You are the network administrator for TestKing.com. All servers on the network run Windows Server 2003. All servers are configured with static IP addresses. All client computers run Windows XP Professional. All client computers are configured as DHCP clients.

TestKing has a main office and one branch office. The DHCP server is deployed in the main office. The routers are configured to forward all broadcasts. You deploy a DHCP relay agent in the branch office. You configure the routers to disable broadcast forwarding. The relevant portion of the network is configured as shown in the Network exhibit.

Users in the branch office report that they cannot access any shared resources on the network. You find out that the client computers are not receiving IP addresses from the DHCP server. You examine the configuration of the DHCP relay agent. The configuration is shown in the DHCP Relay Agent exhibit.

You need to ensure that the client computers located in the branch office receive IP addresses from the DHCP server. What should you do?

A. Deploy a DHCP relay agent at the main office.
B. Change the DHCP relay agent configuration so that the DHCP server has an IP address of 192.168.1.10.
C. Create a superscope on the DHCP server that includes both the scope for the main office and the scope for the branch office.
D. Change the IP address configuration for the DHCP relay agent to use 192.168.1.21 as the default gateway.

Answer: B

Explanation:
The DHCP Relay Agent is typically configured on a network segment where there is no DHCP server, like the branch office in this scenario. The DHCP server configured in the DHCP Relay Agent's properties through the DHCP Relay Agent performs the DHCP lease process. The server specified applies to each network interface that the relay agent is attached to. To ensure that the client computers located in the branch office receive IP addresses from the DHCP server, change the DHCP relay agent configuration so that the DHCP server has an IP address of 192.168.1.10.

Incorrect answers:
A: Deploying a new DHCP relay agent is not necessary. All that needs to be done is to change the DHCP relay agent to make the DHCP server IP address 192.168.1.10.
C: Superscopes are required for any network or bordering networks that are configured as multinets or are multinets themselves, forwarding broadcasts via a BOOTP router or DHCP Relay Agent. This will not ensure that the DHCP relay agent makes the DHCP server IP address 192.168.1.10.
D: This would be obsolete as there is no need to change the IP address configuration of the relay agent to make use of 192.168.1.21 as the default gateway. The default gateway should be 192.168.1.10.

Reference:

Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 142, 201
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Part 1, Chapter, pp. 537 - 540

F: Verify database integrity. (0 Questions)

Topic 2, Implementing, Managing, and Maintaining Name Resolution (101 Questions)

Part 1: Install and configure the DNS Server service.

A: Configure DNS server options. (8 Questions)

QUESTION NO: 1

Exhibit #1, Research configuration

Exhibit #2, TestKing.com configuration

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each client computer is configured with a static IP address.

The network also contains a single Windows NT domain named Research. All servers in the Research domain run Windows NT Server 4.0. All client computers run Windows NT Workstation 4.0 or Windows 2000 Professional.

Users in the testking.com domain report that they cannot access resources in the Research domain. You verify that users in the Research domain can access resources in both domains. You view the TCP/IP configuration on a client computer in the Research domain. The configuration is shown in exhibit #1. You view the TCP/IP configuration on a client computer in the testking.com domain. The configuration is shown in exhibit #2.

You need to ensure that users in the testking.com domain can access resources in the Research domain. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. On each client computer in the testking.com domain, configure a WINS address of 172.16.0.10.
B. On the DNS server in the testking.com domain, configure a WINS lookup entry with the IP address 172.16.0.10.
C. On the DNS server in the testking.com domain, configure a conditional forwarding entry to forward all queries for the Research domain to 172.16.0.10.
D. On the DNS server in the testking.com domain, enable nonsecure and secure dynamic updates.

Answer: B

Explanation:
When you configure WINS lookup for a forward lookup zone, a WINS resource record pointing to the WINS server you specify on the WINS tab is added to the zone database. When you configure WINS-R lookup for a reverse lookup zone, a corresponding WINS-R resource record is added to the zone database. Thus you will solve the problem of the users in the testking.com domain accessing resources in the Research domain with the least amount of administrative effort if you configure a WINS lookup entry with IP address 172.16.0.10 in the testking.com DNS server.

Incorrect answers:
A: WINS is a software service that dynamically maps IP addresses to computer names (Network Basic Input Output System [NetBIOS] names). This enables users to access resources by name instead of requiring them to use IP addresses that are difficult to recognize and remember. Furthermore this will result in too much administrative effort since this option suggests that each client computer in the testking.com domain has to be configured.
C: Configuring a conditional forwarding entry to forward all queries is not the answer.
D: Enabling nonsecure and secure dynamic updates will not ensure that users in the testking.com domain can access resources in the Research domain.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Chapter 5, p. 3

QUESTION NO: 2

You are the administrator of a Windows Server 2003 computer named Testking1. Testking1 is a domain member server that has the DNS service installed. The network interface on Testking1 is configured as shown in the following table.

IP address   Subnet mask   Purpose
10.10.1.1    255.255.0.0   Client referrals for name resolution queries
10.10.2.1    255.255.0.0   Third-party monitoring application
10.10.3.1    255.255.0.0   Third-party monitoring application
10.10.4.1    255.255.0.0   Clients referrals for name resolution queries
10.10.5.1    255.255.0.0   Currently not used
10.10.6.1    255.255.0.0   Currently not used

Testking1 is configured to refer to 127.0.0.1 as the IP address of the preferred DNS server. You need to increase the performance of the binding function of the DNS service on Server1. You want to accomplish this task with a minimum amount of disruption to users. What should you do?

A. In the DNS console, configure the properties of Testking1 to listen on 10.10.5.1 and 10.10.6.1 only.
B. In the DNS console, configure the properties of Testking1 to listen on 10.10.1.1 and 10.10.4.1 only.
C. In the properties of the Local Area Connection on Testking1, configure the DNS servers to be 10.10.1.1 and 10.10.4.1.
D. In the properties of the Local Area Connection on Testking1, configure the DNS servers to be 10.10.5.1 and 10.10.6.1.

Answer: B

Explanation: You specify the binding order to optimize network performance. This can be done by configuring the properties of Testking1 to listen on 10.10.1.1 and 10.10.4.1 for clients' referrals for name resolution queries.

Incorrect Answers:
A: Listening to 10.10.5.1 and 10.10.6.1 only is not the answer as those two subnet masks are not in use.
C, D: DNS server configuration can take place in the properties of the Local Area Connection on Testking1, but this will disrupt users somewhat. You need to check only the client referrals for name resolution queries by configuring the Testking1 properties in the DNS console. These referrals can be found on subnet masks 10.10.1.1 and 10.10.4.1 only.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 438

QUESTION NO: 3

You are a network administrator for TestKing. TestKing's main office is in Tokyo, and it has a branch office in Seoul. The network consists of a single Active Directory forest that contains two domains as shown in the exhibit.

Testking1 and Testking2 each have the DNS service installed as shown in the following table.

Server name   Primary DNS zones hosted   Secondary DNS zones hosted   IP address
Testking1     tokyo.testking.com         seoul.testking.com           192.168.2.1
Testking2     seoul.testking.com         tokyo.testking.com           192.168.3.1

You need to configure the primary and secondary DNS address referrals on the client computers in the Seoul office by using the minimum amount of administrative effort. You need to ensure that users have access to the Internet with as few network hops as possible. You also need to ensure that users can access resources on the internal network in Seoul only as quickly as possible, and that DNS lookup traffic over the WAN does not occur if the local DNS server is available. What should you do?

A. Configure 131.107.0.1 as the primary DNS server. Configure 192.168.2.1 as the secondary DNS server.
B. Configure 192.168.2.1 as the primary DNS server. Configure 131.107.0.1 as the secondary DNS server.
C. Configure 192.168.2.1 as the primary DNS server. Configure 192.168.3.1 as the secondary DNS server.
D. Configure 192.168.3.1 as the primary DNS server. Configure 192.168.2.1 as the secondary DNS server.

Answer: D

QUESTION NO: 4

DRAG DROP

TestKing uses an internal DNS root (.) zone. The internal root zone has delegations to three internal DNS namespaces named na.com, europe.com, and africa.com. The domain names na.com, europe.com, and africa.com are not registered on the Internet. The DNS hierarchy is displayed in the exhibit.

The network contains six Windows Server 2003 computers that function as DNS servers. Information about these servers is shown in the following table.

Server      Server hosts these zones   DNS zone type   Stored in Active Directory
TESTKING1   Root (.)                   Primary         No
TESTKING6   Root (.)                   Secondary       No
TESTKING2   africa.com                 Primary         No
TESTKING3   na.com                     Primary         No
TESTKING4   na.com                     Secondary       No

You want to configure the root hints on TestKing2 to enable resolution of all internal DNS namespaces used by TestKing. Your solution must continue to function if any single DNS server fails. What should you do? To answer, drag only the necessary and appropriate DNS server or servers to the correct location or locations in the dialog box.

Answer:

Explanation: If you have an internal DNS root in your DNS infrastructure, configure the root hints of the internal DNS servers to only point to the DNS servers hosting your root domain, and not to the DNS servers hosting the Internet root domain. This will prevent your internal DNS servers from sending private information over the Internet when resolving names.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 481-482

QUESTION NO: 5

HOTSPOT

You are the administrator for TestKing.com. The network consists of two Active Directory domains named contoso.com and corp.contoso.com. Both domains are Active Directory integrated. All domain controllers are DNS servers. Another administrator creates two application partitions named Partition1 and Partition2. The domain controllers are enlisted in the partitions as shown in the following table.

You need to configure the replication of testking.com. You also need to ensure that testking.com zone information is not replicated to caching-only servers. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer:

Explanation: Select the radio button: To all DNS servers in the Active directory domain Contoso.com

This is the default setting in Windows 2000 and Windows Server 2003. In this solution, replication will only go to the Contoso.com server because the partition option is not being utilized for setting replication. This is a trick question. When you install the first Windows Server 2003 domain controller in the forest while setting up the Active Directory environment, and you install DNS, two Windows Server 2003 DNS application directory partitions are created by default. A forest-wide DNS application directory partition called ForestDNSZones is created, and for each domain in the forest, a domain-wide DNS application directory partition called DomainDNSZones is created.

Incorrect Answer: Do not choose the option that states "to all domain controllers specified in the scope of the following application directory partition" with the Application directory partition name wanting you to select either Partition 1 or Partition 2. This answer is incorrect. You need to configure replication for contoso.com, and not replication for the caching servers.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 508

QUESTION NO: 6

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 computers, Windows XP Professional computers, and Windows 2000 Professional computers.

An IPSec policy is assigned to a server named TestKingA. By using the IP Security Monitor console on TestKingA, you verify the IPSec communication connections, and you notice that all computers that have established security associations (SAs) with TestKingA are displayed by their IP addresses.

You want computers that have established SAs with TestKingA to be displayed in IP Security Monitor by a fully qualified domain name (FQDN). What should you do on TestKingA?

A. In the assigned policy, add a new rule that filters all TCP and UDP traffic on port 53. Configure the filter action to permit unsecured IP packets to pass through.
B. Open the IP Security Monitor console and configure the properties of TestKingA to enable the Enable DNS name resolution option.
C. From a command prompt, run the netsh ipsec static show all command.
D. From a command prompt, run the netsh ipsec dynamic show all command.

Answer: B

Explanation: You have to use the IP Security Monitor console and configure the properties of TestKingA to enable the Enable DNS name resolution option. The PTR records in DNS will resolve the IP addresses to host names.

Incorrect Answers:
A: Configuring a filter rule and its action to permit unsecured traffic will not result in the computers being displayed in IP Security Monitor by a fully qualified domain name (FQDN). It would only permit unsecured IP packets to pass through.
C: Running the netsh ipsec static show all command would only return information on assigned IPSec policies.
D: Running the netsh ipsec dynamic show all command would only return statistical information on filters and security associations, and so forth.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 424, 431

QUESTION NO: 7

DRAG DROP

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The forest contains two domains named testking.com and corp.testking.com. The functional level of the forest and the two domains is Windows Server 2003.

The corp.testking.com zone is configured as an Active Directory-integrated zone. The corp.testking.com zone is also configured to replicate to all domain controllers in the domain. The servers are configured as shown in the following table.

Server                        Role                      Services and applications installed   Operating System      DNS Zones hosted
Testking1.corp.testking.com   Domain controller         DNS, Distributed File System (DFS)    Windows Server 2003   Corp.testking.com
Testking2.corp.testking.com   Application server        WINS, Exchange Server 2003            Windows 2000 Server   None
TestKing3.testking.com        DNS server                DNS                                   UNIX                  Testking.com
Testking4.corp.testking.com   Domain controller         DHCP                                  Windows Server 2003   None
Testking5.corp.testking.com   Certification authority   Certificate Services                  Windows Server 2003   None
Testking6.corp.testking.com   Domain controller         None                                  Windows Server 2003   None

You plan to remove TestKing1 from the network. You need to install DNS to host the corp.testking.com zone. Your solution must be fault-tolerant. On which server or servers should you install DNS?

Answer:

Explanation: TestKing4 and TestKing6 would be the appropriate servers on which to install DNS since they are both domain controllers and also given the situation that TestKing1 will be removed and you need to make provision for fault tolerance.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 255

QUESTION NO: 8

Exhibit, Network Topology
Exhibit, Table

You are the network administrator for TestKing. TestKing uses the testking.com namespace for its internal network. The TestKing network consists of two networks that are connected by a WAN link. The 10.9.9.0 network uses the 10.9.9.0/24 address. The 10.9.8.0 network uses the 10.9.8.0/24 address. The relevant portion of the network is shown in the network topology exhibit. The network contains the DNS servers that are configured as shown in the table exhibit.

In the 10.9.9.0/24 network, a server named TestKingE frequently needs to resolve names in the testking.com namespace and on the Internet. You need to configure the TCP/IP properties of TestKingE to use the most efficient server as its preferred DNS server. The number of hops required to resolve any name must be kept to a minimum. You also need to minimize the amount of network traffic that is caused by name resolution.

On TestKing7E which DNS server should you configure as the preferred DNS server?

A. TestKing1
B. TestKing2
C. TestKing3
D. 131.107.5.1

Answer: C

Explanation: The preferred DNS server should be the DNS server that is physically closest to the client computer. It's important to note that manual DNS settings override DNS settings obtained from a DHCP server.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 53

B: Configure DNS zone options. (28 Questions)

QUESTION NO: 1

SIMULATION

You are a network administrator for TestKing.com. The network consists of three Active Directory domains named testking.com, asia.testking.com, and pacific.testking.com.

An Active Directory application partition named asiapacificregion.testking.com has replicas on all domain controllers in the asia.testking.com and pacific.testking.com domains. Another Active Directory application partition named asiapacific.testking.com has been created on one of the DNS servers in the asia.testking.com domain.

All the DNS servers run Windows Server 2003 and are configured as domain controllers. The DNS zones named testking.com, asia.testking.com, and pacific.testking.com are Active Directory-integrated zones. TestKing DNS management standards specify that all DNS zones must be replicated by using Active Directory.

The intranet administrator of the Asia-Pacific regional division of TestKing wants a separate DNS zone to be created. This zone will be used to register host names for a regional intranet implementation. This zone must be replicated to all domain controllers in only the asia.testking.com and pacific.testking.com domains. The new zone will be named asiapacific.testking.com.

You must create the asiapacific.testking.com zone. You need to choose the appropriate configuration settings to meet the requirements. How should you configure the asiapacific.testking.com zone? To answer, configure the appropriate option or options in the dialog box.

Answer:

Explanation: A Replication zone in a DNS database is a contiguous portion of the DNS tree that is administered as a single, separate entity by a DNS server. The zone contains resource records for all the names within the zone. Since the zone should be replicated to all controllers in the asia.testking.com and pacific.testking.com domains, you should configure the Zone Replication scope to replicate to all domain controllers specified in the scope of the Asiapacificregion.testking.com application directory partition.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Chapter 14, p. 28

QUESTION NO: 2

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003.

One of the DNS servers is named DNS1. On DNS1, the DNS zone named testking.com is configured as shown in the exhibit.

Another administrator reports that domain controllers take an unacceptably long time to start and that some users cannot log on to the testking.com domain.

You need to ensure that domain controllers start as quickly as possible and that all users can log on to the testking.com domain. You must achieve this goal while ensuring that updates to the testking.com zone are as secure as possible.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. Change the zone type of the testking.com zone to an Active Directory-integrated zone.
B. Change the zone type of the testking.com zone to a stub zone.
C. Enable secure-only dynamic updates on the testking.com zone.
D. Implement an IPSec filter on DNS1 that allows DNS traffic from only domain members.
E. Configure a list of DNS servers that are allowed to transfer a copy of the testking.com zone.

Answer: A, C

Explanation: A DNS server that hosts a primary zone is said to act as a primary DNS server. Primary DNS servers store original source data for zones. With Windows Server 2003, you can implement primary zones in one of two ways: as standard primary zones, in which zone data is stored in a text file, or as an Active Directory-integrated zone, in which zone data is stored in the Active Directory database. This zone type stores zone information within Active Directory. This enables you to take advantage of additional features, such as secure dynamic updates and replication.

Active Directory-integrated zones can be configured on Windows Server 2003 domain controllers running DNS. Each domain controller maintains a writable copy of the zone information, which is stored in the Active Directory database. Furthermore, secure-only dynamic updates can be performed only in Active Directory-integrated zones. The Secure Only tab will enable dynamic updates for those users and groups authorized to do so because they have accounts in Active Directory and have been granted permission to update their records.

Thus by changing the zone type to an Active Directory-integrated zone and enabling secure-only dynamic updates you will be able to ensure that domain controllers start as speedily as possible as well as allow all users to log on to the testking.com domain. This way you will also ensure that updates will be secure.

Incorrect answers:
B: A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone. Changing the zone type to a stub zone will not do in this scenario. You need to have an Active Directory-integrated zone that will allow you to enable secure-only dynamic filters.
D: You do not need to implement an IPSec filter on DNS1 to allow only DNS traffic from the domain members.
E: There is no need for configuring a list of DNS servers. You need an Active Directory-integrated zone and to enable secure-only dynamic updates.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Chapter 4, p. 30

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run either Windows 2000 Professional or Windows XP Professional.

TestKing has offices in San Francisco, Los Angeles and London. Each office contains three servers that are configured as domain controllers and run the DNS Server service. All client computers and servers are configured to use a local DNS server as the primary DNS server.

You create a new primary zone named east.testking.com on a server in London named Testking1.

You need to configure DNS servers in San Francisco and Los Angeles to resolve queries for resources in east.testking.com. You must ensure that client computers can update DNS data on the local DNS servers. You also need to minimize WAN network traffic relating to DNS queries for resources in east.testking.com. What should you do?

A. On one DNS server in San Francisco and on one DNS server in Los Angeles, create a secondary zone east.testking.com. Configure the secondary zone to receive DNS data from the DNS server in London.
B. On one DNS server in San Francisco and on one DNS server in Los Angeles, create a primary zone east.testking.com. Enable dynamic updates on both servers for the east.testking.com zone.
C. On TestKing, configure the east.testking.com zone as an Active-Directory-integrated zone. Enable dynamic updates for the east.testking.com zone.
D. On each DNS server, create an Active Directory-integrated stub zone for east.testking.com. Configure the stub zone to replicate DNS data from the DNS server in London.

Answer: C

QUESTION NO: 4

You are the network administrator for TestKing.com. The network consists of an Active Directory forest that contains a single domain. All servers run Windows Server 2003.

You install DNS on a domain controller named Testking1. You configure Testking1 as shown in the exhibit.

All computers in the domain use Testking1 for DNS name resolution. A server named Testking3 provides Internet access for network users. Testking3 is configured as a Network Address Translation (NAT) server.

Users report that they cannot connect to Internet Web sites by using their fully qualified domain names (FQDNs). Users report that they can access internal servers by using their FQDNs.

You must ensure that users can access both Internet Web sites and internal servers by using their FQDNs. What should you do?

A. Delete the root zone on Testking1.
B. Configure all client computers to use Testking3 as their DNS server.
C. Configure the root zone on Testking1 to be an Active Directory-integrated zone.
D. Create a reverse lookup zone on Testking1.

Answer: A

Explanation: A forward lookup zone is a name to address database that assists computers to translate DNS names into IP addresses. It also provides information about available resources. The DNS servers map FQDNs to IP addresses in forward lookup zones. If you want to prevent Windows Server 2003 computers from referring queries to the Internet, you can configure them to have their own root zone. You typically configure a DNS server to contain its own root zone when you do not want your servers to reply to queries for names external to your network. This creates an empty root zone, thereby making the internal server a root server. This is the situation in the question. The forwarders would not be utilized and only internal queries would be resolved. Deleting the root zone (".") on Testking1 would enable users to access Internet Web sites and the internal server by using their FQDNs. You can make use of the DNS Manager console to delete the root zone.

Incorrect Answers:
B: To ensure that users can access both Internet Web sites and internal server by using their FQDNs, you cannot have the client computers make use of Testking3 as their DNS server. It will not solve their problem. They will only gain access when the root zone is emptied.
C: Due to the forwarders not being used and only internal queries being resolved, the problem indicated that the client computers needed their own root zone so as to prevent their computers from referring queries to the Internet. But this problem can be addressed by emptying the root zone on Testking1.
D: Creating a reverse lookup zone on Testking1 will not solve the problem for the client computers.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 4, p. 202

QUESTION NO: 5

DRAG DROP

You are a network administrator for TestKing.com. The network contains five Windows Server 2003 computers that also function as DNS servers. The servers are configured as shown in the work area.

The Lagos and Nairobi branches of the school each have five Windows XP Professional client computers. The Tangier branch has 5,000 Windows XP Professional client computers, and the Cape Town branch has 2,500 Windows XP Professional client computers.

Testking1 is located in the school's main office in Cairo. Testking1 is the authoritative server for a zone named testking.com. No changes are planned for the name server (NS) resource records for testking.com.

The DNS servers in the Nairobi and Lagos branches are multiuse servers that are configured with the minimum hardware necessary to run Windows Server 2003. The DNS Servers in the Cape Town and Tangier branches are configured as dedicated servers with hardware that is sufficient to sustain multiple DNS zones.

You need to ensure that the following requirements are met:
1. Each client computer can resolve names on the network as quickly as possible by using a fully qualified domain name (FQDN).
2. Prevent zone replication traffic from occurring on the slow network connections.
3. Minimize hard disk utilization on the DNS servers in the Lagos and Nairobi branches as much as possible.
4. Ensure that DNS queries in Tangier and Cape Town are resolved locally.

How should you configure the Remote DNS servers? To answer, drag the appropriate server configuration to the correct server or servers in the work area.

Answer:

Explanation: A forward lookup zone is a name to address database that assists computers to translate DNS names into IP addresses. The DNS servers map FQDNs to IP addresses in forward lookup zones. This enables users to access Internet Web sites and internal servers by using their FQDNs.

Configure the DNS servers in the Lagos and Nairobi branches to use a forwarder so that requests sent by your server to the forwarder will be recursive queries. The client sends a query to one name server and requests it to respond either with the requested answer or with an error. This would minimize hard disk utilization on the DNS servers.

To prevent zone replication traffic from occurring on the slow network connections, and to ensure that DNS queries in Tangier and Cape Town are resolved locally, configure these branches as standard secondary zones. A secondary zone is a read-only copy of the zone database. This would provide fault tolerance and faster name resolution across the network. It also balances the load of the primary DNS servers. The database is updated via the zone transfer process.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, pp. 204, 246-249

QUESTION NO: 6

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The Active Directory-integrated DNS zone named testking.com is replicated to all domain controllers. Only domain controllers have the DNS service installed.

The network management department requires all hosts in the manufacturing division to be registered in the namespace manufacturing.testking.com. The manufacturing.testking.com namespace does not exist on any of the DNS servers.

You need to add support for the manufacturing.testking.com namespace to all the existing DNS servers. To reduce administrative overhead, you want to find a solution that will not require reconfiguration if DNS servers are added to the domain in the future. What should you do?

A. Create a subdomain named manufacturing in the testking.com zone.
B. Create a delegation named manufacturing in the testking.com zone.
C. Create a stub zone for manufacturing.testking.com.
D. Create a primary zone for manufacturing.testking.com that is not Active Directory-integrated.

Answer: A

E3#lanation: Subdomains are belo" second>le/el domain names* and there can be multi#le subdomains belo" the secondary le/el ) sub domain is a DNS domain located directly beneath another domain name &the #arent domain( in the names#ace tree 'reating a subdomain "ill not necessitate recon$iguration in the e/ent o$ DNS ser/ers being added to the domain in $uture In this $ashion it also reduces administrati/e o/erhead i$ you add su##ort $or the manu$acturing test0ing com names#ace to all the e3isting DNS ser/ers Incorrect ans"ers: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1-> 2 +9 Delegation is an assignment of administrati%e responsibilit to a user, computer, group, or organi0ation. (or D,$, an assignment of responsibilit for a D,$ 0one is where delegation occurs when a name ser%er *,$+ resource record in a parent 0one lists the D,$ ser%er that is authoritati%e for a child 0one. This is not compl ing with the re6uirement of reducing administrati%e o%erhead. '9 A stub 0one is a cop of a 0one that contains onl the resource records re6uired to identif the authoritati%e D,$ ser%ers for that 0one. A D,$ ser%er that hosts a parent 0one and a stub 0one for one of the parent 0oneKs delegated child 0ones can recei%e updates from the authoritati%e D,$ ser%ers for the child 0one. This is not what is re6uired. D9 A primar 0one is a cop of the 0one that is administered locall . .reating a primar 0one will not be the solution. De$erence: Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd and 4aura Aunter, M.$AHM.$39 3Bam G"22=19 &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, pp. 
-212-2QUESTION NO: 7 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory $orest that contains $our domains Each domain has t"o domain controllers )ll domain controllers are con$igured as DNS ser/ers The net"or0 is con$igured as sho"n in the e3hibit 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1-= 2 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1F" 2 You need to ensure that the DNS 1one $or the research test0ing com domain remains a/ailable in the case o$ a single ser/er $ailure You also need to ensure that the 1one su##orts only secure dynamic u#dates You "ant to achie/e this goal by using the minimum amount o$ administrati/e e$$ort !hat should you do% A. .onfigure a primar 0one for research.test/ing.com on D.G. .reate a secondar 0one on D.>. 1. .onfigure a primar 0one for research.test/ing.com on D.>. .reate a secondar 0one on D.G. .. .reate an Acti%e Director partition and scope it for the domain controllers in the research domain. .onfigure an Acti%e Director 2integrated 0one to replicate to the domain controllers that are scoped in partition. D. .reate an Acti%e Director 2integrated 0one on the domain controllers in the research domain. .onfigure the 0one to replicate to all domain controllers in the domain. )ns"er: D E3#lanation: )n )cti/e Directory>integrated DNS 1one is a DNS 1one stored in )cti/e Directory !hen you con$igure a domain controller* )cti/e Directory requires that DNS be installed Yones "hich are created on a DNS ser/er that is an )cti/e Directory domain controller can be )cti/e Directory>integrated DNS 1ones )cti/e Directory>integrated DNS 1ones has se/eral ad/antages o/er non>)cti/e Directory>integrated DNS 1ones )cti/e Directory>integrated DNS 1ones can use )cti/e Directory: 1. To store 0one configuration data in Acti%e Director instead of storing it in a 0one file. 2. To use Acti%e Director Replication instead of 0one transfers. 3. 
To allow only secure dynamic updates instead of secure and non-secure updates on a non-Active Directory-integrated DNS zone.
Incorrect Answers:
A, B: You do not need to configure a primary zone and then create a secondary zone. This will involve too much administrative effort.
C: You need to create an Active Directory integrated zone and not a partition.
Reference:

Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 435

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of two Active Directory domains named testking.com and corp.testking.com. All DNS zones are configured to be Active Directory-integrated zones. You create a global security group named ConsoleAdmins in corp.testking.com. You add a member of the Domain Users global group named Anne to ConsoleAdmins. Anne logs on to her Windows XP Professional computer named Testking1. Anne runs the nslookup command and receives the output shown in the exhibit.
You need to configure the zone properties to ensure that Anne can list the contents of corp.testking.com from Testking1. What should you do?
A. Allow zone transfers to 192.168.2.47.
B. Allow zone transfers to 192.168.2.45.
C. Allow zone transfers to 192.168.2.27.
D. Allow zone transfers to 169.254.25.142.
E. Assign the ConsoleAdmins group the Allow - Full Control permission.
F. Assign the ConsoleAdmins group the Allow - List Contents permission.
Answer: C
Explanation: The default setting for Zone Security in the DNS server included with Microsoft Windows Servers is to allow zone transfer requests from any client. This allows easier configuration and setup of a new DNS server. The default settings may allow unauthorized or undesired read access to the DNS zone information. A client may request a zone transfer with the Nslookup utility, or by configuring a secondary zone on a DNS server. To restrict access, you can configure the Microsoft DNS server to "Only allow access from secondaries included on the notify list". This setting will limit access to the DNS server's zone information to IP addresses, which must be individually configured. Nslookup can be used to transfer an entire zone by using the ls command. This is useful to see all the hosts within a remote domain. The syntax for the ls command is: ls [-a | -d | -t type] domain [> filename]. We need to allow zone transfers to 192.168.2.27 to enable Anne to list the contents of the zone.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, p.
435

QUESTION NO: 9
You are the network administrator in the information technology (IT) department of TestKing. TestKing uses a DNS namespace named testking.com for the company intranet. The IT department manages three Windows Server 2003 computers that have the DNS service installed. The three DNS servers are not domain controllers. A primary zone named testking.com has been created on one of the DNS servers and has been replicated to secondary zones on the other two servers. The IT department plans to install additional DNS servers to host secondary-zone copies of testking.com in the future.
The multimedia department uses a DNS namespace named multimedia.testking.com for its own intranet. The multimedia department manages three Windows Server 2003 computers that have the DNS service installed. A primary zone named multimedia.testking.com has been created on one of the DNS servers in the multimedia department and has been replicated to secondary zones on the other two servers.
You need to configure a name resolution mechanism that will allow all DNS servers that are managed by the IT department to resolve DNS queries for hosts in the multimedia.testking.com namespace. To reduce the administrative overhead, you must implement a name resolution mechanism that you can configure on a single server. You must not be required to perform any additional configuration steps in the future, if additional DNS servers are installed by the IT department to host the

testking.com zone. How should you configure the DNS servers that are managed by the IT department?
A. In the testking.com zone, create a delegated subdomain named multimedia. Specify all the DNS servers in the multimedia department as name servers.
B. Create a secondary zone named multimedia.testking.com. Specify all the DNS servers in the multimedia department as master servers.
C. Configure conditional forwarding for the multimedia.testking.com namespace. Specify all the DNS servers in the multimedia department as target servers.
D. Create a stub zone named multimedia.testking.com. Specify all the DNS servers in the multimedia department as master servers.
Answer: A
Explanation: Delegation is the process of assigning authority over child domains in your DNS namespace to another entity by adding records in the DNS database. As the manager of a DNS domain, DNS provides the option of creating child domains and their respective zones, which can then be stored, distributed, and replicated to other DNS servers. These additional zones can be delegated to other administrators to manage. By creating a delegated sub-domain, we are adding NS (Name Server) records to the testking.com zone. If a testking.com DNS server receives a query for a host in the multimedia.testking.com namespace, the server will know from the NS records the addresses of the DNS servers in the multimedia.testking.com domain and forward the query to the appropriate DNS server.
Incorrect Answers:
B: The question states, "You must not be required to perform any additional configuration steps in the future, if additional DNS servers are installed by the IT department to host the testking.com zone." If we configure a secondary zone named multimedia.testking.com on the existing DNS servers, we would have to configure a secondary zone named multimedia.testking.com on any future DNS servers.
C: This answer doesn't make sense.
You can't configure conditional forwarding for the multimedia.testking.com namespace to forward to a DNS server that hosts the multimedia.testking.com zone. This answer is suggesting configuring a DNS server to forward to itself.
D: The question states, "You must not be required to perform any additional configuration steps in the future, if additional DNS servers are installed by the IT department to host the testking.com zone." If we configured a stub zone on the existing DNS servers, we would have to configure a stub zone on any future DNS servers.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 489

QUESTION NO: 10
DRAG DROP
Exhibit: *** MISSING ***
You are the network administrator for TestKing.com. TestKing.com uses an internal DNS root (.) zone. The DNS internal root zone has delegations to three internal namespaces named testkingonlinetesting.com, testkingqa.com, and testkingstudyguide.com. The domain names testkingonlinetesting.com, testkingqa.com, and testkingstudyguide.com are not registered on the Internet. The DNS hierarchy is displayed in the exhibit. The network contains six Windows Server 2003 computers that function as DNS servers. Information about these servers is shown in the following table.

Server      Server hosts zones          DNS zone type   Stored in Active Directory
TestKingA   Root (.)                    Primary         No
TestKingF   Root (.)                    Secondary       No
TestKingB   testkingqa.com              Primary         No
TestKingC   testkingstudyguide.com      Primary         No
TestKingD   testkingstudyguide.com      Secondary       No
TestKingE   testkingonlinetesting.com   Primary         No

You are required to configure the root hints on TestKingB to enable resolution of all internal DNS namespaces used by TestKing. Your solution must continue to function if any single DNS server fails. What action should you take? (Use only required and fitting DNS server or servers to the correct location or locations in the dialog box)
Answer:
Explanation: A root server in a DNS namespace is created by naming a zone with a single dot. In this case, you are using the DNS service on your private network. The contents of the Cache.dns file have to be modified via the Root Hints tab of the DNS server properties dialog box. The root hints have to point to the root servers in your network.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 4, lesson 3.

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run either Windows Server 2003 or Windows 2000 Server. All client computers run either Windows 2000 Professional or Windows XP Professional. The DNS service is installed on three Windows Server 2003 computers that are configured as domain controllers.
The company's network management standards state that a DNS domain must be created for each regional division in the company. A new regional division named South America is added to the company. You need to create a corresponding DNS zone named samerica.testking.com. The network management standards contain the following requirements:
1. All hosts must be registered in DNS
2.
All DNS records must be kept up-to-date at all times, and any changes to the host name or IP address must be updated on the DNS record
3. When hosts are removed from the network, the corresponding DNS records must be deleted
4. To prevent problems caused by duplicate computer names, one host must not be able to overwrite another host's entry in DNS
5. To reduce administrative effort, all possible administrative tasks should be automated
6. To allow for different requirements between departments, configuration changes should, where possible, be applied only to individual zones
You must configure the samerica.testking.com zone to meet the stated requirements. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. Create a primary zone named samerica.testking.com, and ensure that the Store the zone in Active Directory option is disabled.
B. Create a primary zone named samerica.testking.com, and ensure that the Store the zone in Active Directory option is enabled.
C. Enable automatic scavenging of stale resources records on all the DNS servers, and configure the scavenging options on the samerica.testking.com zone.
D. Configure the Expires after setting on the samerica.testking.com zone to be 1 day.
E. Configure the Dynamic updates setting on the samerica.testking.com zone to be Secure only.
F. Configure the Dynamic updates setting on the samerica.testking.com zone to be Secure and nonsecure.
Answer: B, C, E
Explanation: Zones stored this way are located in the Active Directory tree under the domain or application directory partition. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Aging and scavenging is the process that the DNS service uses to remove outdated or stale resource records. Aging and scavenging is important because outdated or stale records may:

1. Not have been removed.
2. Take up space in the DNS database.
3. Cause unnecessarily long zone transfers.
4. Be sent as responses to queries and thus cause name resolution issues for DNS clients.
Dynamic update is the process of a DNS client dynamically creating, registering, or updating its records in zones which are maintained by DNS servers that can accept and process messages for dynamic updates. A secure dynamic update is a process in which a client submits a dynamic update request to a DNS server, and the server attempts the update only if the client can prove its identity and has the proper credentials to make the update. Secure dynamic updates are only available on Active Directory-integrated zones.
Incorrect Answers:
A: The Store the zone in Active Directory option should not be disabled. Therefore this option is incorrect.
D: Configuring the Expires after setting on the samerica.testking.com zone to be 1 day is not going to help you in meeting the requirements as stated in the question. The better option would be to enable automatic scavenging of stale resource records.
F: The dynamic updates should be secure only to be able to meet the stated requirements.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, p.
332

QUESTION NO: 12
Exhibit:
You are the network administrator for TestKing.com. The network contains 15 Windows Server 2003 computers that host a DNS zone named testking.com. A server named ServerTK1 is located in the main office and hosts the primary zone for testking.com. The 14 other servers are located in branch offices. These 14 servers host secondary zones for testking.com. The properties of the start of authority (SOA) resource record for testking.com are shown in the exhibit.
The network connections between the main office and the branch offices fail. You need to ensure that a zone transfer takes place as soon as the network connections between the main office and the branch offices become available. You also need to ensure that network traffic does not increase. What should you do on ServerTK1?
A. Change the Time to Live (TTL) for the SOA record to 1 minute.
B. Change the retry interval to 1 minute.
C. Change the serial number to 1558.
D. Change the serial number to 1556.
Answer: C
Explanation: When a DNS server receives an update directly (either from the administrator, or through dynamic updates) its serial number always increases. Each time the zone information is updated, the zone's serial number is incremented. Serial numbers are used by other DNS servers to determine whether or not updates to their records are required. If the primary DNS server's serial number is higher than that of the secondary DNS server, the secondary DNS server knows it must initiate a pull transfer in order to update its records. Thus it would make sense to change the serial number to 1558 so as to ensure zone transfers take place speedily without increasing network traffic.
Incorrect Answers:
A: Minimum (default) TTL is the minimum Time-To-Live (TTL) value applied to all resource records in the zone with unspecified record-specific TTLs. This value is supplied in query responses by servers for the zone to inform others how long they should cache a resource record provided in an answer. Default here is 1 hour.
B: A retry interval is where a secondary DNS server may be unable to refresh data from the primary server because of a connection or service failure. The secondary DNS server attempts to refresh data once the interval specified for retrying lapses. Thus it would be logical that the retry interval should be less than the refresh interval. Retry interval is the time, in seconds, that a secondary server waits before retrying a failed zone transfer. The default is 10 minutes. This is not the value that has to be changed.
D: The serial number has to be changed to 1558 not 1556.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 204, 430, 50
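The serial and retry behaviour described in the explanation above, as an added Python example that is not part of the original material. It models only the secondary's pull path (refresh, retry, expire) with RFC 1982 serial comparison; the secondary's serial of 1557 and the refresh and expire timers are assumed values, because the exhibit is not reproduced on the page.

```python
from dataclasses import dataclass
from typing import Optional

SERIAL_MOD = 2 ** 32   # an SOA serial is an unsigned 32-bit counter
HALF_RANGE = 2 ** 31


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: is `candidate` ahead of `current`?"""
    diff = (candidate - current) % SERIAL_MOD
    # diff == 0 means equal; diff == HALF_RANGE is undefined in RFC 1982,
    # so neither case counts as "newer".
    return 0 < diff < HALF_RANGE


@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int   # seconds between routine serial checks
    retry: int     # seconds between checks after a failed check
    expire: int    # seconds after which an unrefreshed copy must not be served


def next_poll_after(soa: Soa, link_restored_at: int) -> int:
    """First poll (seconds since the last good refresh) that can succeed
    once the link is back: polls happen at `refresh`, then every `retry`."""
    if link_restored_at <= soa.refresh:
        return soa.refresh
    missed = link_restored_at - soa.refresh
    retries = -(-missed // soa.retry)   # ceiling division
    return soa.refresh + retries * soa.retry


def secondary_action(local: Soa, primary_serial: Optional[int], elapsed: int) -> str:
    """Decision a secondary takes at a poll `elapsed` seconds after its last
    good refresh. primary_serial is None when the primary was unreachable."""
    if primary_serial is None:
        return "stop-answering" if elapsed >= local.expire else "retry"
    if serial_is_newer(primary_serial, local.serial):
        return "transfer"
    return "keep-zone"


# Constructed sample. The 10-minute retry is the default the text states;
# serial 1557, the 15-minute refresh and the 1-day expire are assumptions.
SECONDARY = Soa(serial=1557, refresh=900, retry=600, expire=86400)

if __name__ == "__main__":
    poll = next_poll_after(SECONDARY, link_restored_at=1000)
    print("first poll after the link returns:", poll, "s")
    for offered in (1558, 1556, None):
        print(offered, "->", secondary_action(SECONDARY, offered, poll))
```

A serial lower than the one the secondary already holds produces no transfer at all, which is why only a higher serial on the primary causes the pull.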

QUESTION NO: 13
DRAG DROP
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The domain contains two Windows Server 2003 domain controllers named TestKingA and TestKingB. TestKingA and TestKingB have the DNS service installed. TestKingA is located in the main office in Toronto. TestKingB is located in a branch office in Mexico City. The branch office network contains an IP subnet with the network address 192.168.1.0/24. You plan to designate main office servers as the master servers for any future reverse lookup zone. The DNS servers are not configured to perform reverse lookups. You need to create a reverse lookup record for a branch office client computer named computer1.testking.com, which has an IP address of 192.168.1.21. What should you do? To answer, drag the action that you should perform first to the Action 1 box. Continue dragging actions to the corresponding numbered boxes until you list all required actions in the correct order. You might not need to use all numbered boxes.
Answer:
Explanation: By creating the zone on the main office TestKingA server, that server will act as the master server for any future reverse lookup zone. This zone will be delegated to TestKingB, which is located in a branch office in Mexico City. Create a PTR record to resolve a reverse lookup for the branch office client computer named computer1.testking.com, which has an IP address of 192.168.1.21. Delegation of zone 0/24 means that the TestKingB server will resolve reverse lookups in the zone 192.168.1.0 for any computer queries from 192.168.1.1 to 192.168.1.254.
Reference: J. C.
Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, p. 4:28

QUESTION NO: 14
SIMULATION
You are the network administrator for TestKing.com. The network consists of two Active Directory domains named testking.com and corp.testking.com. All DNS zones are configured as Active Directory-integrated zones. A user named Tess logs on to her Windows XP Professional computer, which is named Computer1. Tess runs the nslookup command and receives the output shown in the exhibit.
*** Missing exhibit ***
You need to ensure that Tess can list the contents of corp.testking.com from only Computer1. What should you do? To answer, configure the appropriate option or options in the dialog box, and drag the appropriate IP address or addresses to the appropriate location or locations.
Answer: Enter the IP address of Computer1 in the dialog box.
Explanation: This will enable Tess to run the nslookup ls command. Nslookup can be used to transfer an entire zone by using the ls command. In order for nslookup to work properly, you must have a Reverse Lookup Zone set up for the domain you want to troubleshoot. When you launch nslookup, it does a reverse lookup against your configured DNS server, and reports an error if a reverse lookup zone is not configured. Any record you want to perform a lookup against must have an associated PTR record registered in the reverse lookup zone, or troubleshooting with nslookup will not work.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W.
Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 546-547
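A review of zone-transfer settings along the lines of questions 8 and 14 above (open to any client versus limited to individually listed addresses), as an added Python example that is not part of the original material. The mode names, the ZonePolicy structure and all addresses are assumptions made for illustration; the addresses come from the 192.0.2.0/24 documentation range.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# Transfer modes, modelled on the choices a zone's transfer settings offer.
ANY = "any-server"
NAME_SERVERS = "name-servers-only"
LISTED = "listed-servers-only"
DISABLED = "disabled"


def to_ips(addresses) -> Set:
    """Parse address strings so that formatting differences do not matter."""
    return {ipaddress.ip_address(a.strip()) for a in addresses}


@dataclass
class ZonePolicy:
    zone: str
    mode: str
    name_servers: Set[str] = field(default_factory=set)  # hosts with NS records
    allow_list: Set[str] = field(default_factory=set)    # entered one by one


def transfer_allowed(policy: ZonePolicy, requester: str) -> bool:
    """Would a zone transfer (for example nslookup's ls) from `requester` succeed?"""
    source = ipaddress.ip_address(requester.strip())
    if policy.mode == ANY:
        return True
    if policy.mode == NAME_SERVERS:
        return source in to_ips(policy.name_servers)
    if policy.mode == LISTED:
        return source in to_ips(policy.allow_list)
    return False  # disabled or unknown mode: fail closed


def review(policy: ZonePolicy, admin_hosts: Set[str]) -> List[str]:
    """Findings for one zone: open transfers, admin hosts locked out,
    and listed addresses nobody can account for."""
    findings = []
    order = lambda ip: (ip.version, int(ip))
    if policy.mode == ANY:
        findings.append(f"{policy.zone}: OPEN, any host can list the whole zone")
    for host in sorted(to_ips(admin_hosts), key=order):
        if not transfer_allowed(policy, str(host)):
            findings.append(f"{policy.zone}: admin host {host} cannot list the zone")
    if policy.mode == LISTED:
        expected = to_ips(policy.name_servers) | to_ips(admin_hosts)
        for extra in sorted(to_ips(policy.allow_list) - expected, key=order):
            findings.append(
                f"{policy.zone}: {extra} is listed but is not a known server or admin host")
    return findings


# Constructed sample data.
COMPUTER1 = "192.0.2.50"
SERVERS = {"192.0.2.10", "192.0.2.11"}
BEFORE = ZonePolicy("corp.testking.com", ANY, name_servers=SERVERS)
AFTER = ZonePolicy("corp.testking.com", LISTED, name_servers=SERVERS,
                   allow_list={COMPUTER1})
STALE = ZonePolicy("corp.testking.com", LISTED, name_servers=SERVERS,
                   allow_list={COMPUTER1, "192.0.2.99"})

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER), ("stale", STALE)):
        print(label, review(policy, {COMPUTER1}) or "no findings")
```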

QUESTION NO: 15
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The testking.com domain contains three domain controllers. You use a computer named Workstation4 for DNS administration and monitoring. Computer configuration information is shown in the following table. You frequently use the NSLOOKUP ls -d testking.com command to verify entries in the testking.com zone. The DNS zone configuration for the testking.com zone is shown in the exhibit.
** missing **
The DNS configuration plan requires that the testking.com zone must be available on all DNS servers in the Active Directory forest. You need to configure the zone transfer settings for the testking.com zone according to the DNS configuration plan. You must also ensure that Workstation4 can perform all specified DNS monitoring tasks. Zone transfers have been enabled. You need to select which computer or computers will be allowed to receive zone transfers. To answer, drag the appropriate IP address or addresses to the correct location or locations in the dialog box.
Answer:
Explanation: Drag the following addresses to server list: 10.1.0.2, 10.1.0.3 and 10.1.0.4. Assuming 10.1.0.1 is the primary DNS, and then 10.1.0.2 10.1.0.3 will receive zone transfers. 10.1.0.4 is also required to allow the NSLOOKUP ls -d testking.com from the workstation.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, p.
507

QUESTION NO: 16
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The DNS servers for the domain are configured as shown in the following table.

Server Name   DNS Zone Type
Sever1        Primary
TestKing2     Secondary

You disconnect TestKing2 from the network to conduct hardware maintenance. Several days later, you reconnect TestKing2 to the network. The properties of the SOA (start of authority) resource record for the zone on TestKing1 are shown in the TestKing1 exhibit.
The properties of the SOA resource record for the zone on TestKing2 are shown in the TestKing2 exhibit.
You need to ensure that TestKing2 can immediately and accurately answer DNS requests from client computers on the network. What should you do?
A. On TestKing1, create a new zone delegation for TestKing2.
B. On TestKing1, update the server data file.
C. On TestKing2, clear the DNS cache.
D. On TestKing2, transfer the zone from TestKing1.
E. On TestKing2, reload the zone.
Answer: D
Explanation: The exhibits show that the serial number in the primary DNS server exhibit is higher than the secondary DNS server exhibit. This indicates that changes have been made to the zone on the primary server. What this means is that the information in the zone on the secondary DNS server is out of date. You need to transfer the zone from TestKing1 so that the secondary DNS server has the most current information.
Incorrect Answers:
A: A zone delegation is irrelevant to this question.
B: TestKing1, the primary DNS server, has the most recent information. You need to

replicate this information to TestKing2.
C: The serial number indicates that the zone file on TestKing2 is outdated. This is not a DNS cache issue.
E: Reloading the zone on TestKing2 will only reload the old zone. You need to transfer the more recent zone to TestKing2.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 42

QUESTION NO: 17
You are the network administrator for TestKing.com. The company registers the DNS domain name testking.com. The testking.com DNS domain will contain the host name records for three servers in the company that are accessible from the Internet. One of these servers functions as a Web server, one functions as an FTP server, and one functions as a mail server. The primary name server for the testking.com zone is a Windows Server 2003 computer named TESTKINGSRVA. TESTKINGSRVA is on a network segment that is accessible from the Internet. The company also wants to use the DNS namespace testking.com to register hosts from the internal network. The internal network is protected by a firewall that filters traffic from the Internet. The written company security policy states that host names on the internal network must not be resolved by queries from the Internet.
You install Windows Server 2003 on a computer named TESTKINGSRVB. TESTKINGSRVB will be used to allow computers on the internal network to resolve host names in the testking.com namespace. All computers on the internal network will be configured to use TESTKINGSRVB as their DNS server. The company network is configured as shown in the exhibit. You need to configure TESTKINGSRVA and TESTKINGSRVB so that all computers on the internal network can resolve the host names of
1. other computers on the internal network, and
2.
the three servers that are accessible from the Internet
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create a primary DNS zone named testking.com on TESTKINGSRVB.
B. Create a secondary DNS zone named testking.com on TESTKINGSRVB.
C. Configure DNS forwarding from TESTKINGSRVB to TESTKINGSRVA.
D. Configure DNS forwarding from TESTKINGSRVA to TESTKINGSRVB.
E. Manually add a host (A) record for each computer on the internal network to the testking.com zone on TESTKINGSRVA.
F. Manually add a host (A) record for each Internet-accessible computer to the testking.com zone on TESTKINGSRVB.
Answer: A, F
Explanation: You must configure a primary zone named testking.com on the internal server to use the testking.com name for the internal network. For the internal server to resolve the hostnames of the external servers, you must manually add a host (A) record for each server on the internal DNS server.
Incorrect Answers:
B: You need a primary zone for the internal network and not a secondary DNS zone.
C: You do not need to configure forwarding. The question does not state that you need to resolve Internet host names. You only need to resolve the names of the external servers.
D: DNS forwarding is not required because you only need to resolve the names of external servers.
E: This would enable external hosts to resolve hostnames from the internal network.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp.
33, 42

QUESTION NO: 18
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 computer named TestKingSrvA. TestKingSrvA is a domain controller and primary DNS server for testking.com. The company opens a new branch office. A Windows Server 2003 computer named

TestKingSrvB is located at the new office. TestKingSrvB is a domain controller and a DNS server. You set up a DNS zone for east.testking.com on Serve2. You need to ensure that computers in testking.com can resolve host names in east.testking.com on TestKingSrvB. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Add a start-of-authority (SOA) record to TestKingSrvA that refers to TestKingSrvB.east.testking.com.
B. Add a new delegation on TestKingSrvA for east.testking.com to TestKingSrvB.
C. Add a new stub zone to TestKingSrvA named east.testking.com.
D. Add a service locator (SRV) record to TestKingSrvA that refers to TestKingSrvB.east.testking.com.
Answer: B, C
Explanation: A stub zone is a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. Stub zones contain the Start of Authority (SOA) resource records of the zone - the DNS resource records that are required for contacting the zone's authoritative servers. Delegation is the process of distributing responsibility for domain names between different DNS servers in your network. You have to create at least one zone for each domain name delegated. The more domains you delegate, the more zones you need to create. A delegation or stub zone would enable TestKingSrvA to forward resolution requests for east.testking.com to TestKingSrvB.
Incorrect Answers:
A: The start-of-authority (SOA) record must exist in the delegated zone.
D: You need NS records to point to TestKingSrvB, not SRV records.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide + DVD Training System, Syngress Publishing Inc., Rockland, 2003, p.
431

QUESTION NO: 19
You are the network administrator for Test King Inc. The network consists of a single Active Directory forest. The forest contains three domains named testking.com, corp.testking.com, and regions.testking.com. The company has offices in many cities. All domain controllers are configured as DNS servers. Zone replication for each DNS zone is configured to occur between the domain controllers in each domain. The domain controllers are configured as shown in the following table.
You perform a recursive query against TestKing1 and discover that TestKing1 queries only TestKing3 for the zone information in regions.testking.com. You need to ensure that a recursive query against TestKing1 will request information from TestKing4 and TestKing5, in addition to TestKing3. You also need to ensure that any domain controllers that are added to regions.testking.com will be added automatically to the list of servers against which TestKing1 will query. What should you do?
A. On TestKing1, create a stub zone for regions.testking.com.
B. On TestKing1, create a secondary zone for regions.testking.com.
C. On TestKing3, configure regions.testking.com to replicate to all DNS servers in the forest.
D. On TestKing3, configure regions.testking.com to replicate to all DNS servers in the domain.
Answer: A
Explanation: A stub zone will list all the name servers for regions.testking.com. Name resolution requests for hosts in regions.testking.com will be forwarded to the three regions.testking.com servers. The stub zone information will automatically be updated when name servers are added to regions.testking.com.
Incorrect Answers:
B: A secondary zone does not forward resolution requests.
C: Replicating to all DNS servers in the forest will not assist in meeting the requirements because the DNS servers will only be able to use the replicated information if they are configured with a zone for regions.testking.com.
D: This option is similar to &ncorrect Answer . albeit a forest or a domain. 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1G> 2

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 424, 431

QUESTION NO: 20
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains three servers. Information about the servers is shown in the following table.

TestKingA is the start of authority (SOA) for testking.com. TestKing adds a new branch office. The network in the new office is assigned to a child DNS domain named south.testking.com. The two domains connect to each other through a VPN connection. TestKingB is configured as the SOA for south.testking.com. A Windows XP Professional computer named TestKing1 is located in the testking.com domain. The relevant portion of the network is shown in the exhibit.

A user reports that he cannot connect to TestKingC from TestKing1. You need to ensure that client computers in the testking.com domain can resolve host names in south.testking.com. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. On TestKingB, add a host (A) record for TestKingA.
B. On TestKingA, add a delegation for south.testking.com.
C. On TestKingB, add a pointer (PTR) record for TestKingA.testking.com.
D. On TestKingA, add a host (A) record for TestKingB.
E. On TestKingA, add a stub zone for south.testking.com.

Answer: B, E

Explanation: A stub zone is a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. Stub zones contain the Start of Authority (SOA) resource records of the zone - the DNS resource records that are required for contacting the zone's authoritative servers. Delegation is the process of distributing responsibility for domain names between different DNS servers in your network. You have to create at least one zone for each domain name delegated. The more domains you delegate, the more zones you need to create. Thus adding a delegation and a stub zone for south.testking.com on TestKingA will work.

Incorrect Answers:
A: This will result in only clients in south.testking.com able to locate TestKingA by hostname.
C: This will only enable clients in south.testking.com to resolve an IP address to TestKingA.
D: This will enable clients in testking.com to only locate TestKingA, and not all computers in south.testking.com.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 431

QUESTION NO: 21
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. All servers run either Windows Server 2003 or Windows 2000 Server. All client computers run either Windows XP Professional, Windows 2000 Professional or Windows NT Workstation 4.0. All the computers are members of the domain. All servers have static IP addresses, and all client computers are assigned addresses by a DHCP server that runs Windows Server 2003. The DNS service is installed on three Windows Server 2003 computers that are configured as domain controllers. Company network management standards state that a DNS domain must be created for each department in the company. A new department named Market Research has been organized. You need to create a corresponding DNS zone named marketresearch.testking.com. The network management standards contain the following requirements:

1. All computers must be registered in a DNS zone.
2. All DNS records must be kept up-to-date at all times, and any changes to the host name or IP address must be updated on the DNS record.
3. Only computers that have valid accounts in the domain must be allowed to dynamically register records in the DNS zone.
4. To reduce administrative effort, all possible administrative tasks should be automated.

You must configure the marketresearch.testking.com zone to meet these requirements. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. Create a standard primary zone named marketresearch.testking.com.
B. Create an Active Directory-integrated zone named marketresearch.testking.com.
C. Configure the Dynamic updates settings on the marketresearch.testking.com zone to be Secure only.
D. Configure the Dynamic updates settings on the marketresearch.testking.com zone to be Secure and nonsecure.
E. Configure the Dynamic updates setting on the marketresearch.testking.com zone to be None.
F. Manually create and update DNS records for all hosts in the marketresearch.testking.com zone.
G. Configure the DHCP server to register client computers that have received IP configuration from the DHCP server in the marketresearch.testking.com zone.

Answer: B, C,

Explanation: Create an Active Directory-integrated zone named marketresearch.testking.com. Configuring the Dynamic updates settings on the marketresearch.testking.com zone to be Secure only would ensure automated replication and secure records. Finally, configuring the DHCP server to register client computers that have received IP configuration from the DHCP server in the marketresearch.testking.com zone would ensure that DHCP will register the A and PTR records on behalf of the clients.

Incorrect Answers:
A: If you want secure updates, you will need an Active Directory-integrated zone.
D: Non-secure updates should not be permitted. It poses an unnecessary risk.
E: Dynamic updates should be enabled to automate administrative tasks.
F: This option does not reduce administrative effort, nor does it automate the process.
Dynamic updates should be enabled.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 4, p. 237

QUESTION NO: 22
You are the network administrator for the Beijing office of TestKing. A branch office is located in Cairo. The DNS servers in both locations run Windows Server 2003. The network uses two DNS namespaces internally. They are named publishing.testking.com and testking.com. The locations of the primary name servers are shown in the following table.

The Beijing office contains some servers that are registered in the testking.com zone and others that are registered in the publishing.testking.com zone. All computers in the Beijing office are configured to use the local DNS server as their preferred DNS server. The two offices are connected only by using a VPN through the Internet. Various network problems occasionally result in loss of connectivity between the two offices. Firewalls prevent the DNS servers in both offices from receiving queries from the Internet. You need to configure the DNS server in the Beijing office to allow successful resolution of all queries from the Beijing office for names in the publishing.testking.com namespace, even when the VPN link between the Beijing and Cairo offices fails. What should you configure on the DNS server in the Beijing office?

A. In the testking.com zone, create a delegated subdomain named publishing. Specify the DNS server in the Cairo office as a name server.
B. Create a secondary zone named publishing.testking.com. Specify the DNS server in the Cairo office as a master server.
C. Configure conditional forwarding for the publishing.testking.com namespace. Specify the DNS server in the Cairo office as a target server.
D. Create a stub zone named publishing.testking.com. Specify the DNS server in the Cairo office as a master server.

Answer: B

Explanation: We must be able to look up in the Beijing testking.com for records in Cairo publishing.testking.com without a network connection. Beijing office (testking.com) uses the local DNS server as their preferred DNS server. Beijing office needs to allow successful resolution of all queries from the Beijing office for names in the publishing.testking.com namespace (Cairo server), even when the VPN link between the Beijing and Cairo offices fails. We just have one option: use delegation and point.

Secondary DNS server: A DNS server that hosts a read-only copy of zone data. A secondary DNS server periodically checks for changes made to the zone on its configured primary DNS server, and performs full or incremental zone transfers, as needed. A secondary zone contains a complete copy of a zone. After transferring the secondary zone from the child domain, we can set the name server of Cairo DNS in this way.

Delegation is the process of using resource records to provide pointers from parent zones to child zones in a namespace hierarchy. This enables DNS servers in a parent zone to route queries to DNS servers in a child zone for names within their branch of the DNS namespace. Each delegation corresponds to at least one zone.

Incorrect Answers:
A: We can not delegate a child zone to a principal zone; we can delegate to another server in the child zone. If you are deploying DNS on a large enterprise network, or if you expect your network to expand to include additional subnets and sites, consider distributing the management of portions of your DNS namespace to the administrators for the different subnets and sites in your network. To distribute the management of your DNS namespace, create subdomains of your initial DNS domain and delegate the authority for these subdomains to DNS servers located on different subnets or sites. In this way, you can create any number of separate and autonomous entities within a DNS namespace, each of which is authoritative for a portion of the overall namespace.
C: We can not forward queries that are not in the Cairo DNS cache for publishing.testking.com over a broken link.
D: We can not use a stub zone. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone's authoritative servers, and the glue address (A) resource records that are required for contacting the zone's authoritative servers. Stub zones are used to reduce the number of DNS queries on a network, and to decrease the network load on the primary DNS servers hosting a particular name.

Reference: SERVER HELP
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 23
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The DNS servers for the domain are configured as shown in the following table.

You disconnect TestKingSrvB from the network to conduct hardware maintenance. Several days later, you reconnect TestKingSrvB to the network. The properties of the SOA (start of authority) resource record for the zone on TestKingSrvA are shown in the TestKingSrvA exhibit.

The properties of the SOA resource record for the zone on TestKingSrvB are shown in the TestKingSrvB exhibit.

You need to ensure that TestKingSrvB can immediately and accurately answer DNS requests from client computers on the network. What should you do?

A. On TestKingSrvA, create a new zone delegation for TestKingSrvB.
B. On TestKingSrvA, update the server data file.
C. On TestKingSrvB, clear the DNS cache.
D. On TestKingSrvB, transfer the zone from TestKingSrvA.
E. On TestKingSrvB, reload the zone.

Answer: D

Explanation:

Server TestKingSrvA has serial number DNS version 2561. Server TestKingSrvB has serial number DNS version 2543. We need to transfer the latest DNS version zone from TestKingSrvA in order to update the records in TestKingSrvB.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, p. 271
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, p. 5:19

QUESTION NO: 24
You are the administrator of a Windows Server 2003 computer named Testking1. Testking1 is a member server that has the DNS service installed. Testking1 hosts a standard primary DNS zone. This zone contains host records for 15 production servers. You need to configure the DNS service on Testking1 to ensure that no client-initiated host updates from Windows XP Professional client computers or Windows Server 2003 computers are added to the zone. What should you do?

A. Configure the DNS zone with a Dynamic updates setting of None.
B. Configure Testking1 as a caching-only server.
C. Configure the DNS zone to allow zone transfers to only servers that have name server (NS) resource records.
D. Delete all entries in the Root Hints tab in the properties of Testking1.

Answer: A

Explanation: A dynamic update is an update to the DNS standard that permits DNS clients to dynamically register and update their resource records in zones. Dynamic updates can be disabled on the host and for some environments, this might make sense. Dynamic updates can be disabled for the computer or for one or more interfaces on that computer. By changing this default value in the Windows Server 2003 registry, the DNS client is prevented from registering A and PTR RRs for whichever interfaces are specified. Thus by configuring the DNS zone setting of None for Dynamic Updates you can ensure that no client-initiated host updates are added to the zone.

Incorrect answers:
B: A Caching-only server is a DNS server set up to resolve the queries of DNS clients using its configured root hints or any DNS forwarders. Caching-only DNS servers build up a local cache of resolved queries while performing recursive DNS queries for its clients. DNS caching-only servers are not authoritative and thus do not host any local DNS zones.
C: The Name Server (NS) resource record indicates which DNS servers are authoritative for the zone. They specify both primary and secondary servers for the zone indicated in the SOA record. They also indicate servers for any delegated zones. This will not prevent dynamic updates that cause client-initiated host updates being added to the zone.
D: Deleting all entries in the Root Hints tab in the properties of TestKing1 will not prevent client-initiated host updates from computers that will be added to the zone.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 246, 283
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 427, 480

QUESTION NO: 25
You are the network administrator for TestKing.com. TestKing.com uses a DNS namespace named testking.com on the company intranet. Three hundred records have been manually created in the testking.com zone for hosts that do not support dynamic updates. The testking.com primary zone is currently located on a Windows Server 2003 computer named TestKing3. No secondary zone is currently configured. TestKing.com purchases a new computer to function as the primary server for the testking.com zone. The new computer will be named TestKing4. When TestKing4 is configured, TestKing3 must be reconfigured to host testking.com as a secondary zone.

You install Windows Server 2003 on TestKing4 and add the DNS service. You need to configure TestKing4 to host the primary zone for the testking.com namespace. The records that are currently in the testking.com zone must be retained. You want to ensure that all host names can be resolved immediately after TestKing4 becomes the new primary name server for the zone. What should you do?

A.
1. On TestKing4, set up a primary zone named testking.com.
2. Copy the file %systemroot%\system32\dns\testking.com.com.dns from TestKing3 to the same location on TestKing4.
3. On TestKing3, delete the testking.com primary zone.
4. On TestKing3, set up a secondary zone named testking.com.

B.
1. On TestKing4, set up a primary zone named testking.com.
2. Enable dynamic updates on the zone.
3. On TestKing3, delete the testking.com primary zone.
4. On TestKing3, set up a secondary zone named testking.com.

C.
1. On TestKing4, set up a secondary zone named testking.com.
2. Add a name server (NS) record for TestKing4 to the testking.com primary zone.
3. On TestKing4, change the zone type of the testking.com secondary zone to a primary zone.
4. On TestKing3, delete the testking.com primary zone.
5. On TestKing3, set up a secondary zone named testking.com.

D.
1. On TestKing4, set up a stub zone named testking.com.
2. Add a name server (NS) record for TestKing4 to the testking.com primary zone.
3. On TestKing4, change the zone type of the testking.com stub zone to a primary zone.
4. On TestKing3, delete the testking.com primary zone.
5. On TestKing3, set up a secondary zone named testking.com.

Answer: C

Explanation: A DNS server is authoritative over one or more zones, meaning it maintains the database of resource records related to the nodes in the zone(s) for which it is responsible (or authoritative).
Zones can be either primary or secondary. A primary zone is the copy of the zone to which updates are made. A DNS server that is authoritative for a particular zone will make updates to the primary zone. A secondary zone is a copy of the zone that is copied from the master server when replication of the zone occurs via zone transfer. A primary zone cannot be managed by two different DNS servers, except that multiple computers can be configured to manage zones that are integrated into Windows Active Directory.

To comply with the configuration requirements while ensuring that all host names be resolved as soon as TestKing4 becomes the new primary name server for the zone, and keeping the above in mind, you have to set up a secondary zone on TestKing4 and add a name server (NS) record for TestKing4 to the testking.com primary zone. You also have to change the testking.com zone type on TestKing4 to a primary zone. On TestKing3 you should delete the testking.com primary zone and set up a secondary testking.com zone on TestKing3.

Incorrect answers:
A: You should set up a secondary zone and not a primary zone for the testking.com zone on TestKing4. Furthermore, there is no need to copy the %systemroot%\system32\dns\testking.com.com.dns file from TestKing3 to the same location on TestKing4 in order to comply with the configuration requirements as set out in the question.
B: You should set up a secondary zone and not a primary zone for the testking.com zone on TestKing4. Also enabling dynamic updates on that zone will not comply with what is required by this question.
D: The stub zone is used to keep a parent zone up-to-date as to the authoritative DNS servers for a child zone. Stub zones are unique and contain a small subset of typical zone data. This is the wrong zone type to be configuring under the circumstances.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, p. 42

QUESTION NO: 26
Exhibit, Network Topology

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional and are members of the domain. TestKing1 is a member server in the domain. Testking1 provides DNS services for hosts in testking.com and can currently resolve host names on the Internet. You are connecting testking.com to the network of an affiliate company named Foo. Foo's network consists of an Active Directory domain named foo.com. Foo.com hosts a Windows Server 2003 computer named TestKing2. TestKing.com is a private domain and is not accessible from the Internet. The relevant portion of the network is shown in the exhibit. Some of the servers that are registered in the foo.com DNS domain reside on the TestKing.com network. You need to configure TestKing1 to quickly resolve host names in testking.com and foo.com. You need to ensure that TestKing1 can resolve names in the testking.com domain if the router fails. You also need to ensure that TestKing1 can resolve host names on the Internet. What should you do?

A. On TestKing1, forward requests for testking.com to 192.168.2.2.
B. Configure TestKing1 to host a secondary zone for foo.com.
C. On TestKing2, forward all requests for foo.com to 131.107.1.2.
D. Configure TestKing2 to host a secondary zone for testking.com

Answer: B

Explanation: A secondary zone is a read-only copy of a DNS zone that is transferred from an authoritative DNS server to another DNS server to provide redundancy. If you configure TestKing1 to host a secondary zone for foo.com then TestKing1 will be able to resolve host names for both testking.com and foo.com also in case of router failure.

Incorrect answers:
A & C: Forwarding requests for testking.com on testking.com will not provide the necessary ability to resolve host names as requested in the question.
D: Configuring a secondary zone for testking.com is correct, but in this case it should be TestKing1 that is configured to host the secondary zone and not TestKing2.

Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, p. 293

QUESTION NO: 27
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains named asia.testking.com and africa.testking.com. The network contains Windows Server 2003 computers and Windows XP Professional computers. All client computers and 25 servers are dynamically assigned IP addresses by DHCP. All company computers are registered in either the asia.testking.com DNS zone or the africa.testking.com DNS zone. All DNS servers contain copies of all zones. The written company network management policy states that computers cannot have duplicate host names. Client computers always connect to other computers by specifying only the name of the target computer. A fully qualified domain name (FQDN) is not required. You need to configure the client computers to ensure that all computer names can be resolved by using DNS without the domain name being specified. The configuration of client computers must be automated so that they do not need to be manually reconfigured if an additional domain is added to the forest. What should you do?

A. Configure the Append these DNS suffixes option in the DNS client configuration of each client computer.
B. Configure the 015 DNS Domain Name option on all DHCP scopes.
C. Configure the Default Domain Policy GPO in each domain. Enable the DNS Suffix Search List policy setting in the GPO.
D. Configure the Default Domain Policy GPO in each domain. Enable the Primary DNS Suffix policy setting in the GPO.

Answer: C

Explanation: If you enter a DNS suffix search list, the DNS Client service adds those DNS suffixes in order and does not try any other domain names. Setting policy in a GPO takes care of automatically configuring that configuration of the client computers without manually having to configure all those client computers.
Incorrect answers:
A: The Append These DNS Suffixes option lets you specify a list of DNS suffixes to add to unqualified names. This is just part of the solution and will not ensure that all computer names can be resolved without domain name specification. You also need to enable the DNS Suffix Search List policy setting.
B: 015 DNS Domain Name is an option that specifies the domain name that DHCP clients should use when resolving unqualified names during DNS domain name resolution. This option also allows clients to perform dynamic DNS updates. However, this is not the solution.
D: The primary DNS suffix is also known as the primary domain name and the domain name. Even with this option enabled, it will not solve your problem.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, pp. 4:51, 7:13

QUESTION NO: 28
DRAG DROP

You are the network administrator for TestKing.com. The network contains five Windows Server 2003 computers that also function as DNS servers. These are configured as in the Drag and Drop exhibit below. The Cairo and Stuttgart branches of TestKing.com each have five client computers. The London branch has 5,000 client computers. The Stockholm branch has 2,500 client computers. TestKing1 is located in the TestKing.com main office in Boston. TestKing1 is the authoritative server for a zone named testking.com. TestKing.com management plans to update the network infrastructure in the main office. During these upgrades, there will be frequent changes to the name server (NS) resource records for testking.com. You need to ensure that each DNS server on the WAN has a dynamically updated list of NS records for testking.com. You also need to minimize zone replication traffic across the slow connections and minimize DNS lookups on TestKing1. How should you configure the DNS servers in the TestKing.com branches? To answer, drag the appropriate server configuration to the correct server or servers.

Exhibit, Drag and Drop

Answer:

Explanation:
TestKing2 - Standard secondary zone
TestKing4 - Standard secondary zone
TestKing3 - Stub zone
TestKing5 - Stub zone

QUESTION NO: 29
HOTSPOT

You are the network administrator for your company. The network consists of a single Active Directory domain named contoso.com. The domain includes two domain controllers that are both configured as DNS servers. All servers run Windows Server 2003. The Department named TestKing deploys two intranet Web servers named TestKing1 and TestKing2. Users within the company need to be able to access the intranet Web servers by using the URLs http://testking1.testking.com and http://testking2.testking.com. You need to configure a DNS zone for testking.com. You need to ensure that the DNS zone is available on both DNS servers without additional configuration. How should you configure the DNS zone? To answer, select the appropriate option or options in the dialog box in the work area.

Answer:

Explanation: Select Primary zone and tick the checkbox to "Store the zone in Active Directory".

C: Configure DNS forwarding. (22 Questions)

QUESTION NO: 1
HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Windows Server 2003 domain named testking.com. The functional level of the testking.com domain is Windows 2000 mixed. The network configuration is shown in the exhibit.

The ser/ers are con$igured as sho"n in the $ollo"ing table 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2"" 2 TestBing< is the re#lication hub $or the other !INS ser/ers You need to reduce the loo0u# tra$$ic bet"een client com#uters and the !INS ser/ers "ithin each o$$ice In addition* you need to o#timi1e all net"or0 tra$$ic bet"een o$$ices and "ithin each o$$ice You also need to ensure redundancy i$ the !INS ser/ice $ails on any one o$ the ser/ers :o" should you con$igure !INS $or"ard loo0u#s on TestBing<% To ans"er* con$igure the a##ro#riate o#tion or o#tions in the dialog bo3* and clic0 the t"o a##ro#riate I. addresses 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2"1 2 )ns"er: E3#lanation: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2"2 2 E3#lanation9 To a%oid !&,$ loo/up traffic across the !A, lin/s, ou ha%e to configure !&,$ forward loo/ups to Test@ing1 and Test@ing2 because the are local to the D,$ ser%er. Iou should configure the other !&,$ ser%ers to replicate with Test@ing1 during non2office hours. De$erence: Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd and 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, p. 3;2 QUESTION NO: 2 DD)- DDO. 
4eading the wa in &T testing and certification tools, www.test/ing.com 2 2"3 2 You are a net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com )ll ser/ers run !indo"s Ser/er 2==, ) domain controller named Test0ing< is con$igured as a DNS ser/er TestBing #artners "ith 'ity .o"er C Aight The 'ity .o"er C Aight net"or0 consists o$ three )cti/e Directory domains The 'ity .o"er C Aight domain structure and DNS ser/ers are sho"n in the e3hibit 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2"- 2 Ser/ers in only the c#andl com domain contain records that can be modi$ied DNS ser/ers in the research c#andl com and cor# c#andl com domains are con$igured as secondary ser/ers to the DNS ser/ers in the c#andl com domain Users in the test0ing com domain $requently access resources that are stored on ser/ers in the research c#andl com and cor# c#andl com domains You need to con$igure Test0ing< to allo" users in the test0ing com domain to access resources in the research c#andl com and cor# c#andl com domains Your solution must be $ault tolerant You must also accom#lish this tas0 "ithout a$$ecting name resolution $or TestBing !hat should you do% To ans"er* drag the a##ro#riate domain named and I. address or addresses to the correct location or locations in the "or0 area )ns"er: E3#lanation: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2"F 2 Iou can configure different forwarders for different domain names 6ueried with !indows $er%er 2""3. This is t picall called conditional forwarding. A forwarder can be described as a D,$ ser%er which forwards eBternal 6ueries to suitable D,$ ser%ers. The inform our D,$ ser%er to which D,$ ser%ers to forward re6uests when it is 6ueried b a client for a name for which it is not authoritati%e. 
Therefore, to configure Testking1 to allow users in the testking.com domain to access resources in the research.cpandl.com and corp.cpandl.com domains, the 172.16.0.1 and 172.16.0.2 addresses should be configured. When you configure multiple DNS forwarders, they are queried from top to bottom in a recursive manner, as is the case here. This improves fault tolerance.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, p. 246

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003. The network contains two DNS servers. These servers are configured to forward DNS queries to a DNS server at a local ISP for all Internet name resolution. Users on your network report that they frequently cannot access Web sites on the Internet. You discover that the ISP's DNS server is frequently not available. You need to ensure that users can access Web sites on the Internet when the ISP's DNS server is not available. What should you do?
A. Configure the DNS servers on the network with forwarder records to each other. Remove the forwarder to the ISP's DNS server.
B. Configure the DNS servers on the network with conditional forwarders to the ISP's DNS server.
C. Configure the DNS servers on the network to use the default root hints. Remove the forwarder to the ISP's DNS server.
D. Configure the DNS servers on the network as authoritative servers for the Internet root DNS zone.
Answer: C
Explanation: A forwarder is a DNS server designated by other internal DNS servers to be used to forward queries for resolving external or offsite DNS domain names. It is used to inform DNS where to look for name resolution when not in the local DNS database. With Windows Server 2003 conditional forwarding, recursive query requests can be subject to different DNS forwarder servers based on the domain name queried. The root hints file (cache hints file) contains host information needed to resolve names external of the authoritative DNS domains. It holds names and addresses of root DNS servers which are normally located on the Internet. In this situation, where the DNS servers are configured to forward DNS queries to a DNS server at a local ISP for all Internet name resolution and users still report that they are unable to access Web sites on the Internet, you need to remove the forwarder to the ISP's DNS server so as to ensure that users can access Websites on the Internet even when the ISP's DNS server is not available.
Incorrect answers:
A: Configuring the DNS servers on the network with forwarder records to each other will not ensure that users will be able to access Websites on the Internet when the ISP's DNS server is not available.
B: Configuring conditional forwarders is not the solution.
D: Authoritative servers for the Internet root DNS zones will not ensure accessibility to Websites when the ISP's DNS server is not available.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 3

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest, which contains 14 domains. All servers run Windows Server 2003. Only DNS servers in the testking.com domain have access to the Internet to resolve Internet DNS names. You need to configure each DNS server so that unresolved queries are resolved by DNS servers in the testking.com domain. What should you do?
A. Replace the root hints with the addresses of the DNS servers in the testking.com domain.
B. Create a stub zone named testking.com that contains a copy of the testking.com zone.
C. Configure the default forwarding entry to forward data to DNS servers in the testking.com domain.
D. Configure a conditional forwarding entry for testking.com that forwards data to DNS servers in the testking.com domain.
Answer: C
Explanation: A forwarder is a DNS server that other internal DNS servers designate to forward queries for resolving external or offsite DNS domain names. When a DNS name server receives a query, it attempts to locate the requested information within its own zone files.
This could fail because the server is not authoritative for the domain requested, or because the server does not have the record cached from a previous lookup. In this case, the server must communicate with other name servers to resolve the request. On a globally connected network like the Internet, DNS queries that are outside a local zone may require interaction with DNS name servers across wide area network (WAN) links outside of the organization. Creating DNS forwarders is a way to designate specific name servers as being responsible for WAN-based DNS traffic. Specific DNS name servers can be selected to be forwarders to resolve DNS queries on behalf of other DNS servers.
Incorrect Answers:
A: The root hints file holds host information needed to resolve names outside of the authoritative DNS domains. Replacing the root hints will thus not help you in your task.
B: We cannot use a stub zone, which is in essence a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone's authoritative servers and the glue address (A) resource records that are required for contacting the zone's authoritative servers. Stub zones are used to reduce the number of DNS queries on a network, and to decrease the network load on the primary DNS servers hosting a particular name.
D: Configuring a conditional forwarder will not solve your problem.
Reference: SERVER HELP
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6

QUESTION NO: 5
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest named testking.com. The forest contains five domains as shown in the exhibit.
Three Windows 2003 member servers are DNS servers and are configured as shown in the following table.

Server name    Secondary zones hosted
Testking1      testking.com, west.testking.com, east.testking.com
Testking2      resource.west.testking.com
Testking3      resource.east.testking.com

A Windows 2003 DNS server named Testking4 is located in the perimeter network. All servers are configured with root hints. Testking4 is not authoritative for any zone. The testking.com, west.testking.com, and east.testking.com zones do not contain any delegate records. Member servers in resource.west.testking.com refer to Testking2 as their only DNS server. You need to configure forwarding for Testking2 by using the minimum amount of administrative effort. You must ensure that all resources in the forest and the Internet are accessible to the services on the member servers in resource.west.testking.com by using DNS resolution. For which domain or domains should you configure forwarding on Testking2? (Choose all that apply)
A. testking.com
B. west.testking.com
C. east.testking.com
D. resource.west.testking.com
E. resource.east.testking.com
F. All other DNS domains.
Answer: A, B, C, E
Explanation: The question states that the testking.com, west.testking.com, and east.testking.com zones do not contain any delegate records. This means that a domain does not know how to locate resources in its subdomain. For example, if we queried the testking.com zone for a resource in the west.testking.com domain, the testking.com zone would normally forward the request to a west.testking.com DNS server. It does this by looking up its NS records (known as delegate records in this question). Without the delegate records, this would not happen. Therefore, we need to configure forwarding to the appropriate DNS server for each domain in the forest.
A: For the testking.com zone, we would configure forwarding to TestKing1.
B: For the west.testking.com zone, we would configure forwarding to TestKing1.
C: For the east.testking.com zone, we would configure forwarding to TestKing1.
E: For the resource.east.testking.com zone, we would configure forwarding to TestKing3.
Incorrect Answers:
D: We are configuring TestKing2. TestKing2 hosts the resource.west.testking.com zone. Therefore, we do not need to configure forwarding for this zone.
F: The question states that all servers are configured with root hints. This means that TestKing2 will be able to query the internet root DNS servers to locate internet resources. Therefore, we do not need to configure forwarding for "All other DNS domains".
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 72

QUESTION NO: 6
You are the network administrator for TestKing.com. TestKing is in a partnership with Fabrikam, Inc. The relevant portions of the network are configured as shown in the exhibit.
Users in the testking.com domain frequently access resources in the fabrikam.com domain. You need to configure the DNS server to ensure that users in the testking.com domain can resolve the names of servers in the fabrikam.com domain. You must ensure that users can continue to resolve names even if Fabrikam, Inc. makes changes to its DNS infrastructure. What should you do?
A. Create a conditional forwarding entry on the testking.com DNS server. Configure all requests for fabrikam.com to forward to 131.107.45.89.
B. Create a conditional forwarding entry on the testking.com DNS server. Configure all requests for fabrikam.com to forward to 131.107.23.56.
C. Configure a stub zone of fabrikam.com on the testking.com DNS server.
D. Configure a stub zone of testking.com on the fabrikam.com DNS server.
Answer: C
Explanation: Stub zones are useful when you need to enhance name resolution by supplying connections to authoritative DNS servers over domains. When you configure a stub zone of fabrikam.com on the testking.com DNS server, the stub zone would send the users to the primary DNS server for fabrikam.com without resolving the names. This primary DNS server would then resolve the names of servers in the fabrikam.com domain. When administrators at fabrikam.com modify their DNS infrastructure configuration, these changes would automatically be replicated to the stub zone in the same manner as they would for a secondary server.
Incorrect Answers:
A, B: Creating conditional forwarding entries on the testking.com DNS server to configure requests for fabrikam.com will not ensure that testking.com users will be able to resolve hostnames in the fabrikam.com domain.
D: You should configure a stub zone of Fabrikam.com instead of testking.com on the corresponding DNS server.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, p. 307

QUESTION NO: 7
You are the network administrator for TestKing.com. TestKing includes two divisions: Contoso, Ltd and Fabrikam, Inc. The two divisions are in separate locations. The two locations are connected by a WAN connection. The network consists of two single-domain Active Directory forests. The domain names are contoso.com and fabrikam.com. All domain controllers run Windows Server 2003. All domain controllers are configured as DNS servers. All computers in each domain are configured to use the local domain controller for DNS. Users in the contoso.com domain frequently need to access several Web servers in the fabrikam.com domain. However, when the users attempt to connect, they receive an error message stating that the servers cannot be located.
You need to ensure that users in the contoso.com domain can access the Web servers in the fabrikam.com domain. Your solution must have a minimal effect on the current name resolution and should require minimal administrative effort to maintain. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. On the DNS servers in the contoso.com domain, create a secondary zone for the fabrikam.com domain. Configure one of the DNS servers in the fabrikam.com domain as the primary DNS server for the zone.
B. Configure the DNS servers in the contoso.com domain with a primary zone for the fabrikam.com domain. Create a host (A) resource record for each of the Web servers in the fabrikam.com domain.
C. On the DNS servers in the contoso.com domain, create an Active Directory-integrated stub zone for the fabrikam.com domain. Configure one of the DNS servers in the fabrikam.com domain as the primary DNS server for the zone.
D. Create a forwarder entry on the DNS servers in the contoso.com domain. Configure the servers to forward all unresolved requests to a DNS server in the fabrikam.com domain.
Answer: A, D
Explanation: Creating a secondary zone for the fabrikam.com domain on the DNS servers in the contoso.com domain and configuring one of the DNS servers in the fabrikam.com domain as the primary DNS server for the zone will create a copy of the primary zone on the computer. The primary DNS server would hold a master copy of the zone database that would be replicated to the secondary zone. Remember that the secondary zone is a read-only copy of the zone database. Configuring the DNS servers in the contoso.com domain to forward all unresolved requests to a DNS server in the fabrikam.com domain ensures that users in the contoso.com domain can still access the Web servers in the fabrikam.com domain when the copy of the primary zone cannot resolve requests.
Incorrect Answers:
B: Configuring a primary zone for the fabrikam.com domain on the DNS server in the Contoso.com domain and creating a host (A) resource record will not work in this scenario.
C: Creating a stub zone will maintain only a list of authoritative name servers for a particular zone. The purpose of a stub zone is to ensure that DNS servers hosting a parent zone are aware of authoritative DNS servers for its child zones. But if you are to carry out your task with minimal disruption and minimal administrative effort then this is not the way to go.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, pp. 204, 246-249

QUESTION NO: 8
You are the administrator of an Active Directory domain named testking.com. All servers run Windows Server 2003. You configure a server named Testking3 as the DNS server for the domain. TestKing recently started using a new ISP. Since the change to the new ISP occurred, users report that they cannot access Internet Web sites by using their fully qualified domain names (FQDNs). You manually configure a test computer to use the DNS server address of the new ISP. The test computer can successfully access Internet Web sites by using their FQDNs. You need to ensure that network users can access Internet Web sites by using their FQDNs, while ensuring that user access to internal resources is not disrupted. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Create a root zone on Testking3.
B. Configure Testking3 to use the default root hints.
C. Configure a forwarder on Testking3 to the new ISP's DNS server.
D. Configure all computers on your network to use the new ISP's DNS server.
Answer: B, C
Explanation: Forwarders are used to inform DNS where to look for name resolution when not in the local DNS database. With Windows Server 2003 conditional forwarding, recursive query requests can be subject to different DNS forwarder servers based on the domain name queried. The root hints file (cache hints file) contains host information needed to resolve names external of the authoritative DNS domains. It holds names and addresses of root DNS servers which are normally located on the Internet. In this situation where your network is connected to the Internet, the root hints file should contain the addresses of the root DNS servers on the Internet. With the default installation of Windows Server 2003, DNS uses the root hints file. It is not necessary to configure forwarders to access the Internet. Even though it is recommended to configure forwarders to point to your external domain, root hints will function quite fine.
Incorrect Answers:
A: You do not need to create root zones when what you should be doing is configuring Testking3 to use default root hints.
D: need to configure a forwarder on Testking3.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 3
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network 247.

QUESTION NO: 9
You are the network administrator for TestKing.com. The network consists of a DNS domain named testking.com. The DNS domain structure is shown in the exhibit.
Each domain contains six DNS servers. All DNS servers run Windows Server 2003. Users in the extranet.testking.com domain frequently access resources in the res.ad.testking.com domain. Several users in the extranet.testking.com domain report slow response times when they attempt to access resources in the res.ad.testking.com domain. You examine the users' client computers and discover that it takes a long time to resolve DNS names in the res.ad.testking.com domain. You need to ensure that the client computers in the extranet.testking.com domain do not experience slow response times when they resolve names in the res.ad.testking.com domain. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Configure the DNS servers in the res.ad.testking.com domain to use the DNS servers in the testking.com domain as root hints.
B. Configure the DNS servers in the extranet.testking.com domain to use the DNS servers in the testking.com domain as root hints.
C. Configure the DNS servers in the extranet.testking.com domain to perform conditional forwarding to res.ad.testking.com domain.
D. Configure the DNS servers in the res.ad.testking.com domain to use a stub zone that contains the extranet.testking.com domain.
E. Configure the DNS servers in the extranet.testking.com domain to use a stub zone that contains the res.ad.testking.com domain.
Answer: C, E
Explanation: When, after receiving and forwarding a query from an internal client, the local forwarding server receives a query response back from 207.46.132.23, the local forwarding server then passes this query response back to the original querying client. The process of forwarding selected queries in this way is known as conditional forwarding. Thus conditional forwarding should also cut down the slow response time for the client computers in the extranet.testking.com domain when they resolve names in the res.ad.testking.com domain.
Alternatively you could also have the extranet.testking.com DNS servers make use of a stub zone that contains the res.ad.testking.com domain. A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone. This should ensure that the users will not experience slow response times when resolving names in the res.ad.testking.com domain.
Incorrect answers:
A, B: Configuring the DNS servers of either the res.ad.testking.com domain or the extranet.testking.com domain to make use of root hints of each other's domains is not going to ensure that the extranet.testking.com client computers do not experience slow response times when they resolve names in the res.ad.testking.com domain.
D: You need to configure the extranet.testking.com DNS servers to use a stub zone containing res.ad.testking.com, and not the res.ad.testking.com domain that contains the extranet.testking.com domain.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Chapter 5, p.

QUESTION NO: 10
You are a network administrator for Fabrikam, Inc. A German company named TestKing GmbH, recently acquired Fabrikam, Inc., and another company named Proseware, Inc. Your team is responsible for establishing connectivity between the companies. Each of the three companies has its own Active Directory forest. The relevant portion of the network is shown in the exhibit.
TestKing1, TestKing3, and TestKing5 run Windows Server 2003. Each of these servers is the DNS server for its respective domain. All three servers can currently resolve Internet host names. TestKing3 is configured as a secondary zone server for fabrikam.com and proseware.com. You need to configure TestKing5 to resolve host names for testking.com and proseware.com as quickly as possible, without adding new zones to TestKing5. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Forward requests for testking.com to 131.107.1.2.
B. Forward requests for testking.com to 131.107.3.2.
C. Forward requests for testking.com to 131.107.10.2.
D. Forward requests for proseware.com to 131.107.1.2.
E. Forward requests for proseware.com to 131.107.3.2.
F. Forward requests for proseware.com to 131.107.10.2.
Answer: B, D
Explanation: Testking3 (10.107.3.2) is able to resolve hostnames for testking.com, proseware.com and fabrikam.com. Therefore to resolve hostnames for testking.com and proseware.com as quickly as possible, you could forward resolution requests for these two domains to testking3 (10.107.3.2). However, while answers D and E would both work for proseware.com, it is probably better to forward requests for proseware.com to the primary DNS server for that domain (131.107.1.2).
Incorrect Answers:
A: 131.107.1.2 can resolve hostnames for proseware.com, but not testking.com.
C: 131.107.10.2 can resolve Internet domain names, but not hostnames for proseware.com or testking.com.
E: This would work, and so could be an answer, though it would be better to forward requests for proseware.com to the primary DNS server for that domain in question.
F: 131.107.10.2 can resolve Internet domain names, but not hostnames for proseware.com or testking.com. Thus this option should not be followed.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 509-51

QUESTION NO: 11
You are the Network Administrator for the Paris branch office of TestKing. The Paris office has a Windows Server 2003 DNS primary zone named testking.com. All computers in the Paris office are configured to use Server10 as their preferred DNS server. The Berlin office of Fourth Coffee has a UNIX DNS server named Server11. Server11 hosts a primary zone named engineering.testking.com. The refresh interval of the engineering.testking.com zone is set to 24 hours.
In the Berlin office, a firewall filters all incoming network traffic from other offices. A rule on this firewall prevents all computers from the Paris office network, except Server10, from performing DNS lookups against Server11. There is a business requirement that no delay should occur between the time that a new record is created in the engineering.testking.com zone and the time that the record can be resolved from any computers in the Paris office. All computers in the Paris office must be able to resolve names in the engineering.testking.com namespace. You need to configure DNS on Server10 to meet the requirements. What should you do?
A. Set up a stub zone named engineering.testking.com.
B. Set up conditional forwarding to Server11 for the engineering.testking.com namespace.
C. In the testking.com zone, set up a delegation to the engineering.testking.com zone on Server1.
D. Set up a secondary zone named engineering.testking.com that has Server11 as master.
Answer: B
Explanation: The firewall in the Berlin office allows only Server10 to communicate with Server11. No clients in the Paris office can send DNS queries to Server11 because their attempts will be blocked by the firewall. Therefore, you need Server10 to communicate with Server11 to resolve hostnames in the Berlin office. You can achieve this by configuring conditional forwarding to Server11 for the engineering.testking.com namespace. When Server10 receives a hostname resolution request for a host in the Berlin office, Server10 would query Server11. Server10 will then provide the information to the client.
Incorrect Answers:
A: A stub zone lists the authoritative DNS servers for a zone. With this solution, Server10 would inform the clients in the Paris office to query Server11 for hostname resolution. The Berlin firewall would block the DNS query from the client.
C: A delegation lists the authoritative DNS servers for a zone. With this solution, Server10 would inform the clients in the Paris office to query Server11 for hostname resolution. The Berlin firewall would block the DNS query from the client.
D: This would enable successful resolution. However, changes to the zone on Server11 would not immediately be replicated to Server10 because the refresh interval is set to 24 hours.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 424-426

QUESTION NO: 12
You are the network administrator for TestKing. The network consists of two Active Directory Domains named testking.com and asia.testking.com. The Domain controllers in each domain are also configured as DNS servers. All Domain controllers in the asia.testking.com domain host the asia.testking.com zone and are configured to forward unresolved queries to the DNS server in the testking.com domain. All domain controllers in the testking.com domain contain a copy of the testking.com zone and a delegation for asia.testking.com. The configuration of the DNS servers in each domain is in the following table.

Domain              Local DNS zones     Delegation for      Forward to
Testking.com        Testking.com        Asia.testking.com   None
Asia.testking.com   Asia.testking.com   None                Testking.com DNS Servers

You need to verify that names in the asia.testking.com namespace can be successfully resolved from the testking.com domain controllers. What should you do on one of the domain controllers in the testking.com domain?
A. Open the DNS server properties in the DNS console on the Monitoring tab, perform a simple lookup test
B. Open the DNS server properties in the DNS console on the Monitoring tab, perform a recursive lookup test.
C. From the command prompt, run the following command: Nslookup -querytype=soa asia.testking.com
D. From the command prompt, run the following command: Nslookup -querytype=ns asia.testking.com
Answer: D
Explanation: The testking.com DNS servers have delegation for the asia.testking.com zone. This means that the testking.com zone contains NS records for the asia.testking.com DNS servers. You need to test the NS records to ensure that the testking.com DNS servers forward resolution requests for hosts in asia.testking.com to the asia.testking.com DNS servers.
Incorrect Answers:
A: This solution does not specifically test the name resolution of hosts in asia.testking.com. It just verifies that the server can perform a simple lookup test.
B: This solution does not specifically test the name resolution of hosts in asia.testking.com. It just verifies that the server can perform a recursive lookup test.
C: This solution would tell you which DNS server is authoritative for the asia.testking.com zone. It does not confirm that names in the asia.testking.com namespace can be successfully resolved from the testking.com domain controllers.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 53

QUESTION NO: 13
DRAG DROP
You are a network administrator for Fabrikam, Inc. The Fabrikam, Inc., network consists of a forest that contains a single Active Directory domain named fabrikam.com. Fabrikam, Inc., was recently acquired by TestKing. The TestKing network consists of a forest that contains two Active Directory domains named testking.com and east.testking.com. TestKing1, TestKing2, and TestKing3 are Windows Server 2003 computers. They function as domain controllers and DNS servers in their respective domains, as shown in the exhibit.
You need to configure name resolution for the testking.com domain on TestKing3. Computers in the fabrikam.com domain should resolve names in testking.com as quickly as possible. Name resolution to TestKing.com should also be fault tolerant. How should you configure the DNS forwarder IP addresses? To answer, drag the appropriate IP addresses to the correct locations in the dialog box.
Answer:
Explanation: All queries received for the domain testking.com will now be forwarded to the DNS server 192.168.3.2. When a query response is received back from 192.168.3.2, it will be passed back to the computers in the fabrikam.com domain. TestKing3 now knows to which DNS server to forward requests when it is queried by a client for a name.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, pp. 246-250.
4eading the wa in &T testing and certification tools, www.test/ing.com 2 22> 2 QUESTION NO: <4 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory $orest The $orest contains one domain named test0ing com The net"or0 contains t"o subnets named subnet ) and subnet + The t"o subnets are connected by a router The net"or0 also contains $our !indo"s Ser/er 2==, com#uters* ,== !indo"s 2=== .ro$essional com#uters* and 25 !indo"s NT Ser/er 4 = com#uters Three o$ the ser/ers are con$igured as sho"n in the $ollo"ing table The DNS 1one currently records $or only !indo"s 2=== .ro$essional com#uters Each client com#uter is con$igured to transmit name resolution requests to TestBingSr/) and TestBingSr/' Users are able to access all resources on the net"or0 You #lan to change the T'.KI. settings $or each client com#uter to remo/e the #ointer to TestBingSr/' You need to ensure that the client com#uters can continue to access e>mail !hat should you do% A. &n the ad%anced T.5H&5 settings, enable ,et1&'$ o%er T.5H&5. 1. &n the ad%anced T.5H&5 settings, enable 4mhosts loo/up. .. &n the properties of test/ing.com, add a name ser%er *,$+ resource record for Test@ing$r%.. D. &n the properties of test/ing.com, enable !&,$ forward loo/up. )ns"er: D E3#lanation: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 22= 2 The mail ser/er is a !indo"s NT ser/er The !indo"s NT ser/er does not ha/e a record in DNS To locate the mail ser/er* the clients query the !INS ser/er > !INS resol/es Net+IOS names to I. addresses The question states that the clients "ill be con$igured to not query the !INS ser/er TestBingSr/' hosts the !INS ser/ice This means that the client com#uters "ill not be able to locate the mail ser/er To resol/e this issue* you need to con$igure the DNS ser/er to $or"ard unresol/ed requests to the !INS ser/er You do this by enabling !INS $or"ard loo0u# on the DNS ser/er

Incorrect Answers:
A: This will not enable the clients to locate the mail server.
B: This will not work either because the mail server does not have an entry in the LMhosts file.
C: NS records point to DNS servers. The DNS server is not able to resolve the address of the mail server.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 526-528

QUESTION NO: 15
DRAG DROP

You are the network administrator for TestKing.com. The network contains Windows Server 2003 domain controllers, Windows Server 2003 DNS servers, and Windows XP Professional computers. TestKing installs a firewall. The written company security policy allows only SMTP, HTTP, and DNS traffic through the firewall. You need to allow internal DNS servers to resolve names on the Internet. You need to allow SMTP and HTTP traffic through the firewall. You need to enable the firewall for the needed services and applications. Which port or ports should you specify? To answer, drag the appropriate port or ports to the firewall.

Answer:

Explanation: Well-known ports are the following:
SMTP port number is TCP/UDP 25.
DNS port number is TCP/UDP 53.
HTTP port number is TCP/UDP 80.
POP3 port number is TCP/UDP 110.
LDAP port number is TCP/UDP 383.
HTTPS port number is TCP/UDP 443.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 732
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/tcp

QUESTION NO: 16

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.de. Users regularly browse the internal network and the Internet from their client computers. All Web and e-mail hosting for a separate DNS domain named testking.com is outsourced to an ISP. All name resolution requests for testking.com are resolved by the ISP. You have no administrative control over the DNS servers at the ISP. You cannot list the contents of testking.com by using the nslookup command on the DNS servers at the ISP. A Windows Server 2003 computer named Testking1 is configured with a primary zone for testking.de. All root hints have been removed from Testking1. All client computers refer to this DNS server for name resolution. You need to configure DNS resolution to ensure that all client computers can locate and access resources in testking.net, testking.com, and the Internet. What should you do?

A. Configure a secondary zone for testking.com on Testking1.
B. Configure a primary zone for testking.com on Testking1.
C. Configure conditional forwarding for testking.com with the IP address of the DNS server at the ISP.
D. Configure a simple forwarding with the default settings with the IP address of the DNS server at the ISP.

Answer: D

Explanation: All queries from DNS servers within the organization to resolve names external to the organization can be sent through one (or more) forwarder for resolution. To accomplish this, the internal DNS servers must also be configured to forward queries for which they are not authoritative by providing the forwarding DNS server(s) IP address.

Simple forwarding is akin to caching-only. This option of configuring simple forwarding with the default settings will ensure that all client computers will be able to locate and access resources in testking.net, testking.com and the Internet.

Incorrect answers:
A: A secondary zone is a copy of the zone that is copied from the master server when replication of the zone occurs via zone transfer. This will not ensure that client computers can locate and access resources in the required domains and the Internet.
B: A primary zone is the copy of the zone to which updates are made. A DNS server that is authoritative for a particular zone will make updates to the primary zone. But this will not comply with what is required by the client computers.
C: Being able to selectively set up different forwarders for different domain names queried is referred to as conditional forwarding. At the same time, you are able to enable or disable recursion for each of those domains separately. This is not what you should be doing under the circumstances; you should configure simple forwarding to enable the client computers to locate and access resources in the said domains and the Internet.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 424, 442, 49

QUESTION NO: 17

You are the network administrator for TestKing. The network consists of two subnets: 10.10.10.0/24 and 10.10.11.0/24. On a nonbusiness day, you replace previous DNS servers with Windows Server 2003 DNS servers. The BIND servers used IP addresses 10.10.10.10 and 10.10.11.10. The Windows Server 2003 DNS server named DNS1 will use IP address 10.10.10.20. The Windows Server 2003 DNS server named DNS2 will use IP address 10.10.11.20. The IP configuration of NDS is shown in the IP Configuration exhibit.

A router has IP addresses 10.10.10.1, 10.10.11.1, and 131.107.68.1. The router routes traffic between both LAN subnets and between the LAN and the Internet as shown in the Network exhibit.

The router blocks outbound UDP port 53 traffic to all addresses except 131.107.68.1. A DHCP server named DHCP1 has two scopes to provide IP address configuration to 600 Windows XP Professional computers on the two subnets. On the next business day, users report that they can access all LAN hosts and the intranet, but they cannot access Internet Web sites. You can access the intranet and public Internet Web sites from the DNS servers.

You want to allow all users to access public Internet Web sites and the intranet. You want to log all DNS queries from the LAN on the two new Windows Server 2003 DNS servers. What should you do?

A. Configure both DHCP server scope options to use 10.10.10.20, 10.10.11.20, and 131.107.68.93 for DNS IP addresses.
B. Configure both DNS servers to use 131.107.68.93 as a forwarder.
C. Add the Internet service provider's (ISP) DNS server to the name servers list in your zone.
D. Configure both DNS servers to allow zone transfer to 131.107.68.93.

Answer: B

Explanation: All queries from DNS servers within the organization to resolve names external to the organization can be sent through one (or more) forwarder for resolution. To accomplish this, the internal DNS servers must also be configured to forward queries for which they are not authoritative by providing the forwarding DNS server(s) IP address. Simple forwarding is akin to caching-only.
Configuring both the DNS servers to use 131.107.68.93 as a forwarder will allow all users access to the Internet as well as the intranet while still providing you with the opportunity to log all DNS queries from the LAN to the new DNS servers.

Incorrect answers:
A: This is not a DHCP scope issue. This option will not afford you the opportunity to log all DNS queries from the LAN to the new DNS servers.
C: Adding the ISP's DNS server to the name servers list in your zone is not the solution under the given circumstances.
D: Allowing zone transfers to 131.107.68.93 is not the issue; you should rather configure the DNS servers to use that address as a forwarder, as that will allow you to log DNS queries from the LAN to all the zones and the Internet.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 424, 442, 49

QUESTION NO: 18

Exhibit, Network Topology

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. A company Web site named www.testking.com is hosted in the perimeter network. The network is shown in the exhibit. All servers run Windows Server 2003. All client computers run Windows XP Professional. The DNS servers are configured as shown in the following table.

Server name | IP address | Zone hosted | Zone type
TestKing1 | 10.10.1.1 | Corp.testking.com | Active Directory integrated
TestKing3 | 131.107.0.88 | Testking.com | Standard primary

TestKing3 is configured to forward external DNS requests to a DNS server at the local ISP. Half of the client computers are configured to use 10.10.1.1 as their preferred DNS server. The other half are configured to use 131.107.0.88 as their preferred DNS server. You discover that name resolution is inconsistent. Not all client computers can resolve host names in corp.testking.com, testking.com, and Internet namespaces. Internal DNS client computers need to be able to resolve fully qualified domain names (FQDNs) in all internal or Internet namespaces. You need to ensure that only client computer requests for corp.testking.com names are resolved by TestKing1. All other name resolution requests are to be resolved by TestKing3. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Disable recursion on TestKing1.
B. Disable recursion on TestKing3.
C. Configure a forwarder on TestKing1 for All other DNS domains and specify 131.107.0.88 in the forwarder's IP address list.
D. Configure a forwarder on TestKing1 for All other DNS domains and specify 10.10.1.1 in the forwarder's IP address list.
E. Configure client computers to refer to TestKing1 as their preferred DNS server.
F. Configure client computers to refer to TestKing3 as their preferred DNS server.

Answer: C, E

Explanation:
C: All queries from DNS servers within the organization to resolve names external to the organization can be sent through one (or more) forwarder for resolution. Forwarders are used to tell your DNS server to which DNS servers to forward requests when it is queried by a client for a name for which it is not authoritative. You can configure multiple DNS forwarders that will be queried from top to bottom in a recursive fashion. This is the way to ensure that only client computer requests are resolved by TestKing1.
E: The DNS client queries its preferred DNS server. The preferred DNS server contacts the DNS server that is authoritative for that zone. The authoritative server for that zone forwards that request to the server it is configured to use for resolution. The server resolves the name lookup and forwards the IP address back to the authoritative zone server. The authoritative zone server returns the IP address back to the preferred DNS server. The preferred DNS server returns the IP address back to the DNS client. Configuring the client computer to refer to TestKing1 as the preferred DNS server will solve the problem.

Incorrect answers:
A, B: Recursion: If you select the Do not use recursion for this domain check box, you are in essence telling the server to not try any other means of name resolution if it cannot resolve a query using its list of forwarders. This is not desired.
D: Configuring a forwarder is a possible solution, but it will only work if configured and specified properly.
F: Making use of the preferred DNS server for client computers represents another solution, though you should be using TestKing1 and not TestKing3 as the preferred DNS server.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 364, 424, 493

QUESTION NO: 19

Exhibit, Network Topology

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest named testking.com. The forest has two additional domain trees named foo.com and bar.com. Servers named TestKing1, TestKing2, and TestKing3 are domain controllers and DNS servers for their respective domains. The relevant portion of the network is shown in the exhibit. You are using Active Directory-integrated storage of the DNS database. All zones are set to replicate to all the DNS servers in the forest. All references to root servers have been removed from TestKing1. TestKing3 forwards DNS requests to TestKing2. TestKing2 forwards DNS requests to TestKing1. You need to ensure that TestKing1 can resolve names within testking.com, foo.com, bar.com, and the Internet. How should you configure DNS forwarding on TestKing1?

A. Forward all other DNS requests to 192.168.3.2.
B. Forward all other DNS requests to 131.107.4.2.
C. Forward all other DNS requests to 192.168.2.2.
D. Add 192.168.2.2 and 192.168.3.2 to the root hints on TestKing1.

Answer: B

Explanation: The Forwarders tab allows you to forward DNS queries received by the local DNS server to upstream DNS servers, called forwarders. Using this tab, you can specify the IP addresses of the upstream forwarders, and you can specify the domain names of queries that should be forwarded. In addition to the top-level domains on the Internet, organizations can also have a private namespace: a DNS namespace based on a private set of root servers independent of the Internet's DNS namespace.
Within a private namespace, you can name and create your own root server or servers and any subdomains as needed. Private names cannot be seen or resolved on the Internet. All references to root servers have been removed from TestKing1, and root servers are the DNS servers that are authoritative for the root of the namespace. If you want to ensure that TestKing1 can resolve names within the given domains as well as the Internet, then you should configure TestKing1 to forward DNS requests to 131.107.4.2.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, p. 5:

QUESTION NO: 20

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers are configured as DNS servers and host an Active Directory integrated zone for testking.com. A local ISP provides users with access to the Internet. All Web sites for testking.com are located in the perimeter network. A secondary DNS zone for testking.com is located on the internal network on a Windows Server 2003 computer named TestKing4. All client computers refer only to this DNS server for name resolution. You need to configure DNS resolution to ensure that all client computers can log on to the network, access the Web sites, and browse the Internet. You must also ensure that the testking.com zone is stored as securely as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)

A. Configure a secondary DNS zone for testking.com on TestKing4.
B. Configure a primary DNS zone for testking.com on TestKing4.
C. Configure conditional forwarding for testking.com to point to the IP addresses of the domain controllers.
D. Configure conditional forwarding for all other DNS domains to point to the IP address of the ISP DNS server.

Answer: C, D

Explanation: The Forwarders tab allows you to forward DNS queries received by the local DNS server to upstream DNS servers, called forwarders. Using this tab, you can specify the IP addresses of the upstream forwarders, and you can specify the domain names of queries that should be forwarded. Being able to selectively set up different forwarders for different domain names queried is referred to as conditional forwarding. At the same time, you are able to enable or disable recursion for each of those domains separately. Options C and D suggest configuring conditional forwarding for testking.com to point to the domain IP addresses and forwarding for all other DNS domains to point to the ISP's DNS server. This should ensure that the testking.com zone is stored as securely as possible while ensuring that all client computers can log on to the network, access the Web sites and browse the Internet.

Incorrect answers:
A: Secondary zone is a read-only copy of the zone database used to provide fault tolerance and faster name resolution across the network. The database is updated via the zone transfer process. This is not going to comply with the requirements of the question.
B: Primary zones hold the master copy of the zone database and are replicated to secondary zones. All changes to the zone are made to the primary zone. This option will not ensure that client computers can connect to the necessary Web sites, domains and the Internet as is required in this question with the correct measure of safety for the testking.com zone.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, p. 5:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 424, 49

QUESTION NO: 21

Exhibit, network topology

You are the network administrator for TestKing. The network consists of two DNS domains named foo.com and testking.com. foo.com is an intranet domain. A Windows Server 2003 computer named TestKing1 is the DNS server for foo.com. TestKing.com can be publicly accessed from the Internet. A Windows Server 2003 computer named TestKing3 is the DNS server for testking.com. The relevant portion of the network is shown in the network topology exhibit. You need to configure name resolution so that the computers that are DNS clients of TestKing3 can resolve names in foo.com and the Internet, and so that the computers that are DNS clients of Testking1 can resolve names only in the foo.com domain. Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)

A. Configure TestKing1 to forward all requests for testking.com to 192.168.1.2.
B. Configure TestKing3 to forward all requests for foo.com to 192.168.0.2
C. Remove all references to root servers on TestKing3.
D. Remove all references to root servers on TestKing1.

Answer: B, D

Explanation: The Forwarders tab allows you to forward DNS queries received by the local DNS server to upstream DNS servers, called forwarders. Using this tab, you can specify the IP addresses of the upstream forwarders, and you can specify the domain names of queries that should be forwarded. Root servers are DNS servers that are authoritative for the root of the namespace.
Thus if you want the TestKing3 DNS clients to resolve names in the foo.com domain and the Internet and that TestKing1 DNS clients can resolve only foo.com domain names, then you should remove all references to root servers on TestKing1 as this would lead to the cache.dns file and you should configure TestKing1 to forward all requests for foo.com to 192.168.0.2.

Incorrect answers:
A: It is TestKing1 and not TestKing3 that should be reconfigured appropriately.
C: There is no need to remove the references to root servers on TestKing3 in this case.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, p. 5:4

QUESTION NO: 23

Exhibit, Network Topology
** MISSING ***

You are the network administrator for TestKing.com. The network consists of two Active Directory forests. Each forest contains a single domain. The domain names are testking.com and foo.com. All servers run Windows Server 2003. The domain controllers in each domain are configured as DNS servers. The DNS servers are configured to forward all requests for host names on the Internet to a DNS server located at the company's ISP. The relevant portion of the network is shown in the exhibit. Users in the testking.com domain report that they cannot connect to the intranet Web sites in the foo.com domain. When they try to connect to the Web sites, they receive the following error message: "Cannot find server or DNS error." Users in the foo.com domain can connect to the intranet Web sites in the foo.com domain. You need to ensure that users in the testking.com domain can connect to intranet Web sites in the foo.com domain. You want to accomplish this goal by making the minimum amount of changes to the current network configuration. What should you do?

A. On the DNS servers in the testking.com domain, configure a conditional forwarder to one of the DNS servers in the foo.com domain.
B. On the DNS servers in the foo.com domain, configure a conditional forwarder to one of the DNS servers in the testking.com domain.
C. On the DNS servers in the testking.com domain, remove the forwarder configuration. Configure the DNS servers to use root hints.
D. On the DNS servers in the testking.com domain, change the forwarder configuration so that all requests for host names are forwarded to the DNS servers in the foo.com domain.
E. On the DNS servers in the foo.com domain, configure a stub zone for the testking.com domain.
Answer: A

Explanation: The Forwarders tab allows you to forward DNS queries received by the local DNS server to upstream DNS servers, called forwarders. Using this tab, you can specify the IP addresses of the upstream forwarders, and you can specify the domain names of queries that should be forwarded. When, after receiving and forwarding a query from an internal client, the local forwarding server receives a query response back, the local forwarding server then passes this query response back to the original querying client. The process of forwarding selected queries in this way is known as conditional forwarding. Conditional forwarding will ensure that the testking.com users can connect to intranet Web sites in the foo.com domain.

Incorrect answers:
B: The conditional forwarders should be configured on the testking.com domain and not the foo.com domain.
C: Making use of root hints after removing the forwarder configuration is not going to ensure that testking.com users will be able to connect to the Intranet Web sites in the foo.com domain.
D: There is no need to change the forwarder configuration.
E: Configuring a stub zone will not have the desired effect in this case.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, p. 5:

Part 2: Managing DNS.
A: Managing DNS zone settings. (10 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The forest contains two domains named testking.com and corp.testking.com. All zones are configured to replicate to all DNS servers in the forest. The DNS servers are described in the following table.

Server name | Server roles | Zones hosted | Zone type | Active Directory Site
Testking1.testking.com | Domain controller, DNS server | testking.com, corp.testking.com | Active Directory-integrated primary | MainOffice
Testking2.testking.com | DNS server | testking.com, corp.testking.com | Secondary | BranchOffice
Testking3.corp.testking.com | Domain controller | None | Not applicable | MainOffice
Testking4.corp.testking.com | Domain controller, DNS server | corp.testking.com | Active Directory-integrated primary | BranchOffice

The properties sheet of the start of authority (SOA) resource record for the zone is shown in the exhibit.

You remove Testking2 from the network for hardware maintenance. Two days later, you bring Testking2 back on the network. You need to ensure that the DNS zone information for corp.testking.com is immediately updated on Testking2. What should you do?

A. Use NTDS setting on Testking1 to initiate replication between the MainOffice site and the BranchOffice site.
B. Use NTDS settings on Testking4 to initiate replication between the MainOffice site and the BranchOffice site.
C. Use the DNS console on Testking1 to increment the serial number for corp.testking.com
D. Use the DNS console on Testking2 to initiate a zone transfer from the master server for corp.testking.com.
E. Use the DNS console on Testking2 to reload corp.testking.com

Answer: D

Explanation: Directory replication is a push transfer, initiated by the domain controller hosting the primary DNS server function. When changes to the database occur, the domain controller sends updates to other domain controllers. This allows the changes to be updated more quickly and more efficiently. DNS servers do not need to check for updates constantly since updates will be received as changes are made on the primary DNS server. A secondary zone is a copy of the zone that is copied from the master server when replication of the zone takes place through zone transfer. Secondary DNS servers obtain their zone databases through zone transfers. To ensure that DNS zone information for corp.testking.com is immediately updated on Testking2, use the DNS console on Testking2 to initiate a zone transfer from the master server for corp.testking.com. A secondary server typically initiates a zone transfer when the secondary server boots or the refresh interval for the zone expires.

Incorrect Answers:
A, B: Initiating replication through the NTDS setting does not necessarily mean immediate updating. Taking the zone types of the servers into account, the best way to ensure that the DNS zone information for corp.testking.com is immediately updated on Testking2 is to initiate a zone transfer.
C: Incrementing the serial number for corp.testking.com on the DNS console on Testking1 will not ensure immediate updates of the DNS zone information of corp.testking.com on Testking2.
E: Reloading corp.testking.com using the DNS console on Testking2 will not work in this scenario.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 435
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, pp. 274-279.

QUESTION NO: 2

You are the network administrator for TestKing.com. The network contains Windows NT Server 4.0 computers, Windows Server 2003 computers, Windows NT Workstation 4.0 computers, and Windows XP Professional computers. The testking.com DNS namespace is used on the company's intranet. The testking.com DNS zone is hosted on a Windows Server 2003 computer and is configured to allow secure dynamic updates. All Windows Server 2003 computers and Windows XP Professional computers are configured to dynamically register their host names in the testking.com DNS zone. The Windows NT Server computers and Windows NT Workstation computers use WINS and DNS for name resolution. Host (A) records for the Windows NT Server computers have not been created in the testking.com DNS zone. The Windows Server 2003 computers and Windows XP Professional computers cannot connect to the Windows NT Server computers when using computer names. You need to implement a mechanism that allows the Windows Server 2003 and Windows XP Professional computers to resolve the computer names of the Windows NT Server computers. To reduce administrative overhead, you must choose a solution that will not need to be configured when the IP address of any computer is changed. What should you do?

A. Configure WINS reverse lookup on the DNS zones.
B. Configure WINS forward lookup on the DNS zones.
C. Configure nonsecure and secure updates in the DNS zone testking.com.
D. Install the Active Directory Client Extensions on the Windows NT Server computers.
Answer: B

Explanation: The WINS and DNS services are used to provide name resolution for the NetBIOS namespace and the DNS domain namespace, respectively. Although both DNS and WINS can provide a separate and useful name service to clients, WINS is mainly needed to provide support for older clients and programs that require support for NetBIOS naming. However, the DNS service can work with WINS to provide combined name searches in both namespaces when resolving a DNS domain name not found in zone information. To provide this interoperability, a new record (the WINS record) is defined as part of the zone database file. The WINS resource record is specific to computers running Windows NT 4.0 and earlier, Windows 2000, and Windows Server 2003 operating systems, and can be attached only to the domain of origin for a zone. The presence of a WINS resource record can instruct the DNS service to use WINS to look up any forward queries for host names or names that are not found in the zone database. This functionality is particularly useful for name resolution required by clients that are not WINS-aware (for example, UNIX) for the names of computers not registered with DNS, such as Windows 95 or Windows 98 computers.

Incorrect Answers:
A: Configuring WINS forward lookup for your DNS implementation is zone independent. It is the WINS forward lookup that had to be configured on the DNS zones and not the reverse lookup.
C: Configuring secure and non-secure updates in the DNS zone testking.com will not allow Windows NT Server access.
D: Installing Active Directory Client Extensions on the Windows NT server computers will not allow computer names to be resolved.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 363

QUESTION NO: 3

You are the network administrator for TestKing. The company's main office is located in Lima, and branch offices are located in five other cities. The network consists of a single DNS domain named testking.com. The network configuration is shown in the exhibit.

)ll net"or0 ser/ers run !indo"s Ser/er 2==, )ll client com#uter I. addresses are assigned by using a D:'. ser/er that is located in each o$$ice 'lient com#uters are reimaged o$ten and are assigned ne" names each time they are reimaged )ll client com#uters are con$igured to re$erence their local DNS ser/er as the #re$erred DNS ser/er and to re$erence the central DNS ser/er as the alternate DNS ser/er ) #rimary 1one $or test0ing com is con$igured on a ser/er in the Aima o$$ice Secondary 1ones are con$igured on a ser/er in each branch o$$ice The retry inter/al* the re$resh inter/al* the e3#iration inter/al* and the de$ault minimum Time to Ai/e &TTA( inter/al are con$igured "ith the de$ault settings Net"or0 band"idth utili1ation a/erages 4= #ercent The net"or0 connection bet"een the Aima o$$ice and the +ogota o$$ice $ails on a/erage o$ t"ice #er day Users in the +ogota o$$ice occasionally recei/e incorrect res#onses to queries against the local DNS ser/er "hen the net"or0 connection is interru#ted during a 1one trans$er 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2F2 2 You need to change the con$iguration o$ the start o$ authority &SO)( resource record $or test0ing com In addition* you need to reduce the #ossibility that users can query local DNS 1ones be$ore success$ul 1one trans$ers occur !hat should you do% A. .hange the retr inter%al to 12 hours. 1. .hange the default minimum Time to 4i%e *TT4+ to 2 da s. .. .hange the refresh inter%al to 2 da s. D. .hange the eBpiration inter%al to 12 hours. 
)ns"er: D E3#lanation: E3#iration inter/al is the time* in seconds* be$ore a secondary ser/er sto#s res#onding to queries a$ter a la#sed re$resh inter/al "here the 1one "as not re$reshed or u#dated E3#iration occurs because at this #oint in time* the secondary ser/er must consider its local data unreliable The de$ault /alue is 96*4== seconds &24 hours( Deducing the e3#iration inter/al "ill thus reduce the #ossibility o$ users querying the local DNS 1ones be$ore a success$ul 1one trans$er occurs Incorrect )ns"ers: ): Retr inter%al is the time, in seconds, that a secondar ser%er waits before retr ing a failed 0one transfer. This is not the %alue that has to be changed. +: Minimum *default+ TT4 is the minimum Time2To24i%e *TT4+ %alue applied to all resource records in the 0one with unspecified record2specific TT4s. This %alue is supplied in 6uer responses b ser%ers for the 0one to inform others how long the should cache a resource record pro%ided in an answer. Aowe%er, it is the 3Bpiration inter%al that should be changed. ': Refresh inter%al is the time, in seconds, that a secondar D,$ ser%er waits before 6uer ing its source for the 0one to attempt renewal of the 0one. !hen the refresh inter%al eBpires, the secondar D,$ ser%er re6uests a cop of the current $'A record for the 0one from its source, which answers this re6uest. The secondar D,$ ser%er then compares the serial number of the source ser%erKs current $'A record *as indicated in the response+ with the serial number in its own local $'A record. &f the are different, the secondar D,$ ser%er re6uests a 0one transfer from the primar D,$ ser%er. 1ut ou need to change the eBpiration inter%al to be able to reduce the possibilit of users 6uer ing the local D,$ 0ones before successful 0one transfers can occur. De$erence: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2F3 2 Deborah 4ittle)ohn $hinder, Dr. Thomas !. 
$hinder, .had Todd and 4aura Aunter, M.$AHM.$39 3Bam G"22=19 &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, pp. 2>, 2"QUESTION NO: 4 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ an )cti/e Directory $orest "ith t"o domains named test0ing com and euro#e test0ing com +oth domains contain !indo"s Ser/er 2==, domain controllers and !indo"s 2=== Ser/er domain controllers DNS is installed on all domain controllers No other com#uters $unction as DNS ser/ers The DNS 1ones test0ing com and euro#e test0ing com are )cti/e Directory>integrated 1ones TestBingJs !eb administrator as0s you to create a ne"* se#arate DNS 1one that "ill be used to register host names $or intranet !eb sites This 1one must be re#licated to all DNS ser/ers in the com#any The ne" 1one must be named intranet test0ing com You must create and con$igure the intranet test0ing com 1one to $ul$il these requirements !hat should you do%

A. Set up an Active Directory-integrated zone on one Windows Server 2003 domain controller in the testking.com domain. Choose the replication scope To all domain controllers in the Active Directory domain testking.com.
B. Set up an Active Directory-integrated zone on one Windows Server 2003 domain controller in the testking.com domain. Choose the replication scope To all DNS servers in the Active Directory domain testking.com.
C. Create an Active Directory application partition named intranet.testking.com. Set up an Active Directory-integrated zone on one Windows Server 2003 domain controller in the testking.com domain. Specify the intranet.testking.com application partition as the replication scope of the zone.
D. Set up an Active Directory-integrated zone on one Windows Server 2003 domain controller in the testking.com domain. Choose the replication scope To all DNS servers in the Active Directory forest testking.com. Set up a secondary zone on all Windows 2000 domain controllers in the forest.

Answer: D

Explanation: Active Directory integrated zone data is stored as an Active Directory object and is replicated as part of domain replication. This provides the following advantages: No single point of failure, Fault tolerance, Single replication topology and Secure dynamic.

Incorrect Answers:
A: The replication scope, To all domain controllers in the Active Directory domain testking.com, is the wrong option.
B: This option is correct but you also need a secondary zone on all the domain controllers in the forest to be able to fulfill all the requirements.
C: There is no need to create an Active Directory application partition and have that partition be specified as the replication scope.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 480

QUESTION NO: 5

You are the administrator of the TestKing.com company network. The network consists of a single Active Directory domain named testking.com. The network includes 15 servers running Windows Server 2003 and 300 client computers running Windows XP Professional. A domain controller named TestKingSrvA is the primary DNS server for the testking.com domain.

The company opens a new branch office. The new office network will be a subdomain of testking.com. The domain will be named east.testking.com. You install a domain controller named TestKingSrvB in the branch office. TestKingSrvB hosts the DNS zone for east.testking.com.

You need to ensure that computers in testking.com can resolve host names in east.testking.com on TestKingSrvB. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Use dnsmgmt.msc to add a start-of-authority (SOA) record to TestKingSrvA that refers to TestKingSrvB.east.testking.com.
B. Use dnsmgmt.msc to add a new delegation on TestKingSrvA for east.testking.com to TestKingSrvB.
C. Use dnsmgmt.msc to add a new stub zone to TestKingSrvA named east.testking.com.
D. Use dnsmgmt.msc to add a service locator (SRV) record to TestKingSrvA that refers to TestKingSrvB.east.testking.com.

Answer: B, C

Explanation: A delegation or a stub zone will enable TestKingSrvA to forward resolution requests for east.testking.com to TestKingSrvB.

Stub zone is a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. Stub zones contain the Start of Authority (SOA) resource records of the zone - the DNS resource records that list the zone's authoritative servers.

Delegation is the process of distributing responsibility for domain names between different DNS servers in the network. For each domain name delegated, you have to create at least one zone. The more domains you delegate, the more zones you need to create.

Incorrect Answers:
A: The SOA record must exist in the delegated zone.
D: You need NS records to point to TestKingSrvB, and not SRV records.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 426, 528

QUESTION NO: 6

You are the Network Administrator for TestKing.com. The network consists of a single Windows Server 2003 DNS zone named testking.com. The network topology is shown in the exhibit.

All network servers run Windows Server 2003. All IP addresses are statically assigned. The primary DNS zone for testking.com is hosted on a server at the company's main office in Cairo. Secondary zones for testking.com are hosted on servers in the branch offices.

Another administrator reports that network utilization is at 90% of capacity. You reconfigure the refresh interval and the minimum default Time To Live (TTL) intervals for the testking.com zone, as shown in the following table.

Refresh interval                      3 hours
Minimum default Time To Live (TTL)    1 day

You need to configure the start of authority (SOA) resource record properties for the testking.com zone. You also need to ensure that the server in the Cairo office will continue to attempt zone transfers if an initial attempt fails. What should you do?

A. Configure the testking.com zone to expire after 1 hour.
B. Configure the testking.com zone to expire after 4 hours.
C. Configure the testking.com zone to expire after 20 seconds.
D. Configure the retry interval to be 1 hour.
E. Configure the retry interval to be 4 hours.
F. Configure the retry interval to be 20 seconds.
Answer: D

Explanation: One can configure the refresh interval between updates from a secondary DNS server. The refresh interval should be tuned accordingly to avoid wasting bandwidth, and to ensure that the content on the secondary server is constantly accurate. If DNS record changes occur infrequently, increase the default value. If DNS record changes occur often, decrease the default value.

A retry interval is where a secondary DNS server may be unable to refresh data from the primary server because of a connection or service failure. The secondary DNS server attempts to refresh data once the interval specified for retrying lapses. Thus it would be logical that the retry interval should be less than the refresh interval.

Incorrect Answers:
A: After the interval specified for expiry, the secondary server stops serving name requests. Therefore, the zone expiry interval has no effect on the bandwidth used by zone transfers.
B: After the interval specified for expiry, the secondary server stops serving name requests. Therefore, the zone expiry interval has no effect on the bandwidth used by zone transfers.
C: After the interval specified for expiry, the secondary server stops serving name requests. Therefore, the zone expiry interval has no effect on the bandwidth used by zone transfers.
E: The Retry interval should be less than refresh interval. In this question, the refresh interval is set to 3 hours.
F: This value is too low.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 506

QUESTION NO: 7

HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain DNS servers are configured as shown in the following table.

You uninstall DNS from TestKing2 and reconfigure TestKing2 as a file server. Then you reconfigure TestKing4 as a caching-only server. Next, you reconfigure the domain controllers to use Active Directory-integrated DNS zones.

You need to eliminate unnecessary zone transfer activity on the network. What should you change in the Notify dialog box? To answer, select the setting or settings that need to be changed. Select the IP address or addresses that need to be removed from the list.

Answer:

Explanation: Remove all the IP addresses.

The remaining servers are domain controllers hosting Active Directory integrated zones. The information in an Active Directory integrated zone is automatically replicated to every domain controller in the domain.

Note: You may need to clear the Automatically notify box because notification is no longer required. Zone transfers are no longer performed when all the servers are Active Directory Integrated zones. Zone transfer is then included in Active Directory replication.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 28, 20

QUESTION NO: 8

You are a network administrator for TestKing. All servers run Windows Server 2003. The DNS domain structure is configured as shown in the following diagram.

The network administrator for the RD.testking.com domain maintains separate DNS servers that are authoritative for that domain. You create a delegation entry in the testking.com domain for the RD.testking.com domain. The network administrator for the RD.testking.com domain will use the new DNS servers when they are added. What should you do?

A. Delete the delegation entry. Create a stub zone for the RD.testking.com domain.
B. Delete the delegation entry. Add a conditional forwarding entry for the RD.testking.com domain.
C. In the testking.com domain, disable recursion on the DNS servers.
D. In the testking.com domain, create a new root hint that includes the DNS servers in the RD.testking.com domain.

Answer: A

Explanation: Delegation and glue records are records added to the zone to delegate a subdomain into a separate zone. A stub zone contains only the resource records needed to identify the authoritative DNS servers for the zone. The stub zone is used to keep a parent zone up-to-date as to the authoritative DNS servers for a child zone. Stub zones are unique and contain a small subset of typical zone data. Thus a stub zone contains only the SOA, NS, and glue records for the zone. This helps the parent domain remain up-to-date with regard to the authority of delegated zones. The delegation record is a Name Space (NS) record in the parent zone that lists the parent zone as authoritative for the delegated zone. The glue record is an A type record (A RR) for the DNS server authoritative for the delegated zone. Option A will thus be the way forward.

Incorrect answers:
B: Deleting the delegation entry will be correct under the circumstances, but then you should not add a conditional forwarder for the RD.testking.com domain since the network administrator will be using the new DNS servers.
C: Recursion: If you select to check the Do not use recursion for this domain option check box, you are in essence telling the server to not try any other means of name resolution if it cannot resolve a query using its list of forwarders. This is not desired.
D: The root hints file (cache hints file) contains host information needed to resolve names external of the authoritative DNS domains. It holds names and addresses of root DNS servers which are normally located on the Internet. Creating new root hints that include the DNS servers in the RD.testking.com domain will thus not be advisable in the circumstances.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 424, 431

QUESTION NO: 9

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network topology is shown in the exhibit.

The configurations of the DNS servers that host the zone named testking.com are shown in the following table.

Server      Zone type                     Server role         Location
Testking1   Active Directory-integrated   Domain controller   New York
Testking2   Active Directory-integrated   Domain controller   Chicago
Testking3   Secondary                     Member server       Caracas

The refresh interval for the zone is one hour. The zone contains 10,000 records. The network connection to Caracas is operating at 90 percent of capacity.

You remove Testking3 from the network to perform hardware maintenance. Two hours later, you bring Testking3 back on the network.

You need to ensure that Testking3 can immediately provide accurate responses to client computer requests for data. You also need to ensure that no unnecessary traffic is generated by the DNS servers. What should you do on Testking3?

A. Transfer the zone from the master server.
B. Reload the zone from the master server.
C. Update server data files.
D. Scavenge stale resource records.

Answer: A

Explanation: A DNS zone transfer is the process by which the zone's resource records are copied, or replicated, to other DNS servers. The resource records in the zone are stored in a database that is copied at specified intervals to other DNS servers to ensure reliable host name resolution. Thus transferring the zone from the master server will have the desired effect.

Incorrect answers:
B: Reloading the zone is not going to make sure that unnecessary traffic is not generated by the DNS servers.
C: Updating server data files is not going to ensure that no unnecessary traffic is generated on the DNS servers. It is irrelevant in this case.
D: Be careful when enabling DNS scavenging and understand that it is disabled by default for a reason. If it is set up incorrectly, vital DNS resource records could be deleted accidentally, causing more problems than an abundance of stale records. Scavenging stale resource records is not advised in this case.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 434, 501

QUESTION NO: 10

Exhibit

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The testking.com zone is configured as shown in the exhibit. TestKing1 also hosts a DNS zone named testking.internal.

The domain controllers are configured as shown in the following table.

Domain controller   Services and applications installed
TestKing1           DNS, WINS
TestKing2           DNS, DHCP
TestKing3           WINS

You create a global group named TestKingDNS. You need to be able to assign the TestKingDNS global group necessary permissions to create and delete the child entries in the testking.com zone. What should you do first?

A. Change the testking.internal zone to an Active Directory-integrated primary zone.
B. Change the testking.internal zone to an Active Directory-integrated stub zone.
C. Change the testking.com zone to an Active Directory-integrated primary zone.
D. Change the testking.com zone to an Active Directory-integrated stub zone.

Answer: C

Explanation: An Active Directory Integrated zone is a zone where zone information is held in the Windows Active Directory and replicated using Active Directory replication, providing greater flexibility in the replication process. Only primary DNS zones can be stored in the Active Directory. Secondary zones must be stored in the old standard text format. This might seem odd at first, but secondary DNS zones are essentially obsolete in light of the multi-master replication model of the Active Directory-integrated DNS zone. Secondary zones might still be needed if some zones will not be stored in the Active Directory, or will be maintained during the migration period.

In the light of the above, changing the testking.com zone to an Active Directory Integrated primary zone would enable you to assign the TestKingDNS global group the needed permissions to create and delete child entries on the testking.com zone.

Incorrect answers:
A: You should rather be changing the testking.com zone and not the testking.internal zone. As this option suggests, it would not enable you to assign the correct permissions to the TestKingDNS global group.
B: A stub zone is not authoritative for the zones they copy. You would thus not be able to assign the correct permissions.
D: This is the wrong zone type to be changing the testking.com zone into.
Reference:
Michael Cross and Jeffery A. Martin, MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, 2003, p. 368

B: Manage DNS record settings. (19 Questions)

QUESTION NO: 1

You are the network administrator for the Oslo branch office of TestKing. The Oslo office has a Windows Server 2003 DNS server named TestKing3. TestKing3 hosts a DNS primary zone named testking.com. All computers in the Oslo office are configured to use TestKing3 as their preferred DNS server.

The Budapest branch office of TestKing has a UNIX DNS server named TestKing4. TestKing4 hosts a primary zone named engineering.testking.com. The refresh interval of the engineering.testking.com zone is set to 24 hours.

In the Budapest office, a firewall filters all incoming network traffic from other offices. A rule on this firewall prevents all computers from the Oslo office network, except TestKing3, from performing DNS lookups against TestKing4.

There is a business requirement that no delay should occur between the time that a new record is created in the engineering.testking.com zone and the time that the record can be resolved from any computers in the Oslo office. All computers in the Oslo office must be able to resolve names in the engineering.testking.com namespace.

You need to configure DNS on TestKing3 to meet the requirements. What should you do?

A. Set up a stub zone named engineering.testking.com.
B. Set up conditional forwarding to TestKing4 for the engineering.testking.com namespace.
C. In the testking.com zone, set up a delegation to the engineering.testking.com zone on TestKing4.
D. Set up a secondary zone named engineering.testking.com that has TestKing4 as its master.
Answer: B

Explanation: With Windows Server 2003 you can, through conditional forwarding, configure forwarding on TestKing3 to TestKing4 for the engineering.testking.com namespace. DNS forwarders can be set up for different domains for forwarding name resolution requests.

Incorrect Answers:
A: A stub zone maintains only a list of authoritative name servers for a particular zone. The purpose of a stub zone is to ensure that DNS servers hosting a parent zone are aware of authoritative DNS servers for its child zones. Setting up a stub zone would thus not work in this scenario.
C: Delegation is the ability of an administrator to distribute certain administrative tasks to other individuals or groups. In terms of DNS, a portion of a domain namespace can be delegated to another server that will then be responsible for resolving name-resolution requests. However, what is needed in this case is conditional forwarding.
D: Secondary zones are zone types that store a copy of an existing zone in a read-only text file. To create a secondary zone, the primary zone must already exist, and you must specify a master name server. This is the server from which the zone information is copied. Thus this option will not meet the stated requirements.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, p. 246

QUESTION NO: 2

You are the administrator of the TestKing.com company network. The network consists of a single Active Directory domain named testking.com. The network includes 10 member servers running Windows Server 2003, 4 domain controllers running Windows Server 2003 and 150 client computers running Windows XP Professional. The domain controllers are also configured as DNS servers.

You configure a new UNIX server to act as a secondary DNS server that is authoritative for the DNS zone. You create a host (A) record for the UNIX server in the DNS zone. You configure the DNS zone to allow zone transfers to all servers.

You need to configure the DNS zone to accommodate the new UNIX server. What should you do?

A. Use dnsmgmt.msc to add a name server (NS) resource record for the UNIX server to the DNS zone.
B. Use dnsmgmt.msc to add the UNIX server to the start of authority (SOA) resource record for the DNS zone.
C. Use dnsmgmt.msc to add a service locator (SRV) resource record that includes the UNIX server as a host.
D. Use dnsmgmt.msc to add a LDAP service locator (SRV) resource record that includes the UNIX server as a host.
E. Use dnsmgmt.msc to add an alias (CNAME) record that includes the UNIX server as a host.

Answer: A

Explanation: When adding DNS servers to the domain, you must add a name server (NS) resource record to the zone. A name server (NS) resource record is used to map a DNS domain name, as specified in owner, to the name of hosts operating DNS servers specified in the name_server_domain_name field.

Incorrect Answers:
B: Adding to the DNS zone is proper, though not adding the UNIX server to the start of authority resource record.
C: You should not be adding a service locator resource record as this will not allow zone transfers to the UNIX server.
D: If the client and server configurations do not match in this case, the client will receive an LDAP BIND request failed and the client will be unable to connect to the server. Thus adding a LDAP service locator resource record will not accommodate the new UNIX server.
E: The UNIX server as host should not be included and you should not be adding an alias record.

References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp 594-5, 786

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a DNS domain named testking.com. A Windows Server 2003 computer named ServerTK1 is the primary DNS server for testking.com. The network also contains a UNIX server named ServerTK2. The relevant portion of the network is shown in the exhibit.

***MISSING***

A user named Anne uses a Windows XP Professional computer named ClientTK1. Anne reports that ClientTK1 can ping ServerTK2 by its IP address but not by its name. ClientTK1 can successfully connect to ServerTK1. Other hosts on the same subnet as ClientTK1 exhibit the same behaviour.

You need to ensure that all client computers can connect to ServerTK2 by its name. You need to minimize administrative effort. What should you do?

A. Add an alias (CNAME) record to 192.168.1.2 that references ServerTK2.
B. Add a host (A) record to 192.168.1.2 that references ServerTK2.
C. Add a reference to ServerTK2 in the Hosts file of each client computer in the network.
D. Add a reference to ServerTK2 in the Lmhosts file of each client computer in the network.

Answer: B

Explanation: A Host Address Record (A), also referred to as a Host Record, associates a host name to its IP address. It is a record used to map machine or resource host names to IP addresses.

Incorrect Answers:
A: A canonical name serves as an alias when you want to hide your network details from the clients that connect to it. This is not what is required.
C, D: The Hosts file provides host name resolution on an IP-based network, while LMHosts is used for NetBIOS name resolution. This option should also work, but both cases involve more administrative effort than option B.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 427-428, 87

QUESTION NO: 4

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 2000 Professional.

The network includes a single DNS server. The DNS server hosts the testking.com zone.

You are deploying an intranet site that will be accessed by all company users. The site will be heavily utilized. You deploy three Web servers named Web1, Web2, and Web3 to host the site. All users must be able to access the intranet site by using intranet.testking.com as the address.

You need to ensure that the three Web servers are equally utilized. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. Create a host (A) resource record named intranet.testking.com.
B. Configure a host (A) resource record for each of the three Web servers.
C. Create an alias (CNAME) resource record for each of the three Web servers. Configure each record to refer to testking.com.
D. Configure three alias (CNAME) resource records for intranet.testking.com. Configure each record to refer to one of the Web server host (A) resource records.

Answer: B, D

Explanation: You have to configure a host (A) resource record for each of the three Web servers. This record will be used to associate the hostname to a specific IP address. Domains use DNS alias records so that they can use more than one name to point to a single host. Therefore, to ensure that users can access the intranet site by using intranet.testking.com as the address, you have to set up three alias (CNAME) resource records for intranet.testking.com and enable each one to refer to one of the Web server host (A) resource records.

Incorrect Answers:
A: The host (A) resource record has to be created for the intranet.testking.com only and not on all three Web servers. You only need to refer to one of the Web server host (A) resource records.
C: The Canonical Name (CNAME) resource record is used to create aliases that hide your network details from the clients that connect to it.
&n this scenario ou need to create aliases for intranet.test/ing.com and not for the three !eb ser%ers. De$erence: Q. .. Mac/in, &an Mc4ean, M.$AHM.$3 $elf25aced Training @it *eBam G"22=1+9 &mplementing, Managing, and Maintaining a Microsoft !indows $er%er 2""3 networ/ &nfrastructure, Microsoft 5ress, Redmond, 2""3, 5art 1, .hapter -, pp. 2"F 2 21", -2> QUESTION NO: 5 DD)- DDO. You are the Net"or0 )dministrator $or TestBing com The net"or0 consists o$ t"o )cti/e Directory domains named cor# test0ing com and engineering test0ing com

DNS zones named corp.testking.com and engineering.testking.com have been created on the internal DNS servers. The company also uses a separated DNS zone named testking.com to register the host names for the internal company Web sites. All DNS zones are configured to allow dynamic updates. The network contains two DNS servers. One has IP address 192.168.1.10 and the other has IP address 192.168.1.11. All DNS zones that are used by the company are replicated to both DNS servers. You install Windows Server 2003 on a computer named Server10.corp.capandl.com, which is a member of the corp.testking.com domain. Server10.corp.testking.com will host an internal Web site. The internal web site must be accessible on the URL http://server10.testking.com/. You must configure the DNS client settings on Server10.corp.testking.com to ensure that its DNS host (A) record is automatically registered in the correct DNS zone. Server10.corp.testking.com must be able to resolve the computer names of all hosts in the testking.com zone, corp.testking.com zone, and the engineering.testking.com zone without specifying their domain names. There are no duplicate host names on the network. What should you do? To answer, configure the appropriate option in the dialog box, and drag the appropriate DNS suffix or suffixes to the correct location or locations.
Answer:
Explanation: You need to configure Server10 to register an A record in the testking.com domain because the internal web site has to be accessible on the URL http://server10.testking.com/. Setting the DNS suffix to testking.com, and selecting the Register this connection's address in DNS checkbox, and the Use this connection's DNS suffix in DNS registration checkbox will achieve this. Server10.corp.testking.com must be able to resolve the computer names of all hosts in the testking.com zone, corp.testking.com zone, and the engineering.testking.com zone without specifying their domain names. You can ensure this by entering testking.com, corp.testking.com and engineering.testking.com in the Append these DNS suffixes (in order) box.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 552

QUESTION NO: 6
You are the Network Administrator for TestKing.com. The network consists of a single active directory domain named testking.com. The domain contains three Windows Server 2003 computers, which are described in the following table:
Name        Role
TestKing1   Domain controller and primary DNS server
TestKing2   Accounting application server
TestKing3   Inventory application server
Two hundred Windows 2000 Professional computers use the accounting and inventory applications. The client computers connect to TestKing2 and TestKing3 by using TCP/IP and the names of the servers. The relevant portion of the network is shown in the exhibit.
You need to consolidate servers. You move the inventory application to TestKing2 and then remove TestKing3 from the network. You need to ensure that all client computers can connect to TestKing2 for both the accounting and inventory application and you do not want to modify the client computers. You need to minimize administrative time. What should you do?
A. Configure the network adapter on TestKing2 to use IP addresses 192.168.1.5 and 192.168.1.6.
B. On TestKing1, add a CNAME DNS record that refers TestKing3 to TestKing2.
C. Add a line to the Hosts file on TestKing2 that identifies 192.168.1.5 as TestKing3.
D. On TestKing1, add an HINFO DNS record that refers to TestKing2.

Answer: B
Explanation: You can enter an alias (CNAME) record in DNS to ensure that requests sent to testking3.testking.com are forwarded to testking2.testking.com. Alias (CNAME) resource records are sometimes called canonical names. These records allow you to use more than one name to point to a single host. This makes it simpler to perform tasks such as hosting both an FTP server and a Web server on the same computer. For instance, the well-known server names (ftp, www) are registered using CNAME RRs that map to the DNS host name, such as "server-1" for the server computer that hosts these services.
Incorrect Answers:
A: This could work but it is not the recommended solution. Using a CNAME record in DNS is an easier method.
C: The hosts file on TestKing2 is not used. DNS is used in this scenario.
D: An HINFO DNS record lists the hardware and operating system that is running at the listed host. This is irrelevant.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 415

QUESTION NO: 7
You are the Network Administrator for TestKing.com. The Network consists of a single Active Directory domain named testking.com. The domain contains 125 Windows 2000 Professional computers and two Windows Server 2003 Computers. The network has no direct connection to the internet. A server named TestKingA is a domain controller and the primary DNS Server for the testking.com domain. The network uses TestKingA as the authoritative root server for the testking.com domain. A server named TestKingB is a domain controller and DHCP server. Server2 is also used as a web server and it runs an intranet application. Users report that when they try to connect to URLs outside of the testking.com domain, their Web Browsers are very slow to report that the URLs cannot be reached. You need to ensure that DNS name resolution is as fast as possible. What should you do?
A. Delete the cache.dns file from TestKingA.
B. Delete the netlogon.dns file from TestKingA.
C. In the Hosts file on TestKingA, add a reference to TestKingB.
D. In the Lmhosts file on TestKingA, add a reference to TestKingB.
Answer: A
Explanation: The cache.dns file contains a list of the Internet root DNS servers. From the question, it can be concluded that the DNS server is unaware that the network is not connected to the Internet. When the DNS server receives a name resolution request for an external hostname, it attempts to connect to an Internet root server. When the connection attempt times out, the DNS server attempts to contact another Internet root server. The process is repeated until an attempt has been made to contact all the root servers listed in the cache.dns file. This is the reason for DNS name resolution being slow. You can solve this problem by deleting the cache.dns file.
Incorrect Answers:
B: The netlogon.dns file allows you access to manually configure DNS, but this is not what is required; you need to ensure that DNS name resolution is as fast as possible and for this to occur you need to get rid of the cache.dns.
C, D: Adding a reference to TestKingB in the Hosts file or even Lmhosts file on TestKingA is not the same as purging information out of the cache. In fact it adds to the already populated cache.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 479

QUESTION NO: 8
You are the administrator of an organizational unit (OU) named Finance. TestKing's network consists of two Windows 2003 Active Directory domains named TestKing.com and main.TestKing.com. The Finance OU is in the

main.TestKing.com domain. The network contains a Windows 2003 Server computer named ServerA, which runs the DNS Server service. ServerA contains Active Directory integrated zones for both TestKing.com and main.TestKing.com. A Windows 2000 Professional computer named Client1 must be moved from the TestKing.com domain to the Finance OU in the main.testking.com domain. The domain administrator of TestKing.com moves Client1 from TestKing.com to a workgroup named Temp. You join Client1 to the main.TestKing.com domain. You move Client1 into the Finance OU. You discover that you cannot resolve Client1 by using Client1's fully qualified domain name (FQDN) when you run the ping command. You can resolve other client computers in the main.TestKing.com domain by using a FQDN when you run the ping command. You need to be able to resolve Client1 by using the FQDN. What should you do?
A. Run the ipconfig /registerdns command on Client1.
B. Run the ipconfig /flushdns command on Client1.
C. Ask the DNS administrator to configure the DNS server to require secure dynamic updates.
D. Ask the DNS administrator to configure main.TestKing.com on ServerA as a standard primary zone.
Answer: A
Explanation: To resolve the fully qualified domain name of client1.main.testking.com, you need an A record in the DNS zone for main.testking.com. You can manually enter the A record (not given as an option in these answers) or you can force Client1 to register its own A record by running the ipconfig /flushdns command on Client1.
Incorrect Answers:
B: This would clear the DNS cache on Client1. The question does not indicate that Client1 is experiencing problems resolving hostnames. Other computers are having problems resolving Client1's hostname.
C: It is immaterial whether the DNS server requires secure updates or insecure updates.
D: Whether the DNS zone is a standard primary zone or an Active Directory Integrated zone is irrelevant.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 516

QUESTION NO: 9
You are the network administrator for TestKing.com. The network consists of a single DNS domain named testking.com. You replace a UNIX server with a Windows Server 2003 computer named TestKing1. TestKing1 is the DNS server and start of authority (SOA) for testking.com. A UNIX server named TestKing2 is the mail server for testking.com. You receive reports that Internet users cannot send e-mail to the testking.com domain. The host addresses are shown in the following window. You need to ensure that Internet users can send e-mail to the testking.com domain. What should you do?
A. Add an _smtp service locator (SRV) DNS record for TestKing2.
B. Add a mail exchange (MX) DNS record for TestKing2.
C. Add an alias (CNAME) record for mail.testking.com.
D. Enable the SMTP service on TestKing1.
Answer: B
Explanation: Email servers on the Internet query Testking1 for the address of the mail server for the domain. The address of the mail server is held in a MX (Mail Exchange) DNS record.
Incorrect Answers:
A: Email servers find other email servers by using MX records, not SRV records.
C: Email servers find other email servers by using CNAME records.
D: The SMTP service should be running on the mail server and not on the DNS server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 426

QUESTION NO: 10
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest named testking.com. The forest contains two domains named testking.com and corp.testking.com. The network consists of 15 subnets. The domain controllers are configured as shown in the following table.
TestKingSrvA and TestKingSrvB are registered in testking.com. All other computers are registered in corp.testking.com. You create reverse lookup zones for all subnets. The corp.testking.com domain contains a Windows NT Server 4.0 file and print server named TestKingSrvE. You change the static IP address for TestKingSrvE. You need to ensure that this change is reflected in DNS. Which two resource records should you modify? (Each correct answer presents part of the solution. Choose two.)
A. The pointer (PTR) record in the corp.testking.com zone.
B. The host (A) record in the corp.testking.com zone.
C. The alias (CNAME) record in the corp.testking.com zone.
D. The pointer (PTR) record in the stub zone.
E. The host (A) record in the stub zone.
F. The alias (CNAME) record in the stub zone.
Answer: A, B
Explanation: need to perform this manually. The two records that should be created are the 'A' record and the 'PTR' record. These records should be created in the corp.testking.com zone because the NT server is a member of that domain.
Incorrect Answers:
C: You do not need a CNAME record. You only need to modify two resource records.
D: Stub zones are updated automatically, and only contain the names and IP addresses of DNS servers. TestKingSrv5 is a File and Print server.
E: Stub zones are updated automatically, and only contain the names and IP addresses of DNS servers. TestKingSrv5 is a File and Print server.
F: Stub zones are updated automatically, and only contain the names and IP addresses of DNS servers. TestKingSrv5 is a File and Print server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 42

QUESTION NO: 11 DRAG DROP
You are the network administrator for TestKing. The network contains eight DNS servers. You use a DNS namespace named testking.com in the network. All eight DNS servers must be configured to allow host names in the contoso.com namespace to be resolved. The following table specifies how each server will be configured to support the testking.com namespace.
There are currently many incorrect name server (NS) records in the testking.com zone. You delete all the existing records. You now need to add back the NS records for only the other servers that will host the testking.com zone. Which server or servers should be added as name servers to the testking.com zone? To answer, drag the appropriate server or servers to the correct location or locations in the dialog box.
Answer:
Explanation: You need to add the NS records to the DNS servers hosting the primary and secondary zones for testking.com. TestkingDNS01 and TestkingDNS02 are primary servers. TestkingDNS03 and TestkingDNS04 are the secondary servers.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 427

QUESTION NO: 12 DRAG DROP

You are the network administrator for TestKing.com. The network consists of two DNS domains named testking.com and west.testking.com. The company opens a new branch office. The network in the new office is configured as the east.testking.com DNS domain.
The three domains now contain the Windows Server 2003 computers that are described in the following table. The relevant portion of the network is shown in the exhibit.
You start the New Delegation wizard to create a new delegation resource record for the east.testking.com domain to the testking.com domain. How should you configure the delegation resource record? To answer, drag the appropriate server name and IP address to the correct locations in the dialog box.
Answer:
Explanation: When creating a delegation resource record, you must configure the fully qualified domain name (FQDN) of the DNS server that is authoritative for the delegated domain. In this case, the server's name is testking3.east.testking.com and its IP address is 192.168.5.2.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 431

QUESTION NO: 13
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network contains 100 Windows 2000 Professional computers and three Windows Server 2003 computers. Information about the three servers is shown in the following table.
You add a network interface print device named TestKingPrinter1 to the network. You manually configure the IP address for TestKingPrinter1. TestKingPrinter1 is not currently registered on the DNS server. The relevant portion of the network is shown in the exhibit. You need to ensure that client computers can connect to TestKingPrinter1 by using its name. What should you do?
A. On TestKingSrvA, add an alias (CNAME) record that references TestKingPrinter1.
B. In the Hosts file on TestKingSrvC, add a line that references TestKingPrinter1.
C. On TestKingSrvA, add a service locator (SRV) record that references TestKingPrinter1.
D. On TestKingSrvA, add a host (A) record that references TestKingPrinter1.
E. In the Hosts file on TestKingSrvB, add a line that references TestKingPrinter1.
Answer: D
Explanation: A host (A) record is utilized in a DNS zone to map DNS domain names of hosts or computers to their IP addresses. Therefore, adding a host (A) record in the DNS zone would ensure that client computers can connect to TestKingPrinter1 by using its name.
Incorrect Answers:
A: An alias (CNAME) resource record only points to an A record. Alias (CNAME) resource records enable you to utilize more than one name to point to a particular host.
B: DNS should be utilized in this case. A Hosts file associates host names to IP addresses and is typically stored in the WINDOWS\System32\Drivers\ folder.
C: Service (SRV) records associate the location of a service such as a domain controller with information on the manner in which to contact the service. The printer does not require a SRV record.
E: A Hosts file associates host names to IP addresses. You should use DNS in this case.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 426

QUESTION NO: 14
You are the network administrator for TestKing.com. The network consists of a

single Active Directory domain testking.com. All domain controllers have the DNS service installed. You configure a new UNIX server to act as a secondary DNS server that is authoritative for the DNS zone. You create a host (A) record for the UNIX server in the DNS zone. You configure the DNS zone to allow zone transfers to all servers. You need to configure the DNS zone to accommodate the new UNIX server. What should you do?
A. Add a name server (NS) resource record for the UNIX server to the DNS zone.
B. Add the UNIX server to the start of authority (SOA) resource record for the DNS zone.
C. Add a global service locator (SRV) resource record that includes the UNIX server as a host.
D. Add a LDAP service locator (SRV) resource record that includes the UNIX server as a host.
Answer: A
Explanation: You must add a name server (NS) resource record to the DNS zone when adding DNS servers to the domain. The name server (NS) resource record is used in the DNS zone to assign the DNS domain names for authoritative DNS servers for the DNS zone.
Incorrect Answers:
B: The SOA resource record defines the general parameters for the DNS zone such as Source host and Refresh time, as well as the authoritative server for the zone. A secondary zone's SOA tab indicates the contents of the master SOA record.
C, D: SRV records basically associate the location of a service with information on how to contact the service.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 594-5, 786

QUESTION NO: 15 HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 10 Windows Server 2003 computers. The domain controllers are also configured as DNS servers. Each DNS server hosts an Active Directory-integrated forward lookup zone named testking.com. The DNS servers are also configured with a reverse lookup zone named 192.168.1.x Subnet. The DHCP server is configured with a scope that has the following properties:
1. An IP address range from 192.168.1.1 - 192.168.1.254
2. A subnet mask of 255.255.255.0
3. An exclusion range from 192.168.1.1 - 192.168.1.55
4. Scope options that include the assignment of a DNS server and a WINS server
The existing servers have static IP addresses within the range of 192.168.1.1 - 192.168.1.10. You assign a static IP address to a new UNIX server named Server1. You need to create a new host (A) resource record for Server1. In addition, you need to ensure that the DNS servers will respond to reverse lookup queries against the IP address for Server1. You also need to maximize the security and availability of the A record for TestKingSrv13. What should you do? To answer, click the appropriate option or options in the dialog box, and click the appropriate IP address.
Answer:
Explanation:
A) IP Address
192.168.1.0 & 192.168.1.255: These are broadcast addresses and would therefore not be used.
192.168.1.1: Existing servers are 1-10. This address is already being used.
192.168.1.58: This address is already in the scope (remember that 1-55 are excluded, so 56-254 are dynamic and can only be used when a reservation is set).
192.168.1.25: This is therefore the only usable and available address remaining.
B) Also enable the Create associated pointer (PTR) record option.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 642

Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 440-44

QUESTION NO: 16
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. A Windows Server 2003 computer named Server1 is currently the only domain controller for testking.com. Server1 is also the DNS server for the Active Directory-integrated zone named testking.com. You configure a new Windows Server 2003 computer named Server2 to query Server1 for DNS name resolution. You run the Active Directory Installation Wizard on Server2 and restart Server2. Forty-five minutes later, you inspect the service location (SRV) resource records, which are shown in the exhibit. You need to ensure that the SRV records on Server1 are complete. What should you do?
A. Restart the Net Logon service on Server1.
B. Restart the Net Logon service on Server2.
C. Run the ipconfig /registerdns command on Server1.
D. Run the ipconfig /registerdns command on Server2.
Answer: B
Explanation: The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. You can manually initiate the registration performed by the Net Logon service by restarting the Net Logon service.
Incorrect Answers:
A: The exhibit shows that the SRV records for TestKingA do exist. The records for TestKingB are missing.
C: The exhibit shows that the SRV records for TestKingA do exist. The records for TestKingB are missing.
D: The command ipconfig /registerdns refreshes all DHCP address leases, and registers all related DNS names configured and used by the client computer. This option will register client settings (A and PTR records), but not server resource (SRV) records.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapters 4 & 17, p. 208, 977

QUESTION NO: 17 HOTSPOT
You are the network administrator for TestKing.com. All network servers run either Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0. All client computers run either Windows XP Professional, Windows 2000 Professional, Windows NT Workstation 4.0, or Windows 98. The network consists of an Active Directory domain named testking.com. All domain controllers in the domain run Windows Server 2003. All domain controllers also have the DNS service installed and host an Active Directory-integrated zone named testking.com. A Windows Server 2003 member server assigns IP addresses to all computers in the company. All IP addresses are assigned from the 10.1.0.0/24 scope. All computers in the company must always be registered automatically in the testking.com zone, regardless of the local TCP/IP configuration settings. Only computers that have valid computer accounts in the Active Directory domain must be able to register host (A) records in the zone. If a computer is removed from the network, the associated name registration must be removed from DNS. You are configuring the testking.com DNS zone and the 10.1.0.0/24 DHCP scope to comply with the stated requirements. Which configuration settings should you use? To answer, configure the appropriate option or options in the dialog boxes.
Answer:
Explanation: Secure updates are applicable only to the DNS zones that are integrated into Active Directory. In this case access to the records is controlled by access control lists. The

question states that the domain controllers have the DNS service installed and host an Active Directory-integrated zone named testking.com. You can therefore select the Secure Only option to ensure that valid computers in the Active Directory domain are able to register host (A) records in the zone. For those client computers running Windows NT Workstation 4.0, or Windows 98, the DNS client computer, that is the DHCP server, can perform dynamic updates for these clients. There is a Windows Server 2003 member server that assigns IP addresses to all computers in the company. When the Secure Only option is selected, only the owner of a record can update that record. You thereby enable the client computers to automatically create or update their own resource records.
Always Dynamically Update DNS A And PTR Records has to be enabled to allow client computers running Windows NT to have their DNS information automatically updated. Recall that the requirement states that the computers in the company must always be registered automatically in the testking.com zone.
Checking the Discard A And PTR Records When Lease Is Deleted would ensure that the associated name registration is removed from DNS when a computer is removed from the network. Enabling this checkbox ensures that DNS has the correct data.
To configure the DHCP server, the Windows Server 2003 member server, to update A resource records and PTR resource records for the Windows NT 4 Client, the Dynamically Update DNS A And PTR Records For DHCP Clients That Do Not Request checkbox has to be enabled.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, p. 179

QUESTION NO: 18
You are the administrator of a Windows Server 2003 computer named TestKing3. TestKing3 is a domain member server that has the DNS service installed. TestKing3 is configured with two network interfaces named NIC1 and NIC2. Routing is not enabled between the two network interfaces. NIC1 and NIC2 are configured as shown in the following table.
Network interface | IP address | Subnet mask | Preferred DNS server | Purpose
NIC1 | 192.168.2.10 | 255.255.255.0 | 192.168.2.10 | Connect to production network
NIC2 | 192.168.3.10 | 255.255.255.0 | 192.168.3.2 | Connect to isolated preproduction network segment
Resources on the preproduction network segment use the same fully qualified domain names (FQDNs) as resources in the production network. The TCP/IP properties on client computers in the preproduction environment are controlled by individual testers. You need to ensure that the users in the preproduction environment cannot resolve FQDNs from the production network. You want to accomplish this goal by using the DNS console on TestKing3. What should you do?
A. Configure the interfaces properties on Testking3 to listen on 192.168.2.10 only.
B. Configure the forwarders on TestKing3 to refer requests to 192.168.3.2.
C. Configure TestKing3 to disable recursion.
D. Configure TestKing3 to disable round robin.
Answer: A
Explanation: When configuring your DNS server, the first tab, Interfaces, is used to tell your DNS server on which Network Interface Cards (NIC), and IP addresses attached to those cards, it will listen for DNS queries. The default is to pick up all IP addresses assigned to the DNS server during installation. To limit the IP addresses on which your DNS server will listen, select Only the following IP addresses, type the IP addresses you want in the IP Address field, and click the Add button. Thus configuring the TestKing3 interfaces properties to listen to 192.168.2.10 only will result in the preproduction segment not being able to resolve FQDNs from the production network.
Incorrect answers:

B: Configuring the forwarders to refer requests to 192.168.3.2 will not prevent the preproduction segment from resolving the FQDNs from the production network.
C: One uses the Do not use recursion for this domain check box when you are sure that the forwarder to which you are pointing the domain for resolution requests will be able to resolve queries for that domain. Otherwise, you will be faced with a lot of failed queries because no other resolution methods will be attempted. This is not the way to prevent preproduction from resolving FQDNs from the production section.
D: Round robin enables DNS entries that have multiple IP addresses sharing the same host name to be alternately sequenced through when clients query that host name for name resolution. This means that clients querying the same host name will be directed to different IP addresses in a load balancing fashion. Thus disabling round robin is not going to prevent the preproduction segment from resolving production FQDNs.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 492-497

QUESTION NO: 19

DRAG DROP

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network contains five servers and 2,500 Windows XP Professional computers. The servers are described in the following table.

| Server name | Operating System | Server roles | IP address |
|---|---|---|---|
| TestKing1 | Windows Server 2003 | Domain controller, DNS server | 192.168.0.2 |
| TestKing2 | Windows Server 2003 | Domain controller, DHCP Server | 192.168.0.5 |
| TestKing3 | Windows 2000 Advanced Server | Member server, order entry application server | 192.168.0.100 |
| TestKing4 | Windows 2000 Advanced Server | Member server, order entry application server | 192.168.0.101 |
| TestKing5 | Windows Server 2003 | Member server, database server | 192.168.0.102 |

DNS round robin is enabled on TestKing1. You want client computers to connect to TestKing3 and TestKing4 by using the host name TestKingServer. You need to evenly distribute connections to TestKing3 and TestKing4 to distribute the load. What resource records should you create? To answer, drag the appropriate host names, record types, and IP addresses to the correct locations.

Drag and Drop

Answer:

Explanation: The Address (A) resource record associates an FQDN or host name with an IP address. This provides information for resolvers to request an IP address for a given FQDN.
A PTR record is just the opposite of a type A record. It resolves an IP address to a host name.
The Mail Exchange (MX) resource record specifies a mail exchange server that will process e-mail for the domain name. Only mail servers use the MX record type. Mail exchange servers can either send the mail directly or forward it to another mail server that is closer to the final destination.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 427-428

C: Manage DNS server options. (2 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKing.com acquires a company named Foo. Foo's network consists of a single Active Directory domain named foo.com. A server named TestKing9 is a network-management application server in the foo.com domain. TestKing9 accesses all of the desktop client computers to perform automated software upgrades and hardware inventory. The network-management software on TestKing9 references desktop computers by unqualified host names, which are resolved to clientname.foo.com by using a DNS server. You join TestKing9 to your domain to become testking9.testking.com. The TestKing9 IP address is 10.10.10.90. You gradually migrate all foo.com desktop client computers to your domain to become clientname.testking.com. You do not have access to the foo.com DNS server. When TestKing9 attempts to apply an update to the client computers, the network-management software returns many alerts that say that desktop computers cannot be found.
You want to allow the network-management software on TestKing9 to resolve unqualified client host names in foo.com or testking.com, and you want to use the minimum amount of administrative effort. What should you do?

A. On the DNS server for testking.com, add a zone for foo.com. Create a host (A) record for testking9.foo.com that points to 10.10.10.90.
B. On TestKing9, in System Properties, type foo.com in the Primary DNS suffix of this computer field in the DNS Suffix and NetBIOS Computer Name setting.
C. On TestKing9, configure a Hosts file that contains the name and IP address of every network computer.
D. On TestKing9, in Advanced TCP/IP Settings, add foo.com and testking.com to the Append these DNS suffixes (in order) setting.

Answer: D

Explanation: If you choose Append these DNS suffixes (in order), only domain names listed in that window will be tried for resolution purposes. Both the connection-specific and primary DNS suffix are ignored. This is exactly what is necessary if you want to allow the network management software on TestKing9 to resolve unqualified client host names in foo.com or testking.com with the least amount of administrative effort. You should thus add the foo.com and testking.com names in that setting.

Incorrect answers:
A: There is no need to add new zones or create a host (A) record when all that is needed is to add the foo.com and testking.com names to the Append these DNS suffixes (in order) setting through the Advanced TCP/IP settings.
B: The System properties do not host this option. The Advanced TCP/IP Settings is the place where you will find the appropriate settings.
C: A hosts file is a static file. If any names or addresses change, they must be changed manually in the hosts file. This is not what is required.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, pp. 69, 515

QUESTION NO: 2

You are the network administrator for TestKing.com. You administer a Windows Server 2003 computer named TestKing6. TestKing6 is a file server that contains sensitive company data. Client computers on the network run either Windows XP Professional or Windows NT Workstation 4.0. All users who need to connect to the shared folders on TestKing6 run Windows XP Professional. Sandra, another network administrator, reports that all legacy applications have been decommissioned on TestKing6 and that there is no longer any need to use anything other than DNS for name resolution on TestKing6. You want to ensure that only the Windows XP Professional client computers can browse or map to shared folders on TestKing6. What should you do?

A. Install the DNS Server service on TestKing6. Configure TestKing6 to refer to itself as the preferred DNS server.
B. Configure TestKing6 to disable NetBIOS over TCP/IP.
C. Uninstall File and Print Sharing for Microsoft Networks.
D. Disable the computer browser service on TestKing6.

Answer: B

Explanation: NetBIOS works by broadcasting network resource information.
Enable NetBIOS over TCP/IP - Enables the use of NetBIOS.
Disable NetBIOS over TCP/IP - Disables the use of NetBIOS, in effect making the settings useless.
Since NetBIOS packets aren't routable, you should disable NetBIOS over TCP/IP to ensure that only the Windows XP Professional clients can browse or map shared folders on TestKing6.

Incorrect answers:
A: The DNS client queries its preferred DNS server. The preferred DNS server contacts the DNS server that is authoritative for that zone. The authoritative server for that zone forwards that request to the server it is configured to use for resolution. The server resolves the name lookup and forwards the IP address back to the authoritative zone server. The authoritative zone server returns the IP address back to the preferred DNS server. The preferred DNS server returns the IP address back to the DNS client. However, this is not what is required.
C: Uninstalling File and Print Sharing for Microsoft Networks will not ensure that only the Windows XP Professional client computers can browse or map to shared folders on TestKing6.
D: Disabling the computer browser service on TestKing6 is not the solution. You need to disable NetBIOS over TCP/IP on TestKing6.

Reference:
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 56
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing, Rockland, 2003, p. 281

Part 3: Monitor DNS. Tools might include System Monitor, Event Viewer, Replication Monitor, and DNS debug logs. (11 Questions)

QUESTION NO: 1

You are a network administrator for TestKing.com. The network consists of three Active Directory domains. You are responsible for managing a single Active Directory domain that contains five DNS servers. You use the DNS console to manage all five DNS servers. Some of the users on your network report that they cannot connect to network resources. You discover that the users' client computers are configured to use a DNS server named DC2 as their primary DNS server. You view the DNS console, as shown in the exhibit.
You need to identify the problem that is preventing users from connecting to network resources. What should you do?

A. In the DNS event logs, look for error events.
B. In the DNS properties on DC2, look at the Event Logging tab.
C. In the system event logs, look for warning events.
D. In the DNS properties on DC2, look at the Monitoring tab.

Answer: A

Explanation: Windows Server 2003 automatically logs DNS events in the event log beneath a separate DNS server heading. DNS events are logged to the DNS event log, DNS Events, which is located either in the DNS console or the Event Viewer MMC console. Simply select DNS Events and look for any detailed DNS warnings and alerts to identify the problem that is preventing users from connecting to network resources.

Incorrect Answers:
B: The Event Logging tab enables you to configure the type of events that should be written to the DNS event log. You can log errors, warnings, and all events. This is a very wide parameter, making identification of the problem a lengthy process.
C: Events related to Windows system components are stored in this log file. This includes entries regarding failure of drivers and other system components during startup and shutdown. Thus this option will not enable you to view problems regarding connectivity.
D: The Monitoring tab can be used to test and verify the configuration by manually sending queries against the server. You can perform a simple query that uses the DNS client on the local server to query the DNS service to return the best possible answer. You can also perform a recursive query in which the local DNS server can query other DNS servers to resolve the query. Hence this tab will be used to resolve queries and will not help you in identifying what prevents users from connecting to network resources.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 762
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 3
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 6, pp. 340-342

QUESTION NO: 2

Exhibit

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The IT department manages the forest root domain, which is named testking.com. The root domain contains three Windows Server 2003 domain controllers named TestKing1, TestKing2, and TestKing3. These three domain controllers have the DNS service installed. The configuration of the testking.com zone is shown in the exhibit.
You view the event logs of the domain controllers. You notice that there are frequent failures of Active Directory transactions, which are caused by DNS lookup failures against the testking.com zone. You discover that the data in the DNS zone on TestKing3 is out of date. What should you do on TestKing3?

A. Use the Replmon utility to look for Active Directory replication errors.
B. Use Event Viewer to examine the DNS Server log for zone transfer errors.
C. Enable debug logging and examine the log file for transfer packets.
D. Use System Monitor to monitor the DNS\Zone Transfer Failure counter.

Answer: A

Explanation: The Active Directory Replication Monitor, replmon.exe, is part of the Windows 2000 Support Utilities available on the Windows 2000 Server CD in the \SUPPORT\TOOLS folder. The replmon command allows you to monitor the status of Active Directory replication between domain controllers. If zone information is stored within Active Directory, this also enables you to monitor replication between DNS servers.

Incorrect answers:
B: Examining the DNS server log for zone transfer errors through the Event Viewer will not yield the proper information for your purposes.
C: Debug logging logs every packet in and out of the DNS server. DNS debug logging collects information by logging any DNS traffic that fits the debug logging criteria.
Thus this option will not do since you need to make use of the Replmon utility to look for the Active Directory replication errors that are causing the DNS lookup failures.
D: System Monitor will reveal the live performance to you, but not events that have already taken place. Thus this option is not the answer.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 343, 477, 551, 961
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Three network servers are configured as DNS servers. The DNS servers are configured as shown in the exhibit.
You need to verify that the DNS data on all DNS servers is up to date. What should you do on each DNS server?

A. Review the event log.
B. View the testking.com zone properties.
C. Use Replication Monitor.
D. Use System Monitor.

Answer: B

Explanation: The General tab of the zone properties allows you to determine what the status of your DNS server service is. Zone properties include: General, Start of Authority (SOA), Name Servers, WINS, Zone Transfers and Security.
DNS zone data is kept updated during the zone transfer process by using a number of configurable time intervals such as the Refresh interval, Retry interval, Expires after, Minimum (default) TTL and TTL for this record interval setting. These settings would be located on the Start of Authority (SOA) tab of the testking.com zone properties. You can manually initiate a zone transfer by incrementing the Serial Number field. This is done by selecting the Increment button.

Incorrect Answers:
A: Reviewing the event log enables you to configure the type of events that should be written to the DNS event log. You can log errors, warnings, and all events. You can also turn off logging by selecting No Events. This would not be necessary as all you need to do is to view the testking.com zone properties.
C: Making use of Replication Monitor, you can monitor the status of Active Directory replication between domain controllers. If zone information is stored within Active Directory, this also enables you to monitor replication between DNS servers. Monitoring replication does not mean that you will be able to verify that DNS data on all DNS servers is up to date.
D: System Monitor can be used to actively monitor live performance statistics for your DNS server using over 60 different DNS-related performance counters. This means you still need to view the testking.com zone properties.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 5, pp. 262-279.

QUESTION NO: 4

You are a network administrator for TestKing.com. All servers run Windows Server 2003. One network server is a DNS server named DNS1. Client computers query DNS1 to locate information on Active Directory.
A user who is using a client computer named Testking1 reports that he cannot access network resources. You discover that this problem is caused by incorrect name resolution. You verify that DNS is configured correctly on Testking1. You also verify that other client computers can query DNS1. You need to view the complete queries and responses between Testking1 and DNS1. What should you do?

A. Enable debug logging on DNS1.
B. Use System Monitor to monitor queries and responses on DNS1.
C. Review the event logs on DNS1 for errors relating to the DNS service.
D. On Testking1, run the nslookup command to view the zone records on DNS1.

Answer: A

Explanation: DNS debug logging is an optional logging tool for DNS that stores the DNS information that you select. Because debug logging consumes server resources, it is disabled by default. Debug logging is configured at the DNS server level. The debug logging settings therefore affect all zones hosted on the DNS server.
DNS debug logging collects information by logging any DNS traffic that fits the debug logging criteria. Logging continues until either the log file size specified is met or the drive where the log file is stored runs out of space.

Incorrect Answers:
B: System Monitor can be used to monitor the real-time performance of system components as well as services and applications. System Monitor can be used to collect and view real-time performance data, view data saved in a counter log, and present captured data using various views.
C: Queries and responses do not necessarily mean errors in the DNS service.
D: The nslookup command can be used to determine the hostname associated with a specific IP address. To use the nslookup command, PTR records must exist. Thus this option is not the answer.

Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 3

QUESTION NO: 5

DRAG DROP

You are the network administrator for the IT department of TestKing. The company network consists of an Active Directory forest named testking.com. The IT department manages the forest root domain named testking.com. This domain contains two Windows Server 2003 domain controllers named DC02 and DC03. Both domain controllers have the DNS service installed. All DNS zones are Active Directory-integrated. You notice that recent changes to the _msdcs.testking.com zone were not replicated to DC02. The configuration of the _msdcs.testking.com zone is shown in the exhibit.

***MISSING***

You need to verify that the _msdcs.testking.com zone is being successfully replicated. You want to use Active Directory Replication Monitor to monitor DC02.

Answer:

Explanation: The Active Directory Replication Monitor, replmon.exe, is part of the Windows 2000 Support Utilities available on the Windows 2000 Server CD in the \SUPPORT\TOOLS folder.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 477

QUESTION NO: 6

You are the network administrator for TestKing.com. TestKing uses the testking.com DNS namespace. The primary name server for the testking.com zone is a Windows Server 2003 computer named DNS01. The testking.com zone on DNS01 is enabled for dynamic updates.
You notice that some hosts that should be registered in the testking.com zone are not listed. You need to find the cause of the problem. You need to find out which computers are attempting to perform dynamic registrations and which DNS records they are attempting to register. What should you do?

A. Use Event Viewer to examine the DNS Server log on DNS01.
B. Use Event Viewer to examine the System log on DNS01.
C. Enable DNS debug logging on DNS01 and examine the log file.
D. Use System Monitor to look for client registrations on DNS01.

Answer: C

Explanation: Debug logging logs every packet in and out of the DNS server. DNS debug logging is an optional logging tool for DNS that stores the DNS information that you select. Because debug logging consumes server resources, it is disabled by default. Debug logging is configured at the DNS server level. The debug logging settings therefore affect all zones hosted on the DNS server. Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily, in cases where more detailed information about server performance is needed. DNS debug logging collects information by logging any DNS traffic that fits the debug logging criteria. Logging continues until either the log file size specified is met or the drive where the log file is stored runs out of space.
After the file limit is reached, the logging process will begin to overwrite the oldest entries. Because log files can grow quite large, it is recommended that they be located on a separate drive.

Incorrect Answers:
A: Examining the DNS Server log on DNS01 through the Event Viewer will not yield the proper information for your purposes.
B: The system log on DNS01 contains events generated by Windows system components.
D: Looking for client registrations on DNS01 using System Monitor will reveal the live performance to you, but not events that have already taken place. Thus this option is not the answer.

Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 343, 551, 961

QUESTION NO: 7

You are the DNS administrator for TestKing.com. TestKing is an ISP that hosts web sites for many companies. TestKing DNS servers host multiple DNS zones for customers. Several TestKing administrators are allowed to add DNS zones. You want to produce a weekly report that will list all the zones that are hosted on each DNS server. What should you do?

A. Use the dnslint utility to query each DNS server.
B. Use the dnscmd utility to query each DNS server.
C. Use the nslookup utility to query each DNS server.
D. Use the adsiedit utility to query Active Directory for a list of DNS zones.

Answer: B

Explanation: The dnscmd utility can be found with the support tools on the Windows Server 2003 CD-ROM. The dnscmd /enumzones command lists all the zones on a DNS server.

Incorrect Answers:
A: The dnslint utility can be used to verify DNS records from a list. It does not list all the zones on a DNS server.
C: The nslookup utility can be used to list all records in a zone, but it does not list all the zones on a DNS server.
D: The adsiedit utility is used to edit Active Directory attributes. It does not list all the zones on a DNS server.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 442, 858

QUESTION NO: 8

DRAG DROP

You are the network administrator for TestKing.com. The network consists of two DNS domains named testking.com and south.testking.com. A Windows Server 2003 computer named TestKingSrvA is a domain controller and DNS server for testking.com. TestKingSrvA is also a secondary zone server for south.testking.com. A Windows 2000 Server computer named TestKingSrvB is a domain controller and the DNS server for south.testking.com. The two DNS domains are connected through an ISDN line. You need to monitor the successful incremental zone transfers from south.testking.com to testking.com. What should you do?

Answer:

Explanation: The IXFR Success Received counter indicates the number of successful incremental zone transfers received by a secondary DNS server.
AXFR relates to an all zone transfer.
The Dynamic Update Received counter is typically for determining whether DNS clients are attempting to update their DNS addresses.
The Secure Update Received counter is for determining the number of systems that are successfully performing secure updates in DNS.
The WINS Reverse Lookup counter relates to WINS reverse lookups.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 539

QUESTION NO: 9

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. A Windows Server 2003 computer named TestKingC functions as the DNS server for the domain. Wingtip Toys is a division of TestKing. The Wingtip Toys network consists of a single Active Directory domain named wingtiptoys.com. TestKingC is a secondary zone server for wingtiptoys.com. You are monitoring notification traffic between the two domains. You need to keep a record of when the primary DNS server for wingtiptoys.com informs TestKingC of available changes in the wingtiptoys.com zone. What should you do?

A. Use the Performance console to create a log of the DNS performance counter Notification Received on TestKingC.
B. Enable debug logging on TestKingC. Configure the log to record Notification events.
C. Run the replmon command to monitor replication events on TestKingC.
D. Run the dcdiag command to check DNS registration on TestKingC.

Answer: B

Explanation: Debug logging is disabled by default and has to be enabled on TestKingC. Select the Log packets for debugging check box to configure Debug Logging. To receive useful debug logging information, you should select a Packet direction, a Transport protocol, and at least one more option. You can also specify the file path and name, and the maximum size for the log file. Enabling Debug Logging slows DNS server performance.

Incorrect Answers:
A: create a log of the DNS performance counter.
C: Debug logging logs every packet in and out of the DNS server, whereas the replmon command allows you to monitor the status of Active Directory replication between domain controllers. If zone information is stored within Active Directory, this also enables you to monitor replication between DNS servers.
D: check DNS registration on TestKingC.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 551

QUESTION NO: 10

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional and are members of the domain. The domain contains a single DNS server named TestKing8. Root hints are enabled on TestKing8. Internet access for the company is provided by a Network Address Translation (NAT) server named TestKing9. TestKing9 is connected to the Internet by means of a permanent connection to the company's ISP.
Users report that they can no longer connect to http://www.testking.com. Users can connect to internal resources and to other Internet Web sites. You can successfully access http://www.testking.com from a computer outside the corporate network. You need to ensure that the users can access http://www.testking.com. You must also ensure that users retain their ability to access internal resources. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Disable Routing and Remote Access on TestKing9.
B. Create a root zone on TestKing8.
C. On all affected users' computers, run the ipconfig /flushdns command.
D. Configure all affected users' computers to use the ISP's DNS server.
E. Use the DNS console on TestKing8 to clear the DNS cache.

Answer: C, E
Explanation: To clear the DNS resolver cache, you can enter ipconfig /flushdns at the command prompt. Alternatively, you can restart the DNS Client service by using the Services console, an administrative tool accessible through the Start menu. The Ipconfig /flushdns command purges the contents of the DNS client cache. Thus running this command on the affected users' computers will ensure that users can access the sites that they need access to and retain their ability to access internal resources.
Incorrect answers:
A: It is not a matter of disabling Routing and Remote Access on TestKing9. TestKing9 is responsible for NAT and you will be shooting yourself in the foot if you disable Routing and Remote Access.
B: This approach creates an empty root zone and makes the internal server a root server. It would then never use forwarders and would resolve only internal queries. This approach is not a solution to this problem.
D: Merely configuring all affected computers to use the ISP's DNS server is not going to achieve your goal here. It is impractical.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 15, p. 4:5

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. A Windows Server 2003 computer named TestKing5 is the only DNS server in the domain. It hosts no other zones. Users report that connecting to computers within the testking.com domain is slow. You need to find out whether DNS client traffic on TestKing5 is causing this problem. What should you do?
A. Use System Monitor to create a log of the DNS counters Dynamic updates/sec and Total queries/sec.
B. Use System Monitor to create a log of the NetworkInterface counter Total bytes/sec.
C. Enable debug logging on TestKing5. Configure the log to capture Notification events.
D. Enable debug logging on TestKing5. Configure the log to capture Update events.
Answer: A
Explanation: The System Monitor utility is used to collect and measure the real-time performance data for a local or remote computer on the network. Through System Monitor, you can view current data or data from a log file. When you view current data, you are monitoring real-time activity. When you view data from a log file, you are importing a log file from a previous session. Using the System Monitor, you can generate statistics on the following types of information regarding DNS services: AXFR requests (all-zone transfer requests), IXFR requests (incremental zone transfer requests), DNS server memory usage, Dynamic updates, DNS Notify events, Recursive queries, TCP and UDP statistics, WINS statistics and Zone transfer issues. Thus to find out whether DNS client traffic is responsible for the slow speed at which computers connect within the testking.com domain, you should create a log of the Dynamic updates/sec and the Total queries/sec given the fact that TestKing5 is the only DNS server in the domain.
Incorrect answers:
B: The NetworkInterface counter Total bytes/sec is not going to yield the information that you need to check.
C, D: This is inappropriate in the given circumstances as it will not yield the proper information that you will need to check to see if DNS client traffic on TestKing5 is responsible for the slow connections within the domain.
Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 70-73, 30

Topic 3, Implementing, Managing, and Maintaining Network Security (56 Questions)
Part 1: Implement secure network administration procedures.

A: Implement security baseline settings and audit security settings by using security templates and policies. (25 Questions)

QUESTION NO: 1
You are the network administrator in the New York office of TestKing. The company network consists of a single Active Directory domain testking.com. The New York office currently contains one Windows Server 2003 file server named TestKingA. All file servers in the New York office are in an organizational unit (OU) named New York Servers. You have been assigned the Allow - Change permission for a Group Policy object (GPO) named NYServersGPO, which is linked to the New York Servers OU. The written company security policy states that all new servers must be configured with specified predefined security settings when the servers join the domain. These settings differ slightly for the various company offices. You plan to install Windows Server 2003 on 15 new computers, which will all function as file servers. You will need to configure the specified security settings on the new file servers. TestKingA currently has the specified security settings configured in its local security policy. You need to ensure that the security configuration of the new file servers is identical to that of TestKingA. You export a copy of TestKingA's local security policy settings to a template file. You need to configure the security settings of the new servers, and you want to use the minimum amount of administrative effort. What should you do?
A. Use the Security Configuration and Analysis tool on one of the new servers to import the template file.
B. Use the default Domain Security Policy console on one of the new servers to import the template file.
C. Use the Group Policy Editor console to open NYServersGPO and import the template file.
D. Use the default Local Security Policy console on one of the new servers to import the template file.
Answer: C
Explanation: Group policy provides us with a simple way of applying settings to multiple computers or users. In this case, we have a template file with the required security settings. We can simply import this file into a group policy object and apply the group policy to the servers.
Incorrect Answers:
A: This would configure the required settings, but only on one server.
B: This would apply the settings to all computers in the domain. We only want the settings to apply to the servers.
D: This cannot be done.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 649

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains 35 Windows Server Professional computers. The written company security policy states that all computers in the domain must be examined, with the following goals:
1. To find out whether all available security updates are present
2. To find out whether shared folders are present
3. To record the file system type on each hard disk
You need to provide this security assessment of every computer and verify that the requirements of the written security policy are met. What should you do?
A. Open the Default Domain Policy and enable the Configure Automatic Updates policy.
B. Open the Default Domain Policy and enable the Audit object access policy, the Audit account management policy, and the Audit system events policy.
C. On a server, install and run mbsacli.exe with the appropriate configuration switches.
D. On a server, install and run HFNetChk.exe with the appropriate configuration switches.
Answer: C
Explanation: The Microsoft Baseline Security Analyser can perform all the required assessments. Mbsacli.exe includes HFNetChk.exe which is used to scan for missing security updates. In general, the MBSA scans for security issues in the Windows operating systems (Windows NT 4, Windows 2000, Windows XP), such as Guest account status, file system type, available file shares, members of the Administrators group, etc. Descriptions of each OS check are shown in the security reports with instructions on fixing any issues found.
Incorrect Answers:
A: This won't check for missing updates, shared folders or file system type.
B: This won't check for missing updates, shared folders or file system type.
D: This will check for missing updates but not shared folders or file system type.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 788-790

QUESTION NO: 3
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Security is the highest priority for the network management for TestKing. All network computers require smart cards to log on. An IPSec policy is implemented to secure network traffic. All servers are physically secured in an off-site location. You must implement the most secure procedure for server management. What should you do?
A. Log on to your client computer by using the built-in Administrator account for the domain. Configure a mandatory profile for the Administrator account. Change the password for the Administrator account on a weekly basis.
B. Log on to your client computer by using the built-in Administrator account for the domain. Configure a roaming profile for the Administrator account.
Map a drive to the roaming profile by using the net use /smartcard command.
C. Create a new user account and add the account to only the built-in Domain Users groups. Log on to your client computer by using the new user account. Run all administrative tools by using the runas /smartcard command.
D. Create a new user account and add the account to the following built-in groups. Domain Users, Server Operators, and Account Operators. Log on to your client computer by using the new user account. Run all administrative tools by using the runas /smartcard command.
Answer: C
Explanation: You should first create a new user account and then add it to the built-in Domain Users group and log on to the new user account before doing any server management. The run as command, also called secondary logon, will allow a user to run a specified program with permissions that are different from those belonging to the account with which the user is currently logged on. Since all network computers require smart cards to log on, in this scenario, you should use the runas /smartcard command and run all the administrative tools. This represents the most secure procedure.
Incorrect answers:
A: Configuring a mandatory profile is not the answer. Mandatory profiles do not allow any alterations to desktop settings made by the user to be retained. Additionally, profiles are assigned to users, not computers.
B: A roaming profile is a profile that is stored in a network-accessible location, thus allowing a user to access their desktop, application data, and settings when they log on to the most secure option. Also, profiles are assigned to users, not computers. Furthermore roaming profile data cannot be encrypted by the server.
D: You do not have to add the new user account to all those various groups. This can result in an unnecessary security risk.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure: Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 583
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 15, pp. 5-13

QUESTION NO: 4

You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. All client computers run Windows XP Professional. An application named TestKing.exe is installed on all computers in the domain to remotely gather software inventory information. The application runs as a service in the security context of the Local System. The startup type of the service is set to Automatic. In the Default Domain Policy GPO, the security administrator has configured a software restriction policy that is applied to all computers in the domain. The policy contains a hash rule for the TestKing.exe application, and the hash rule is configured with a security level of Unrestricted. The client computers on the network are attacked by a worm that is distributed by e-mail messages received over the Internet. The worm detects the presence of TestKing.exe on a computer, then starts a new instance of the application in the security context of the logged-on user. The worm exploits a bug in the application to cause the computer to fail. You need to ensure that TestKing.exe cannot be started by the worm, while still allowing the application to run as a service. What should you do?
A. In the computer settings section of the Default Domain Policy GPO, configure a software restriction policy that contains a zone rule for the Internet Zone. Configure the zone rule with a security level of Disallowed.
B. In the user settings section of the Default Domain Policy GPO, configure a software restriction policy that contains a zone rule for the Internet zone. Configure the zone rule with a security level of Disallowed.
C. In the computer settings section of the Default Domain Policy GPO, configure a software restriction policy that contains a hash rule for the TestKing.exe application. Configure the hash rule with a security level of Disallowed.
D. In the user settings section of the Default Domain Policy GPO, configure a software restriction policy that contains a hash rule for the TestKing.exe application so that the hash rule has a security level of Disallowed.
Answer: D
Explanation: A hash is a fixed-size result that is obtained by applying a one-way mathematical function (sometimes called a hash algorithm) to an arbitrary amount of data. The hash changes if there is a change in the input data. The hash can be used in many operations, including authentication and digital signing. Also called a message digest. We need to prevent unauthorized applications from running. We should set the default security level to Disallowed. If the software restriction policy containing the hash rule for that application is set to the disallowed level in the user settings section of the Default Domain Policy GPO, then it will still allow the application to be run whilst ensuring that the worm cannot start the TestKing.exe.
Incorrect answers:
A: A zone rule is a rule that can identify software from the Internet Explorer zone from which it is downloaded. You should be setting a hash rule with the disallowed security setting rather. Also you should be applying the worm prohibiting measure from the user settings section of the Default Domain Policy GPO and not the computer settings section.
B: Applying the measures that you need to take in the user settings section of the Default Domain Policy GPO is correct, but it should be a hash rule rather than a zone rule to make it the appropriate rule with which to contain the worm.
C: Applying the correct prohibiting measures through the hash rule, however, you should be applying the worm prohibiting measure from the user settings section of the Default Domain Policy GPO and not the computer settings section.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 657-659

QUESTION NO: 5
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain. The Secure Server (Require Security) IPSec policy is assigned to a file server named TestKing2. The policy is configured as shown in the exhibit.

Users report that they cannot access shared folders on TestKing2. Users were able to access shared folders on TestKing2 prior to the implementation of the IPSec policy. You need to ensure that all client computers in the domain can access the shared folders on TestKing2. You must ensure that all communications between client computers and TestKing2 be encrypted. What should you do?
A. On TestKing2, enable the All ICMP Traffic IP Security rule in the properties of the Secure Server (Require Security) IPSec policy.
B. On TestKing2, enable the <Dynamic> IP Security rule in the properties of the Secure Server (Require Security) IPSec policy.
C. On all client computers, assign the Client (Respond Only) IPSec policy.
D. On all client computers, install an IPSec communication certificate in the local machine store.
Answer: C
Explanation: IPSec is used to protect data that is sent between hosts on a network, which can be remote access, VPN, LAN, or WAN. IPSec ensures that data cannot be viewed or modified by unauthorized users while being sent to its destination. Before data is sent between two hosts, the source computer encrypts the information. It is decrypted at the destination computer. The Client (Respond Only) IPSec policy is used for computers that should not secure communications most of the time, but if requested to set up a secure communication, they can respond. By applying the Client (Respond Only) IPSec policy on the client computers you will ensure them access to the shared folders on TestKing2 as well as ensure that communications between them and TestKing2 are encrypted.
Incorrect answers:
A: When the Server Secure (Require Security) option is selected, the server requires all communications to be secure. If a client is not IPSec-aware, the session will not be allowed. With this setting on TestKing2 you will not comply with what is required by the question. You need to apply settings to the client computers rather than the server in this scenario.
B: It does not matter whether you enable the <Dynamic> IP Security rule in the properties of the Secure Server (Require Security) IPSec policy, it will not comply with the requirements of the question.
D: Applying the measures on the client computers is correct, however you need to assign the Client (Respond Only) IPSec policy and not install an IPSec communication certificate on the local machine.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. While performing network monitoring, you notice that the confidential files that are stored on TestKing8 are being transmitted over the network without encryption. You must ensure that encryption is always used when the confidential files on TestKing8 are stored and transmitted over the network. What are two possible solutions to accomplish this goal? (Each answer is a complete solution. Choose two.)
A. Enable offline files for the confidential files that are stored on TestKing8, and select the Encrypt offline files to secure data check box on the client computers of the users who need to access the files.
B. Use IPSec encryption between TestKing8 and the client computers of the users who need to access the confidential files.
C. Use Server Message Block (SMB) signing between TestKing8 and the client computers of the users who need to access the confidential files.
D. Disable all LM and NTLM authentication methods on TestKing8.
E. Use IIS to publish the confidential files. Enable SSL on the IIS server. Open the files as a Web folder.
Answer: B, E
Explanation: IPSec provides two services: a way for computers to decide if they trust each other (authentication) and a way to keep network data private (encryption). The IPSec process calls for two computers to authenticate each other before beginning an encrypted connection. At that point, the two machines can use the Internet Key Exchange (IKE) protocol to agree on a secret key to use for encrypting the traffic between them. This option will ensure that encryption will always be in use when confidential files that are stored on TestKing8 are transmitted over the network.
IIS 6.0 offers four types of user-authentication methods. In addition to the four basic types of user authentication that are available in IIS 6.0, you can also configure client or server certificates, each of which uses SSL encryption for secure communications. Client certificates allow the server to positively identify the client based on personal information contained in each client's certificate. Server certificates allow the client to positively identify the server based on specific information contained in each server's certificate. Therefore, you need to select an authentication method based on the functionality required for a particular application or purpose. Thus with the confidential files in XML format and enabling SSL on the IIS server, you can ensure that files are encrypted when stored and when transmitted.
Incorrect answers:
A: Enabling offline files is already a security risk. This also does not ensure that encryption is always used when the confidential files on TestKing8 are stored and transmitted over the network.
C: SMB was primarily used for file and print sharing, but is also used for sharing serial ports and abstract communications technologies such as named pipes and mail slots. Making use of SMB signing between TestKing8 and the client computers is not the answer.
D: A system configured with the Default security template or not configured with any security modifications will send LAN Manager and NTLM responses. Disabling LM and NTLM authentication methods on TestKing8 will thus not help in this scenario.
Reference: Lisa Donald, Suzan Sage London and James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 171
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 7

QUESTION NO: 7
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named Testking1. Three administrators are members of the Administrators local group on Testking1. Twelve other administrators are members of the Domain Admins group. The Domain Admins group is also a member of the Administrators local group on Testking1. Someone makes an unauthorized change to the HKEY_LOCAL_MACHINE\SYSTEM key in the registry on Testking1, which causes the computer to fail. You fix the problem. You need to log all attempts to access the HKEY_LOCAL_MACHINE\SYSTEM key in the registry on Testking1. You decide to enable auditing in the local security policy on Testking1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Enable auditing in the local security policy on Testking1. Select the Audit object access (success and failure) option in the audit policy.
B. Enable auditing in the local security policy on Testking1. Select the Audit privilege use (success and failure) option in the audit policy.
C. Enable auditing in the local security policy on Testking1. Select the Audit systems events (success and failure) option in the audit policy.
D. Configure the SACL on the HKEY_LOCAL_MACHINE\SYSTEM key in the registry. Specify auditing on the Full Control permission for Everyone.
E. Configure the SACL on the HKEY_LOCAL_MACHINE\SYSTEM key in the registry. Specify auditing on the Set Value permission for Everyone.
Answer: A, D
Explanation: Audit object access - This security setting determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
Assign permissions to files, folders, and registry keys Appropriate object manager and Properties page
Access control is the model for implementing authorization. Once a user account has received authentication and can access an object, the type of access granted is determined by either the user rights that are assigned to the user or the permissions that are attached to the object. For objects within a domain, the object manager for that object type enforces access control. For example, the registry enforces access control on registry keys. Every object controlled by an object manager has an owner, a set of permissions that apply to specific users or groups, and auditing information. By setting the permissions on an object, the owner of the object controls which users and groups on the network are allowed to access the object. The permission settings also define what type of access is allowed (such as read/write permission for a file). The auditing information defines which users or groups are audited when attempting to access that object. Thus you need to enable auditing in the local security policy on Testking1 and select the Audit object access (Success and failure) and then configure the SACL on the HKEY_LOCAL_MACHINE\SYSTEM key in the registry and specify the Full Control permission for Everyone.
Incorrect answers:
B: Enabling auditing in the local security policy of Testking1 is correct, but you should select to Audit object access (success and failure) and not the Audit privilege use (success and failure) as this option will not yield the information needed to check when unauthorized changes are made in the registry on Testking1. Audit Privilege Use tracks each instance of a user exercising a user right.
C: Audit System Events tracks system events such as shutting down or restarting the computer, as well as events that relate to the security log within Event Viewer. You need to audit object access not audit systems events.
E: This option is correct up to the point where it suggests that you specify auditing on the Set Value permission for everyone. This part is wrong because you need to set the auditing on the Full Control permission rather.
Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 115
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 754, 752

QUESTION NO: 8 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain that contains the organizational units (OUs) shown in the work area below. The network contains Windows Server 2003 computers, Windows XP Professional computers, Windows NT Workstation 4.0 computers, and Windows Millennium Edition computers. An update to the written company security policy states that the NTLMv2 and Kerberos protocols must be the only protocols that are used to authenticate logons to all computers. You need to configure security settings by using the appropriate security template to ensure that only the NTLMv2 and Kerberos protocols are used when users log on to the domain. You want to link the minimum number of Group Policy objects (GPOs) to accomplish this goal. What should you do? To answer, drag the appropriate .inf template or templates to the correct OU or OUs.
Answer:
Explanation: The Secure templates define enhanced security settings that are least likely to impact application compatibility. For instance, the Security templates define stronger password, lockout, and audit settings. In addition to this, the Security templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses. The securews.inf template is used to increase security on workstations and servers, not to restore root file system permissions. This is why it is applied to testking.com. The securedc.inf template on the other hand is applied to domain controllers.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291) Chapter
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 798

QUESTION NO: 9
You are an administrator of an Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are joined to the domain. TestKing has a main office and five branch offices. At one of TestKing's branch offices, a network administrator named John uses Remote Desktop to assign the Secure Server (Require Security) IPSec policy to a domain controller named DC2. Users report that they cannot access resources on DC2. John reports that he can no longer establish a Remote Desktop connection to DC2. On a client computer named Testking1 in the branch office, you run the ping dc2 command and receive a reply. You do not have physical access to DC2. You want to restore access to resources on DC2 for all users. You need to make all configuration changes remotely. Which two actions should you perform on Testking1? (Each correct answer presents part of the solution. Choose two.)
A. Use the Services console to connect to DC2 and stop the IPSec Services service.
B. Use IP Security Monitor to connect to DC2.
C. Run the net stop "ipsec services" command.
D. Install an IPSec certificate in the local machine store.
E. Assign the Client (Respond only) IPSec policy.
Answer: A, E
Explanation: IPSec has predefined security policies that can be implemented via the IP Security Policy Management console. A security policy can be described as a set of rules and filters that provide a level of security. In this scenario, the Secure Server (Require Security) policy was assigned to DC2. This means that all IP communication to or from DC2 must use IPSec. The result being that all DNS, web requests and all else which uses an IP
connection must either be secured with IPSec or is simply blocked. To solve this issue, first use the Services console to connect to DC2 and stop the IPSec Services service. Next, assign the Client (Respond only) IPSec policy. This policy specifies that a Windows 2000, XP, or a Windows Server 2003 IPSec client will negotiate IPSec security with a peer that supports it - it will not try to initiate security. It accepts IPSec when the remote end requires it.
Incorrect Answers:
B: IP Security Monitor is to assist you with the standard monitoring of IPSec.
C: Running the net stop "ipsec services" command does not ensure that you will be able to connect to the remote desktop.
D: IPSec certificate installation in the local machine store is not going to help you to accomplish your task of enabling access to resources in this scenario.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 871
Zacker, Craig, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network, Microsoft Press, Redmond, 2003, Chapter 12, pp. 628 - 629

QUESTION NO: 10
You are the network administrator for TestKing.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Software Update Services (SUS) is installed on a computer named Testking1. All client computers are configured to receive their software updates from Testking1 by using a Group Policy object (GPO). Users report that when client computers receive updates through SUS, they are prompted to restart the computers. Users do not have the option to delay restarting, and they report that restarting during business hours decreases their productivity. You need to ensure that users have the option to delay restarting their computers after updates are received. What should you do?
A. Enable the Remove access to use all Windows Update features GPO setting.
B. Disable the Remove access to use all Windows Update features GPO setting.
C. Assign users the Shut down the system user right in the local security policy.
D. Assign users the Act as part of the operating system user right in the local security policy.
Answer: C

Explanation: The folders in Local Policies are Audit Policy, User Rights and Security Options. User Rights in this context refer to system access rather than resource access. They determine which rights a user has on a computer. Assigning users the Shut down the system user right in the local security policy would allow the users to shut down local Windows Server 2003 computers. This would enable users to delay restarting their computers after updates are received.
Incorrect Answers:
A: Enabling the Remove access to use all Windows Update features will not grant users the right to shut down or delay shut down when their systems are updated.
B: Neither will disabling the Remove access to use all Windows Update features.
D: The Act as part of the operating system user right will be applied from the correct location, but it will be the wrong right in this scenario.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, Chapter 11, pp. 654, 796

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 20 Windows Server 2003 computers and 4,000 Windows XP Professional computers. The written TestKing security policy states that all servers must always have the most current security updates. The policy also states that all security updates must be tested in a lab before they are installed on production servers. You need to find out whether domain servers have all available security updates and service packs. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Install Microsoft Baseline Security Analyzer (MBSA) on a server. Configure MBSA to check for Windows vulnerabilities and to scan the range of IP addresses for all servers.
B. Install Microsoft Baseline Security Analyzer (MBSA) on a server. From a command prompt on the server, run the mbsacli.exe command.
C. On each server, connect to the Windows Update Web site. Scan for and install security updates for Windows Server 2003 computers.
D. Configure the Automatic Updates client on all servers to automatically download and install security updates.
Answer: A, B
Explanation: Microsoft Baseline Security Analyzer (MBSA) is the utility that can be used to ensure that you have the most current security updates. You can use the MBSA to verify whether domain servers have all available security updates and service packs. The options for a scan include Check For Windows Vulnerabilities, Check For Weak Passwords, Check For IIS Vulnerabilities, Check For SQL Vulnerabilities and Check For Security Updates. Once the scan is completed, a report is accessible for each machine that was scanned.
Incorrect Answers:
C: Scanning and installing all security updates in this fashion will make the rule of only installing approved and tested updates a farce, especially if it is done directly from the Microsoft Windows Web site.
D: Automatically downloading updates will install all types of updates and not just approved and tested updates that were made available. Besides, this option does not mention from where the updates are to be downloaded automatically.
Reference:
Zacker, Craig, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network, Microsoft Press, Redmond, 2003, Chapter 13, p. 659

QUESTION NO: 12
You are the network administrator for TestKing.com. All servers run Windows Server 2003. Two Web servers named Testking1 and Testking2 host TestKing's public Web site. Both servers share the same Web content. The Web files on Testking1 are modified inadvertently. After reviewing the NTFS file system security on Testking1 and Testking2, you decide that the NTFS file system security on Testking1 should be modified to match the NTFS file system security on Testking2. You want to modify the NTFS file system permissions on Testking1 to be the same

as those on Testking2. You also want to be able to reproduce these NTFS file system permissions to new Web servers in the future by using the minimum amount of administrative effort. What should you do?
A. Export the security settings from Testking2 to a security template. Import the security template to Testking1.
B. Import the Rootsec.inf security template to Testking2.
C. Create a new security template and manually define the file system security. Import the security template to Testking1.
D. Run the ldifde command to modify the computer object.
Answer: A
Explanation: A security template contains configuration parameters for various operating system settings for different server types. To apply the NTFS file system permissions to Testking2 and new Web servers, exporting the security settings from Testking1 to a security template is the most feasible solution. You can then utilize the Security Configuration and Analysis MMC snap-in to apply the particular security template to local machines.
Incorrect Answers:
B: The rootsec.inf security template is used to restore permissions on the root file system. You would need the other .inf files as well for this scenario.
C: Creating a new security template and manually defining the settings is a long way of doing it.
D: The ldifde (LDIF Directory Exchange) command can be used to create, modify, and delete directory objects on Windows Server 2000, Windows Server 2003 and Windows XP Professional. However, in this scenario it is not applicable.
Reference:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, 2003, pp 3-16, 3-20, 4-13, 13-6.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, Chapter 11, pp. 651-659, 791-793

QUESTION NO: 13
You are the network administrator for TestKing.com. All servers run Windows Server 2003. You configure the security settings for all servers by using a security template named Corpsec.inf. After a recent security breach on a member server named Testking2, you notice that the security settings are no longer configured as expected. You want to analyze all the security settings on Testking2 that do not match the security settings in the Corpsec.inf template. What should you do?
A. Import Corpsec.inf into the security settings on Testking2 by using the Local Security Policy console.
B. Import Corpsec.inf into a new security database by using the Security Configuration and Analysis console.
C. Run the dsquery.exe computer command.
D. Import Corpsec.inf into the security settings of the Default Domain Policy Group Policy object (GPO).
Answer: B
Explanation: Windows Server 2003 includes the Security Configuration and Analysis tool MMC snap-in. You can use it to analyze the local security settings of a computer. The Security Configuration and Analysis tool is able to compare your actual security configuration to the security template Corpsec.inf, configured with your required settings. In the Security Configuration and Analysis tool, you indicate a security database that will be used for the security analysis. You import the security template (Corpsec.inf) that can be used as a basis for the manner in which you want your security configured. You then perform the security analysis, and evaluate your configuration against the security template specified previously.
Incorrect Answers:
A: The Corpsec.inf template should be imported into the security database and not the security settings. The database is being used for the security analysis.
C: Running the dsquery.exe computer command finds computers in the directory and is thus not applicable in this case.
D: The template should be imported into a new database and not into the security settings

of the GPO.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 269
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, pp. 651-657
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, Chapter 11, p. 657

QUESTION NO: 14
You are the network administrator for TestKing.com. The network contains Windows Server 2003 domain controllers, Windows Server 2003 member servers, and Windows XP Professional computers. The network security administrator creates a new Group Policy object (GPO) to configure security settings for computers in the accounting department. You need to ensure that this GPO takes effect as soon as possible on five member servers in the accounting department. What should you do?
A. On each member server, run the secedit command.
B. On each member server, run the gpupdate command.
C. On each domain controller, run the gpresult command.
D. On each domain controller, run the dcgpofix command.
Answer: B
Explanation: By default, group policies are applied every 90 minutes to computers. Typing gpupdate at the command prompt would ensure that the new GPO takes effect as soon as possible. This would force an update of the new security policy.
Incorrect Answers:
A: The secedit command provides a command line interface to analyze, modify, and apply security templates. However, this has been replaced by the gpupdate command.
C: The gpresult command displays the Resultant Set of Policy (RSoP) information for a target user and computer.
D: The dcgpofix command is not used to make GPOs take effect immediately after being modified.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 795
Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Chapter 10, p. 610
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress, Rockland, 2003, p. 270

QUESTION NO: 15
You are the administrator of an Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. A server named Testking1 contains confidential data that is only available to users in the human resources (HR) department. You want all computers in the HR department to connect to Testking1 by using an IPSec policy. You assign the Server (Request Security) IPSec policy for Testking1. Using Network Monitor, you notice that some computers in the HR department connect to Testking1 without using the IPSec policy. You need to configure Testking1 to ensure that all computers connect to it by using the IPSec policy. What should you do?
A. Assign the Secure Server (Require Security) IPSec policy.
B. Assign the Client (Respond Only) IPSec policy.
C. Unassign the Server (Request Security) IPSec policy.
D. Restart the IPSec Services service.
Answer: A
Explanation: The Secure Server (Require Security) policy specifies that all IP traffic must use IPSec. The Secure Server (Require Security) default policy is ideal for

Testking1 that needs high security. When this option is selected, the server requires all communications to be secure. If a client is not IPSec-aware, the session will not be allowed.
Incorrect Answers:
B: Assigning the Client (Respond Only) IPSec policy on Testking1 will not ensure that all computers that connect need to employ IPSec policy. This setting is used for computers that should not secure communications most of the time, but if requested to set up a secure communication, they can respond.
C: Unassigning the Server (Request Security) IPSec policy will defeat the purpose of having all computers that connect using the IPSec policy. This is used for computers that should secure communications most of the time. In this policy, the computer accepts unsecured traffic but always attempts to secure additional communications by requesting security from the original sender.
D: Restarting IPSec Services service will not ensure that all connecting computers are IPSec aware.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapters 4 & 5
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 867-868
Zacker, Craig, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network, Microsoft Press, Redmond, 2003, p. 629

QUESTION NO: 16
DRAG DROP
You are a network administrator for TestKing.com. The network contains two Windows Server 2003 computers named Testking1 and Testking2. The two servers are configured as shown in the following table.
Server Name | Internal IP Address | External IP Address | Server role | Applications and services Installed
Testking1 | 192.168.2.1 | N/A | Web server | Network Monitor, IIS 6.0
Testking2 | 192.168.2.2 | 131.107.0.1 | ISA Server Computer | Network Monitor, ISA Server 2000
You suspect that a user downloaded a virus from the Internet and the virus is attempting to perform a denial-of-service attack on Testking1. You need to use Network Monitor to find out which client computers are infected by the virus. What should you do?
Answer:
Explanation: Capture filters allow you to isolate data transmitted to and from your machine on the network. The arrow should be both directions (LOCAL <--> ANY) in this instance so that traffic in both directions can be monitored to isolate the client computers that are infected by the virus. Capture filters will enable you to specify the type of information that is captured.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 6

QUESTION NO: 17

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Webservers. The Webservers OU contains the computer accounts of 12 Windows Server 2003 computers that function as intranet Web servers. A Group Policy object (GPO) named WebserverPolicy is linked to the Webservers OU. The GPO is used to configure various settings on the computers in the OU. A global group named WebserverAdmins is a member of the Administrators local group on each intranet Web server. You plan to install a security scanning application on each intranet Web server. The documentation for the application states that it uses a service account, which must be able to modify the HKEY_LOCAL_MACHINE\SYSTEM key in the registry of every computer on which the application is installed. You create the service account in the domain. TestKing's written security policy states that service accounts must be assigned only the minimum rights and permissions that they require to function. You need to configure the intranet Web servers so that they comply with the installation requirements of the security scanning application. You also need to comply with TestKing's security policy. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Add the service account to the WebserverAdmins global group.
B. Configure the required permissions as registry security settings in the WebserversPolicy GPO.
C. Run the regedit.exe command to add the required permissions to the registry of each intranet Web server.
D. Run the explorer.exe command to modify NTFS permissions on the Systemroot\System32\Config\System file. Assign the service account the Allow - Change permission.
E. Configure file system security settings in the WebserversPolicy GPO to modify NTFS permissions on the Systemroot\System32\Config\System file. Assign the service account the Allow - Change permission.
Answer: B
Explanation: Security templates contain security settings for all security areas. You can apply templates to individual computers or deploy them to groups of computers by using Group Policy. When you apply a template to existing security settings, the settings in the template are merged into the computer's security settings. You can configure and analyze security settings for computers by using the Security Settings Group Policy extension or Security Configuration and Analysis. You can change registry settings to configure security on registry keys. This solution uses the minimum amount of administrative effort. To accomplish this task with the minimum administrative effort, you can make use of the Registry Editor Regedit.exe to add the required permissions to the registry of each intranet Web server in the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interf
Incorrect Answers:
A: By adding the service account to the WebserverAdmins global group you will not be able to comply with the company's security policy.
C: Adding the required permissions to the registry of each intranet webserver is not the answer in this scenario.
D: Modifying the NTFS permissions on the Systemroot\System32\Config\System file by running the explorer.exe to assign the Allow-Change permission is not what is needed when security policy states that service accounts must be assigned only the minimum rights and permissions that they require to function with the minimum amount of administrative effort.
E: Configuring file system security settings to suit the company security policy as described in this option will require more administrative effort than is necessary.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, 2003, p. 1: 17.

QUESTION NO: 18
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 10 Windows Server 2003 computers and 1,000 Windows XP Professional computers. All client computers are in the Clients organizational unit (OU). You create and link

a Group Policy object (GPO) named ClientConfig to the Clients OU. The written company security policy states that all Windows XP Professional computers must have identical security settings for user rights assignment and security options. You need to deploy these settings to all Windows XP Professional computers in the domain. You need to accomplish this task with the minimum amount of administrative effort. What should you do?
A. Run Microsoft Baseline Security Analyzer (MBSA) on a server and scan all computers in the domain.
B. Use the Local Security Policy console on each Windows XP Professional computer to apply the identical security settings.
C. Create a logon script that runs the Gpupdate /target:computer command on all Windows XP Professional computers in the domain.
D. Create a custom security template that contains the settings. Import the security template into the Clientconfig GPO.
Answer: D
Explanation: A Group Policy Object (GPO) is a collection of policies stored in two locations: a Group Policy container (GPC) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects).
A security template is a collection of configured security settings. Windows Server 2003 provides predefined security templates that contain the recommended security settings for different situations. You can use predefined security templates to create security policies that are customized to meet different organizational requirements. You customize the templates with the Security Templates snap-in. After you customize the predefined security templates, you can use them to configure security on an individual computer or thousands of computers. You can configure individual computers with the Security Configuration and Analysis snap-in or the secedit command-line tool or by importing the template into Local Security Policy. You can configure multiple computers by importing a template into Security Settings, which is an extension of Group Policy. You can also use a security template as a baseline for analyzing a system for potential security holes or policy violations by using the Security Configuration and Analysis snap-in. By default, the predefined security templates are stored in systemroot/Security/Templates.
Thus to create a custom security template that contains the settings and to minimize the administrative effort and time this task can take, all you need to do is to modify the appropriate GPO. Import the security template into the Clientconfig GPO.
Incorrect Answers:
A: Scanning all computers in the domain by running Microsoft Baseline Security Analyzer (MBSA) on a server is not the way to see whether all Windows XP Professional computers must have identical security settings for user rights assignment and security options.
B: Applying identical security settings by making use of the Local Security Policy console on each Windows XP Professional computer involves more administrative effort than is necessary to comply with the company policy.
C: Writing a logon script to run the Gpupdate /target:computer command on all Windows XP Professional computers in the domain will only accomplish the task on a per user basis whereas you could have just imported the appropriately modified GPO.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter

QUESTION NO: 19
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 domain controllers, Windows Server 2003 member servers, and Windows XP Professional computers. The security administrator creates a new security policy, which states that auditing must be enabled for all user logon attempts. The security policy also states that a security event must be generated every time a computer is successfully shut down. You need to configure auditing for the domain to comply with the new security policy. You do not want to generate any other type of security event. What should you do?
Answer:
Explanation:

Audit logon events: Determines whether to audit each instance of a user logging on, logging off, or making a network connection to this computer.
Audit privileged use: Determines whether to audit each instance of a user exercising a user right.
Incorrect answers:
Audit object access: Determines whether to audit the event of a user accessing an object, such as a file, folder, registry key, or printer, which has its own system access control list (SACL) specified.
Audit policy change: Determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies.
Audit process Tracking: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
Audit system events: Determines whether to audit when a user restarts or shuts down the security log.
Audit directory service access: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
Audit account management: Determines whether to audit each event of account management on a computer. Examples of account management events include:
1. A user account or group is created, changed, or deleted.
2. A user account is renamed, disabled, or enabled.
3. A password is set or changed.
Audit account logon events: Determines whether to audit each instance of a user logging on or logging off of another computer where this computer was used to validate the account (mostly domain controllers).
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 871

QUESTION NO: 20
You are the network administrator for TestKing.com. The company consists of a main office and five branch offices. Network servers are installed in each office. All servers run Windows Server 2003. The technical support staff is located in the main office. Users in the branch offices do not have the Log on locally right on local servers. Servers in the branch offices collect auditing information. You need the ability to review the auditing information located on each branch office server while you are working at the main office. You also need to save the auditing information on each branch office server in the local hard disk. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From the Security Configuration and Analysis snap-in, save the appropriate .inf file on the local hard disk.
B. Solicit Remote Assistance from each branch office server.
C. From Computer Management, open Event Viewer. Save the appropriate .evt file on the local hard disk.
D. Run Secedit.exe, specifying the appropriate parameters.
E. Establish a Remote Desktop client session with each branch office server.
Answer: C, E
Explanation: You can connect to the branch office servers by using a Remote Desktop connection. You can then use Event Viewer to save the log files to the local hard disk.
Incorrect Answers:
A: Auditing information is not stored in .inf files. E.g. rootsec.inf security template is to supply increased security over a standard installation for workstations. The setup security.inf security template provides configuration equivalent to a default installation, etc.
B: You do not need remote assistance. You can use a Remote Desktop client session.
D: Secedit is not used to save auditing information. It is used to enforce a group policy.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003,

pp. 791-793

QUESTION NO: 21
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The Default Domain Policy has been modified by importing a security template file, which contains several security settings. A server named TestKing1 cannot run a program that is functioning on other similarly configured servers. You need to find out whether additional security settings have been added to the local security policy on TestKing1. To troubleshoot, you want to use a tool to compare the current security settings on TestKing1 against the security template file in order to automatically identify any settings that might have been added to the local security policy. Which tool should you run on TestKing1?
A. Microsoft Baseline Security Analyzer (MBSA)
B. Security Configuration and Analysis console
C. gpresult.exe
D. Resultant Set of Policy console in planning mode
Answer: B
Explanation: You can use the Security Configuration and Analysis console to analyse a system by comparing the local security settings to a template. When you analyse a system, any differences in configuration between the local computer and the defined template will be displayed.
Security Configuration and Analysis tool is used to compare the current security configuration with a security configuration that is stored in a database. You can create a database that contains a preferred level of security and then run an analysis that compares the current configuration to the settings in the database.
Security Configuration and Analysis includes the following features:
1. Security Templates
2. Security Configuration and Analysis
3. Secedit command-line command
To analyze the security configuration of your computer, you must perform the following two steps:
1. Create the security database by using a security template
2. Compare the computer security analysis to the database settings.
Incorrect Answers:
A: The MBSA is used to check for missing security updates as well as other security vulnerabilities. It will not however compare the security settings with a defined template.
C: GPresult.exe is used to display the resultant set of policies when multiple group policies are applied to an object. However, it is not applicable to this scenario.
D: This is similar to answer C. It will display what the resultant set of policies would be if multiple group policies were applied to an object, without actually applying the group policies.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 797, 868

QUESTION NO: 22
You are the network security administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The human resources department stores confidential data on a server named TestKingB. The written company security policy states that TCP/IP traffic sent to and from TestKingB must be encrypted. You need to encrypt all TCP/IP traffic that is sent between TestKingB and the client computers in the human resources department. What should you do?
A. Use autoenrollment to request and install an IPSec certificate on all client computers in the human resources department and on TestKingB.
B. Use autoenrollment to request and install a Computer certificate on all client computers in the human resources department and on TestKingB.
C. Use Encrypting File System (EFS) to encrypt all human resources data that is stored on TestKingB.
D. Assign the Secure Server IPSec policy to TestKingB. Assign the Client IPSec policy to all client computers in the human resources department.

Answer: D

Explanation: IPSEC for High security - Computers that contain highly sensitive data are at risk for data theft, accidental or malicious disruption of the system (especially in remote dial-up scenarios), or any public network communications.
Secure Server (Require Security) is a default policy, requires IPSec protection for all traffic being sent or received (except initial inbound communication) with stronger security methods. Unsecured communication with a non-IPSec-aware computer is not allowed. Assigning the Client IPSec policy to all client computers in the human resources department will enable the clients to communicate with TestKingB using IPSec.

Incorrect Answers:
A: Providing certificates does not automatically provide encryption. You would thus not be able to accomplish your task.
B: Providing certificates does not automatically provide encryption. It is a different process.
C: EFS encrypts and protects data at rest, the requirement is protecting data in transit.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 586

QUESTION NO: 23
You are the administrator of an Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. An unauthorized file sharing application named Fileshare.exe is being used on your network. The default installation directory for Fileshare.exe is C:\Program Files\File Share\. You need to prevent all users from using the unauthorized file sharing application, even if they rename the application. You create a new software restriction policy in the Default Domain Policy Group Policy object (GPO). You now need to configure the software restriction policy. What should you do?

A. Create a new path rule for Fileshare.exe. Set the security level to Disallowed for the new rule.
B. Create a new hash rule for Fileshare.exe. Set the security level to Disallowed for the new rule.
C. Create a new path rule for C:\Program Files\File Share\. Set the security level to Disallowed for the new rule.
D. Set the default security level to Disallowed for the software restriction policy.

Answer: B

Explanation: When you create a hash rule, you identify a specific file to which you want the rule to apply, and the system generates a hash on the file, including attributes such as date and time of creation and file size. After the policy is in place, the system performs a hash on each file accessed, and if the hash matches the hash in the rule, the rule is applied.
Since several rules can be applied to the same program, there is an established order of precedence that is applied. A rule based on a higher precedence will override a conflicting rule applied with a lower precedence. Take for example the following order:
1. Hash rule
2. Certificate rule
3. Path rule
4. Internet zone rule
Based on this order, if a program is unrestricted based on a hash rule but disallowed based on a path rule, the program will run, as the hash rule has precedence over the path rule. For path rules, there is an additional order of precedence based on the path specified. If there are conflicting path rules, the more restrictive path rule will apply.

Incorrect answers:
A: When you create a path rule, you identify a file or set of files based on their location on disk. The path can identify the path to a folder, a specific file, or a set of files based on a wildcard. When the system processes a file request when path rules are in place, it will compare the file requested to the path rules, and process the rule if there is a match. This is not what is needed.
C: not C:\Program Files\File Share\.
D: This is irrelevant.

Reference: Michael Cross and Jeffery A. Martin, MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, 2003, p. 617

QUESTION NO: 24
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains 35 Windows 2000 Professional computers. The written company security policy states that all computers in the domain must be examined, with the following goals:
1. To find out whether all available security updates are present
2. To find out whether shared folders are present
3. To record the file system type on each hard disk
You need to provide this security assessment of every computer and verify that the requirements of the written security policy are met. What should you do?

A. Open the Default Domain Policy and enable the Configure Automatic Updates policy.
B. Open the Default Domain Policy and enable the Audit object access policy, the Audit account management policy, and the Audit system events policy.
C. On a server, install and run mbsacli.exe with the appropriate configuration switches.
D. On a server, install and run HFNetChk.exe with the appropriate configuration switches.

Answer: C

Explanation: The Microsoft Baseline Security Analyser can perform all the required assessments. Mbsacli.exe includes HFNetChk.exe which is used to scan for missing security updates.
In general, the MBSA scans for security issues in the Windows operating systems (Windows NT 4, Windows 2000, Windows XP), such as Guest account status, file system type, available file shares, and members of the Administrators group, etc. Descriptions of each OS check are shown in the security reports with instructions on fixing any issues found.
Incorrect Answers:
A: This would not check for missing updates, shared folders or file system type.
B: This would not check for missing updates, shared folders or file system type.
D: This would check for missing updates but not for shared folders or file system type.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 788-790

QUESTION NO: 25
SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The written TestKing.com security policy states that unnecessary services must be disabled and that servers must have the most recent, company-approved security updates. You install and configure Software Update Services (SUS) on a server named TestKing7. TestKing6 is used only as a file and printer server. TestKing7 has
You need to find out whether TestKing6 is running unnecessary services and whether it has all available approved security updates. To reduce the amount of network bandwidth and time requirements, you need to scan for only the required information. What should you do? To answer, configure the appropriate option or options.

Answer:
In the Computer name section, select TestKing6 from the drop down list.
Check the "Check for Windows vulnerabilities" checkbox.
Check the "Check for security updates" checkbox.
Check the "Use SUS server" checkbox and select TestKing7 from the dropdown list.

B: Implement the principle of least privilege. (18 Questions)

QUESTION NO: 1
You install Windows Server 2003 on a computer named Testking2. Testking2 will host a mission-critical application. The system engineer asks you to monitor Testking2 to ensure reliability and availability. You assign a computer maintenance engineer named Kim to assist you in maintaining Testking2. Kim will have the following responsibilities on Testking2:
1. Use Event Viewer to monitor all event logs except the security logs
2. Use Performance Logs and Alerts to create new performance logs
You need to assign Kim only the minimum rights on Testking2 that are required to perform these tasks. Kim must be able to perform the tasks locally or from another computer. To simplify administration, you must use the minimum number of groups required. To which local built-in security group or groups should you assign Kim? (Choose all that apply)

A. Administrators
B. Performance Log Users
C. Performance Monitor Users
D. Power Users
E. Remote Desktop Users

Answer: B

Explanation: Performance Logs and Alerts provide logging and alert capabilities for both local and remote computers. You use logging for detailed analysis and recordkeeping. Retaining and analyzing log data that is collected over time can be helpful for capacity and upgrade planning. To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority. If the computer is connected to a domain, members of the Domain Admins group might be able to perform this procedure. Performance Log Users members can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group. Thus making Kim a member of the Performance Log Users group will grant her enough permissions to complete her tasks without granting her membership to too many groups.

Incorrect Answers:
A: Administrators have the ability to provide both logging and alert capabilities for both local and remote computers. Kim will not be needing membership to this group as well. Being a member of the Performance Log Users is sufficient.
C: Performance Monitor users can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.
D: Power Users membership will be too restrictive to allow Kim to complete her tasks.
E: Remote Desktop Users membership will not enable Kim to complete her tasks.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 783

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Three thousand client computers run Windows 2000 Professional, and 1,500 client computers run Windows XP Professional. A new employee named Dr King is hired to assist you in installing Windows XP Professional on 150 new client computers. You need to ensure that Dr King has only the minimum permissions required to add new computer accounts to the domain and to own the accounts that he creates. Dr King must not be able to delete computer accounts. What should you do?

A. Add Dr King's user account to the Server Operators group.
B. Add Dr King's user account to the Account Operators group.
C. Use the Delegation of Control Wizard to permit Dr King's user account to create new computer objects in the Computers container.
D. Create a Group Policy object (GPO) and link it to the domain. Configure the GPO to permit Dr King's user account to add client computers to the domain.

Answer: C

Explanation: Active Directory enables you to efficiently manage objects by delegating administrative control of the objects. You can use the Delegation of Control Wizard and customized consoles in Microsoft Management Console (MMC) to grant specific users the permissions to perform various administrative and management tasks.
You use the Delegation of Control Wizard to select the user or group to which you want to delegate control. You also use the wizard to grant users permissions to control organizational units and objects and to access and modify objects.
The Delegation tab enables you to use the computer for delegation. There are three choices for delegation:
1. Do not trust this computer for delegation - This is the default for Windows Server 2003 machines.
2. Trust this computer for delegation to any service (Kerberos only) - This option makes all services under the Local System account trusted for delegation. In other words, any installed service has the capability to access any network resource by impersonating a user.
3. Trust this computer for delegation to specified services only - This feature was not available in previous versions of Windows. It enables an administrator to choose the services that are delegated by selecting a specific service or computer account. This is commonly referred to as constrained delegation.
Delegation of control can be done through the Delegation of Control Wizard or via Group Policy settings.

Incorrect answers:
A: The Server Operators group has the following abilities: shut down the server from the console, restore files and directories from a backup device, can change system time and date, and log on to the server console interactively, though the question only asks for the minimum permissions to add new computer accounts.
B: The account operators group has the following abilities: shut down the server from the console and log on to the server console interactively, though the question only asks for the minimum permissions to add new computer accounts.
D: Creating a GPO and linking it to the domain will be obsolete in this case.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 355, 441, 830.

QUESTION NO: 3
You are the network administrator for Testking. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Confidential files are stored on a member server named TK1. The computer object for TK1 resides in an organizational unit (OU) named Confidential. A Group Policy object (GPO) named GPO1 is linked to the Confidential OU. To audit access to the confidential files, you enable auditing on all private folders on TK1. Several days later, you review the audit logs. You discover that auditing is not successful. You need to ensure that auditing occurs successfully. What should you do?

A. Start the System Event Notification Service (SENS) on TK1.
B. Start the Error Reporting service on TK1.
C. Modify the Default Domain Controllers GPO by selecting Success and Failure as the Audit Object Access setting.
D. Modify GPO1 by selecting Success and Failure as the Audit Object Access setting.
Answer: D

Explanation: Audit Object Access - Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
We want to audit a server that resides in the Confidential OU. We do not want to audit domain controllers. Since GPO1 is linked to the Confidential OU, it has to be modified as the Audit Object Access setting will be applicable to the confidential files.

Incorrect answers:
A: System Event Notification Service - Tracks system events such as Windows logon, network, and power events. It notifies COM+ Event System subscribers of these events.
B: Error Reporting Service - Allows error reporting for services and applications running in non-standard environments.
C: Modifying the Default Domain Controllers GPO by selecting Success and Failure as the Audit Object Access setting will not solve your problem as you need to monitor and modify the access setting to the confidential files. Also, we do not want to edit domain controllers.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 36

QUESTION NO: 4
DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 domain controllers, Windows Server 2003 member servers, and Windows XP Professional computers. The network security administrator revises the written company security policy. The security policy now states that all computers must have the ability to audit any attempts to change the registry. To comply with the company security policy, you need to enable auditing for the domain. You do not want to generate any other type of event that is not related to the changes in the security policy. How should you configure auditing? To answer, drag the appropriate Audit Policy setting or settings to the correct policy or policies.

Answer:

Explanation: Drag and drop Success and Failure to Audit Object Access.
Audit object access - This security setting determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
Assign permissions to files, folders, and registry keys
Appropriate object manager and Properties page
Access control is the model for implementing authorization. Once a user account has received authentication and can access an object, the type of access granted is determined by either the user rights that are assigned to the user or the permissions that are attached to the object. For objects within a domain, the object manager for that object type enforces access control. For example, the registry enforces access control on registry keys.
Every object controlled by an object manager has an owner, a set of permissions that apply to specific users or groups, and auditing information. By setting the permissions on an object, the owner of the object controls which users and groups on the network are allowed to access the object. The permission settings also define what type of access is allowed (such as read/write permission for a file). The auditing information defines which users or groups are audited when attempting to access that object.
After setting the audit, refreshing the policy and enabling the setting for the Everyone group on regedit.exe, you will be able to see an attempt to access.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 754, 752

QUESTION NO: 5
DRAG DROP
You are the network administrator for TestKing. A server named TestKingSrvC functions as a local file server. TestKingSrvC contains several extremely confidential files. The company's security department wants all attempts to access the confidential files on TestKingSrvC to be recorded in a log. You need to configure the local security policy on TestKingSrvC to give you the ability to comply with the security department's requirements. No other auditing should be configured. What should you do? To answer, drag the appropriate security setting or settings to the correct policy or policies.

Answer:

Explanation: You should audit Success and Failure to log all attempts to access the files on TestKingSrvC.
The Audit object access policy setting determines whether the event of a user accessing an object that has a system access control list (SACL) specified should be audited. You can configure whether to audit successes, audit failures, or not to audit the event type. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 871-875

QUESTION NO: 6
DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 domain controllers and Windows XP Professional computers. A server named TestKingSrv7 hosts a shared folder. You want to use System Monitor to configure monitoring of the server performance object to alert you when invalid logon attempts are made to the shared folder. You want to monitor only events that are associated with invalid logons. How should you configure the alert? To answer, drag one or more appropriate instances of the server performance object to the alert interface.

Answer:

Explanation: Drag "Errors Logon" to the appropriate location.
Server Object and Counter
Errors Logon

Explanation: A user's credentials have to be validated when a UNC name is utilized to connect to a remote network resource. The UNC connection uses Server Messaging Blocks (SMBs) to work through the Multiple UNC Provider (MUP). A SMB, called SESSION SETUP and X, is used for the connection. At this point, the user's credentials are passed to the network resource. Validation occurs locally on the computer when the resource is a domain controller that maintains the user account. A secure channel mechanism is utilized for user validation when the resource uses pass-through authentication.
The network resource requests a validation of the user from its domain controller. The domain controller returns an error to the network resource when the user's credentials are invalid and increments its usri3_bad_pw_count for the particular user. The network resource returns a message that has the NT status code 0xC000006D, STATUS_LOGON_FAILURE, to the client workstation.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 63

QUESTION NO: 7
HOTSPOT
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The written company security policy states that the audit policy on all file servers in the domain must have the ability to audit failure events for user access to files and folders. You create a custom security template named fileserver. You need to configure the fileserver security template to enforce the written security policy of TestKing for all file servers. Which policy or policies should you modify? To answer, select the appropriate audit policy or policies in the list of audit policies.

Answer:

Explanation: Audit object access. Take care in the exam: not all the policies are in the Not Defined state.
The Audit object access policy setting determines whether the event of a user accessing an object that has a system access control list (SACL) specified should be audited.
You can set a SACL on a file system object by using the Security tab in the object's Properties dialog box. You can configure whether to audit successes, audit failures, or not to audit the event type. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To disable auditing, select the "Define these policy settings" check box in the Properties dialog box for this particular policy setting, and clear the Success and Failure check boxes.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 798

QUESTION NO: 8
DRAG DROP
You are the network administrator for Testking. The network consists of a single Active Directory domain named testking.com. The network contains Windows Server 2003 member servers, Windows Server 2003 domain controllers, and Windows XP Professional computers. The relevant portion of the Active Directory structure is in the work area below. The written company security policy allows users to use Encrypting File System (EFS) on only portable computers. The network security administrator creates a separate domain account as the data recovery agent (DRA). The Default Domain Policy contains the Internet Explorer security settings that are required on all computers in the domain. Users are currently able to use EFS on any computer that will support EFS. You need to configure Group Policy to ensure compliance with the company security policy. You want to link the minimum number of GPOs to accomplish this goal. All other domain GPOs must remain. How should you configure Group Policy to ensure that users can use EFS on only portable computers? To answer, drag the appropriate Group Policy setting or settings to the correct organizational unit (OU) or OUs.

Answer:

Explanation: The question does not ask to add a DRA option for the domain. The question states, "The network security administrator creates a separate domain account as the data recovery agent (DRA)" so it has been created already and will permit us to recover encrypted data.
Set do not permit EFS to domain level and permit to the portable OU level.
By default: GPO is referred to as "scoping the GPO". Scoping a GPO is based on three factors:
1. The site(s), domain(s), or organization unit(s) where the GPO is linked.
2. The security filtering on the GPO.
3. The WMI filter on the GPO.

Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 586

QUESTION NO: ; You are the regional net"or0 administrator $or the +oston branch o$$ice o$ TestBingJs net"or0 The com#any net"or0 consists o$ a single )cti/e Directory domain test0ing com )ll com#uters in the +oston o$$ice run !indo"s @. .ro$essional The domain contains an organi1ational unit &OU( named +oston'lientsOU* "hich contains all the com#uter ob2ects $or the +oston o$$ice ) -rou# .olicy ob2ect &-.O( named +'lients-.O is lin0ed to +oston'lientsOU You ha/e been granted the right to modi$y the -.O +'lients-.O contains a so$t"are restriction #olicy that #re/ents the e3ecution o$ any $ile that has a /bs $ile e3tension )ll other a##lications are allo"ed to run You "ant to use a scri#t $ile named maintenance /bs* "hich you "ill schedule to run e/ery night on the com#uters in the +oston o$$ice The maintenance /bs $ile is located in the Scri#ts shared $older on a ser/er named TestBingSr/' The contents o$ maintenance /bs "ill $requently change based on the maintenance tas0s you "ant to #er$orm You need to modi$y the so$t"are restriction #olicy to #re/ent unauthori1ed /bs scri#ts $rom running on the com#uters in the +oston o$$ice* "hile allo"ing maintenance /bs to run You "ant to ensure that no other a##lications are a$$ected by your solution You "ant to im#lement a solution that you can con$igure once* "ithout requiring additional administration in the $uture* "hen maintenance /bs changes !hat should you do% A. 'btain a digital certificate. .reate a new certificate rule. $et the securit le%el of the rule to Unrestricted. Digitall sign maintenance.%bs. 1. .reate a new path rule. 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3>; 2 $et the securit le%el on the rule to Unrestricted. $et the path to WWTest@ing$r%.W$criptsWd.%bs. .. .reate a new path rule. $et the securit le%el on the rule to Unrestricted. $et the path to WWTest@ing$r%.W$criptsWmaintenance.%bs. D. .reate a new hash rule. $et the securit le%el on the rule to Unrestricted. 
.reate a file hash of maintenance.%bs. )ns"er: ' E3#lanation: The $ile "ill change so "e can only use a #ath rule The #ur#ose o$ a rule is to identi$y one or more so$t"are a##lications* and s#eci$y "hether or not they are allo"ed to run 'reating rules largely consists o$ identi$ying so$t"are that is an e3ce#tion to the de$ault rule Each rule can include descri#ti/e te3t to hel# communicate "hy the rule "as created A software restriction polic supports the following four wa s to identif software9 :ash2A cr ptographic fingerprint of the file. 'erti$icate2A software publisher certificate used to digitall sign a file. .ath2The local or uni%ersal naming con%ention *U,.+ path of where the file is stored. Yone2&nternet Rone A hash rule is a cr ptographic fingerprint that uni6uel identifies a file regardless of where it is accessed or what it is named. An administrator ma not want users to run a particular %ersion of a program. This ma be the case if the program has securit or pri%ac bugs, or compromises s stem stabilit . !ith a hash rule, software can be renamed or mo%ed into another location on a dis/, but it will still match the hash rule because the rule is based on a cr ptographic calculation in%ol%ing file contents. (iles that are digitall signed will use the hash %alue contained in the signature, which ma be $AA21 or MDF. (iles that are not digitall signed will use an MDF hash. A certificate rule specifies a code2signing, software publisher certificate. (or eBample, a compan can re6uire that all scripts and Acti%e< controls be signed with a particular set of publisher certificates. .ertificates used in a certificate rule can be issued from a commercial certificate authorit *.A+ such as ?eri$ign, a !indows 2"""H!indows $er%er 2""3 5@&, or a self2signed certificate. A certificate rule is a strong wa to identif software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. 
If you wish to make exceptions to a certificate rule, you can use a hash rule to identify the exceptions.
A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported. A rule can identify software from the Internet Explorer zone from which it is downloaded.
Incorrect answers:
A: We can't use a certificate because the file will change.
B: *.vbs will allow any vbs script to run.
D: The hash is calculated using the filename, filesize etc. The file will change so the size will change and therefore the hash will need to be changed.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 617
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.a

QUESTION NO: 10
You are the network administrator for the Tokyo office of TestKing. The company network consists of a single Active Directory domain testking.com. The network in your office contains 20 Windows XP Professional computers. The domain contains an organizational unit (OU) named TokyoOU, which contains all the computer objects for your office. You have been granted the right to create and link Group Policy objects (GPOs) on the TokyoOU. You need to prevent the computers in your office from executing unauthorized scripts that are written in the Microsoft Visual Basic, Scripting Edition (VBScript) language. However, you want to be able to use VBScript files as startup scripts on all computers in your office. You need to implement a solution that will not affect any other applications. You plan to implement software restriction policies, by using a GPO on TokyoOU. You will set the default security level to Unrestricted. Which two actions should you perform to configure software restriction policies? (Each correct answer presents part of the solution. Choose two)
A. Create a new certificate rule. Set the security level on the rule to Unrestricted. Digitally sign all the .vbs files that you want to use.
B. Create a new certificate rule. Set the security level on the rule to Restricted. Digitally sign all the .vbs files that you want to use.
C. Create a new path rule. Set the security level on the rule to Unrestricted. Set the path to *.vbs.
D. Create a new path rule. Set the security level on the rule to Restricted. Set the path to *.vbs.
E. Create a new Internet zone rule. Set the security level on the rule to Unrestricted. Set the Internet zone to Local computer.
F. Create a new Internet zone rule. Set the security level on the rule to Restricted. Set the Internet zone to Local computer.
Answer: A, D
Explanation: The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. Each rule can include descriptive text to help communicate why the rule was created. A software restriction policy supports the following four ways to identify software:
Hash - A cryptographic fingerprint of the file.
Certificate - A software publisher certificate used to digitally sign a file.
Path - The local or universal naming convention (UNC) path of where the file is stored.
Zone - Internet Zone
A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or what it is named. An administrator may not want users to run a particular version of a program. This may be the case if the program has security or privacy bugs, or compromises system stability. With a hash rule, software can be renamed or moved into another location on a disk, but it will still match the hash rule because the rule is based on a cryptographic calculation involving file contents. A hash rule consists of three pieces of data, separated by colons.
A certificate rule specifies a code-signing, software publisher certificate. For example, a company can require that all scripts and ActiveX controls be signed with a particular set of publisher certificates. Certificates used in a certificate rule can be issued from a commercial certificate authority (CA) such as VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed certificate. A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. If you wish to make exceptions to a certificate rule, you can use a hash rule to identify the exceptions.
A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.
Incorrect Answer:
B: This will allow all vbs script to run except the ones you want to run.
C: This will allow all vbs scripts to run.
E: Zone rules don't apply in this scenario.
F: Zone rules don't apply in this scenario.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 617

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. The domain contains a member server named TestKing1, which is located in an organizational unit (OU) named Servers. TestKing1 is managed by an application administrator named King. His domain user account is a member of the local Administrators group on the server. Members of this group are the only users who have the Log on locally user right on TestKing1. The written company security policy states that only authorized individuals can access TestKing1. However, you discover that help desk technicians use the Remote Assistance feature to share their server logon session with unauthorized individuals. You need to reconfigure TestKing1 so the Remote Assistance feature cannot be enabled or used by the help desk technicians. However, King should have the ability to enable and use this feature. What should you do?
A. In the System Properties dialog box on TestKing1, disable the Turn on Remote Assistance and allow invitations to be sent from this computer option.
B. In the System Properties dialog box on TestKing1, disable the Allow users to connect remotely to this computer option.
C. Edit the Group Policy object (GPO) for the Servers OU by disabling the Offer Remote Assistance setting.
D. Edit the Group Policy object (GPO) for the Servers OU by disabling the Solicited Remote Assistance setting.
Answer: A
Explanation: Remote Desktop Connection is installed by default on all Windows Server 2003 family operating systems, while Remote Desktop for Administration is disabled by default in Windows Server 2003 family operating systems. To enable users to connect remotely to the server by using Remote Desktop for Administration, you must have the appropriate permissions.
By default, members of the Administrator group can connect remotely to the server. However, the Remote Desktop Users group is not populated by default. You must decide which users and groups should have permission to log on remotely, and then add them manually to the group.
Incorrect Answers:
B: You need to disable Remote Assistance, and not Remote Desktop.
C: King needs to be able to enable Remote Assistance. A group policy applied to the server would prevent King from enabling Remote Assistance.
D: King needs to be able to enable Remote Assistance. A group policy applied to the server would prevent King from enabling Remote Assistance.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 12
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. All client computers run Windows XP Professional. You are responsible for managing Group Policy objects (GPOs) in the domain. A desktop support team administers client computers. The desktop support team's user accounts are all members of a global group named Support. The Support global group belongs to the Administrators local group on all client computers. On all client computers, the Administrators local group also contains the domain user account of the user who is assigned to use that computer, so that the user can install software. The security administrator creates a GPO named RegTools and links the GPO to the root of the domain. He configures a software restriction policy in the GPO that uses hash rules to prevent users from running registry editing tools. The policy applies to all user accounts in the domain. The desktop support team reports that when they attempt to run registry editing tools, they receive the following error message: "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator". You need to ensure that only the desktop support team can run registry editing tools. What should you do?
A. Configure the enforcement options of the software restriction policy so that the policy applies to all users except local administrators.
B. Make all users members of the Power Users group instead of the Administrators group on their computers.
C. Use file system security settings in the Default Domain Policy to modify the NTFS permissions for the registry editing tools' executable files. Assign only the Support group the Allow - Read and Execute permission for the files.
D. Use a startup script policy to ensure that the registry editing tools are moved to a folder named RegTools. Assign only the Support group the Allow - Read and Execute permission for the RegTools folder.
E. Edit the permission of the RegTools GPO by assigning the Support group the Deny - Apply group policy permission.
F. Change the software restriction in the RegTools GPO to use a zone rule.
Answer: E
Explanation: Edit the permission of the RegTools GPO by assigning the Support group the Deny - Apply group policy permission. The GPO would not apply to members of this group irrespective of the permissions they have in other security groups.
Incorrect Answers:
A: This will not work in this case. Not all the users in the support group are necessarily local administrators.
B: Making all users power users will not work. Usually the most restrictive properties take precedence.
C: The Allow - Read and Execute permission for files, albeit a Default domain policy, is not an NTFS permissions issue.
D: You need to edit the GPO and assign the appropriate permission. There is no need to move any folders.
F: Modifying the RegTools GPO software restriction to make use of a zone rule will not help in this scenario.
Reference: Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Chapter 10, pp. 601 - 607
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 3

QUESTION NO: 13
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains a Windows Server 2003 file server named Testking1. During a routine security audit, you examine the security log on Testking1 in Event Viewer. You discover that the security log contains thousands of events that indicate failed logon attempts from a variety of computers for the built-in Administrator account on Testking1. The local Administrator account is never used. You suspect that an unauthorized user is attempting to access Testking1 by using the built-in Administrator account. You need to protect Testking1 from attacks that attempt to use the built-in Administrator accounts, while ensuring that users can continue to use it as a file server.

What should you do on Testking1?
A. Enable the Do not allow anonymous enumeration of SAM accounts policy in the Default Domain security settings.
B. Disable the local Administrator account.
C. Modify the built-in Administrator account by enabling the Account is sensitive and cannot be delegated option.
D. In the local security policy, assign the built-in Administrator account the Deny log on locally user right.
Answer: B
Explanation: Since the local Administrator account is never used and you suspect it is being used by unauthorized users, it should be disabled because it allows unauthorized users access to Testking1 thus leaving Testking1 vulnerable.
Incorrect Answers:
A: You need to disable the local Administrator account since it is being used for unauthorized access. You still have to ensure that users can continue to use the file server thus this option will not do.
C: This option will not work as what needs to be done is to take away the right to access Testking1 and this means disabling the local Administrator account.
D: The Built-in Administrator account cannot be assigned the Deny log on locally user right because only Domain Admins and the local Administrator account remain members of the local Administrators group who can assign these rights.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 783

QUESTION NO: 14
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 domain controller named TestKing2. The securews.inf security policy has been applied to the domain. Server6 hosts a network application that installs a new service named NetAppService. NetAppService is configurable in the Services console. The network application requires a service account. The network application runs constantly. You create and configure a service account named SrvAcct for the network application. The software functions properly using the new account and service. You discover an ongoing brute force attack against the SrvAcct account. The intruder appears to be attempting a distributed attack from several Windows XP Professional domain member computers on the LAN. The account has not been compromised and you are able to stop the attack. You restart TestKing2 and attempt to run the network application, but the application does not respond. What should you do to run the application so that it runs constantly?
A. Reset the SrvAcct password.
B. Configure the default Domain Controllers policy to assign the SrvAcct account the right to log on locally.
C. Unlock the SrvAcct account.
D. Restart the NetAppService service.
Answer: C
Explanation: Disabling the Interactive logon: Require Domain Controller authentication to unlock workstation will weaken the security configuration, but it will allow the application to run smoothly.
Incorrect Answers:
A: Resetting the password for that specific account will not work in this scenario. You want to be able to run the network application after the attack has been stopped and thus locked the account which first has to be unlocked to enable the application to run smoothly.
B: need to unlock the account.
D: Restarting the backup application is not sufficient as the account has to be unlocked for the application to respond.
Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 317-318.

QUESTION NO: 15
DRAG DROP
You are the network administrator for TestKing

A server named TestKingSrvC functions as a local file server. TestKingSrvC contains several extremely confidential files. The company's security department wants all attempts to access the confidential files on TestKingSrvC to be recorded in a log. You need to configure the local security policy on TestKingSrvC to give you the ability to comply with the security department's requirements. No other auditing should be configured. What should you do? To answer, drag the appropriate security setting or settings to the correct policy or policies.
Answer:
Explanation: You should audit Success and Failure to log all attempts to access the files on TestKingSrvC. The Audit object access policy setting determines whether the event of a system access control list (SACL) specified, should be audited. You can configure whether to audit successes, audit failures, or not to audit the event type. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 871-875

QUESTION NO: 16
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The written company security policy states that the audit policy on all file servers in the domain must have the ability to audit failure events for user access to files and folders. You create a custom security template named fileserver. You need to configure the fileserver security template to enforce the written security policy of TestKing for all file servers. Which policy or policies should you modify? To answer, select the appropriate audit policy or policies in the list of audit policies.
Answer:
Explanation: Audit object access
The Audit object access policy setting determines whether the event of a user accessing control list (SACL) specified, should be audited. You can set a SACL on a file system object by using the Security tab in the object's Properties dialog box. You can configure whether to audit successes, audit failures, or not to audit the event type. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To disable auditing, select the "Define these policy settings" check box in the Properties dialog box for this particular policy setting, and clear the Success and Failure check boxes.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 798

QUESTION NO: 17
You install Windows Server 2003 on a computer named Testking2. Testking2 will host a mission-critical application. The system engineer asks you to monitor Testking2 to ensure reliability and availability.

You assign a computer maintenance engineer named Kim to assist you in maintaining Testking2. Kim will have the following responsibilities on Testking2:
1. Use Event Viewer to monitor all event logs except the security logs
2. Use Performance Logs and Alerts to create new performance logs
You need to assign Kim only the minimum rights on Testking2 that are required to perform these tasks. Kim must be able to perform the tasks locally or from another computer. To simplify administration, you must use the minimum number of groups required. To which local built-in security group or groups should you assign Kim? (Choose all that apply)
F. Administrators
G. Performance Log Users
H. Performance Monitor Users
I. Power Users
J. Remote Desktop Users
Answer: B
Explanation: Performance Logs and Alerts provide logging and alert capabilities for both local and remote computers. You use logging for detailed analysis and recordkeeping. Retaining and analyzing log data that is collected over time can be helpful for capacity and upgrade planning. To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority. If the computer is connected to a domain, members of the Domain Admins group might be able to perform this procedure. Performance Log Users members can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group. Thus making Kim a member of the Performance log users will grant her enough permissions to complete her tasks without granting her membership to too many groups.
Incorrect Answers:
A: Administrators have the ability to provide both logging and alert capabilities for both local and remote computers. Kim will not be needing membership to this group as well. Being a member of the Performance Log Users is sufficient.
C: Performance Monitor users can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.
D: Power Users membership will be too restrictive to allow Kim to complete her tasks.
E: Remote Desktop Users membership will not enable Kim to complete her tasks.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 783

QUESTION NO: 18
SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 domain controllers and Windows XP Professional computers. A server named TestKingSrv7 hosts a shared folder. You want to use System Monitor to configure monitoring of the server performance object to alert you when invalid logon attempts are made to the shared folder. You want to monitor only events that are associated with invalid logons. How should you configure the alert? To answer, drag one or more appropriate instances of the server performance object to the alert interface.
Answer: Drag Errors Logon to the appropriate location
Server Object and Counter Errors Logon
Explanation: A user's credentials have to be validated when a UNC name is utilized to connect to a remote network resource. The UNC connection uses Server Messaging Blocks (SMBs) to work through the Multiple UNC Provider (MUP). A SMB, called SESSION, SETUP and X, is used for the connection. At this point, the user's credentials are passed to the network resource. Validation occurs locally on the computer when the resource is a domain controller that maintains the user account. A secure channel mechanism is utilized for user validation when the resource uses pass-through authentication. The network resource requests a validation of the user from its domain controller. The domain controller returns an error to the network resource when the user's credentials are invalid and increments its usri3_bad_pw_count for the particular user. The network resource returns a message that has the NT status code 0xC000006D, STATUS_LOGON_FAILURE, to the client workstation.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 63

QUESTION NO: 19
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All 500 client computers run Windows XP Professional. TestKing.com is involved in projects throughout the world and often has approximately 150 projects in progress. You want to ensure that the user accounts of employees which are active in each project can easily be found in Active Directory. You hire a part-time employee named Tess King. Her role will be to update the user account properties in Active Directory. You create a new user account for Tess, and you run the Delegation of Administration wizard for the domain. What should you do next? To answer, configure the appropriate option or options in the dialog box in the work area.
Answer:
Explanation: Tick the checkbox to allow the "Modify the membership of a group" permission

Part 2: Monitor network protocol security.
Tools might include the &5 $ecurit Monitor Microsoft Management .onsole *MM.+ snap2in and @erberos support tools.*G :uestions+ QUESTION NO: < You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com )ll ser/ers run !indo"s Ser/er 2==, 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -"= 2 The net"or0 contains three email ser/ers These e>mail ser/ers send messages to each other by using S?T. TestBingJs "ritten security #olicy states that all Sim#le ?ail Trans$er .rotocol &S?T.( tra$$ic must be encry#ted by using an I.Sec #olicy You create an organi1ational unit &OU( named ?ail Ser/ers and #lace all the e>mail ser/ers in the OU You create an I.Sec #olicy that requires security $or all S?T. connections to the e>mail ser/ers You need to /eri$y that all S?T. tra$$ic sent bet"een the e>mail ser/ers is encry#ted !hat should you do% A. Use &5 $ecurit Monitor to find out which &5$ec policies are being applied to the e2mail ser%ers. 1. Use ,etwor/ Monitor to capture networ/ pac/ets sent between the e2mail ser%ers. .. Use Croup 5olic 3ditor to find out which &5$ec policies are being applied to the Mail $er%ers 'U. D. Run the gpresult command on each mail ser%er to find out which Croup 5olic ob)ects *C5's+ are being applied to the e2mail ser%ers. )ns"er: + E3#lanation: You can use Net"or0 ?onitor to design and create a ca#ture $ilter to ca#ture net"or0 #ac0ets sent bet"een the e>mail ser/ers Using a ca#ture $ilter "ould assist in isolating S?T. tra$$ic sent bet"een the e>mail ser/ers Incorrect )ns"ers: ): To assist ou with the standard monitoring of &5$ec, ou ha%e the &5$ec $ecurit monitor. (inding out which &5$ec policies are being applied to the e2mail ser%ers will not necessaril %erif which traffic is encr pted. The 6uestion pertinentl as/s for all $MT5

traffic sent between e2mail ser%ers is encr pted, not which policies are applied. ': Croup 5olic 3ditor is not used to monitor which &5$ec policies are applied. Also finding out which policies are applied where is not what the 6uestion as/s. D: This option will re6uire that ou are also aware of which Croup 5olicies entails which ob)ects. This will not necessaril help ou in %erif ing which $MT5 traffic is encr pted. The 6uestion wants %erification that all $MT5 traffic be encr pted. De$erence: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -1" 2 Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd and 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, .hapter 3, pp. 1-2, F>;, >;> QUESTION NO: 2 You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com )ll ser/ers run !indo"s Ser/er 2==, )ll client com#uters run !indo"s @. .ro$essional T"o o$ the ser/ers on the net"or0 contain highly con$idential documents TestBingJs "ritten security #olicy states that all net"or0 connections "ith these ser/ers must be encry#ted by using an I.Sec #olicy You #lace the t"o ser/ers in an organi1ational unit &OU( named SecureSer/ers You con$igure a -rou# .olicy ob2ect &-.O( that requires encry#tion $or all connections You assign the -.O to the SecureSer/ers OU You need to /eri$y that users are connecting to the t"o ser/ers by using encry#ted connections !hat should you do% A. Run the net %iew command. 1. Run the gpresult command. .. Use the &5 $ecurit Monitor console. D. Use the &5$ec 5olic Management console. )ns"er: ' E3#lanation: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -11 2 )dministrators can use the I. Security ?onitor tool to con$irm "hether I. 
Security &I.Sec( communications are success$ully secured The tool can dis#lay the number o$ #ac0ets that ha/e been sent o/er the )uthentication :eader &):( or Enca#sulating Security .ayload &ES.( security #rotocols* and ho" many security associations and 0eys ha/e been generated since the com#uter "as last started The I. Security ?onitor is im#lemented as a ?icroso$t ?anagement 'onsole &??'( sna#>in on the !indo"s Ser/er 2==, and !indo"s @. .ro$essional o#erating systems It includes enhancements that allo" you to /ie" details about an acti/e I.Sec #olicy* in addition to Quic0 ?ode and ?ain ?ode statistics* and acti/e I.Sec S)s I. Security ?onitor also enables you to search $or s#eci$ic ?ain ?ode or Quic0 ?ode $ilters Incorrect )ns"ers: ): Running the net %iew command will not aid ou in %erif ing users connecting to the two ser%ers ma/e use of encr pted connections. +: The gpresult command displa s the Resultant $et of 5olic *R$o5+ information for a target user and computer. D: &f ou want to %erif whether users connecting to the two ser%ers ma/e use of encr pted connections then ou should use the &5 $ecurit Monitor console and not the &5$ec 5olic Management console. De$erence: Diana Auggins, !indows $er%er 2""3 ,etwor/ &nfrastructure 3Bam .ram 2 *3Bam G"22=1+, .hapter F Q. .. Mac/in, &an Mc4ean, M.$AHM.$3 self2paced training /it *eBam G"22=1+9 implementing, managing, and maintaining a Microsoft !indows $er%er 2""3 networ/ infrastructure, Microsoft 5ress, Redmond, 2""3, p. 1F9 2" Deborah 4ittle)ohn $hinder, Dr. Thomas !. 
$hinder, .had Todd and 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, p.G=F QUESTION NO: , You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e Directory domain named test0ing com The domain contains three !indo"s Ser/er 2==, domain controllers* 2= !indo"s Ser/er 2==, member ser/ers* and 75= !indo"s @. .ro$essional com#uters The domain is con$igured to use only Berberos authentication $or all ser/er connections 4eading the wa in &T testing and certification tools, www.test/ing.com

A user reports that she receives an "Access denied" error message when she attempts to connect to one of the member servers. You want to test the functionality of Kerberos authentication on the user's client computer. Which command should you run from the command prompt on the user's computer?
A. netsh
B. netdiag
C. ktpass
D. ksetup
Answer: B
Explanation: Netdiag is a command-line diagnostic tool that you can use to test network connectivity. It performs a series of tests to determine the state and functionality of a network client. You can use the results of these tests, and network status information provided by Netdiag, to assist you in isolating network and connectivity problems on your Windows 2000-based workstation or server computer. The netdiag command is used to run a diagnostics test against your server to see if anything is not working correctly.
Incorrect Answers:
A: With the Netsh.exe tool, you can direct the context commands you enter to the appropriate helper, and the helper then carries out the command. A helper is a Dynamic Link Library (.dll) file that extends the functionality of the Netsh.exe tool by providing configuration, monitoring, and support for one or more services, utilities, or protocols. The helper may also be used to extend other helpers.
C: If you want to configure your UNIX hosts to use a Windows 2000-based server as a Kerberos Key Distribution Center (KDC), you must generate a Kerberos key tab file. You can use the Ktpass utility, which is included with the Microsoft Windows 2000 Resource Kit, to create a key tab file for your UNIX host.
D: KSetup is a command-line tool that configures Windows 2000 clients to use an MIT Kerberos server instead of using a Windows 2000 domain for user authentication.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 871-87

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain. All users in the TestKing Sales Staff (TSS) use only their designated computers. The TSS users frequently access confidential data stored on servers in the domain. To ensure that confidential data is not compromised during data transmissions, you want to secure all communication between the TSS computers and all domain servers. You must ensure that all other users will continue to have access to the domain's servers. Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)
A. Assign the Server (Request Security) IPSec policy on all servers.
B. Assign the Secure (Require Security) IPSec policy on all servers.
C. Assign the Client (Respond Only) IPSec policy on all servers.
D. Create and assign a new IPSec policy on all servers. Activate the Default Response rule.
E. Assign the Client (Respond Only) IPSec policy on all TSS computers.
F. Enable Internet Connection Firewall (ICF) on all TSS computers.
Answer: A, E
Explanation: The Client (Respond Only) policy specifies that a Windows 2000, XP, or Server 2003 IPSec client will negotiate IPSec security with any peer that supports it but that it won't attempt to initiate security. Let's say you apply this policy to a Server 2003 computer. When it initiates outbound network connections, it won't attempt to use IPSec. When someone opens a connection to it, though, it will accept IPSec if the remote end asks for it.
The Server (Request Security) policy is a mix of the Client (Respond Only) and the Secure Server (Require Security) policy. In this case, the machine will always attempt to use IPSec by requesting it when it connects to a remote machine and by allowing it when an incoming connection requests it. This policy provides the best general balance between security and interoperability.

To ensure that there is no compromise on confidential data during transmissions between the TSS computers and all the domain servers without disrupting access, you need to assign the Server (Request Security) IPSec policy on all the servers. In addition you also need to assign the Client (Respond Only) IPSec policy on all the TSS computers.
Incorrect answers:
B: The Secure Server (Require Security) policy specifies that all IP communication to or from the policy target must use IPSec. In this case, all DNS, WINS, and web requests and everything else that uses an IP connection either has to be secured with IPSec or will be blocked. This may not be what you want unless you plan to implement IPSec on your entire network. This is not what is required on the servers.
C: This is the incorrect IPSec policy to assign to the servers in this case.
D: There is no need to create and assign a new IPSec policy on all the servers. It is not going to ensure the confidentiality of transmitted data in this case as there are the TSS computers also to take into account.
F: Internet Connection Firewall on all TSS computers is not going to ensure the confidentiality of transmitted data between TSS clients and the servers.
Reference:
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 177

QUESTION NO: 5
Exhibit:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network includes a file server named TestKing8, which contains highly confidential data. The company's written security policy states that all connections to TestKing8 must be encrypted by using IPSec. Another network administrator creates an OU named Secure Servers. He then creates a GPO named Secure Servers. He configures an IPSec policy as part of the Secure Servers GPO. During a routine security check, the security office reports that client computers can still make nonsecure connections to TestKing8. You open IP Security Monitor on TestKing8, as shown in the exhibit. You need to identify why client computers still can make nonsecure connections to Testking8. What is the most likely cause of the problem?
A. TestKing8 is located in the wrong Active Directory container.
B. The IPSec policy is configured incorrectly.
C. The Secure Servers GPO is not linked to the appropriate OU.
D. The IPSec Services service is not running on TestKing8.
Answer: B
Explanation: That the security office reports that client computers can still make nonsecure connections to TestKing8 is due to the IPSec policy not being configured properly. The other options' suggestions do not explain why unsecure connections can still be made.
Incorrect answers:
A: It is not a matter of TestKing8 being in the wrong Active Directory container that has a bearing on the IPSec policy in this case.
C: The GPO is linked to the correct OU.
D: This is not true. The exhibit shows that there are IPSec policies applied to TestKing8 and that they are active.
Reference:
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 201-20

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network contains five servers that contain highly confidential information. You place the five servers in an OU named SecureServers. You create a GPO named IPSecGPO. The GPO configures an IPSec policy that requires secure connections for all connections to servers in the SecureServers OU. You need to verify that the IPSecGPO GPO is being applied to each of the servers in the SecureServers OU.

What should you do?
A. Use the IPSec Policy Management console.
B. Use the Microsoft Baseline Security Analyzer (MBSA).
C. Run the gpresult command on each of the servers.
D. In the Group Policy Management Console (GPMC), configure a Resultant Set of Policy (RSoP) modelling report for the SecureServers OU.
Answer: C
Explanation: The gpresult command displays the Resultant Set of Policy (RSoP) information for a target user and computer.
Incorrect answers:
A: The IPSec Policy Management tool is used to ensure that the IPSec policies are assigned to both computers and that they are compatible with each other. You need to verify that the appropriate GPO is applied to each of the servers in the SecureServers OU.
B: The MBSA is used to ensure that you have the most current security updates. This is not what is required. This does not tell you what you have applied to the servers.
D: IPSec support for Resultant Set of Policy (RSoP) provides the ability to see exactly how the various policies within the domain will apply to a specific user or computer. IPSec provides an extension to the RSoP console that you can use to view detailed settings for the IPSec policy that is being applied. However, you should run the gpresult command to be able to see the RSoP reports and not configure an RSoP modelling report.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, 2003, p. 15: 20
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 173, 207, 795

QUESTION NO: 7
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains two domain controllers that are configured as DNS servers. Forward and reverse DNS lookup zones are configured on both DNS servers. You install the Windows Server 2003 administrative tools on your client computer. You use IP Security Monitor to view network information. You notice that many servers on the network are identified only by IP address within the IP Security Monitor interface. You need to ensure that servers on the network are listed by server names rather than IP addresses. What should you do?
A. Configure your client computer to use the domain controllers for DNS lookups.
B. Enable DNS name resolution in IP Security Monitor.
C. Force a registration of DNS information on all servers on the network.
D. Configure all servers on the network to support NetBIOS over TCP/IP.
Answer: B

Part 3: Troubleshoot network protocol security. Tools might include the IP Security Monitor MMC snap-in, Event Viewer, and Network Monitor. (6 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. All servers run Windows Server 2003. A server named Testking1 is configured with IIS. Testking1 hosts a Web site for the engineering department. The engineering Web site is configured to support communications by using HTTPS. You use Network Monitor on Testking1 and discover that users are connecting to the engineering Web site by using both HTTP and HTTPS. You must ensure that all access to the engineering Web site on Testking1 is gained by using HTTPS. What should you do on Testking1?
A. Install a new server certificate.
B. Change the TCP port on the engineering Web site to port 8080.
C. Configure the engineering Web site to use only Integrated Windows authentication.
D. Use the IIS Certificate wizard to renew the current certificate for the engineering Web site.
E. Configure the engineering Web site to require a secure channel.
Answer: E
Explanation: HTTPS makes use of TCP port 443. Any time you visit a Web site that uses an https:// prefix instead of http://, you're seeing Secure Sockets Layer (SSL) encryption in action. Web page encryption is implemented using the Secure Sockets Layer (SSL) protocol. This is useful when you need to ensure that all access to the engineering Web site is gained by means of HTTPS.
Incorrect answers:
A: Installing a new server certificate will not ensure all access occurs through HTTPS.
B: Changing the port of the Web site to 8080 will not work as HTTPS makes use of port 443.
C: The Integrated Windows Authentication option employs a cryptographic exchange between the web server and the user's Internet Explorer web browser to confirm the user's identity. Making use of only Integrated Windows authentication is not ensuring that all access is through HTTPS.
D: Renewing the current certificate with the IIS Certificate wizard will not ensure that all access will be through HTTPS.
Reference:
Lisa Donald, Suzan Sage London and James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 328

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers run Windows XP
Professional, Windows 2000 Professional, and Windows NT Workstation 4.0. The network contains a file server named Testking1. Testking1 hosts a shared folder that contains confidential financial data. This data is accessible only by users in the finance department. TestKing's written security policy states that all network traffic from Testking1 to client computers in the finance department must be encrypted by using an IPSec policy. To satisfy this requirement, you configure an IPSec policy for Testking1. The Quick Mode filters applied by the policy are shown in the exhibit. You monitor the connections on Testking1. You notice that all users in the finance department are connecting to Testking1 by using the IPSec policy with the exception of one user. This user can connect to the server without using a secure connection. You need to identify why the user cannot connect to Testking1 by using an IPSec connection. What is the most likely cause of the problem?
A. The client computer does not support the IPSec policy.
B. The client computer has an IP address that is not on the appropriate subnet.
C. The client computer is using an incorrect port number to connect to Testking1.
D. The client computer is not configured to respond as an IPSec client.
Answer: C
Explanation: You can think of IPSec policies as a collection of packet filters that enforce security policy on IP traffic. Each filter describes some network protocol action. You configured an IPSec policy for Testking1. This IPSec policy contains a set of rules including selected filter lists (protocols and ports to which you want the filter to apply), filter actions, authentication methods, connection types, and tunnel settings. When a client computer uses an incorrect port number to connect to Testking1, it would prevent the user from connecting to Testking1 via an IPSec connection.
Incorrect Answers:
A: The issue of whether the client computer is configured to support IPSec policy is not the issue. The problem stems from the client computer making use of the wrong port number when attempting to connect to Testking1.
B: The IP address is not the cause of the problem. Thus this option is irrelevant.
D: The problem originated due to an incorrect port number being used and not due to a configuration problem regarding IPSec client.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2004, pp. 673-67
Zacker, Craig, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network, Microsoft Press, Redmond, 2003, Chapter 12, p. 630

QUESTION NO: 3
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 domain controllers and Windows XP Professional computers. All client computers are portable computers. The company hires a consultant to deploy a wireless network infrastructure. The name of the wireless network is WLANSEDTHCE. To ensure the highest level of security on the wireless network, you create and link a Group Policy object (GPO) to enable Protected EAP (PEAP) 802.1x authentication on all wireless client computers. You name the GPO WLANSPEAP. All wireless access points are configured to use the same RADIUS server. Certificate services are not deployed in TestKing.com. After the WLANSPEAP GPO is applied to client computers, users report that their wireless connection functions properly, but it disconnects when they carry their wireless portable computers from one area to another in their office building. You need to ensure that client computers are not disconnected. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Select the Enable Fast Reconnect check box. The check box is at the bottom of the dialog box. To ensure that client computers are not disconnected one should enable Fast Reconnect because it has the capability to reconnect to a wireless access point using cached session keys facilitating quick roaming between wireless access points, TLS-generated dynamic keying material, and server authentication that prevents deployment of unauthorized wireless access points.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 697

QUESTION NO: 4
The TestKing network design requires secure network connections across all IP public communication media. On a daily basis, you must verify that secure network connections are functioning properly. What should you do?
A. From a command prompt, run the netdiag command.
B. Use the IP Security Monitor snap-in.
C. Create an IPSec Security Group Policy object (GPO).
D. From a command prompt, run the ipsec6 command.
Answer: B
Explanation: To assist you with the standard monitoring of IPSec, you have the IPSec Security monitor. You should use the IP Security Monitor, included in Windows Server 2003 and implemented as an MMC snap-in, to monitor IPSec information on local computers and remote machines. You can examine information on IPSec policies, generic and specific filters, security associations and statistics.
Incorrect Answers:
A: Running the netdiag command from a command prompt will run a diagnostics test against your server to see if anything is not working correctly. This does not mean that it will check up on whether secure network connections are operational. Although netdiag.exe can still be used to obtain information about networking, Windows Server the netsh commands for IPSec.
C: This option suggests a group policy object which will not work in this particular scenario.
D: Running the ipsec6 command from a command prompt will not work.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Chapter 11, Syngress Publishing Inc., Rockland, 2003, pp. 682, 868, 871

QUESTION NO: 5
You are the network administrator for TestKing. A Windows Server 2003 computer named Testking11 is used to connect the network to the Internet. You find out that some computers on the network are infected with a worm, which occasionally sends out traffic to various hosts on the Internet. This traffic always uses a certain source TCP port number. You need to identify which computers are infected with the worm. You need to configure a solution on Testking11 that will perform the following two tasks:
1. Detect and identify traffic that is sent by the worm.
2. Immediately send a notification to a network administrator that the infected computer needs to be repaired.
What should you do?
A. Configure a WMI event trigger.
B. Configure a Network Monitor capture filter.
C. Configure a Network Monitor trigger.
D. Configure a System Monitor Alert.
Answer: C
Explanation: Network Monitor captures and displays network packets at byte-level. This is too much information, and view and capture filters can be configured so that you can either view only the traffic that you are interested in, or capture only that traffic. You can create a view filter by specifying source or destination IP address, or protocol. Capture filters can be triggered by a pattern match, for example, so that you can specify when the capture starts.
Incorrect answers:
A: WMI Control is a Windows Server 2003 utility that provides an interface for monitoring and controlling system resources. WMI stands for Windows Management Instrumentation. This is not what is required; you need a Network Monitor trigger.
B:
D: A System Monitor Alert is not going to comply with the TestKing11 requirements as set out in the question.
Reference:
J.C. Mackin, Ian McLean, MCSA/MCSE Self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, 2003, pp. 17: 4-10

QUESTION NO: 6
You are the administrator of a Windows Server 2003 computer named Testking1. The network contains another Windows Server 2003 computer named Testking2 that has the DNS and WINS services installed. Two hundred Windows 2000 Professional computers regularly connect to Testking1 to access file and print resources. Administrators report that network traffic has increased and that response times for requests for network resources on Testking1 have increased. You need to identify whether Testking1 is receiving requests for resources through NetBIOS broadcasts. What should you do?
A. Use Network Monitor to capture traffic between Testking1 and all client computers.
B. Use Network Monitor to capture traffic between Testking1 and Testking2.
C. Monitor Event Viewer for Net Logon error or warning events.
D. Run the tracert command on Testking1.
Answer: A
Explanation: Network Monitor captures and displays network packets at byte-level. This is too much information, and view and capture filters can be configured so that you can either view only the traffic that you are interested in, or capture only that traffic. You can create a view filter by specifying source or destination IP address, or protocol. Capture filters can be triggered by a pattern match, for example, so that you can specify when the capture starts. If you capture traffic between TestKing1 and all client computers then you will be able to view the proper information to see whether TestKing1 is receiving requests for resources through NetBIOS broadcasts.
Incorrect answers:
B: Capturing traffic between TestKing1 and TestKing2 will not yield the information necessary in this case.
C: Monitoring Net Logon error or warning events using Event Viewer will not yield the information that you need.
D: Tracert reveals breaks in connectivity but does not provide statistics about router performance. Tracert is a route-tracing utility that allows you to track the path of a forwarded packet from router to router for up to 30 hops. Running tracert on TestKing1 will not yield the information that you need.
Reference:
J.C. Mackin, Ian McLean, MCSA/MCSE Self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, 2003, pp. 17: 4-10

Topic 4, Implementing, Managing, and Maintaining Routing and Remote Access (38 Questions)
Part 1: Configure Routing and Remote Access user authentication.
A: Configure remote access authentication protocols. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The network configuration is shown in the exhibit.
***MISSING***
You need to configure a redundant secure Internet connection between the two offices. You install and enable Routing and Remote Access on a Windows Server 2003 computer in each office. You configure the servers to use L2TP ports for the connection. You need to ensure that the communication between the two servers is authenticated and encrypted. You must also ensure that the computer authentication attempts do not fail. What should you do next on each of the two servers?
A. Install one certificate that has the server extensions and another certificate that has the client extensions.
B. Install a single certificate that has the client extensions and the server extensions.
C. Create a remote access policy that filters on tunnel type and enforces 128-bit MPPE encryption.
D. Create a remote access policy that filters on tunnel type and enforces SPAP as the authentication method.
)ns"er: + E3#lanation9 1 installing a single certificate with both the client and the ser%er eBtensions on both of the ser%ers, would pro%ide the redundanc between the two offices with regard to a secure &nternet connection whilst ensuring authenticated and encr pted communication between the two. Incorrect ans"ers: )9 1 ha%ing separate certrificates for the ser%er and the client eBtensions, ou will not compl with with is re6uired. '9 M553 is a 12>2bit /e or -"2bit /e encr ption algorithm using R$A R.- that pro%ides for pac/et confidentialit between the remote access client and the remote access or tunnel ser%er, and it is useful where &nternet 5rotocol $ecurit *&5$ec+ is not a%ailable. 1ut it cannot be utili0ed in this case. D9 $5A5 does not support encr ption of connection data. De$erence9 Q... Mac/in, &an Mc4ean M.$AHM.$3 $elf2paced training /it *eBam G"22=1+9 &mplementing, Managing, and Maintaining a Microsoft !indows $er%er 2""3 networ/ infrastructure, Microsoft 5ress, Redmond, 2""3, pp. 1"911, 1F91; 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -2= 2 QUESTION NO: 2 You are the net"or0 administrator $or TestBing com ) !indo"s Ser/er 2==, com#uter named TestBingE runs Douting and Demote )ccess TestBing sales re#resentati/es use !indo"s @. .ro$essional #ortable com#uters You need con$igure TestBingE to allo" the sales re#resentati/es to dial in to the net"or0 Eor security #ur#oses* you "ant to im#lement mutual authentication $or all connection attem#ts and to require all dial>in users to use smart cards $or both local and dial>u# logon !hich authentication #rotocol should you use% A. .AA5 1. M$2.AA5 .. M$2.AA5 %2 D. 3A52T4$ )ns"er: D E3#lanation: The use o$ smart cards $or user authentication is the strongest $orm o$ authentication in the !indo"s Ser/er 2==, $amily Eor remote access connections* you must use E). "ith the Smart card or other certi$icate &TAS( E). 
ty#e* also 0no"n as E).>TAS E).>TAS is the only authentication method su##orted "hen

smart cards are used $or remote authentication ) #ublic 0ey in$rastructure &.BI( is required to im#lement E).>TAS A trusted certification authorit %erifies the userKs identification based on the /e the user pro%ides. A trusted certificate authorit also %erifies the identit of the remote access ser%er, to secure both ends of the communication channel. 3A5 is supported on !indows 2""", !indows <5, as well as !indows $er%er 2""3 $tandalone remote access ser%ers belong to a domain can do so. Incorrect )ns"ers: ): .AA5 will not sol%e the dilemma of the need to use smart cards for logon purposes. +: M$2.AA5 is not a mutual authentication process. ': M$2.AA5 %2 does pro%ide mutual authentication, but in this case 3A52T4$ would be more appropriate because the 6uestion also states a need to ma/e use of smart cards for both local and dial2up logon. De$erence: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -3" 2 Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd and 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, pp. F=1, F=-2F=F QUESTION NO: , You con$igure the Douting and Demote )ccess ser/ice on a ser/er named TestBing< TestBing< is connected to a modem #ool and su##ort eight simultaneous inbound connections You instruct remote users to dial on to TestBing< $rom their home com#uters TestBing comJs "ritten business #olicy states that the only client com#uter o#erating systems that should be su##orted $or dial>u# access are !indo"s ;5* !indo"s ;9* !indo"s 2=== .ro$essional* and !indo"s @. .ro$essional You need to con$igure the remote access #olicy to su##ort the most secure authentication methods #ossible You "ant to enable only the necessary authentication methods based on the su##orted client com#uters that "ill be connecting !hich authentication method or methods should you enable% 'hoose all that a##ly A. 5A5 1. 
$5A5 .. .AA5 D. M$2.AA5 ?ersion 1 3. M$2.AA5 ?ersion 2 )ns"er: D* E E3#lanation9 M$2.AA5 %2 is a mutual authentication method offering encr ption of both authentication data and connection data. ,ew cr ptographic /e is used for each connection and each direction of transmission. &t is enabled b default in !indows 2""", !indows <5, and !indows $er%er 2""3. 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -31 2 M$2.AA5 %1 is a one2wa authentication method offering encr ption of both authentication data and connection data. $ame cr ptographic /e is used in all connections. &t supports older !indows clients such as Microsoft !indows =F and Microsoft !indows =>. These two options represent the most secure authentication methods to emplo . Incorrect ans"ers: )9 5A5 is a generic authentication method that does not encr pt authentication data. User credentials are sent o%er the networ/ in plainteBt. &t does not support encr ption of connection data. +9 $5A5 is a wea/l encr pted authentication protocol offering interoperabilit with $hi%a remote networ/ing products. &t does not support encr ption of connection data. '9 .AA5is a generic authentication method offering encr ption of authentication data through the MDF hash ing scheme. &t pro%ides compatibilit with non2Microsoft clients. The group polic applied to accounts using this authentication method must be configured to store passwords using re%ersible encr ption. *5asswords must be reset after this new polic is applied.+ &t does not support encr ption of connection data. De$erence9 Q... Mac/in, &an Mc4ean M.$AHM.$3 $elf2paced training /it *eBam G"22=1+9 &mplementing, Managing, and Maintaining a Microsoft !indows $er%er 2""3 networ/ infrastructure, Microsoft 5ress, Redmond, 2""3, pp. 
10: 10-11

B: Configure Internet Authentication Service (IAS) to provide authentication for Routing and Remote Access clients. (0 Questions)

C: Configure Routing and Remote Access policies to permit or deny access. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. The functional level of testking.com is Windows Server 2003.
The sales division has 500 users. These users belong to global groups as shown in the following table.

Group name        Users                       Member of
Sales Users       All sales personnel         None
Internal Sales    Internal sales personnel    Sales Users

All sales personnel, with the exception of the employees in the Internal Sales group, are roaming users who require access to the network from remote locations.
You configure a server named TestKing13 to function as a Routing and Remote Access server. In the properties of all user accounts, you enable the Control access through remote access policy setting.
You need to configure remote access policies on TestKing13. You also need to ensure that only roaming users are able to connect to TestKing13 from remote locations.
What should you do?
A. 1. Create a remote access policy named Policy 1. On Policy 1, add the policy condition Windows-Groups matches "testking.com\Sales Users". Configure Policy 1 to allow access based on this policy condition.
   2. Create a remote access policy named Policy 2. On Policy 2, add the policy condition Windows-Groups matches "testking.com\Internal Sales". Configure Policy 2 to deny access based on this policy condition.
   3. Assign Policy 2 an order of 2. Assign Policy 1 an order of 1.
B. 1. Create a remote access policy named Policy 1. On Policy 1, add the following condition Windows-Groups matches "testking.com\Sales Users". Configure Policy 1 to allow access based on this policy condition.
   2. Create a remote access policy named Policy 2. On Policy 2, add the policy condition Windows-Groups matches "testking.com\Internal Sales". Configure Policy 2 to deny access based on this policy condition.
   3. Assign Policy 2 an order of 1. Assign Policy 1 an order of 2.
C. 1. Create a remote access policy named Policy 1.
   On Policy 1, add the policy condition Windows-Groups matches "testking.com\Sales Users".
   2. On Policy 1, add the second policy condition Windows-Groups matches "testking.com\Internal Sales".
   3. Configure Policy 1 to deny access based on these policy conditions.
D. 1. Create a remote access policy named Policy 1. On Policy 1, add the following condition Windows-Groups matches "testking.com\Sales Users".
   2. On Policy 1, add the second policy condition Windows-Groups matches "testking.com\Internal Sales".
   3. Configure Policy 1 to allow access based on these policy conditions.

Answer: B

Explanation:
You should allow remote access to members of the Sales group who are not members of the Internal Sales group. Thus, you initially have to determine if the user is a member of this group. Following this, you need to verify that the user

Incorrect Answers:
A: Part of the answer is missing. This does not represent a complete solution to the problem.
C: This will deny access to members of the Sales group and members of the Internal Sales group.
D: This will allow access to members of the Sales group and members of the Internal Sales group.

Reference:
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 383-386

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com, and two subnets.
The network contains a Windows Server 2003 computer named TestKing6. On TestKing6, Routing and Remote Access is enabled and is configured as a dial-up server. A
Windows Server 2003 computer named TestKing7 functions as a DHCP server. TestKing7 is authorized in the domain and leases 192.168.1.0/24 addresses to desktop client computers on the LAN and to TestKing6 for dial-up user connections.
On Thursday, several dial-up users report that they cannot connect to TestKing6. You open DhcpSrvLogThu.log and notice several lines that are partially shown in the following list.

15, NACK,192.168.1.107, testking6
15, NACK,192.168.1.103, testking6
15, NACK,192.168.1.104, testking6
15, NACK,192.168.1.105, testking6
15, NACK,192.168.1.106, testking6
15, NACK,192.168.1.108, testking6
15, NACK,192.168.1.110, testking6

You want the dial-up users to have successful connections, and you want to avoid disrupting the LAN.
What should you do?
A. Delete the scope and create one in the 10.0.0.0 class.
B. On TestKing7, configure the Conflict detection attempts setting to 2.
C. For the default Routing and Remote Class, create a 051 Lease scope option lease duration that uses a longer lease duration than the LAN.
D. Configure a static address pool on TestKing6 for the dial-up client computers.

Answer: D

Explanation:
Static routing provides predefined routes in a static routing table. Static routing systems don't make an attempt to discover other routers or systems on their networks. Thus if you configure a static address pool on TestKing6 for the dial-up client computers it will result in the dial-up users having successful connection without disrupting the local area network. This should work since TestKing7 is configured as the DHCP server.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp.
342, 415

QUESTION NO: 3
You are the administrator of an Active Directory domain named testking.com. All servers run Windows Server 2003. The domain contains two domain controllers named DC1 and DC2. The domain also contains two servers that run Routing and Remote Access named Testking1 and Testking2. Testking1 and Testking2 provide users with dial-up access to the corporate network.
You install a new server named Testking3. You configure Testking3 with Internet Authentication Service (IAS).
You want to centrally manage Routing and Remote Access authentication.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. On Testking1, use the Routing and Remote Access console to set the authentication provider to Windows authentication.
B. On Testking1, use the Routing and Remote Access console to set the authentication provider to RADIUS authentication.
C. On Testking2, use the Routing and Remote Access console to set the authentication provider to Windows authentication.
D. On Testking2, use Routing and Remote Access console to set the authentication provider to RADIUS authentication.
E. Configure all remote access policies on Testking3.
F. Export the local security settings from Testking3 to a security template. Import the security template into the local security settings on Testking1 and Testking2.
G. Install the Routing and Remote Access service on DC1 and DC2.

Answer: B, D, E

Explanation:
RADIUS Authentication allows you to send all authentication requests heard by your server on to a RADIUS server for approval or denial. You manage remote access policies through the Remote Access Policies folder in the RRAS snap-in.
To manage Routing and Remote Access authentication centrally, you should have the authentication provider make use of RADIUS authentication on TestKing1 and TestKing2 and then configure all the remote access policies as described in options D and E.

Incorrect answers:
A: Windows Authentication is a built-in authentication suite included with Windows Server 2003. You need an authentication that will work with RADIUS. If you want the local machine to authenticate your remote access users, then you make use of Windows authentication, but not in this case.
C: TestKing1 should have the authentication provider set up and not TestKing2. Furthermore you would need to make use of RADIUS authentication and not Windows authentication.
F: Local Security settings being exported and imported to the different servers will not result in central management of authentication.
G: This is not necessary as it will not help in centrally managing authentication.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 394-398

Part 2: Manage remote access.

A: Manage packet filters. (1 Question)

QUESTION NO: 1
You are the administrator for TestKing.com. All servers run Windows Server 2003. TestKing has a main office and three branch offices.
A server named Testking2 in one of the branch offices is configured with Routing and Remote Access. Testking2 connects the branch office to the main office by using a demand-dial connection. The demand-dial connection is used primarily to allow users to access a custom application by using port 9000 on a server in the main office.
Testking2 is configured with two network interfaces, as shown in the exhibit.
**MISSING**
You want to conserve costs by controlling what causes the demand-dial connection to be established. You only want Testking2 to use the demand-dial connection when a user requires access to the custom application by using port 9000. After the demand-dial connection is established, you will allow all traffic to be routed over the connection. You want to accomplish this by using
Routing and Remote Access on Testking2.
What should you do?
A. Create an inbound filter on the demand-dial connection to drop all traffic except for port 9000.
B. Create an outbound filter on the demand-dial connection to drop all traffic except for port 9000.
C. Create a demand-dial filter on the demand-dial connection to drop all traffic except for port 9000.
D. Create an inbound filter on the Local Area Connection to drop all traffic except for port 9000.
E. Create an outbound filter on the Local Area Connection to drop all traffic except for port 9000.

Answer: C

Explanation:
Configuring a demand-dial filter on the demand-dial connection to drop all traffic except for port 9000 would ensure that your ISDN connection is only being used when necessary, thus keeping costs to the minimum.

Incorrect Answers:
A, B: An inbound or outbound filter on the demand-dial connection will still have to deal with all traffic before it can prohibit the connection. This means that the ISDN connection is used constantly. The best way to keep costs low would be to create a filter to drop ALL traffic except for port 9000.
D, E: Whether in- or outbound filters, traffic on the local area network does not mean that you have to make use of routing and remote access. This makes these options irrelevant in this scenario.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 9, p. 502

B: Manage Routing and Remote Access routing interfaces. (1 Question)

QUESTION NO: 1
Network topology
Exhibit
You work as a network administrator at the TestKing main office in Toronto.
TestKing has several offices spread across North America. Each office has a Windows Server 2003 computer that is configured as a router. These servers relay network traffic on the internal network by using only IPSec to ensure secure delivery of network packets. Twenty ports are currently available for this network traffic. TestKing's network connections are shown in the exhibit.
You plan to configure a new secure direct network connection between the New York office and the Toronto office by using the Internet. For this secure connection, you also plan to use the same tunneling protocol that is used on the internal company network.
You need to configure the server in the New York office to route traffic to the Toronto office and to the offices. You need to ensure the fastest possible transmission of information over the new connection.
What should you do?
A. Create a new demand-dial interface that uses PPTP.
B. Create a new demand-dial interface that uses L2TP.
C. Configure an inbound IP filter for the IGMP (Internet Group Management Protocol) protocol.
D. Configure an outbound IP filter for the IGMP (Internet Group Management Protocol) protocol.

Answer: B

Explanation:
Because each office already has a Windows Server 2003 computer that is configured as a router, you can configure a demand-dial interface on each computer. These computers would then operate as a demand-dial router with the demand-dial interfaces building connections between the remote routers in the branch offices. Windows Server 2003 servers include built in L2TP/IPSec support. Using this implementation would provide the highest level of security by ensuring authentication, data confidentiality, data integrity and data origin.

Incorrect Answers:
A: Although PPTP-based VPN connections do provide data confidentiality (captured packets cannot be interpreted without the encryption key), they do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user). Thus making this option unwanted.
C: Configuring a filter on inbound traffic only as suggested in this option is not advisable when you want fast transmission of information for a secure IPSec connection with the same tunnelling protocol as the internal network.
D: Same as above. This option would also only represent half of a possible solution.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, p. 10:57
Deborah Littlejohn Shinder, Dr. Thomas W.
Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, Chapters 9 & 10

C: Manage devices and ports. (0 Questions)

D: Manage routing protocols. (4 Questions)

QUESTION NO: 1
Exhibit

Setting                     TestKingBranch1 demand dial interface    TestKingBranch2 demand dial interface
Operation mode              Periodic update mode                     Periodic update mode
Outgoing packet protocol    RIP version 2 broadcast                  RIP version 2 broadcast
Incoming packet protocol    RIP version 1 and 2                      RIP version 1 and 2

You are the network administrator for TestKing.com. TestKing.com has six branch offices named TestKingBranch1 through TestKingBranch6.
You plan to create redundant demand-dial connections between all branch offices. You will begin the implementation by configuring a demand-dial connection between TestKingBranch1 and TestKingBranch2.
You create one demand-dial interface on a Windows Server 2003 computer in TestKingBranch1 and another on a Windows Server 2003 computer in TestKingBranch2. The servers are named TestKing1 and TestKing2.
You add each demand-dial interface to the RIP protocol and configure the RIP properties for each interface as shown in the exhibit.
When you test the connection, you discover that neither server is inheriting the routes from the other server.
You need to ensure that the routes are inherited when you enable the interfaces. You also need to ensure that the routes persist on each server if a link failure occurs or if either server restarts. You need to reduce convergence time between the routers.
What should you do?
A. Configure both routers to use auto-static update mode. Configure the outgoing packet protocols as RIP version 2 broadcast. Configure the incoming packet protocols with RIP version 2 only.
B. Configure both routers to use auto-static update mode. Configure the outgoing packet protocols as RIP version 2 broadcast. Configure the incoming packet protocols with RIP version 1 only.
C. Configure both routers to use periodic update mode. Configure the outgoing packet protocols as RIP version 2 broadcast. Configure the incoming packet protocols with RIP version 2 only.
D. Configure both routers to use periodic update mode. Configure the outgoing packet protocols as RIP version 2 broadcast. Configure the incoming packet protocols with RIP version 1 only.

Answer: A

Explanation:
In auto-static update mode, the RRAS router only broadcasts the contents of its routing table when a remote router asks for it. The routes that the RRAS router learns from its RIP neighbors are marked as static routes in the routing table, and they persist until you manually delete them, even if the router is stopped and restarted or if RIP is disabled for that interface. Auto-static mode is the default for demand-dial interfaces.
The primary difference between RIPv1 and RIPv2 is the manner in which updates are routes change. RIPv2 also supports simple (e.g., plain text) username/password authentication, which is handy to prevent unwanted changes from cluttering your routing tables. RIPv2 routers also add the ability to receive triggered updates.
So, if you want to ensure that routes are inherited when you enable interfaces and that these routes persist on each server in case of link failure whilst minimizing convergence time, then option A is the solution.

Incorrect answers:
B: Making use of auto-static update mode would be correct. However the incoming packet protocol should be configured with RIP version 2 only.
C: Periodic update mode is a RIP update mode in which routing table updates are automatically sent to all other RIP routers on the internetwork. This is the wrong update mode to use when you want to satisfy the requirements of this question.
D: In this option both the update mode and the incoming packet protocol configuration that is suggested is wrong.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 417-418

QUESTION NO: 2
DRAG DROP
You are a network administrator for TestKing.com. You need to change the IP addresses and subnet masks for two Windows Server 2003 domain controllers named TestKing3 and TestKing4.
You have been allocated the public IP network address 131.107.1.0/24. You want the subnet mask on Subnet A to support 58 hosts. You want the subnet mask on Subnet B to support 28 hosts. Because you want to conserve IP addresses, you want the subnet mask for each network to allow for subnets that are close in size to the number of required hosts.
You have been assigned a default gateway of 131.107.1.1 for subnet A and a default gateway of 131.107.1.65 for subnet B.
Which IP
address and subnet mask should you configure for each of the domain controllers?
Drag and Drop

Answer:

Explanation:
A 255.255.255.224 subnet mask gives five host address bits, so the maximum number of host addresses is 2^5 - 2 = 30 host addresses. Thus this option suggests the only subnet mask that will allow for sufficient IP addresses in case of further growth, whilst still conserving as many current addresses as possible.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 62

QUESTION NO: 3
Exhibit, Network topology
Exhibit #2
You are the network administrator of TestKing.com. The TestKing.com network contains two subnets that are connected by a router. All servers run Windows Server 2003. All network hosts are manually configured with TCP/IP information. The network is configured as shown in the exhibit.
A developer named Sandra uses a computer named TestKing3 for testing. Sandra reports that she cannot access resources on a server named TestKing5. All other hosts on subnet A are able to access resources on TestKing5.
From TestKing3 you successfully ping the IP address of the router interface on the local subnet. However, you cannot ping the IP address of TestKing5 or the IP address of the router interface on subnet B.
You run the route print command on TestKing3 and receive the output shown in exhibit #2.
You need to ensure that TestKing3 can connect to TestKing5 and any other hosts on Subnet B.
What should you do?
A. Change the IP address on TestKing3 to 131.107.142.128.
B. Change the subnet mask on TestKing3 to 255.255.0.0.
C. Change the default gateway on TestKing3 to 131.107.128.1
D. Change the IP address of the router interface connecting to subnet A to 131.107.142.1
E. Change the IP address of the router interface connecting to subnet A to 131.107.194.1

Answer: C

Explanation:
The default gateway is used to route traffic between your computer and computers on different subnets. Each gateway has an IP address (to which the client sends outbound packets).
When deciding where to send packets bound for other networks, Windows Server 2003 will examine its internal TCP/IP routing table to see whether it already knows how to get packets to the destination network. If so, it uses that route. If not, it uses the default gateway. In the exhibit one sees that TestKing3 must go through the router (131.107.128.1) to connect to TestKing5.

Incorrect answers:
A: Changing the IP address on TestKing3 is not going to enable connection to TestKing5. The default gateway has to be changed.
B: It is not a subnet mask problem that is preventing Sandra from connecting to TestKing5.
D, E: There is no need to change the IP address of the router interface when all that is needed is to change the TestKing3 default gateway so as to enable Sandra to connect to TestKing5 under the given circumstances.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: (Exam: 70-291) Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 75
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 49

QUESTION NO: 4
You are the network administrator for TestKing.com. The network contains seven hardware routers and seven Windows Server 2003 routers. Each of the current hardware routers supports RIP version 1, RIP
version 2.0, and OSPF.
You are in the process of upgrading the network hardware. During the upgrade, network routes will fluctuate. You expect the final upgrades to be completed in six months. A static route connects a network stub where network hardware and software testing takes place.
You need to ensure that convergence will occur in less than five minutes as you upgrade network hardware.
Which routing protocol should you use?
A. Use RIP version 2.0. Configure the outgoing packet protocol to be RIP version 1
broadcast and the incoming packet control to be RIP version 1 and version 2.
B. Use RIP version 2. Configure the outgoing packet protocol to be RIP version 2 broadcast and the incoming packet protocol to be RIP version 2 only.
C. Use the IGMP Router and Proxy protocol.
D. Use the OSPF routing protocol and configure an area number of 0.0.0.0.

Answer: D

E: Manage Routing and Remote Access clients. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. All servers run Windows Server 2003.
You configure a server named Testking2 as a Network Address Translation (NAT) server. Testking2 has a single network adapter and a modem. Testking2 connects to the Internet through a demand-dial connection.
Users report that when they attempt to connect to Internet Web sites, they intermittently receive the following error message: "Page not found". After waiting for several minutes, they can connect to the Web sites. These errors occur throughout the day.
You need to configure Testking2 to allow users to always connect to Internet Web sites.
What should you do?
A. Set the demand-dial connection to Persistent.
B. Set the dial-out hours on the demand-dial connection to any day and any time.
C. Set a demand-dial filter. Configure the filter for Only allow the following traffic. Specify a new filter outbound port 80.
D. Configure the demand-dial interface as the private interface.

Answer: A

Explanation:
Demand-dial connection is a connection, typically using a circuit-switched wide area network (WAN) link that is initiated when data needs to be forwarded. The demand-dial connection is typically terminated when there is no traffic. To allow users to always successfully connect to the Internet you need to configure the demand-dial connection as persistent as this will prevent the problem they are currently experiencing.

Incorrect answers:
B: Setting dial-out hours does not ensure consistent connectivity.
C: TCP port 80 is used for HTTP traffic. When one sets a demand-dial filter it is just to prohibit certain types of traffic over certain ports. This is not what is required in this scenario.
D: The Internet is a Public interface and this option suggests that the demand-dial be configured as the private interface. This will not do.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 651-652
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 2
You are the network administrator for TestKing.com. The company has a high-speed Internet connection. A Windows Server 2003 computer named Server5 has Routing and Remote Access installed.
Some company employees use Windows XP Professional portable computers to connect to Server5. If these users open Internet Explorer, a dial-up connection starts and automatically connects to Server5.
All portable computers and user accounts are in the Laptops organizational unit (OU). A Group Policy object (GPO) named LaptopGPO is linked to the Laptops OU.
The network contains the additional servers shown in the following table.

Server name    Role
TestKing3      DHCP server
TestKing4      DNS server
TestKing5      Internet Web server

TestKing.com purchases two other companies. Portable computer users from the two other companies report that when they open Internet Explorer, a dial-up connection starts, but does not connect, to Server5. You find out that the portable computers are attempting to connect to old servers from the previous companies.
You add the new portable computer and user accounts to the Laptops OU.
You want all portable computer users to immediately connect to Server5 through a single dial-up connection when they open Internet Explorer. You want to accomplish this configuration with the minimum amount of administrative effort.
What should you do?
A. Add an alias (CNAME) resource record named wpad that points to TestKing5. On TestKing5 configure a wpad.dat automatic configuration file that points to a .ins configuration file. Edit the LaptopGPO GPO and select Automatically detect configuration settings in the Automatic Browser Configuration policy.
B. Edit the LaptopGPO GPO and select Enable Automatic Configuration in the Automatic Browser Configuration policy.
C. Configure a dial-up connection to Server5. Edit the LaptopGPO GPO and in the Connection Settings policy, select Import the Current Connection Settings from this machine and Delete existing Dial-up Connection Settings.
D. Configure dial-up connection settings to Server5. Export the settings to a .ins file in a shared folder for which the portable computer users have Read access. On the portable computers, import the .ins file by using a logon script.

Answer: B

Explanation:
To cut down on administrative effort a group policy modification that will enable automatic configuration will have the desired effect. Thus all you need to do is to select Enable Automatic Configuration in the Automatic Browser Configuration policy on Server5.

Incorrect Answers:
A: An Alias (CNAME) record specifies another DNS domain name for a name that is already referenced in another resource record. This is not what the question asks for. Only the latter part of the option is correct.
C: The problem is not so much the connection settings from the machine, but rather a case of old non-existent servers of the previous company. You do not need to configure a dial-up connection to Server5.
All that is necessary is to edit the LaptopGPO and enable automatic configuration. Everything else that is needed is already in place.
D: This option suggests too much administrative effort. All that is needed is to edit the LaptopGPO and enable automatic configuration.

Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 3

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.
The network contains a server named TestKing7 that runs the Routing and Remote Access service. Users connect to TestKing7 by using VPNs through the Internet at any time of day.
The company's written security policy states that you must collect information about all VPN connections to the network. This information includes when users logged on, how long they were connected, and how much data was sent across the VPN connection.
You need to configure TestKing7 to collect the required information.
What should you do?
A. Configure RRAS login on TestKing7 to log all events. Archive the system log on TestKing7.
B. Configure an audit policy on the Domain Controllers OU. Audit all successful logon connections to the network.
C. Use the Routing and Remote Access console to monitor the remote access client list.
D. Use the Routing and Remote Access console to monitor the ports list.

Answer: A

Explanation:
The scenario described above mentions that server TestKing7 runs RRAS and since users make use of TestKing7 through VPN to connect to the Internet, you should configure RRAS login to log all events and archive the system log on TestKing7.

Incorrect answers:
B: Configuring audit policy and auditing all successful logon connections to the network will only yield half of the information that is requested.
C, D: The Routing and Remote Access console will yield information regarding routing. The information required in this question is for information about the VPN connections.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows
$er%er 2""3, $ beB &nc. Alameda, 2""3, p. 2;2 5art 39 Manage T.5H&5 routing. 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -F2 2 A9 Manage routing protocols.*" :uestions+ 19 Manage routing tables.*3 :uestions+ QUESTION NO: < You are the net"or0 administrator $or TestBing com TestBing has a main o$$ice and $our branch o$$ices TestBingJs net"or0 is con$igured a sho"n in the e3hibit You need to establish net"or0 connecti/ity bet"een the main o$$ice and +ranch4 In the main o$$ice* you con$igure a ser/er named Test0ing<* "hich has Douting and Demote )ccess installed* to be a demand>dial router You need to ensure that com#uters in only the main o$$ice can initiate a connection to +ranch4 on Test0ing< You con$igure the in#ut I. #ac0et $ilters on Test0ing< to dro# all tra$$ic e3ce#t tra$$ic $rom +ranch4 You analy1e the net"or0 tra$$ic to Test0ing< and disco/er that Test0ing< is still initiating connections $rom ser/ers in other branch o$$ices 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -F3 2 You need to ensure that Test0ing< does not initiate any connections $rom ser/ers in the other branch o$$ices !hat should you do% A. (or the demand2dial interface, set a filter that has a source address of 1=2.1;>.1." and a subnet mas/ of 2FF.2FF.2FF.2FF. 1. (or the demand2dial interface, set a filter that has a source address of 1=2.1;>.1." and a subnet mas/ of 2FF.2FF.2FF.". .. Add the demand2dial interface to the ,ATH1asic (irewall ob)ect. Add an address pool of 1=2.1;>.1." 1=2.1;>.1.2F- with a subnet mas/ of 2FF.2FF.2FF.2FF. D. Add the demand2dial interface to the ,ATH1asic (irewall ob)ect. Add an address pool of 1=2.1;>.1." 1=2.1;>.1.2F- with a subnet mas/ of 2FF.2FF.2FF." )ns"er: + E3#lanation9 Iou need to pre%ent Test/ing1 from initiating an connections from ser%ers in the other branch offices and onl computers in the main office can initiate a connection to 1ranch- on Test/ing1. 
Since there is already a filter on input IP packets on Testking1 to drop all traffic except from Branch4, you only need to set a filter with source address of 192.168.1.0 and a subnet mask of 255.255.255.0.

Incorrect answers:
A: The filter has to be set for source address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the demand-dial interface and not for the 255.255.255.255 subnet mask.
C, D: This will not prevent Testking1 from initiating any connections from servers in the other branch offices to Branch4.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Chapter 9, p. 72

QUESTION NO: 2

Exhibit, Network Topology

You are the network administrator for TestKing.com. The network consists of two subnets and two routers as shown in the exhibit. While monitoring the network, you notice that the network utilization on router TestKing2 is near capacity. The network utilization on router TestKing1 is very low. You need to configure TestKingC to ensure that it can still communicate with hosts on the Internet while using minimum number of hops. You also need to ensure that TestKingC will communicate with the client computers in the 10.9.8.0 subnet by using router TestKing1. Which two actions should you perform on TestKingC? (Each correct answer presents part of the solution. Choose two)

A. From a command prompt, type: route -p add 10.9.8.0 mask 255.255.255.0 10.9.9.254 metric 1
B. From a command prompt, type: route -p add 10.9.8.0 mask 255.255.255.0 10.9.9.1 metric 1
C. From a command prompt, type: route -p add 0.0.0.0 mask 0.0.0.0 10.9.9.254 metric 1
D. From a command prompt, type: route -p add 0.0.0.0 mask 0.0.0.0 10.9.9.1 metric 1

Answer: B, C

Explanation: When adding routes, it's important to remember that these are temporary additions to the routing table. When the computer is rebooted, these additions are erased. To make a permanent or persistent entry in the routing table, use the -p parameter. Adding the -p switch to the Route Add command makes the static route persistent, which means it remains even after the router is rebooted. It makes the route permanent. Making use of options B and C will ensure that TestKingC can communicate with client computers in the 10.9.8.0 subnet by using the TestKing1 router and still communicate with hosts on the Internet.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 15, p. 9:27

QUESTION NO: 3

Exhibit, Network Topology

Exhibit, Tracert output

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The TestKing.com network consists of three subnets. The subnets are connected by two Cisco hardware routers. Each subnet contains one Windows Server 2003 computer with the Routing and Remote Access service enabled and configured. The relevant portion of the network is configured as shown in the Topology exhibit. Users in the 192.168.30.0/24 subnet report that they cannot access resources on TestKing1. You verify that TestKing1 and TestKing2 can connect to each other. You run the tracert command on TestKing3 and view the output shown in the Tracert exhibit. You need to ensure that users on all three segments of the network can access resources on TestKing1. What should you do?

A. Modify the route to the 192.168.30.0 network in the routing table on router TestKingA.
B. Modify the route to the 192.168.10.0 network in the routing table on router TestKingB.
C. Modify the route to the 192.168.30.0 network in the routing table on server TestKing1.
D. Modify the route to the 192.168.10.0 network in the routing table on server TestKing2.
E. Modify the route to the 192.168.10.0 network in the routing table on server TestKing3.

Answer: B

Explanation: When deciding where to send packets bound for other networks, Windows Server 2003 will examine its internal TCP/IP routing table to see whether it already knows how to get packets to the destination network. If so, it uses that route. If not, it uses the default gateway. In this case however, you need to route 192.168.10.1 in the routing table of the TestKingB router. That will ensure that all three segments will have accessibility to resources on TestKing1.

Incorrect answers:
A: The modification to the routing table should be on the router of TestKingB and not TestKingA.
C, D & E: You should be modifying the route (irrespective of the various options posted by these three options) in the routing table on the TestKingB router and not on the server TestKing1, TestKing2 or TestKing3.

Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 49

C: Manage routing ports. (0 Questions)

Part 4: Implement secure access between private networks.
A: Troubleshoot user access to remote access services. (8 Questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. TestKing has a main office and several branch offices. You work in the main office. The network contains Windows Server 2003 computers and Windows XP Professional computers. A user named Katherine works in a branch office. She reports that her client computer cannot connect to a remote VPN server. You suspect that her client computer did not receive a recent hotfix. You need to verify which hotfixes are installed on Katherine's computer. What should you do?

A. From a command prompt, run the update.exe command.
B. From a command prompt, run the wmic qfe command.
C. View the History-synch.xml file.
D. View the History-approve.xml file.

Answer: B

Explanation: WMIC extends WMI for operation from several command-line interfaces and through batch scripts. WMI is a WBEM-compliant utility for accessing management information in a network. Its command line interface is WMIC. WMIC uses aliases, switches, verbs and parameters to obtain information from a computer system. Because WMIC can connect to any computer remotely, Administrators can perform remote administration with WMI and WMIC. This is the ideal solution to determine which hotfixes are installed on Katherine's computer.

Incorrect Options:
A: hotfixes has already been installed.
C: Viewing the History-synch.xml file does not necessarily synchronize the server and have connecting ability with the VPN server. It just gives you the ability to view the synchronization log.
D: Viewing the History-approve.xml file will not enable Katherine to connect to the VPN server. It is the approval log that you will be viewing.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 207
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, 2003, Chapter 12, p. 495

QUESTION NO: 2

You are the network administrator for Testking.com. The network consists of a single Active Directory forest named testking.com. The functional level of the forest is Windows Server 2003. The network contains a Windows Server 2003 computer named TestKing1 that functions as a VPN server. You set the remote access permissions for members of the TestKing\Domain Admins group and the TestKing\Sales group in Active Directory to Control Access through Remote Access Policy. The remote access permissions in Active Directory are not standardized for users who are not members of the TestKing\Domain Admins group and the TestKing\Sales group. You create three remote access policies as shown in the following table.

Policy name | Order | Condition | Permission
All Users | 1 | Day-And-Time-Restrictions Any Time | Deny
Admin | 2 | Windows-Group matches TestKing\Domain Admins | Allow
Sales | 3 | Windows-Group matches TestKing\Sales |

You need to ensure that only members of the TestKing\Domain Admins group and TestKing\Sales group can establish a VPN connection to TestKing1. What should you do?

A. Add the following policy condition to the All Users Policy: Windows-Group matches "TestKing\Domain Users."
B. Change the policy order to Admin-1, All Users-2, Sales-3.
C. Change the Remote Access Permission in Active Directory to Allow for all members of the TestKing\Domain Admins and the TestKing\Sales group.
D. Delete the All Users policy.

Answer: D

Explanation: A virtual private network (VPN) is the extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet.
In this server environment, only Allow Access and Deny Access remote access permissions are available for user accounts. In this case, the Allow Access setting is the default and is the equivalent of the Control Access Through Remote Access Policy setting in all other server environments. No setting at this functional level allows you to override user-level remote access permissions in remote access policies. Note that by default the Remote Access Permission is set to Deny Access. Thus if you are to delete the restrictive All Users policy whose order is first, then you will enable the members of the TestKing\Domain Admins group and the TestKing\Sales group to establish VPN connections to TestKing1.

Incorrect answers:
A: In this scenario there is no need to add further policy conditions to the All Users Policy. In fact it needs to be deleted since it is taking priority due to its order ranking.
B: Shifting the policy order around is not going to enable the members of the TestKing\Domain Admins group and the TestKing\Sales group to establish VPN connections to TestKing1.
C: Even if you changed the Remote Access Permission in Active Directory to Allow, the All Users policy would still take preference since it is first in the policy order ranking. You need to delete the All Users policy.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 10, p. 26

QUESTION NO: 3

You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named TestKing3, which runs Internet Authentication Service (IAS). Three VPN servers are located in branch offices at IP addresses 131.107.10.5, 131.107.9.4, and 131.107.8.3. You expect no more than 30 concurrent connections per VPN server. All VPN servers receive the same settings when they dial in. In the existing remote access policy, the Minutes clients can be connected (Session-Timeout) setting has a dial-in constraint of 10 minutes. You do not have a certification authority (CA) on the network. When users attempt to connect to one of the VPN servers, you want each VPN server to implement a different dial-in constraint for the Minutes clients can be connected (Session-Timeout) setting. What should you do?

A. Configure a separate remote access policy for each VPN server. On TestKing3, configure a Client-IP-Address policy condition for each VPN policy.
B. Configure a separate remote access policy for each VPN server. On TestKing3, configure an L2TP Tunnel-Type remote access policy condition for each VPN policy. On each VPN server, configure L2TP ports with the server's IP address in the Phone number for this device setting.
C. Configure a single remote access policy. On each VPN server, configure PPTP ports with the server's IP address in the Phone number for this device setting.
D. Configure a single remote access policy. On each VPN server, configure L2TP ports with the server's IP address in the Phone number for this device setting.
Answer: A

Explanation: IAS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy, which provides authentication and accounting for network access. You should be configuring a separate remote access policy for each VPN server. Since TestKing3 runs Internet Authentication service, you should configure a Client-IP-Address policy condition for each VPN policy on it.

Incorrect answers:
B: Configuring a separate remote access policy for each VPN server is correct. But you should be configuring a Client-IP-Address policy condition for each VPN policy on TestKing3 and not L2TP Tunnel-type remote access policy conditions.
C, D: Using a single remote access policy will not ensure that each VPN server implements a different dial-in constraint. Whether it is PPTP ports or L2TP ports that are configured with the server's IP address, it will not work in this case.

Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 4

You are the administrator of an Active Directory domain. All servers run Windows Server 2003. A server named Testking1 is configured with Routing and Remote Access. Testking1 is configured to give members of the Domain Admins group VPN access to the corporate network. The dial-in permission for all user accounts in Active Directory is set to Control Access through Remote Access Policy. A single remote access policy is configured on Testking1. The remote access policy is configured as shown in the following table.

Name | Condition | Permission
Admin RRAS Policy | Windows-Groups matches Domain Admins | Allow

TestKing's written security policy states that all corporate executives should be allowed VPN access to the network. All executives are members of a group named ExecutiveVPN. You need to provide all executives with VPN access to the network. Members of the Domain Admins group must continue to have VPN access. No other users should be allowed VPN access to the network. What should you do?

A. Create a new remote access policy that has the condition of Windows-Groups matches "Domain Users". Set the permission on the policy to Deny and configure the policy order to 1.
B. Create a new remote access policy that has the condition of Windows-Groups matches "ExecutiveVPN". Set the permission on the policy to Allow and configure the policy order to 2.
C. Create a new remote access policy that has the condition of Windows-Groups matches "Domain Users". Set the permission on the policy to Allow and configure the policy order to 2.
D. Create a new remote access policy that has the condition of Windows-Groups matches "ExecutiveVPN". Set the permission on the policy to Deny and configure the policy order to 2.
E. On the properties of all user accounts except for the accounts of users who are members of the Domain Admins group, set the dial-in permission to Deny.

Answer: B

Explanation: A remote access policy is a set of rules that are used to determine access rights or permissions for remote users and hosts. You basically define rules with conditions, which the system in turn evaluates to ascertain whether a particular user can connect or not. When two or multiple policies exist, the policies are evaluated according to the order that you specify. Therefore, creating a new remote access policy that has the condition of Windows-Groups matches "ExecutiveVPN", and then setting the permission on the policy to Allow with a policy order of 2 would provide executives with VPN access to the network.

Incorrect Answers:
A: With the permission setting on Deny you will not be granting the proper permissions. Secondly, the new remote access policy Windows-Groups conditions should match the Executive VPN and not Domain Users.
C: The permission set to Allow is correct. However, the new remote access policy Windows-Groups conditions should match the Executive VPN and not Domain Users.
D: All executives must be provided VPN access to the network and Denying them will thus not work.
E: Members of the Domain Admins group must continue to have VPN access. Thus setting the dial-in permission to Deny will not have the desired effect.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 10, pp. 587 - 593

QUESTION NO: 5

You are an administrator of a single Active Directory forest that contains one domain. All servers run Windows Server 2003. A server named Testking1 is configured with Routing and Remote Access. Testking1 is configured to allow only inbound VPN connections that use L2TP. You assign the Server (Request Security) IPSec policy on Testking1. You configure the policy to use Kerberos and certificates for authentication. From a Windows XP Professional computer named ClientTK1, which does not belong to the domain, you attempt to establish a VPN connection to Testking1 and receive the error message shown in the exhibit. You verify that the VPN ports on Testking1 are not being blocked by any intermediate devices. You need to configure ClientTK1 to allow it to establish a VPN connection to Testking1. What should you do?

A. Assign the Client (Respond Only) IPSec policy.
B. Assign the Server (Request Security) IPSec policy.
C. Install a valid IPSec certificate in the local machine store.
D. Configure the VPN connection so that only L2TP IPSec VPN is enabled.

Answer: C

Explanation: L2TP/IPSec requires a certificate infrastructure or a preshared key to issue computer certificates to the VPN server and all VPN clients. Machine certificates are digital certificates issued to machines instead of users. They allow each end of the connection to authenticate the computers involved. Machine endpoints are authenticated before the VPN client ever sends an authentication request. Machine level authentication is a prerequisite step for a L2TP VPN. You can manually enroll machines by using the certificate authority tools to request a computer certificate for each machine that needs one. Alternatively, you force the CA to issue a certificate to the VPN server. This is done by restarting the VPN server or refreshing the local security policy.

Incorrect Answers:
A: Client (Respond Only) is used for computers that should not secure communications most of the time, but if requested to set up a secure communication, they can respond. By assigning the Client (Respond Only) IPSec policy you will not allow the establishment of a VPN connection to Testking1.
B: Server (Request Security) is used for computers that should secure communications most of the time. In this policy, the computer accepts unsecured traffic but always attempts to secure additional communications by requesting security from the original sender. Thus by assigning this setting you will not accomplish your goal of allowing the establishment of a VPN connection to Testking1.
D: To enable only L2TP IPSec VPN will not work as Testking1 is configured to allow only inbound VPN connections that make use of L2TP and there are two ends to a connection.

Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 10, pp. 619 - 220

QUESTION NO: 6

The network contains a server named RRAS1 that runs the Routing and Remote Access service. Users connect to RRAS1 by using VPNs through the Internet. RRAS1 is configured to support VPN connections by using both PPTP and L2TP. TestKing management informs you that support for PPTP will be phased out over the next two months. You enable all of TestKing's portable computers to use L2TP to connect to RRAS1. However, some users also access RRAS1 by using their home computers. The home computers must be enabled for L2TP. You need to view the current VPN connections to RRAS1 to find out which users are connecting to the server by using PPTP. What should you do?

A. Configure auditing in the local security policy on RRAS1 to log all logon events.
B. Configure an audit policy on the Domain Controllers organizational unit (OU). Audit all successful logons to the network.
C. Use the Routing and Remote Access console to review the remote access clients list.
D. Use the Routing and Remote Access console to review the properties for each active PPTP port.

Answer: D

Explanation: You can use a number of tools with the Routing and Remote Access management console to manage remote access clients. The management console provides administrators with a quick and easy way of viewing which clients are currently connected to a remote access server. To do so, click the Remote Access Clients container listed under your remote access server. The left pane displays the users currently connected. You can view status information for specific users by right-clicking their username and clicking the Status option. You can also disconnect a specific user by right-clicking the username and selecting the Disconnect option.

Incorrect answers:
A: Logging all logon events is not just a schlep, but it will also not reveal to you current VPN connections to RRAS1 to check who uses the PPTP port.
B: This option will result in all the logons being audited and not just the current VPN connections to RRAS1 to check who uses the PPTP port.
C: This option can also work, but this would only be half a solution whereas if you could review the properties for each active PPTP port, you would be doing it properly.

Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 7

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. A Windows Server 2003 computer named RRAS1 functions as the Routing and Remote Access server. RRAS1.testking.com is located in the company's main office. One hundred managers dial in to RRAS1 from Windows XP Professional computers in company retail stores to submit sales reports. The managers' dial-in permissions are set to control access through Remote Access Policy. These dial-up connections occur every day, Monday through Friday, between 4:00 P.M. and 6:00 P.M.
The reports take no more than one hour to complete. You want to narrow the opportunity for unauthorized attempts to access RRAS1. On Thursday night, you ask another administrator to configure the appropriate time restriction settings. On Friday, store managers report that they are unable to connect to RRAS1. RRAS1 contains only one remote access policy. The policy is configured to Grant remote access permission. In the policy's conditions, in the Time of day constraints, you see the configuration shown in the Policy Condition exhibit. The policy profile dial-in constraint is configured to allow access as shown in the Policy Profile exhibit. You need to ensure that store managers are able to dial in to RRAS1 to submit their sales reports. What should you do?

A. Change the policy profile dial-in constraint for the Allow access only on these days and at these times setting to Monday through Friday from 4:00 P.M. to 10:00 P.M.
B. Change the policy condition Time of day constraints to All.
C. Change the policy condition Time of day constraints to Monday through Friday from 4:00 P.M. to 12:00 A.M.
D. Configure the Windows XP computers to Automatically synchronize with an Internet time server to ensure that their clocks differ by no more than five minutes from the Coordinated Universal Time on RRAS1.

Answer: C

Explanation: The policy condition Time of day constraints are set to restrict access to between 4AM and 6AM. This needs to be changed to allow access between 4:00pm and 6:00pm (plus one hour for the reports to complete). Changing the policy condition Time of day constraints to Monday through Friday from 4:00 P.M. to 12:00 A.M. will accomplish this.

QUESTION NO: 8 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The forest contains three domains named testking.com, sales.testking.com, and marketing.testking.com. The relevant portion of the forest is shown in the work area below. The current Master Operation roles held by each domain controller are shown in the following table. Users in the sales.testking.com report that they are unable to access resources in marketing.testking.com. The network security administrator discovers that Kerberos authentication is failing because of a time synchronization error. You need to identify the servers that are providing time synchronization services to the client computers in each child domain. Which servers should you identify? To answer, drag the appropriate server to the corresponding child domain. You can use a server name more than once.

Answer:

Explanation: Kerberos by default rejects authentication when time synchronization errors occur. By default, the first domain controller on each domain is the NTP server for that domain. The first domain controller in a domain is by default also the PDC emulator. Therefore, we can deduce that Testking1 is the NTP server for the testking.com domain. You can configure the domain controllers in each child domain to synchronize time with the root domain:

net time \\server2 /domain:contoso.com /setsntp:server1.testking.com
net time \\server3 /domain:sales.contoso.com /setsntp:server1.testking.com
net time \\server4 /domain:marketing.contoso.com /setsntp:server1.testking.com

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 297

B: Diagnose and resolve issues related to remote access VPNs. (5 Questions)

QUESTION NO: 1

You administer a Windows Server 2003 computer named TestKingC which functions as a DHCP server. TestKingC is configured to lease addresses in the 10.40.30.1 - 10.40.30.254 range. All addresses in this scope are reserved for computers on the internal network. Another scope is configured to lease addresses in the 131.107.20.1 - 131.107.20.254 range. This scope is intended to provide addresses for Routing and Remote Access clients. You configure a new Windows Server 2003 computer named TestKingD to function as a Remote Access server for VPN connections. Users will connect to TestKingD by using PPTP. TestKingD is configured to assign IP addresses to Routing and Remote Access clients by using DHCP. The relevant portion of the network is shown in the following diagram. You connect to TestKingD from a remote test computer by using a PPTP connection. The test computer successfully pings TestKingD. However, when you run the ping command to connect to other computers on the internal network, you are unsuccessful. You need to be able to access resources on the internal network from client computers that are connected to TestKingD by a VPN connection. How should you configure Routing and Remote Access on TestKingD?

A. Enable the RIP protocol, and assign the demand-dial interface to it.
B. Enable LAN and demand-dial routing.
C. Configure the PPTP ports to allow demand-dial routing connections.
D. Create a static address pool in the 131.107.20.1/24 range.

Answer: B

Explanation: To enable Routing And Remote Access for demand-dial routing, you have to select the LAN And Demand-Dial Routing option on TestKingD. This is necessary to link the remote network with your LAN.

Incorrect Answers:
A: Enabling RIP Protocol and assigning the demand-dial interface to it will not work in this scenario.
C: Allowing demand-dial routing connections by configuring the PPTP ports will not work as you need to activate the LAN And Demand-Dial Routing option on TestkingD.
D: The creation of a static address pool in that particular range will not allow you to accomplish your task. You need to link the remote network with the local area network.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Chapter 9, Syngress Publishing Inc., Rockland, 2003, pp. 511, 712

QUESTION NO: 2

You are the network administrator for TestKing. A new Windows Server 2003 computer named TestKing6 is located in a small branch office. TestKing6 runs third-party update software and needs to connect to the Internet to download software updates. TestKing6 distributes the updates to Windows XP Professional client computers in the branch office. You configure TestKing6 so that when you double-click the Internet Explorer icon, a VPN dial-up connection to the main office automatically starts. You want TestKing6 to access the Internet through a Microsoft Internet Security and Acceleration (ISA) Server computer named ISA1 in the main office. ISA1 uses IP address 131.107.68.92 on the Internet and is also the Routing and Remote Access server to the LAN. The ISA1 LAN interface uses IP address 10.10.0.1. Inbound VPN connections receive 10.10.0.0 IP addresses. Client computers can connect to the Internet only through ISA1. ISA1 has dynamically updated host (A) resource records for both ISA1 interfaces. On TestKing6, you double-click the Internet Explorer icon to initiate an Internet connection. TestKing6 successfully establishes a VPN connection to ISA1, but cannot connect to the Internet. The Internet Explorer settings for the VPN dial-up connection are shown in the exhibit. Some users on other VPN connections to ISA1 report that they can connect to the Internet, and other users report that they cannot. You want TestKing6 and all other VPN connections to ISA1 to consistently connect to the Internet. What should you do?

A. In the Internet Explorer settings for the VPN dial-up connection on TestKing6, select the Bypass proxy server for local addresses check box.
B. In the Internet Explorer settings for the VPN dial-up connection on TestKing6, enter 10.10.0.1 for the proxy server address.
C. In the Internet Explorer settings for the VPN dial-up connection on TestKing6, select the Automatically detect settings check box.
D. On the network properties for the 131.107.68.92 connection on ISA1, clear the Register this connection's addresses in DNS check box.

Answer: D

Explanation: The address of the proxy server is ISA1 and needs to be resolved by making use of DNS. The question states that ISA1 has dynamically updated host (A) resource records for both ISA1 interfaces. Thus when you query DNS for the IP address of ISA1 you could receive the IP address of the external interface, or the IP address of the internal interface. You should clear the Register this connection's addresses in DNS check box for the external interface of ISA1 because you only want the IP address of the internal interface.

Incorrect answers:
A: Selecting the Bypass proxy server for local addresses option would reduce traffic to the ISA server because only data that is intended for an external address would be sent to the ISA Server. This will not correct the problem of inconsistent connections.
B: This approach of making the proxy server address 10.10.0.1 relates only to TestKing6. The requirement is that TestKing6 and all other VPN connections to ISA1 should consistently connect to the Internet.
C: This approach too only involves TestKing6, and not all the clients. The other users will still be facing the same problem of inconsistent connections.

Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 359

QUESTION NO: 3

You are the network administrator for TestKing.com. The network serves a main office and one branch office. Both offices are configured to route traffic to the Internet. A Windows Server 2003 computer named Testking1 is located in the main office. A Windows 2003 computer named Testking2 is located in the branch office. You need to create an Internet connection between the main office and the branch office. You also need to ensure that the connection meets the following requirements:

1. Provides the highest possible level of encryption for traffic between the two offices
2. Provides mutual authentication between the two servers
3. Requires no additional hardware or software

Which connection or connections should you configure? (Choose all that apply)

A. An L2TP VPN connection.
B. A PPTP VPN connection.
C. A PPP over Ethernet (PPPoE) connection.
D. An IPSec tunnel.

Answer: A, D

Explanation: A virtual private network (VPN) is a private network of computers that is at least partially connected using public channels or lines, such as the Internet. The two protocols used for accessing a VPN server are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). VPNs use encryption and secure protocols such as PPTP and L2TP to ensure that unauthorized parties do not intercept data transmissions. L2TP uses IPSec for data encryption, thus you would also make use of an IPSec tunnel. This should ensure that you get the highest possible level of encryption for traffic between the two offices and mutual authentication, without necessitating additional hardware or software.

Incorrect answers:
B: PPTP is used over a PPP connection on an IP based network to create a secure tunnel.
C: This is an IP based network and making use of PPP over Point-to-Point Protocol over Ethernet (PPPoE) will not work. Thus this option is not the answer.

Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 4
You are the network administrator for TestKing.com. The network contains 400 Windows XP Professional computers and a Windows Server 2003 computer that runs Microsoft Internet Security and Acceleration (ISA) Server. Three hundred employees work from remote locations. These users dial in to the company LAN to establish an Internet connection and then use a VPN connection to connect to a Windows Server 2003 computer named TESTKINGRAS. Internet access speeds among the dial-in users range from 28.8 Kbps to 3 Mbps. The proxy server logs a higher level of Internet activity when the dial-in users connect. The DNS server forwards DNS queries to two Internet service provider (ISP) DNS servers. Regardless of Internet access speed, dial-in users report that local Web browsing for public Internet pages slows dramatically whenever they establish a VPN connection to TESTKINGRAS. You run a network monitoring utility and verify that the LAN bandwidth utilization is within acceptable limits. You need to resolve the slow Internet performance issue. You plan to use the Connection Manager Administration Kit wizard to configure all the dial-in user connections. What should you do?

A. Configure the Internet Explorer LAN settings to Automatically detect settings.
B. In the TCP/IP settings for each VPN client connection, add the DNS IP addresses of the two DNS servers hosted by the ISP as the primary DNS address.
C. In the TCP/IP settings for each VPN client connection, add the DNS IP address of TestKing's DNS server as the primary DNS address.
D. In the TCP/IP settings for each VPN client connection, clear the Make this connection the client's default gateway check box.

Answer: D

Explanation: When the users dial into the network, they use the LAN router as their default gateway to access the Internet. However, when they connect to the VPN server, the VPN server becomes the clients' default gateway. This indicates that all Internet traffic is moving through the VPN server. To prevent this from occurring, configure the TCP/IP settings for each VPN client connection by clearing the Make this connection the client's default gateway check box.

Incorrect Answers:
A: You should prevent all Internet traffic moving through the VPN server, thus you need to reconfigure the TCP/IP settings for the VPN client connections, not the LAN Internet Explorer settings.
B, C: Adding DNS IP addresses as primary DNS addresses, whether it is of the two DNS servers hosted by the ISP or the TestKing DNS server, will not serve the same purpose as clearing the Make this connection the client's default gateway check box. Thus these options will not work.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 73

QUESTION NO: 5
Exhibit, Network Topology
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKing.com has a main office and one branch office. The perimeter networks for each office are configured as shown in the exhibit. You configure an L2TP/IPSec VPN tunnel between TestKing1 and Testking2. You also configure and assign an IPSec policy named TestKingIPSec that requires secure communications. You need to ensure that no unsecured traffic from the Internet reaches the internal network through this VPN. You also need to ensure that access to the VPN servers from their respective internal networks is not disrupted. What should you do?

A. Configure input and output L2TP/IPSec packet filters on the internal interfaces on Testking1 and TestKing2.
B. Configure input and output L2TP/IPSec packet filters on the external interfaces on Testking1 and TestKing2.
C. In the properties of RASIPSec, edit the All IP Traffic IP Filter list to include the IP addresses for only TestKing1 and TestKing2.
D. In the properties of RASIPSec, edit the All ICMP Traffic IP Filter list to include the IP addresses for only TestKing1 and TestKing2.

Answer: B

Explanation: Packet filtering is a technology that filters what type of traffic is allowed into and out of the router. One of the most useful features in RRAS is its ability to selectively filter TCP/IP packets in both directions. You can construct filters that allow or deny traffic into or out of your network based on rules that specify source and destination addresses and ports. The basic idea behind packet filtering is simple: You specify filter rules and incoming packets are measured against those rules. You have two choices: Accept all packets except those prohibited by a rule or drop all packets except those permitted by a rule. Filters are normally used to block out undesirable traffic. In general, the idea is to keep out packets that your machines shouldn't see. If you want to ensure that no unsecured traffic from the Internet reaches your internal network through the VPN whilst ensuring access to the VPN servers from their respective internal networks, then you should configure input and output L2TP/IPSec packet filters on the external interfaces on both TestKing1 and TestKing2.

Incorrect answers:
A: The filters should be configured on the external interfaces of both TestKing1 and TestKing2 and not on the internal interfaces.
C & D: Editing the All IP Traffic IP Filter to include the TestKing1 and TestKing2 IP addresses is not going to address the problem that you are trying to avoid. Neither will editing the All ICMP traffic IP Filter list.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 422, 447

C: Diagnose and resolve issues related to establishing a remote access connection. (3 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. On a server named Testking1, you configure Routing and Remote Access to be a VPN server. Testking1 is configured to use only the TCP/IP protocol. Each day, a vendor establishes a VPN connection to Testking1 and uploads data to Testking1. Only the vendor has remote access permissions for Testking1. You discover that the vendor has accessed other computers on the network. You need to prevent the vendor from gaining access to the network to which Testking1 is connected. What should you do?

A. From a command prompt on Testking1, run the route -p command.
B. Create a remote access policy for the vendor. Add the NAS-Port-Type matches Virtual (VPN) condition for incoming connection requests to the remote access policy.
C. Open the Routing and Remote Access console on Testking1. Clear the Multilink connections check box in the server properties.
D. Open the Routing and Remote Access console on Testking1. Clear the Enable IP routing check box in the server properties.

Answer: D

Explanation: The Enable IP Routing checkbox regulates whether RRAS will route IP packets between a remote client and the other interfaces on a RRAS server. Therefore, when the option is enabled, a packet of a remote client can move to any host to which the RRAS server has a route. The option is enabled by default. Clear the Enable IP routing check box in the server properties to restrict the vendor to accessing resources on only the RRAS server. By clearing this checkbox you disable the vendor accessing the other computers on the network without denying the vendor access to Testking1.

Incorrect Answers:
A: Running the route -p command is to create a persistent routing table entry. This is exactly what you want to avoid.
B: This is unnecessary when all you need to do is access the Routing and Remote Access console and clear the Enable IP Routing check box.
C: Clearing the Multilink connections check box will not stop the vendor from being able to access the other computers that Testking1 is linked to.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 135
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 10, p. 600

QUESTION NO: 2
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains two Windows Server 2003 computers named TestKing5 and TestKing6. You configure TestKing6 as a VPN server. You need to configure a secure remote PPTP connection to TestKing6. The connection will be used by users who connect to the TestKing.com network when they work from home. These users are members of the domain and use Windows XP Professional computers. You will require these users to use smart cards for remote access. You create a global group named Home Users and add the appropriate users to that group. You install and configure Certificate Services on TestKing5, and you enrol the smart cards. You need to protect the remote connection from malicious users on the Internet. You need to ensure that TestKing6 receives VPN traffic from only members of the Home users group. You also need to minimize the effort required by members of the Home Users group to configure their connections. What should you do on TestKing6? To answer, drag the appropriate action or actions to the work area. Order is not important.

Drag and Drop

Answer:

Explanation: In the question it was not necessary to put them in the right order.
Extensible Authentication Protocol (EAP) is a protocol that allows third parties to write modules that implement new authentication methods and retrofit them to fielded servers.

MS-CHAP v2 authentication. The process begins with a challenge, consisting of a session ID and a challenge string, sent from the remote access server (also called the authenticator) to the remote client. The remote client responds with the username, a peer challenge, the received challenge string, the session identifier, and the user's password. These last three are in encrypted format. The remote access server checks the client responses and replies with a success or failure indication and an authentication response based on the sent challenge, the peer challenge, the encrypted response of the client, and the user's password. The client then verifies the authentication response of the server and completes the connection if the response is correct. If the client receives an invalid response from the remote access server, the connection is dropped. This two-way, mutual authentication process ensures authenticity of the client and server.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 395
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: (Exam: 70-291) Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 593

QUESTION NO: 3
Exhibit, Network Topology
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The company has a main office in New York and one branch office in Los Angeles. The perimeter networks for each office are configured as shown in the exhibit. TestKing1 and TestKing2 are each configured with a dedicated external connection to the Internet. You need to configure a private network that allows for Internet-based communication between the main office servers and client computers and between the branch office servers and client computers. You also need to ensure that this communication is secured by using IPSec encryption. Which two actions should you perform? Each correct answer presents part of the solution. Select two.

A. Configure a VPN connection between TestKing1 and TestKing2 that uses the L2TP tunnelling protocol.
B. Configure a VPN connection between TestKing1 and TestKing2 that uses the PPTP tunnelling protocol.
C. Install and configure a certification authority (CA) in the Active Directory domain.
D. Install a third-party S/MIME certificate on TestKing1 and TestKing2.
E. For each perimeter network server, configure a remote access policy to require the use of the EAP-TLS authentication protocol.

Answer: A, C

Explanation: A virtual private network (VPN) is a private network that uses links across private or public networks (such as the Internet). When data is sent over the remote link, it is encapsulated, encrypted, and requires authentication services. And Layer 2 Tunneling Protocol (L2TP) is a generic tunneling protocol that allows encapsulation of one network protocol's data within another protocol. It is used in conjunction with IPSec to enable virtual private network (VPN) access to Windows 2003 networks.
If you want the Internet-based communication between the main office servers and client computers and between the branch office servers and client computers to be secure and make use of IPSec encryption, then it would be logical to make use of a VPN that uses L2TP tunnelling between the main office and the branch office. In addition, to secure the communication, you should also make use of a certification authority in the Active Directory domain.

Incorrect answers:
B: PPTP tunnelling, though also a tunnelling protocol is not as suited to the situation as L2TP is to the situation at hand.
D: Making use of a third-party certificate service), but they are slightly less secure because you need to give the same key to every remote access user. Thus this option should not be considered.
E: EAP-Transport Level Security (TLS) allows you to use public-key certificates as an authenticator. TLS is very similar to the familiar Secure Sockets Layer (SSL) protocol used for web browsers. When EAP-TLS is turned on, the client and server send TLS-encrypted messages back and forth. EAP-TLS is the strongest authentication method

server to be part of a Windows 2000 or Server 2003 domain. This is not what is required under the given circumstances.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 344-346, 479

D: Diagnose and resolve user access to resources beyond the remote access server. (0 Questions)

Part 5: Troubleshoot Routing and Remote Access routing.

A: Troubleshoot demand-dial routing. (3 Questions)

QUESTION NO: 1
SIMULATION
You are the network administrator for TestKing.com. TestKing has a main office and five branch offices. Business hours are 9:00 A.M. to 5:00 P.M. from Monday through Friday. There is a demand-dial connection named Branch1 between the main office and the Chicago branch office. Branch1 is configured as shown in the dialog box. On Saturday, an administrator in the main office attempts to perform a backup of a server in the Chicago office. He reports that he is unable to connect. You need to ensure that the connection is available at all times. You also need to ensure that the connection will automatically attempt to connect if it fails for any reason. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer: Activate the Persistent connection as the Connection type tab in the Options Tab in the properties window. You also need to set the redial attempts higher than 15 in the Dialing policy tab.

Explanation: When a demand-dial connection has been created, you can configure it further using the Properties window for the connection. From the Options tab, configure the connection type: either demand dial or persistent. You can also set the dialing policy by specifying the number of times that the calling router should redial if there is no answer and by specifying the interval between redial attempts. In this specific scenario you would activate the Persistent connection so as to have the connection available at all times as well as increase the redial attempt setting in case of receiving no answer from the router. Having a Persistent connection does not preclude the event of connections being severed due to interruptions from a telnet service, etc.

Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 620

QUESTION NO: 2
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional and are members of the domain. On a server named TestKing3, you configure Routing and Remote Access to be a remote access server. All remote access client computers obtain an IP address from a DHCP server. You create remote access policies and verify that users can establish dial-up connections to TestKing3. Users report that they cannot access other computers on the network while dialed in to TestKing3. You need to ensure that remote access users can connect to all computers on the TestKing.com network while dialed in to TestKing3. In the Routing and Remote Access console, you select the properties page for TestKing3. What should you do next? To answer, configure the appropriate option or options in the TestKing3 properties.

Answer:

Explanation: The Enable IP Routing checkbox controls whether or not RRAS will route IP packets between the remote client and other interfaces on your RRAS server. When this box is checked, as it is by default, remote clients' packets can go to the RRAS server or to any other host to which the RRAS server has a route. To limit clients to only accessing resources on the RRAS server itself, uncheck this box. The Allow IP-Based Remote Access And Demand-Dial Connections checkbox controls whether clients may use IP over PPP. It might seem odd to have this choice because the overwhelming majority of PPP connections use IP, but if you want to limit your server to NetBEUI, IPX, or AppleTalk remote clients, you can do so by making sure this box is unchecked. The IP Address Assignment control group lets you specify how you want remote clients to get their IP addresses. The default setting here will vary, depending on what you told the RRAS Setup Wizard during setup. If you want to use a DHCP server on your network as the source of IP addresses for remote clients, select the Dynamic Host Configuration Protocol (DHCP) radio button (you need to make sure that you've got the DHCP relay agent installed and running). If you'd rather use static address allocation, select the Static Address Pool button and then specify which IP address ranges you want issued to clients in the list below.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 342

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional and are members of the domain. You configure a server named TestKing14 to be a VPN server. You place TestKing14 in the company's perimeter network. Four days later, remote access users report that they are having difficulty establishing remote access sessions to Testking14. You suspect that a computer on the Internet is conducting a denial-of-service attack on TestKing14. You need to find out whether this type of attack is in progress. What should you do?

A. Install Microsoft Baseline Security Analyzer (MBSA) on TestKing14. Run mbsa.exe and scan TestKing14 for Windows vulnerabilities. Analyze the resulting data.
B. Install Network Monitor Tools on TestKing14. Run Network Monitor and capture network traffic. Save the results to a file and analyze the data in the file.
C. From the command prompt on a server, run the pathping testking14 command. Save the results to a file and analyze the data in the file.
D. From the command prompt on a server, run the tracert testking14 command. Save the results to a file and analyze the data in the file.

Answer: B

Explanation: Sometimes the best way to see what's happening on your network is to watch the traffic as it passes. Network Monitor is a tool that will allow you to do just that. Network Monitor is a network analyzer (or "sniffer" after the Network General Sniffer toolset). Network analyzers capture raw traffic from the network and then decode it just as the protocol stack would. Because they don't depend on a protocol stack, you can use an analyzer to monitor traffic for protocol types you don't actually have installed. For example, you might use Network Monitor to capture and decode AppleTalk packets while troubleshooting a Mac connectivity problem, even without having AppleTalk on your workstation.

Incorrect answers:
A: Microsoft Baseline Security Analyzer (MBSA) is a utility you can download from the Microsoft website to ensure that you have the most current security updates. This is not going to aid you in this question.
C & D: The pathping tool provides the functionality of both ping and tracert and adds packet loss information as well. The most useful switch to know is the -n switch, which only displays the IP address of each hop rather than resolving each name. Running either pathping or tracert is thus not the solution in this case.

Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 62, 86, 133

B: Troubleshoot router-to-router VPNs. (1 Question)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The main office is in New York, and a branch office is in Chicago. In the Chicago office, you configure a server named Testking2 to be a demand-dial VPN router. You create a demand-dial interface for dialing out. When you are creating this interface, you name it NYRouter. You use your domain user credentials, and you add a static route to the New York office. You need to establish a router-to-router VPN connection from Testking2 to a server named Testking1, which is located in the New York office. Testking1 is configured to be a demand-dial VPN router that has a demand-dial interface named CorpTestking. The CorpTestking interface is used for dialing in and uses the default Remote Access Policy for connection requests. When you attempt to establish a router-to-router connection by using the NYRouter demand-dial interface, you receive the following error message: "The account does not have permission to dial in". You need to ensure that Testking2 can establish a router-to-router VPN connection to Testking1. What should you do?

A. Configure Testking1's authentication provider to be RADIUS authentication.
B. Configure Testking2's authentication provider to be RADIUS authentication.
C. Set the credentials for the CorpTestking demand-dial interface to use the Testking\RAS and IAS Servers domain local group for dialing in.
D. Set the credentials for the NYRouter demand-dial interface to use the Testking1\CorpTestking user account for dialing out.

Answer: D

Explanation: When you wish to allow remote routers to dial in to a RRAS machine, you have to create a user account with the appropriate permissions. RRAS uses the information you enter in the Dial In Credentials page. The Demand-Dial Interface Wizard would create the user account if you complete the Dial In Credentials page. Credentials must match the credentials the remote router is expecting. Authentication would not occur if the credentials do not match. You have to grant dial-in permissions to the account that will be used to initiate the demand-dial connection. To solve the problem just outlined, the credentials for the demand-dial interface have to be configured to use the Testking1\CorpTestking user account.

Incorrect Answers:
A: You must have a RADIUS server on the network in order to use RADIUS for authentication. Otherwise, an error will be generated. VPN clients will fail to be authenticated and will not be able to connect. Thus to have Testking2 establish a router-to-router VPN connection to Testking1 you need the NYRouter demand-dial interface credentials set properly.
B: If you want Testking2 to establish a successful router-to-router VPN connection to Testking1 then this option is not viable. Dial-in permissions for the account that will be used to initiate the demand-dial connection have to be set.
C: This option outlines the demand-dial interface credentials, but unfortunately to the Testking\RAS and IAS Servers domain local group for dialing in instead of to the Testking1\CorpTestking user account for dialing out.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 607-613
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 9, pp. 510-512

Topic 5, Maintaining a Network Infrastructure (38 Questions)

Part 1: Monitor network traffic. Tools might include Network Monitor and System Monitor. (17 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. You configure a server named TestKingA to be a file server. The written company security policy states that you must analyze network traffic that is sent to and from all file servers. You need to capture file-transfer network traffic that is being sent to and from TestKingA. You install Network Monitor tools from a Windows Server 2003 product CD-ROM on a server named TestKingB, which is on the same network segment as TestKingA. You run Network Monitor on TestKingB. However, Network Monitor captures only network traffic that is sent to and from TestKingB. You need to capture all network traffic that is sent to and from TestKingA. What should you do?

A. Install the Network Monitor driver on TestKingA. Run Network Monitor on TestKingB to capture network traffic.
B. Open Network Monitor on TestKingB and create a capture filter to enable the capture of all protocols. Run Network Monitor to capture network traffic.
C. Install Network Monitor Tools on TestKingA. Run Network Monitor to capture network traffic.
D. Open Network Monitor on TestKingB and increase the capture buffer from 1 MB to 20 MB in size. Run Network Monitor to capture network traffic.

Answer: C

Explanation: Only the version that ships with Microsoft SMS Server allows you to monitor all traffic on the same network segment. The question however states that Network Monitor was installed from the Windows Server 2003 product CD-ROM on the server named TestKingB. Network Monitor is therefore only installed on the server named TestKingB. To capture file-transfer network traffic being sent to and from TestKingA, you have to install the Network Monitor application on TestKingA and run Network Monitor to capture network traffic.

Incorrect Answers:
A: You should be installing Network Monitor Tools on TestKingA and not the driver. In other words the Network Monitor application.
B: The question states that you need to monitor all traffic sent to and from TestKingA as well as TestKingB. This option suggests only the capture of network traffic on TestKingB.
D: TestKingB is not the only server that should be monitored. And furthermore increasing the capture buffer thus has no effect on whether TestKingA traffic is also captured.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 3, pp. 137-146.
QUESTION NO: 2
You are the network administrator for TestKing.com. The network is connected to the Internet by using a multihomed Windows Server 2003 computer named TestKingRouter. TestKingRouter has Routing and Remote Access installed and is configured as a demand-dial router. TestKingRouter has two network interfaces. One network interface is a network adapter that is connected to the LAN. The other network interface is a modem that is used for connecting to an Internet service provider (ISP). TestKingRouter is configured to dial out whenever an Internet connection is required. When you inspect the telephone records, you notice that the dial-up connection to the Internet is being activated several times an hour, all day long, even when the office is empty. You suspect that one of the computers on the LAN is running an application that is configured to periodically connect to a host on the Internet. To help you identify the application, you want to identify which computer is initiating the Internet connection, which host the computer is attempting to connect to, and what type of traffic it is attempting to send. You need to find a solution that will enable you to inspect the initial packets sent to the Internet after the connection is established. Due to the volume of data transferred to and from the Internet during normal operations, you do not want to capture constantly. What should you do?

A. Create and activate a System Monitor alert to run a script that will initiate a Network Monitor capture when packets are sent or received by the network adapter.
B. Create and activate a System Monitor alert to run a script that will initiate a Network Monitor capture when packets are sent or received by the modem.
C. Create and activate a Network Monitor trigger to run a script that will initiate a Network Monitor capture when packets are sent or received by the network adapter.
D. Create a Network Monitor trigger to run a script that will initiate a Network Monitor capture when packets are sent or received by the modem.

Answer: D

Explanation: Network Monitor triggers can send you a message when the packets you are on the lookout for emerge on the network. Network Monitor can track the network data stream. It will therefore assist in determining the source address of the computer that sent the message, the destination address of the computer that received the frame, and the data being sent to the destination computer.

Incorrect Answers:
A: System Monitor is the wrong tool for this job. You need to make use of Network Monitor.
B: You need a Network Monitor trigger and not a System Monitor alert to check when packets are sent or received by the modem. System Monitor is used to monitor how services are performing.
C: The modem is the hardware that enables connection to the Internet, so if you monitor activity on the modem by making use of a Network Monitor trigger you will be able to track the computer responsible for initiating connection to the Internet, not the network adapter.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 369-372, 376

QUESTION NO: 3
You are the administrator of a Windows Server 2003 computer named Testking1. Testking1 is an FTP server located in TestKing's internal network. Administrators report an increased amount of FTP traffic to Testking1. You need to configure Testking1 to achieve the following goals:
1. Identify the media access control (MAC) address of any computer that is performing FTP transfers from Testking1.
2. Find out the exact FTP commands that were executed.
3. Ensure that you do not disrupt the operation of Testking1.
What should you do?

A. Configure a performance alert to write an event to the application event log whenever the number of established FTP connections exceeds 1.
B. Use a Network Monitor filter to capture IP traffic from any computer to Testking1.
C. Run the finger command on Testking1 to identify the source of the FTP requests.
D. Run the arp command on Testking1 to identify the source of the FTP requests.

Answer: B

Explanation: Network Monitor is a very useful tool included with Windows Server 2003 that provides a method for detecting and isolating network issues. It allows you to capture data, identify its source, and analyze the content of the message. Because Network Monitor captures data by frames, every packet includes the source and destination address, the header information, and the actual data. Therefore, to achieve all three objectives highlighted in this question, use a Network Monitor capture filter to capture IP traffic from any computer to Testking1, and apply the capture filter before capturing the data. Use the capture filter to capture only the necessary IP traffic to help you identify the reason for the increased amount of FTP traffic to Testking1, and to drop the frames you are not interested in.

Incorrect Answers:
A: Configuring a performance alert to log an event when the established FTP connections exceed 1 will only help you in some of your objectives. You need to use a Network Monitor capture filter to accomplish all three of your objectives.
C: Running the finger command will not assist you in all the tasks that you have to perform in this question.
D: Running the arp command finds the MAC address of the client computer if you are unable to visit the client computer physically. But this is only a fraction of what is required from you in this question. You also need to find out the exact FTP commands that were executed and not just the source of these commands, without disrupting operations on Testking1.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 198, 543
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 3, pp. 140, 144, 145.

QUESTION NO: 4
You are the administrator of an Active Directory domain. The network contains a Windows Server 2003 domain controller named Testking1. Users report that they experience intermittent delays when they log on to Testking1. Administrators report that replication attempts between Testking1 and other domain controllers are occasionally delayed. You need to verify the cause of the intermittent connection delays to Testking1. You also need to find out whether the problem is related to a hardware deficiency on Testking1. You need to track these delays over a period of one day. What should you do first?

A. Run the netdiag / verbose command to perform a network diagnostic test on Testking1.
B. Run the replmon command to view the Active Directory replication status on Testking1.
C. Use Network Monitor to view the network traffic packet contents between Testking1 and all other computers.
D. Create a System Monitor counter to track the queue lengths on the network adapter on Testking1.

Answer: D

Explanation: System Monitor can display performance data about the local computer, or it can display performance data on one or more remote computers in real time. The System Monitor tool can also log a history of performance results over time for local or remote computers. To monitor system performance, you must specify performance objects, counters, and instances of those objects so that the System Monitor knows which areas of system performance to track and display. Thus option D would be best suited to verify the causes of intermittent connection delays to TestKing1.

Incorrect answers:
A: The netdiag command is used to run a diagnostics test against your server to see if anything is not working correctly, this does not mean causes of problems. It just states what is working and what is not. The verbose parameter will display the configuration of default gateways, dynamic IP addressing from DHCP, DNS, IP addressing and WINS. It is not used to verify the causes of intermittent connection delays.
B: Replication Monitor, i.e. the replmon command, is used to monitor the status of Active Directory replication between domain controllers. If zone information is stored within Active Directory, this also enables you to monitor replication between DNS servers. But this is not what is required in this scenario.
C: Network Monitor is a tool included with Windows Server 2003 used to monitor and capture network traffic. This is not what is needed to be verified.

Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 6
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 551

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You configure several Group Policy objects (GPOs) to enforce the use of IPSec for certain types of communication between specified computers. A server named TestKing5 runs the Telnet service. A GPO is supposed to ensure that all Telnet connections to TestKing5 are encrypted by using IPSec. However, when you monitor network traffic, you notice that Telnet connections are not being encrypted. You need to view all of the IPSec settings that are applied to TestKing5 by GPOs. Which tool should you use?

A. The IP Security Policy Management console
B. The IP Security Monitor console
C. The Resultant Set of Policy console
D. Microsoft Baseline Security Analyzer (MBSA)

Answer: C

Explanation: The RSoP console is used in Windows Server 2003 to determine which IPSec policies are assigned, but are not being applied, to IPSec clients. The Windows XP implementation of the RSoP console does not support the display of IPSec policies. RSOP provides a machine-specific overview of the Policy state for the defined machine. It is a term for the resulting (effective) group policies that are applied to a computer and user. You will thus be able to see which IP settings are applied to TestKing5 by means of Group Policy Objects.

Incorrect answers:
A: The IPSec Security Management console displays the active IPSec policy name. This means that you will not be able to view all the IPSec policies that are applied.
B: One makes use of the IP Security Monitor tool to validate that communications between hosts are indeed secure. It provides information such as which IPSec policy is active and whether a secure communication channel is being established between computers. This is not the same as checking all IPSec settings that are applied.
D: The MBSA is not used to check IPSec policies that are applied.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 867
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 15, p. 26

QUESTION NO: 6
You are the Network Administrator for TestKing.com. The network contains 1,200 Windows XP Professional computers and the Windows Server 2003 computers shown in the following table.

Server name    Role
TestKingA      Domain Controller, DNS Server
WINS1          WINS Server
TestKing1      File server
TestKing2      Application server
TestKing3      DHCP server

Client computers receive IP addresses from TestKing3. Client computers require NetBIOS over TCP/IP to access an application on TestKing2. All servers use static IP addresses. TestKing1 stores confidential company documents. You run network monitoring software, and you notice NetBIOS queries to TestKing1. The queries are from source IP addresses that are not in use on your network. You suspect that an intruder is attempting to access TestKing1 over NetBIOS ports. You need to prevent access to TestKing1 through NetBIOS ports. What should you do?

A. On TestKing3, in the DHCP server options, select the 001 Microsoft Disable Netbios Option option.
B. On WINS1, delete the WINS record for TestKing1.
C. On TestKing1, on the Advanced TCP/IP properties dialog box, select the Disable NetBIOS over TCP/IP option.
D. On TestKing1, on the Internet Protocol (TCP/IP) properties dialog box, remove the WINS1 IP address.
E. On all servers, in the Internet Connection Firewall Services tab, add a service entry for the NetBIOS ports

Answer: C

Explanation: NetBIOS is enabled by default for all local area connections in Windows Server 2003. However, if you have implemented DNS on your network and do not need to provide compatibility with versions of Windows earlier than Windows 2000, you have the option of disabling NetBIOS for any or all network connections. The main advantage of disabling NetBIOS is improved network security. NetBIOS as a service stores information about network resources that can be collected by any host through broadcast-based queries. Feasibly, this information could be exploited by a malicious intruder. Another advantage of disabling NetBIOS is that doing so can simplify administration by reducing the number of naming infrastructures that you must configure, maintain, and support. Thus to prevent an intruder from accessing TestKing1 through NetBIOS ports, disabling the NetBIOS over TCP/IP option would be the answer.

Incorrect answers:
A: NetBIOS is not a DHCP issue but rather a WINS issue.
B: Deleting the WINS record for TestKing1 on WINS1 is not going to help in this scenario. Windows Internet Name Service (WINS) is used to centralize the process of registering and resolving NetBIOS names to IP addresses. Centralizing the processes is not the same as preventing NetBIOS queries to TestKing1.
D: Removing the WINS1 IP address from the TestKing1 TCP/IP properties dialog box will not prevent NetBIOS queries to TestKing1.
E: Adding a service entry for the NetBIOS ports on all servers will defeat the purpose of preventing unauthorized NetBIOS intruding on TestKing1 that hosts the confidential files.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Chapter 4, p. 8
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 2

QUESTION NO: 7
You are the network administrator for TestKing.com. The network contains 12 Windows Server 2003 computers and 300 Windows XP Professional computers. Three servers named TestKing4, TestKing5, and TestKing6 run a critical business application. When performing performance baselining on these three servers, you notice that TestKing6 has a larger number of concurrently connected users at any given moment than TestKing4 or TestKing5. The additional workload is causing performance problems on TestKing6. You need to identify which client computers are connected to TestKing6. You plan to run Network Monitor on TestKing6 to capture all packets sent to TestKing6. The capture task must be configured to meet the following requirements:
1. To reduce the size of the captured data, you want to capture only the packet headers.
2. If a large number of packets are captured, the packets must be retained on the server. Captured packets must not overwrite previously captured packets.
Which two tasks should you perform to configure Network Monitor? (Each correct answer presents part of the solution. Choose two.)

A. Configure the Network Monitor display filters.
B. Configure the Network Monitor capture filters.
C. Increase the Network Monitor buffer size setting.
D. Decrease the Network Monitor buffer size setting.
E. Increase the Network Monitor frame size setting.
F. Decrease the Network Monitor frame size setting.

Answer: C, F

Explanation: Use the Capture Buffer Settings dialog box to increase the Network Monitor buffer size setting from the default of 1 MB. Performing this configuration would result in the buffer being less likely to become full. Data would therefore not be overwritten. The frame size setting should be decreased from its default setting of 65,472 bytes so that additional frames can be stored prior to the buffer becoming full.

Incorrect Answers:
A: Configuring the Network Monitor display filters would not assist in meeting the requirements.
B: This would also not assist in meeting the requirements.
D: The buffer size has to be increased.
E: The frame size has to be decreased.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 841

QUESTION NO: 8
You are a network administrator for TestKing. A Windows Server 2003 computer named TestKingSrvA is exhibiting connectivity problems. You monitor TestKingSrvA by using System Monitor and Network Monitor. While monitoring, you notice that TestKingSrvA has approximately 4 MB of available memory, and the average CPU utilization is running at 95 percent. When you investigate the Network Monitor capture, you notice that some network packets sent to TestKingSrvA during the capture have not been captured. You need to ensure that the impact of monitoring on TestKingSrvA is reduced and that all packets sent to the computer are captured. What should you do?

A. From a command prompt, run the diskperf command.
B. Run Network Monitor in dedicated capture mode.
C. Configure a Network Monitor capture filter.
D. Increase the buffer size in Network Monitor.

Answer: B

Explanation: The question states that the central processing unit runs at 95% on average. This means that there are probably not enough resources for Network Monitor to make use of. Running Network Monitor in dedicated capture mode frees resources on the computer for capturing data. This results in fewer frames being dropped. The capture statistics are not displayed or refreshed because the frames are copied to the capture buffer.

Incorrect Answers:
A: Running the diskperf command will not solve your problem. The problem is resources not being available for the Network Monitor to work optimally.
C: Filtering would mean that you will be selective in what you want to have filtered, with the result that selected frames will be dropped.
D: Increasing the buffer size will not necessarily work as the buffer size determines how much data you can capture at one time before ceasing to gather data. It has nothing to do with the 95% CPU usage.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 841

QUESTION NO: 9
Network topology exhibit:
You are the network administrator for TestKing.com. The TestKing network consists of two subnets named subnet TestKingA and subnet TestKingB, which are connected by a Windows Server 2003 computer named TestKing6. TestKing6 has two network adapters and is configured as a LAN router. TestKing6 has Routing and Remote Access enabled. Subnet TestKingA contains six Windows Server 2003 computers that are configured as application servers. Subnet TestKingB contains only Windows XP Professional computers. The relevant portion of the network is shown in the exhibit. To improve security, you plan to configure IP packet filters on TestKing6. In order to create the correct IP packet filters on TestKing6, you need a list of all network protocols and ports that are used in communications between the application servers and the Windows XP Professional computers. In order to gather the list of protocols and ports, you want to monitor the traffic that is forwarded by TestKing6 during a 24-hour period. What should you do on TestKing6?

A. Run the netstat.exe command at the end of a 24-hour period.
B. Run the net session command at the end of a 24-hour period.
C. Use Network Monitor to perform a capture during a 24-hour period.
D. Use System Monitor to log all counters for the Network Interface object during a 24-hour period.

Answer: C

Explanation: You need to perform a capture during a 24-hour period by making use of Network Monitor if you want to gather the list of protocols and ports and monitor the traffic forwarded during a 24-hour period. You use Network Monitor to capture and display the frames that a computer running Windows 2000 Server receives from a local area network (LAN). Network administrators can use Network Monitor to detect and troubleshoot networking problems that the local computer may experience.
Network Monitor is a tool included with Windows Server 2003 used to monitor and capture network traffic. It is useful for troubleshooting network problems.

Incorrect Answers:
A: Running the netstat.exe command will show information about existing network connections and network activity.
B: The net session command will not yield the correct information.
D: You do not want to log all the counters for the Network Interface object.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 9:68, 855

QUESTION NO: 10
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network contains a Web server named Testking1 that runs IIS 6.0 and hosts a secure Web site. The Web site is accessible from the intranet, as well as from the Internet. All users must authenticate when they connect to Testking1. All servers on the Internet must use a secure protocol to connect to the Web site. Users on the intranet do not need to use a secure protocol. You need to verify that all users are using a secure protocol to connect to Testking1 from the Internet. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Monitor the events in the application log on Testking1.
B. Monitor the events in the security log on Testking1.
C. Monitor the Web server connections on Testking1 by using a performance log.
D. Monitor network traffic to Testking1 by using Network Monitor.
E. Monitor the IIS logs on Testking1.

Answer: D, E

Explanation: To verify whether all users are making use of a secure protocol to connect to the server1 from the Internet, you must use the Network Monitor. Network Monitor is a software-based traffic analysis tool that allows a user to perform these tasks:
1. Capture frames directly from the network
2. Display and filter captured frames, immediately after capture or at a later time
3. Edit captured frames and transmit them on the network (full version only)
4. Capture frames from a remote computer (full version only)

Incorrect Answers:
A: The application log on Testking1, accessible through the Event Viewer, only displays events pertaining to applications and programs running on the computer. You do not need this specific log.
B: The security log on Testking1, accessible through the Event Viewer, contains events pertaining to security as defined in the Audit policy. This includes, for example, successful logons, resource access, and use of user rights. This is not what is asked for in the question.
C: Monitoring Web server connections on Testking1 through a performance log is not what you want to accomplish; you need to verify whether all users are using a secure protocol to connect to Testking1 from the Internet.

Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, 2003, 1: 26, 3: 3.

QUESTION NO: 11
DRAG DROP
You are the administrator of an Active Directory domain. The domain contains a Windows Server 2003 computer named Testking1. Testking1 functions as a domain controller and a DNS server. The domain also contains a Windows XP Professional client computer named Client1. You need to establish a detailed record of all the communications that occur when a typical member of the Domain Users group named User1 logs on to the Active Directory domain from Client1. You might need to use this information as a troubleshooting tool if communications between Client1 and Testking1 are disrupted or degraded. You want to use Network Monitor to obtain this baseline information. What should you do? To answer, move the appropriate actions from the list of actions to the answer area, and arrange them in the correct order.

Answer:

Explanation:
Once Network Monitor is installed, users can capture all the frames sent to, or retained by, the network adapter of the computer on which it is installed to a file. These captured frames can then be viewed or saved for later analysis. Users can design a capture filter so that only certain frames are captured. This filter can be configured to capture frames based on criteria such as source address, destination address, or protocol. Network Monitor also makes it possible for a user to design a capture trigger to initiate a specified action when Network Monitor detects a particular set of conditions on the network. This can include starting a capture, ending a capture, or starting a program.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 542

QUESTION NO: 12
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. All confidential company files are stored on a file server named ServerTK5. The written company security policy states that all confidential data must be stored and transmitted in a secure manner. To comply with the security policy, you enable Encrypting File System (EFS) on the confidential files. You also add EFS certificates to the data decryption field (DDF) of the confidential files for the users who need to access them. While performing network monitoring, you notice that the confidential files that are stored on ServerTK5 are being transmitted over the network without encryption. You need to ensure the data is encrypted over the network. What are two possible ways to accomplish this goal? (Each correct answer presents a complete solution. Choose two.)

A. Enable offline files for the confidential files that are stored on ServerTK5, and select the Encrypt offline files to secure data check box on the client computers of the users who need to access the files.
B. Use IPSec encryption between ServerTK5 and the client computers of the users who need to access the confidential files.
C. Use Server Message Block (SMB) signing between ServerTK5 and the client computers of the users who need to access the confidential files.
D. Disable all LM and NTLM authentication methods on ServerTK5.
E. Use IIS to publish the confidential files. Enable SSL on the IIS server. Open the files as a Web folder.

Answer: B, E

Explanation: You can use IPSEC to encrypt network traffic or you can use SSL to encrypt network traffic. SSL, short for Secure Sockets Layer, is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL.
Man !eb sites use the protocol to obtain confidential user information, such as credit card numbers. 1 con%ention, UR4s that re6uire an $$4 connection start with https9 instead of http9. Incorrect )ns"ers: ): .onfidential files should not be allowed to be accessed when offline. &t is a securit ris/ that can be a%oided. Thus this option will not suffice. ': $M1 is primaril used for file and print sharing, but is also used for sharing serial ports and abstract communications technologies such as named pipes and mail slots, ma/ing it inapplicable in this case. D: 4A, Manager and ,T4M authentication are used b Microsoft s stems for networ/ authentication. &mplementing $ecure and Aighl $ecure securit templates affects networ/ securit b altering the t pical 4A, Manager and ,T4M authentication re6uest protocols. Disabling 4M and ,T4M authentication methods on $er%erT@F will thus not wor/ in this scenario. De$erence:

Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd and 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, pp. 3G, G>F QUESTION NO: <, 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F1; 2 You are the net"or0 administrator $or TestBing com The net"or0 contains a !indo"s Ser/er 2==, !eb ser/er named !ebSer/erTB< !ebSer/erTB< is connected to the Internet by means o$ a dedicated lin0 You are res#onsible $or monitoring the band"idth utili1ation o$ !ebSer/erTB< You run a System ?onitor log on !ebSer/erTB<* "hich monitors the +ytes TotalKsec counter on the Net"or0 Inter$ace ob2ect The sam#le rate $or the counter is set to <5 seconds The log is archi/ed once each day The si1e o$ the System ?onitor log is becoming too large $or the a/ailable dis0 s#ace You need to recon$igure the System ?onitor log settings to reduce the amount o$ data that is ca#tured !hat should you do% A. Retain the current counter, but set the sample rate to F seconds. 1. Retain the current counter, but set the sample rate to ;" seconds. .. .hange the counter to Total 1 tes, and set the sample rate to 1F seconds. D. .hange the counter to .urrent 1andwidth, and set the sample rate to ;" seconds. )ns"er: + E3#lanation: The Net"or0 Inter$ace +ytes TotalKSec counter measures the total number o$ bytes that are sentK recei/ed $rom the net"or0 inter$ace It incor#orates all net"or0 #rotocols You use less #rocessor cycles "hen you reduce the sam#ling $requency because the slo"er a counter is sam#led* the less the '.U has to be utili1ed Incorrect )ns"ers: ): The 6uic/er the time setting, the more .5U intensi%e it becomes to run $ stem Monitor. Thus setting the sample rate to F seconds will result in too much data being captured. ': ?iewing a different log will not ield the re6uired information. Iou need the amount of data that is captured reduced. 
The time setting of 15 seconds is thus irrelevant to this scenario.
D: Setting the sample rate to 60 seconds is ideal. However, if you change the counter to Current Bandwidth you will not get the desired information.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, 2003, Chapter 12, p. 479

QUESTION NO: 14
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 25 Windows Server 2003 computers and 6,000 Windows XP Professional computers. The written company security policy states that network traffic to Web servers must be audited on a regular basis. A server named Testking1 is configured as a Web server on TestKing's intranet. You install Network Monitor Tools from a Windows Server 2003 product CD-ROM on Testking1. You run Network Monitor on Testking1 for three hours. When you stop the network capture, you see that Network Monitor captured over 40,000 frames. As you look at the captured frames, you notice that an extremely large number of TCP connection requests have all come from the 131.107.0.1 IP address. In Network Monitor, you need to view only the frames for network traffic that are captured between Testking1 and the 131.107.0.1 IP address. What should you do?
A. Create an Address Capture filter for all network traffic between Testking1 and the 131.107.0.1 IP address.
B. Create a Find Frame Expression filter for network traffic captured between Testking1 and the 131.107.0.1 IP address.
C. Create an Address Display filter for all network traffic captured between Testking1 and the 131.107.0.1 IP address.
D. Create a Pattern Match capture trigger for the 131.107.0.1 IP address.
Answer: C
Explanation: Once Network Monitor is installed, users can capture all the frames sent to, or retained by the network adapter of the computer on which it is installed to a file. These captured frames can then be viewed or saved for later analysis. Users can design a capture filter so that only certain frames are captured. This filter can be configured to capture frames based on criteria such as source address, destination address, or protocol. Network Monitor also makes it possible for a user to design a capture trigger to initiate a specified action when Network Monitor detects a particular set of conditions on the network. This can include starting a capture, ending a capture, or starting a program.
A capture filter functions like a database query that you can use to specify the types of network information you want to monitor. For instance, to view only a specific subset of computers or protocols, you can create an address database, and use the database to add addresses to your filter. The filter can then be saved to a file. You save both buffer resources and time by filtering frames. Later, if necessary, you can load the capture filter file and use the filter again.
Incorrect Answers:
A, B, D: An address capture filter, a Find Frame Expression filter or a Pattern Match capture trigger will not yield the correct information that you need to view.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 833

QUESTION NO: 15
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain consists of 25 Windows Server 2003 computers and 6,000 Windows XP Professional computers. A server named TestKing3 is configured as a DNS server. You receive reports that host name resolution for computers on the network is slower than usual. To help find the cause of the problem, you need to capture all network traffic that is being sent to and from TestKing3. You install Network Monitor Capture Utility (Netcap.exe) from a Windows XP Professional product CD-ROM
on a client computer named client1. You need to capture, view, and analyze all network traffic that is sent to and from TestKing3. What should you do?
A. Install the Network Monitor driver on all computers on the network. Run Network Monitor on Client1 to capture network traffic.
B. Run System Monitor on TestKing3. Create a counter log to capture network traffic to TestKing3 by using the Network Interface object and the Packets Received / sec counter.
C. Install the Network Monitor Tools from a Windows Server 2003 product CD-ROM on TestKing3. Run Network Monitor to capture network traffic.
D. Install the Tcpip.dll protocol parser on TestKing3. Run Netcap.exe on client1 to capture network traffic.
Answer: C
Explanation: Windows Server 2003 also has a Network Monitor tool that can monitor data travelling between the monitored computer and the rest of the network, and not network traffic in general. Thus this is the tool to use when you need to capture, view, and analyze all network traffic that is sent to and from TestKing3. Since the client computers run Windows XP Professional you need to install the network Monitor tools from a Windows Server 2003 product CD-ROM.
Incorrect Answers:
A: It is correct to run Network Monitor to capture network traffic, but this option will yield improper results for you since it suggests that the Network Monitor driver alone has to be installed on all the computers on the network and it is stated in the question that the client computers run Windows XP Professional and the Servers operate in a Windows Server 2003 environment.
B: System Monitor is a tool included with Windows Server 2003 that can be used to monitor the real-time performance of system components as well as services and applications. System Monitor can be used to collect and view real-time performance data, view data saved in a counter log, and present captured data using various views.
But it is Network Monitor that monitors data travelling between the monitored computer and the rest of the network, and not network traffic in general.
D: Installing Tcpip.dll protocol parser on TestKing3 will not assist you in your task.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter

QUESTION NO: 16
You are the network administrator for TestKing.com. The Mumbai office is currently connected to the corporate WAN by using a Windows Server 2003 computer named TestKing5.

TestKing5 is configured as a dial-up router. TestKing5 has two network adapters. One network adapter connects to the Ethernet LAN. The other network adapter is a broadband networking device. TestKing.com plans to increase the number of employees in the Mumbai office by at least 25 percent. You need to confirm that the current network bandwidth of the broadband connection will be sufficient for the future expansion of the Mumbai office. You want to use System Monitor on testKing5 to find out the current utilization of the broadband network connection. What should you do?
A. Monitor the Bytes Total/sec counter on the Network Interface Object.
B. Monitor the Bytes Total/sec counter on the Server Object.
C. Monitor the Server\\Packets/sec counter on the Server Object.
D. Monitor the Current Bandwidth counter on the Network Interface Object.
Answer: A
Explanation: The following is a counter that is useful for monitoring the network subsystem: Network Interface > Bytes Total/Sec. It measures the total number of bytes that are sent or received from the network interface and includes all network protocols. It incorporates all network protocols. This is the counter on the System Monitor to use if you want to find out the current utilization of the broadband connection.
Incorrect answers:
B & C: The Server Object is not going to yield the proper information for your purposes.
D: This is the correct object to monitor, but the wrong counter for the purposes of this question.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 1240
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p.
27

QUESTION NO: 17
Exhibit:
You are the network administrator for TestKing.com. All servers run Windows Server 2003. You and an administrator named Sandra are members of the Administrators group on a server named TestKing2. Sandra is responsible for monitoring TestKing2. She periodically reviews the system and application logs. You are responsible for performing all administrative functions on TestKing2. The domain administrators periodically review the security log to investigate unauthorized access attempts. TestKing.com's written security policy states that all events in the security log must be retained until they are archived. You archive and clear the logs on TestKing2 once each month. When you open the security log on TestKing2, you notice that the log has fewer events than usual. The oldest entry in the audit log contains the information displayed in the exhibit. You must ensure that the TestKing.com security policy is enforced. What should you do on TestKing2?
A. In the local security policy, assign the Manage auditing and security log user right to your user account and remove all other entries.
B. In the local security policy, configure audit settings to enable Audit privilege use (success and failure).
C. Assign the System group the Deny - Full Control permissions for the Secevent.evt file.
D. Remove Sandra's user account from the Administrators group and add her user account to the Power users group.
E. In the properties of the security log, select the Do not overwrite events (clear log manually) option.
Answer: D
Explanation: The Power Users group only exists as a machine local group on 2000 and XP Workstations, and on nondomain controller servers. Members have a subset of the Administrator's rights.
Power users can create user accounts and local groups and can manage the membership of Users, Power Users, and Guests, as well as administer other users and groups that they have created. Since Sandra is responsible for periodically reviewing the system and application logs, she does not have to be a member of the Administrators group. The exhibit shows that Sandra has been the last entry to have been logged. If you want all events in the security log to be retained until archival, then you should add Sandra to the Power users group. Being a member of the Power users group will grant her enough permissions to carry out her tasks while complying with the company security policy.
Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 721

Part 2: Troubleshoot connectivity to the Internet. (11 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network contains a DNS server named Testking1. Testking1 is configured to resolve queries for external internet resources. Testking1 also hosts the testking.com internal zone for Active Directory. Users report that they are directed to the wrong Web site when browsing for well-known Internet Web sites. You need to minimize the occurrence of unexpected results when users browse the Internet in the future. You also need to minimize disruption to users. What should you do?
A. Enable the Disable recursion setting in the advanced properties of Testking1.
B. Enable Fail on load if bad zone data setting in the advanced properties of Testking1.
C. Enable the Secure cache against pollution setting in the advanced properties of Testking1.
D. Enable the Enable automatic scavenging of stale resource records setting in the advanced properties of Testking1 and set it to 7 days.
Answer: C
Explanation: When the Secure cache against pollution setting is disabled, all records received in response to DNS queries are cached. This is true even when the records do not match a queried domain name. Enabling the Secure cache against pollution setting disables the ability to pollute the DNS cache with incorrect information, and spoof DNS queries. With Windows Server 2003 the default setting is that caches are secured against pollution. This will then prevent users that browse the Internet from being directed to the wrong websites.
Incorrect Answers:
A: Checking this option enables the use of recursive forwarders lookups on the entire server regardless of conditional settings on the Forwarders tab. It disables the use of forwarders. This is not what is required in this scenario.
B: By default, Windows Server 2003 DNS servers load their zones regardless of any errors in zone files. The Fail on load if bad zone data option can be used to alter that behavior so that the DNS server service logs errors, but fails to load a zone file containing records data that is determined to have errors. However in this case it is a matter of queries not being resolved.
D: Stale resource records can accumulate within a zone over a period of time. E.g., if a computer registers its own resource record and is shut down improperly, the record might not be removed from the zone file. Scavenging stale resource records can eliminate any problems, such as outdated information. Thus enabling automatic scavenging of stale resource records and setting it to 7 days may still allow users to be directed to the wrong web sites. Information can still become outdated within 7 days. You need to secure the cache from pollution.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W.
Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 496-497
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 3, pp. 285, 291

QUESTION NO: 2
You are the network administrator for TestKing.com. All servers run Windows Server 2003. You implement a new test subnet for testing purposes. You connect the test subnet to the corporate network by using a multihomed server named Testserver1 that has the Routing and Remote Access service enabled. All Internet access for TestKing is provided by a Network Address Translation (NAT) server named NAT1. The relevant portion of the network is shown in the exhibit. You notice that computers on the test subnet cannot connect to any Internet resources by host name or IP address. From a computer on the test subnet, you successfully ping 192.168.1.1. You need to configure the network so that computers on the test subnet can access the Internet. What should you do?
A. Change the default gateway to 192.168.1.1 for all computers on the test subnet.
B. Change the default gateway on Testserver1 to 192.168.1.1.
C. Configure NAT on Testserver1.
D. Run the route add command on all computers on the test subnet.
Answer: B
Explanation: For the test subnet computers to be able to access the Internet they need to have Testserver1's default gateway to be 192.168.1.1 since it already has the Routing and Remote Access service enabled and NAT services are provided by NAT1 as illustrated in the exhibit and NAT1 is connected to the Internet.
Incorrect Answers:
A: The default gateway on the Testserver1 has to be changed to 192.168.1.1 and not the other way around.
C: Configuring Network Address Translation on Testserver1 is obsolete since TestKing is provided by a Network Address Translation (NAT) server named NAT1.
D: When you run the route add command, you are actually configuring the computers with a static IP address. You can run into trouble with static IP addresses in a number of situations. This is impractical since NAT1 provides Network Address Translation.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p.
138

QUESTION NO: 3
You are the network administrator for TestKing.com. All servers run Windows Server 2003. You configure a server named Testking1 with Routing and Remote Access. Testking1 functions as a Network Address Translation (NAT) server. You configure two network connections on Testking1, as shown in the following table.

Connection name            IP address       Connected to
Local Area Connection      192.168.1.254    Internal network
Local Area Connection 2    131.107.2.67     Internet

Users report that they cannot connect to the Internet. They can successfully access Testking1 from remote subnets on the network. You need to configure Testking1 so that users can connect to the Internet. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. Configure Local Area Connection as the private interface.
B. Configure Local Area Connection as the public interface.
C. Configure Local Area Connection 2 as the private interface.
D. Configure Local Area Connection 2 as the public interface.
E. Enable NAT on the public interface.
F. Enable Basic Firewall on Local Area Connection.
G. Enable Basic Firewall on Local Area Connection 2.
Answer: A, D, E
Explanation: NAT is one of the protocols supported by the Routing and Remote Access service in Windows Server 2003. If you use NAT, you must include the Routing and Remote Access service in your solution. The features of NAT provide you with a simple solution for Internet connectivity. Network Address Translation (NAT) is a method of allowing computers internal to your network that have been given non-public addresses to communicate with computers on the Internet.
NAT is an appropriate solution for Internet connectivity when:
1. Requirements for Internet access and access to the private network do not require restrictions on a user-by-user basis.
2. The private network consists of any number of users in a non-routed environment.
3.
The organization requires private addressing for the computers on the private network.
Incorrect Answers:
B: A Local Area Connection is usually not the public interface but rather the private interface.

C: In this scenario Local Area Connection 2 is not the private interface because it is connected to the Internet.
F, G: Enabling a firewall on either Local Area Connection or Local Area Connection 2 is not what is needed. You must enable NAT on the Public Interface.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, pp. 1:11, 9:45-47

QUESTION NO: 4
You are the network administrator for TestKing. You work in the TestKing's branch office in Cape Town. The network in your office consists of 40 Windows XP Professional desktop computers and one Windows Server 2003 computer named TestKing3. TestKing3 connects to the Internet through a 512-Kbps leased line. The main office of the company is in Johannesburg. Users of the desktop computers in the Cape Town office are developers who are developing a new software product. You want these users to place daily builds of the product in a shared folder on TestKing3. You want developers in the Johannesburg office to be able to download the daily builds from TestKing3 by using FTP. You install IIS on TestKing3 and configure the FTP site so that it is available to the developers in the Johannesburg office. However, when you monitor inbound Internet connection attempts to TestKing3, you notice many attempted HTTP connections. You want to secure TestKing3 so that it is not susceptible to malicious Internet users. TestKing3 must also connect to the Internet to use Windows Update and to download virus definition updates. You do not want to purchase additional hardware or software. What should you do on TestKing3?
A. Enable Internet Connection Sharing (ICS).
B. Configure port filtering on the network adapter to allow only TCP port 80 and TCP port 21.
C.
Enable Internet Connection Firewall (ICF) and create service setting in the Internet Connection Firewall settings that allows:
Internal and external TCP port 21 to TestKing3.
Internal and external TCP port 80 to TestKing3.
D. Enable Internet Connection Firewall (ICF) and select the FTP Server check box in the Services tab. Enter TestKing3 as the server hosting the FTP services.
Answer: D
Explanation: To avoid purchasing additional hardware or software, the Internet Connection Sharing (ICS) feature included in Windows Server 2003 should be utilized to provide simplified NAT services to clients in the private network. ICS is a form of NAT and is simpler to implement than NAT. FTP is used to copy files between two computers on the Internet. This would be for the daily builds of the product that is placed in the shared folder. To enable developers in the Johannesburg office to download the daily builds from TestKing3 using FTP, you have to select the FTP Server check box in the Services tab and specify TestKing3 as the server hosting the FTP services.
Incorrect Answers:
A: ICS is a limited implementation of NAT. Basically ICS allows one public address to be translated for the internal private subnet systems. Also, ICS provides a form of dynamic address allocation to clients on the network in a way similar to DHCP. This dynamic address allocation does not provide any configuration options or features to control it when compared to standard DHCP. ICS also provides name resolution for the ICS clients. This option is thus not the answer since TestKing3 hosts the FTP site and is installed with IIS.
B: Port filtering on the adapter to allow only port 21 and port 80-traffic is risky because TCP Ports 20 and 21 are well-known port numbers and hackers often try to exploit these ports.
Port 80 is for HTTP and thus cannot be disabled since TestKing3 is configured with IIS and has the shared folder that is supposed to be available to the remote FTP server.
C: Enabling ICF and configuring the settings to allow internal as well as external port 21- and port 80-traffic to TestKing3 would not be advisable since TestKing3 also hosts shared files for the FTP server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Chapter 9, Syngress Publishing Inc., Rockland, 2003, pp. 42, 519 - 528, 770

QUESTION NO: 5
You are the network administrator for TestKing.com. The network configuration is shown in the Network exhibit. A DHCP server on the local subnet is configured to assign IP addresses to client computers in the 10.10.22.20 - 10.10.22.254 range. All client computers connect to the Internet by using the server named TESTKINGNAT. TESTKINGNAT is a Windows 2003 Server that has Routing and Remote Access installed. TESTKINGNAT has the NAT/Basic Firewall routing protocol enabled. The network interfaces on TESTKINGNAT are configured as shown in the following table.

Interface name    IP address         Connect to
Ethernet1         10.10.22.10        LAN
Ethernet2         131.107.100.202    Internet

The configuration of the NAT/Basic Firewall routing on TESTKINGNAT is shown in the NAT Configuration exhibit:
Client computers are unable to connect to the Internet. You run the ping command from a command prompt on Windows XP Professional computer on the local network, and you receive the following result:

C:\>ping 10.10.22.10
Pinging 10.10.22.10 with 32 bytes of data:
Request timed out:
Request timed out:
Request timed out:
Request timed out:
Ping statistics for 10.10.22.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

You need to ensure that client computers are able to connect to the Internet. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure the DHCP server to assign a default gateway of 131.107.100.202 to client computers.
B. Configure the DHCP server to assign a default gateway of 131.107.100.201 to client computers.
C.
Configure the NAT/Basic Firewall interface type for Ethernet1 to be a private interface.
D. Configure the NAT/Basic Firewall interface type for Ethernet2 to be a public interface.
E. Configure the outbound port filters on Ethernet1 to allow all network protocols.
F. Configure the outbound port filters on Ethernet2 to allow all network protocols.
Answer: C, D
Explanation: You can determine from the exhibits that Ethernet1 is the interface connected to the LAN, and Ethernet2 is the interface connected to the Internet. Ethernet1 should be configured as the private interface, and Ethernet2 should be configured as the public interface.
Incorrect Answers:
A: The default gateway for the client computers should be set to 10.10.22.10.
B: The default gateway for the client computers should be set to 10.10.22.10.
E: This is not a port filter problem. The NAT interfaces are incorrectly configured.
F: This is not a port filter problem. The NAT interfaces are incorrectly configured.
Reference: Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5

QUESTION NO: 6
You are the network administrator for TestKing.com. The relevant portion of the network is shown in the exhibit. You need to configure TestKingSrvA to communicate with TestKingSrvB, TestKingSrvC, and the Internet. You open the TCP/IP properties of TestKingSrvA, and you notice that the following default gateways are already configured in the order shown:
1. 131.107.68.5
2. 10.9.7.2
3. 10.9.8.1
4. 10.9.7.1
5. 10.9.9.1
Which IP address or addresses should you remove from the default gateway addresses on TestKingSrvA? (Choose all that apply)
A. 131.107.68.5
B. 10.9.7.2
C. 10.9.8.1
D. 10.9.7.1
Answer: A, B, C, D
Explanation: TestKingSrv1 only needs one default gateway configured. This should be the address of the internal interface of the router. In this case, it is 10.9.9.1. All other default gateways should be removed.
Note: You would only configure multiple default gateways if there are multiple routers on the same subnet as your computer.
Reference: James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 5

QUESTION NO: 7
HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains 10 Windows Server 2003 computers and 1,000 Windows XP Professional computers. You configure a server named TestKingSrv as a Network Address Translator (NAT) server. TestKingSrv is used to connect all computers on the company network to the Internet. You remove both of the old 10-Mbps network adapters in TestKingSrv, and you replace them with 10/100-Mbps network adapters. All users now report that they are not able to connect to computers on the Internet. On TestKingSrv, you confirm that the network adapter connected to the Internet has a public IP
address, but you cannot connect to computers on the Internet. You can connect to computers that are on the company network. You need to ensure that computers on the company network can connect to the Internet through TestKingSrv. On TestKingSrv, you open the Routing and Remote Access console, and you open the properties of the network adapter that is connected to the Internet. What should you do next? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: A NAT server needs a minimum of two network connections. One connects to the public internet and one connects to the private LAN. When you configure a NAT server, you need to configure each network adapter as either a Public interface connected to the internet or a Private interface connected to private network. The question states that this is the network adapter that is connected to the Internet. Therefore, this network adapter must be configured as the public interface by selecting the Public interface connected to the internet option. The server will be used as a NAT server, so we need to check the Enable NAT on this interface checkbox.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 5
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp.
356-357

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. A supplier named Adventure Works allows TestKing to directly view the Adventure Works inventory. Adventure Works hosts a Web site that buyers can access through a VPN connection. Users in the purchasing department at TestKing access the Adventure Works Web site every day. During each visit to http://inventory.adventure-works.com, users click on up to six hyperlinks to access the desired data. In conversation with Adventure Works network administrators, you find out that the http://inventory.adventure-works.com Web site should cause cookies to be created on the purchasing department users' computers. The cookies cause the Web page to display the "Your last search results" hyperlink. This hyperlink would be very useful for users in your purchasing department, because they usually search for the same data during each visit to the Web site. However, none of your users see this hyperlink. You view the Internet Explorer Internet options on one of the purchasing department user's Windows XP Professional computers. The Privacy tab indicates a setting of High. Your company places a high priority on protecting user privacy and confidential data. You want to allow cookies that will cause http://inventory.adventure-works.com to display the last search results for each purchasing department user. How should you configure the Internet options on purchasing department computers?
A. In the Privacy tab, use the Sites button to allow http://inventory.adventure.works.com.
B. In the Privacy tab, change the privacy setting to Medium.
C. Set the advanced privacy settings to Override automatic cookie handling. Block first-party cookies and accept third-party cookies.
D. Set the advanced privacy settings to Override automatic cookie handling.
Accept first2part coo/ies and bloc/ third2part coo/ies )ns"er: ) E3#lanation: The .ri/acy tab indicates a setting o$ high* "hich is "hy coo0ies are being bloc0ed You need to Edit the settings in the .ri/acy tab to allo" coo0ies that "ill cause htt#:KKin/entory ad/enture>"or0s com to dis#lay the last search results $or each #urchasing de#artment user Incorrect )ns"ers: +: .hanging the pri%ac setting to Medium has to be done b ma/ing use of the 3dit button. (urthermore, ma/ing it Medium is not going to allow coo/ies. There will still be bloc/ing of coo/ies. '* D: 1oth these options still suggests some sort of bloc/ing. 1loc/ing is not what is re6uired in this situation. De$erence: Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd and 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, $ ngress 5ublishing &nc., Roc/land, 2""3, pp. >F"2>F3 QUESTION NO: ; You are the net"or0 administrator $or TestBing com TestBing has si3 regional o$$ices The main o$$ice is in Seattle The com#any net"or0 consists o$ a single )cti/e Directory domain named test0ing com The #rimary DNS ser/er $or the domain is in the Seattle o$$ice Each regional o$$ice has the $ollo"ing ser/ers 1. ) secondary DNS ser/er 2. ) D:'. ser/er 3. 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F3> 2 ) ?icroso$t Internet Security and )cceleration &IS)( Ser/er com#uter that connects to the A)N to the Internet 'om#any sales re#resentati/es /isit each regional o$$ice se/eral times each month )ll sales re#resentati/es use !indo"s @. 
.ro$essional #ortable com#uters :el# des0 technicians re#ort that sales re#resentati/es are $requently unable to connect to the Internet "hen they /isit a regional o$$ice )ll sales re#resentati/es ha/e instructions about ho" to change the IS) ser/er in their Internet E3#lorer O#tions settings so that they can use the Internet in each regional o$$ice :o"e/er* the sales re#resentati/es o$ten lose the instructions or e3#ress $rustration "ith the need to $requently recon$igure their Internet E3#lorer settings You "ant to eliminate the need $or the sales re#resentati/es to recon$igure their Internet E3#lorer settings each time they /isit a di$$erent regional o$$ice You con$igure a "#ad dat scri#t $ile in each o$$ice You create and con$igure a 252 .ro3y )utodisco/ery o#tion in each D:'. ser/er sco#e !hat should you do ne3t% A. .onfigure each !indows <5 5rofessional portable computerKs &nternet 3Bplorer 4A, settings to Automaticall detect settings. 1. 'n each !indows <5 5rofessional portable computer, in the &nternet 3Bplorer 4A, settings, select the Use automatic configuration script chec/ boB.

C. Create an alias (CNAME) resource record named Proxy for each ISA Server computer.
D. Configure the reverse lookup zone on the DNS server with pointer (PTR) resource records for each ISA Server computer.
Answer: B
Explanation: For a Web Proxy client or a Firewall client to connect to an ISA Server computer, you must configure the browser or Firewall client to forward Internet requests to a specific ISA Server computer. If the ISA Server computer becomes unavailable or you want to use a different ISA Server computer, you must change this configuration. When you enable automatic discovery, Firewall clients and Web Proxy clients can automatically detect an ISA Server computer on the network. Using automatic discovery can help you to minimize the time spent troubleshooting connection problems on client computers. Web Proxy clients enable automatic discovery by using Web Proxy AutoDiscovery Protocol (WPAD) information. Firewall clients use Winsock Proxy AutoDetect Protocol (WSPAD). Both clients connect to an ISA Server computer and request configuration information after locating the ISA Server computer by using a WPAD entry on the Dynamic Host Configuration Protocol (DHCP) server or the Domain Name System (DNS) server. Automatic discovery is especially useful when you move your computer from one network to another. Thus this option will make the need for sales representatives to reconfigure their Internet Explorer settings each time they visit a different regional office obsolete.
Incorrect Answers:
A: Setting Automatically detect settings on each portable computer does not eliminate the need to reconfigure Internet Explorer settings; you need to select the Use automatic configuration script because it is a matter of changing the script.
C: Creating an alias (CNAME) will just hide network details from the client it connects to. This is not solving the problem that the portable computer users are experiencing.
D: The Reverse Lookup Zones folder contains all of the reverse lookup DNS domain zones that are hosted on the DNS server you are looking at. Configuring the reverse lookup zone on the DNS server with a pointer resource record for each ISA Server computer will thus not work.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 480, 520-522

QUESTION NO: 10
You are the network administrator for TestKing.com. The network consists of five Windows Server 2003 computers and 50 Windows XP Professional computers on a single subnet. On Sunday, another administrator installs a new firewall between the LAN and the company's T1 Internet connection. The network is configured as shown in the exhibit. Local host names are resolved on the network by using a WINS server. All client computers are configured to use ISP1 for DNS name resolution. On Monday morning, users report that they are no longer able to access secure and nonsecure Internet Web sites. From a Windows XP Professional computer, you are able to successfully perform the following tasks:
1. Ping the IP addresses of Web servers on the Internet
2. Use Internet Explorer to open both secure and nonsecure Web sites by using an IP address in place of the URL
You run the nslookup command and attempt to resolve an Internet fully qualified domain name (FQDN). You receive the following error message:
*** [131.107.100.200] can't find www.testking.com: No response from server.
You need to use minimum amount of administrative effort to provide users with the ability to browse web sites on the Internet. What should you do?
A. Configure the firewall to allow traffic on TCP ports 80 and 443.
B. Configure the firewall to allow traffic on TCP port 53 and UDP port 53.
C. Install and configure the DNS service on one of the local servers.
D. Install and configure Microsoft Internet Security and Acceleration (ISA) server on one of the local servers.
Answer: B
Explanation: Port 53 is used for Domain Name System (DNS) Name Queries. This would be the minimum effort that can be applied to provide web browse abilities on the Internet for users.
Incorrect answers:
A: Port 80 is only to allow HTTP traffic.
C & D: These options suggest too much administrative effort as there is no need to install and configure either DNS service or Microsoft Internet Security and Acceleration (ISA) server on one of the local servers. All that has to be done is to configure the firewall to allow traffic on the appropriate ports.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 3

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. One domain controller on the network is configured as a certification authority (CA). The network contains a Web server that runs IIS 6.0 and hosts a secure intranet site. The server also hosts other sites that do not require HTTPS. You configure a server certificate on the IIS server by using a certificate from your internal CA. All users are required to connect to the intranet site by using HTTPS. Some users report that they cannot connect to the secure intranet site by using HTTPS. You confirm that all users can connect to the nonsecure sites hosted on the Web server by using HTTP. You want to view the failed HTTPS requests. What should you do?
A. Review the log fields created by IIS on the Web server.
B. Review the security log in Event Viewer on the Web server.
C. Review the security log in Event Viewer on the CA.
D. Review the contents of the Failed Requests folder on the CA.
Answer: A
Explanation: Internet Information Services (IIS) is software services that support Web site creation, configuration, and management, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP). Reviewing the log fields created by the IIS on the Web server will yield the necessary information to see the failed HTTPS requests.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, p. 11:35

Part 3: Troubleshoot server services.
A: Diagnose and resolve issues related to service dependency. (6 Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 member server named TestKingA, which contains confidential information. TestKingA also runs IIS and functions as a Web server for the company intranet. You want to secure the Web traffic to and from TestKingA. You configure IIS to require only secure communications. Users must be authenticated on TestKingA by using a domain user name and password. TestKingA has been functioning properly for five months. Now, when users attempt to connect to TestKingA by using Internet Explorer, an error message appears. TestKingA responds to the ping command by host name and IP address. You view the services on TestKingA, some of which are shown in the following window. You need to enable users to access the intranet Web content on TestKingA. Which two actions should you perform on TestKingA? (Each correct answer presents part of the solution. Choose two.)
A. Start the Computer Browser service.
B. Start the HTTP SSL service.
C. Start the Net Logon service.
D. Restart the Secondary Logon service.
E. Restart the Web Client service.

Answer: B, C
Explanation: You have to start the HTTP SSL service for IIS to use encryption, and you have to start the Net Logon service to provide authentication.
Incorrect Answers:
A: To be able to connect to the intranet Web users have to be authenticated since IIS was configured. Starting the Computer Browser service will thus not be sufficient.
D: Also called run as: this service allows a user to run a specified program with permissions that are different from those belonging to the account with which the user is currently logged on. But then you will not be granting accessibility to the primary user in this case. According to the exhibit this service was already started and still users could not access the intranet Web. Your brief is to enable all users to access the intranet Web.
E: Restarting the Web Client service will not work. It did not work earlier while it was started.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 583

QUESTION NO: 2
You are the administrator of a Windows Server 2003 computer named Testking1. Users report that they cannot locate or access shared folders on Testking1. Administrators report that they cannot log on or connect to Testking1, and that they cannot receive administrative alerts. You discover that the following services on Testking1 are disabled:
1. Distributed Link Tracking Server
2. Indexing Service
3. Routing and Remote Access
4. Telnet
5. Workstation
You need to resolve all of the problems that have been reported. Which service should you enable and start on Testking1?
A. Distributed Link Tracking Server
B. Indexing Service
C. Routing and Remote Access
D. Telnet
E. Workstation
Answer: E
Explanation: The Workstation service has to be enabled on TestKing1 for clients to access shared folders.
Incorrect Answers:
A, B, C, D: Distributed Link Tracking Service, Indexing Service, Routing and Remote Access Service (which enables remote clients to dial into a Windows Server 2003 server and access network resources as though they were physically attached to the network) and Telnet will not resolve the problem of receiving administrative alerts.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 858

QUESTION NO: 3
You are a network administrator for TestKing.com. The network contains an Active Directory domain named testking.com. The domain contains three domain controllers named TK1, TK2, and TK3. All three domain controllers are configured as DNS servers. You monitor all three domain controllers. You notice that TK3 is not processing user logon requests. You view DNS on TK1, as shown in the exhibit. You must ensure that TK3 can process user logon requests. What should you do on TK3?
A. Run the ipconfig /registerdns command.
B. Run the nslookup command, and then run the set type=srv command.
C. Restart the Net Logon service.
D. Restart the DNS Server service.
Answer: C
Explanation: The exhibit shows that there are no srv records for TK3. Restarting the Net Logon service will register TK3's srv records in DNS.

Incorrect options:
A: The ipconfig /registerdns command will only flush the resolution cache and update the client's records in DNS.
B: The nslookup is an interactive command-line utility used to test DNS name resolution. The nslookup command can be used from the command line to interactively perform name queries against a DNS server. The Monitoring tab allows similar functionality as nslookup, where you are able to perform tests on the domain name resolution server such as iterative and simple tests. Running the set type=srv command is to verify srv records.
D: Name checking is used by your DNS Server service to find a compatible means to check names it receives and processes during normal operations. Besides, all three domain controllers are configured as DNS servers.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 498, 858, 860-862, 983
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2004, Part 1, Chapters 4 & 11 pp. 210, 688-689

QUESTION NO: 4
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional or Windows 2000 Professional. The network contains two domain controllers and three member servers. The network contains a single DNS server named TestKing1. The DNS server fails. You install a new server that runs Windows Server 2003. You reassign the failed DNS server's IP address to the new server. You install DNS on the server. You configure a new primary zone named testking.com, and you configure the zone to support dynamic updates. Users report that they cannot log on to the domain. You review the DNS domain information. The information is shown in the exhibit. You need to ensure that all users can log on to the domain. What should you do?
A. Restart the Net Logon service on the domain controllers.
B. Force a DNS registration on each of the member servers in the domain.
C. Install DNS on a domain controller. Create a zone named testking.com. Configure the zone to be an Active Directory-integrated zone and to support only secure updates.
D. For each of the domain controllers, create a host (A) resource record in the testking.com domain.
Answer: A
Explanation: The Net Logon service is a service that accepts logon requests from any client and provides authentication from the Security Accounts Manager (SAM) database of accounts. By restarting this service on the domain controllers you will enable all users to log on to the domain.
Incorrect answers:
B: Forcing DNS registration will not allow all users to log on.
C: There is no need to create zones and configuring it to be Active Directory-integrated zone. All that is necessary is to restart the Net Logon service on the domain controllers to enable all users to logon.
D: This record maps a DNS name to an IP address. Creating a host (A) resource record will thus not be enough in this case.
Reference: J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 4, pp. 205 - 210, 428

QUESTION NO: 5
HOTSPOT
You are the administrator of a Windows Server 2003 computer named Testking1. The LAN connection TCP/IP properties on Testking1 are configured to use a static IP address. An administrator reports that Testking1 is receiving incorrect results to a query for testking2.testking.com. You log on to Testking1 and run the ipconfig /flushdns command. You receive the following message. You need to start the appropriate service or services to ensure that Testking1 can correctly resolve name resolution queries. You want to achieve this goal by using the minimum amount of administrative effort. Which service or services should you start? To answer, select the appropriate service or services in the work area.

Answer:

Explanation: Select the "DNS Client" service.
To ensure that Testking1 can correctly resolve name resolution queries you need to enable the "DNS Client" service as it is responsible for directing name resolution. The DNS Client then submits the name to NetBIOS. In other words it acts as a resolver.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Chapter 4, pp. 32

QUESTION NO: 6
DRAG DROP
You are the network administrator for TestKing.com. The network contains two Windows Server 2003 computers named TestKing1 and TestKing2. The two servers are configured as shown in the following table.

Server name    Static IP address    Network Services
TestKing1      192.168.2.1          DHCP
TestKing2      192.168.2.2          DNS, WINS

Users report that they cannot log on to the network by using their client computers. Administrators report that IP addresses are not being renewed on these client computers. You observe that all network services are running on each server. You start Network Monitor on TestKing1. You need to find out why the client computers are not receiving new IP addresses. You need to configure an address filter on TestKing1 to capture the minimum amount of data required. What should you do? To answer, drag the appropriate source or sources to the correct location or locations.

Answer:

Explanation: 192.168.2.1, Broadcast, Include

B: Use service recovery options to diagnose and resolve service-related issues. (Questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. You configure a server named TestKingSrv as a print server. The name of the print queue is \\TestKingSrv\laserprinter. You assign the Everyone group the Allow - Print permissions. Three days later, you discover that print jobs submitted to \\TestKingSrv\laserprinter are not being printed. You log on to the client computer named Client1. Client1 is configured to use \\TestKingSrv\laserprinter as its default printer. You submit several print jobs, but none of them print and no error message is displayed. In Printers and Faxes on Client1, you open \\TestKingSrv\laserprinter. You see the following status of the print queue: "laserprinter on TestKingSrv is unable to connect". You are able to connect to TestKingSrv by running the ping command. You need to ensure that print jobs submitted to \\TestKingSrv\laserprinter will be printed. What should you do?
A. Create a shared printer object in Active Directory for \\TestKingSrv\laserprinter.
B. From a command prompt on Client1, run the Net Print \\TestKingSrv\laserprinter command.
C. On Client1, open the Services console and restart the Print Spooler service.
D. On Client1, open the Services console and connect to TestKingSrv. Restart the Print Spooler service.
Answer: D

Explanation: A stalled print spooler service is typically the problem when print jobs are not being printed, and errors are not being received. When different people experience the same problem, the problem is likely to be connected to the server, and not the client. From a client computer, you can connect to the server and restart the Print Spooler service.
Incorrect Answers:
A: Creating another share will not solve the problem because the printer is already shared.
B: This command would not fix the printing problem as it will not address the problem at hand.
C: Because different people are experiencing the same problem, the problem is likely to be with the server and not the client.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 82

QUESTION NO: 2
You are the administrator of an Active Directory domain. TestKing's WAN consists of eight regional offices. Each regional office has a file and print server. All of these servers are located in the same organizational unit (OU). The Print Spooler service periodically fails on these servers. You need to be able to remotely restart the Print Spooler service on one of the servers in case of a failure. What should you do?
A. Create a Group Policy object (GPO) that sets the Print Spooler service to Automatic. Link the GPO to the OU that contains the servers.
B. Use Remote Desktop to configure the Service Recovery options on each server to restart the Print Spooler service on the first failure.
C. Create a batch file in the Netlogon share that contains the net start "print spooler" command. Create a Group Policy object (GPO) on the OU that links the batch file to the startup scripts.
D. Create an alert that triggers the execution of the net start "print spooler" command when the Max Jobs Spooling Print Queue counter exceeds 0.
Answer: B
Explanation: Remote Desktop For Administration enables administrators to perform administrative tasks on remote servers and clients from a centralized console such as setting the Service Recovery options on each remote server to restart the Print Spooler service. With Remote Desktop For Administration, you can remotely administer any Windows Server 2003 server over any TCP/IP connection. Other administrative tasks that can be performed include running a backup job, changing Control Panel configuration settings, defragging a server's disks, installing an application, and promoting/demoting a domain controller, among other tasks.
Incorrect Answers:
A: Linking a GPO that sets the Print Spooler service to Automatic to the servers' OU will not allow you to remotely restart the Print Spooler on server failure.
C: Linking a Netlogon batch file with the net start "print spooler" command to the startup scripts will not restart a print spooler remotely. You need to make use of Remote Desktop to configure Service Recovery options.
D: When there is a print spooler failure then what is needed is to do a service recovery remotely in this case. This can only be done through the Remote Desktop if you are to be able to restart the service remotely.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, 2003, Chapter 2, p. 66

QUESTION NO: 3
You are the administrator of a Windows Server 2003 computer named Testking1. Testking1 has a third-party application installed on it. The third-party application runs as a service that is named Service1. Service1 fails periodically. You need to configure the recovery options for Service1 to meet the following requirements:
1. If Service1 runs successfully for a day or more, you need to ensure that only the service is immediately restarted upon failure.

2. If, after this failure, Service1 does not run successfully for another day, you must ensure the entire server is immediately restarted.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Configure the Reset fail count after value for Service1 to 1 day.
B. Configure the Restart service after value for Service1 to 1,440 minutes.
C. Configure the response to the first failure to be restart Service1.
D. Configure the response to the first failure to be restart Testking1.
E. Configure the response to the second failure to be restart Service1.
F. Configure the response to the second failure to be restart Testking1.
Answer: A, C, E
Explanation: This question basically involves managing services through Control Panel. You can indicate the number of days after which the number of times a failure has occurred should be reset to 0 in the Reset fail Count dialog box. The Restart Service After dialog box is where you indicate the number of minutes to wait prior to trying to restart a service (Service1) subsequent to a failure. The Restart Computer Options dialog box is where you indicate the number of minutes to wait prior to restarting the computer (Testking1).
Incorrect Answers:
B: 1440 minutes is a 24 hour period which is one day. Thus the time period is correct, but you need to configure the Reset fail count after value and not the Restart service after.
D: Testking1 should not be used to configure the response to the first failure for restart. You should be making use of Service1.
F: Testking1 should not be used to configure the response to the second failure for restart.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Chapter 12, Syngress Publishing Inc., Rockland, 2003, pp. 777 - 783

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a server named TestKing4 that has Terminal Services enabled. An administrator named Tess is responsible for backing up TestKing4. She is a member of the Backup Operators local group on TestKing4. You want to allow Tess to perform her assigned tasks remotely by connecting to TestKing4 through a Terminal Services connection. When Tess attempts to connect to TestKing4, she cannot log on. You can successfully connect and log on to TestKing4. You need to ensure that Tess can successfully connect and log on to TestKing4. You must assign Tess only minimum rights that she needs to do her work. What should you do on TestKing4?
A. Add Tess to the local Power Users group.
B. Add Tess to the local Remote Desktop Users group.
C. In the local security policy, assign Tess the Allow log on locally user right.
D. In Terminal Services Configuration, set the connection encryption level to Client Compatible.
Answer: B
Explanation: You can easily manage permissions and rights for a terminal server on a per-computer basis, by using the Remote Desktop Users group. The Remote Desktop Users group is one of the built-in users groups available when you install one of the Windows Server 2003 operating systems. Members of this group are able to log on remotely to a terminal server on which Remote Desktop is enabled.
Incorrect answers:
A: Power Users group is a group whose members can manage accounts, resources, and applications that are installed on a workstation, stand-alone server, or member server. This group does not exist on domain controllers. Administrative tasks that can be shares. The Power Users group does not have permission to connect to a server using Terminal Services.
C: In Windows 2000, this would be necessary. However, in Windows Server 2003, we have a Remote Desktop Users group to avoid having to allow someone to log on locally.
D: In Terminal Services Configuration there is a General tab. This tab identifies the connection type (RDP-Tcp) and RDP version number. There is a Comment text box in which you can store information for administrative purposes. More importantly, this tab enables you to specify the level of encryption that will be required for connection to Terminal Services. The default encryption setting is Client Compatible. This setting attempts to use the maximum level of encryption allowed on the client. This setting does not affect who has permission to access the server using Terminal Services.
Reference: Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 142
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 440, 549, 560

Topic 6, Miscellaneous (78 Questions)

QUESTION NO: 1
The network is connected to the Internet through a Microsoft Internet Security and Acceleration (ISA) Server computer named Testking4. Testking4 is set to automatically configure client proxy settings. Your supervisor tells you to install Software Update Services (SUS) on a computer named Testking5. Testking5 is the only SUS server on your network. SUS installation must comply with the following limitations:
1. Use the least amount of disk space on Testking5
2. All updates must be tested offline before being deployed to the client computers
3. The IP addressing schemes in TestKing change often. Testking5 should return its NetBIOS name when client computers connect.
Which action or actions should you perform? (Choose all that apply)
A. Configure Testking5 to maintain the updates on a Windows Update server.
B. Configure Testking5 to not automatically approve new versions of previously approved updates.
C. Configure the Specify the name that your clients use to locate this update server setting to Testking5.
D. Configure Testking5 to not use a proxy server to access the Internet.
E. Configure Testking5 to synchronize from a local SUS server.
Answer: A, B, C
Explanation: When selecting a storage location while configuring a SUS server, the options are to store the updates on a Microsoft Windows Update server or to store the updates on a local folder. When using the Microsoft Windows Update server option, you can control which updates your clients will receive. This option also leads to a reduction in the amount of free disk space needed on the Testking5 SUS server. You have to use the Set Options screen to configure the Specify the name that your clients use to locate this update server setting to Testking5.
Incorrect Answers:
D: A proxy server acts on behalf of the client to establish an IP connection with a remote machine. Since Testking4 is set to automatically configure client proxy settings as well as being the network's connection to the Internet, this option will leave you without an Internet connection which must be used to download the updates.
E: To have Testking5 synchronizing from the local SUS server is impractical since Testking5 is the only SUS server in this scenario.
Reference: Dan Holme & Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter, p. 351
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 802-803

QUESTION NO: 2
You are the administrator of an Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows 2000 Professional with Service Pack 2. You install Software Update Services (SUS) on a computer named Testking1, and you approve all downloaded updates. You apply the appropriate Group Policy object (GPO) settings to configure domain computers to download critical updates from Testking1. You discover that no updates were applied since you installed SUS on Testking1. You confirm that all the Windows Server 2003 computers receive updates from Testking1.

You need to ensure that all client computers receive updates from Testking1. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Install Service Pack 3 on all client computers.
B. Move all client computers out of the Computers container and into a new organizational unit (OU).
C. Enable the No Override GPO setting.
D. Install the Automatic Updates client on all client computers.
E. Configure Testking1 to authenticate against a proxy server to receive updates from the Windows Update servers.

Answer: A, D

Explanation: Automatic Updates can be configured on client computers to access the local SUS server in place of the Windows Update site. The client computers need the Automatic Update feature installed in order to connect to the SUS server, Testking1, to download critical updates. Servers running Windows Server 2003 and client computers running Windows 2000 Service Pack 3 can be configured to automatically receive their SUS updates.

Incorrect Answers:
B: Organizational unit containers and default containers serve the same purpose. They organize objects within a domain. Moving all client computers into a new OU will thus not ensure that all client computers receive their updates from Testking1. You need to ensure that client computers have Automatic Updates installed in order to be connected to Testking1.
C: The No Override GPO setting is irrelevant in this case as there is already an appropriate GPO to download updates. Furthermore the problem is that the client computers should also have Automatic Updates installed.
E: This is not necessary. All that is needed is to have Service Pack 3 and Automatic Updates installed on the client computers since Testking1 is already reconfigured.

Reference:
Dan Holme & Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 9, pp. 354, 362

QUESTION NO: 3
You are responsible for administering the Production OU. You are assigned the Allow - Full Control permission for the OU. All computer objects in the Production OU are administered by another administrator named Tom. The Production OU contains the computer account for a Windows Server 2003 computer named Testking1. Tom submits a list of configuration settings that he wants to apply to Testking1 by means of a Group Policy object (GPO). A GPO that contains Tom's required settings is created in another OU by the domain administrator. You only want to allow Tom to link existing GPOs to the Production OU. He must not have any more rights than he needs to perform the required tasks. What should you do?
A. Add Tom's user account to the Group Policy Creator Owners group in the domain.
B. Run the Delegation of Control Wizard and assign Tom's user account the Allow - Manage group policy links permission for the Production OU.
C. Run the Delegation of Control wizard and assign Tom's user account the Allow - Change permission for the Production OU.
D. Run the Delegation of Control wizard and assign Tom's user account the Allow - Apply group policy permission for all GPOs that are linked to the Production OU.

Answer: B

Explanation: You can delegate permissions to manage Group Policies of the Production OU. This is done through delegation of control. Right click the designated container in Active Directory Users and Computers. Select Delegate Control. Once the Delegate Control Wizard runs, select the user (Tom) who should be granted control in the container. Then, add Manage Group Policy Links from the Permissions list, and complete the Delegate Control Wizard. Tom will only be able to create GPO links in containers where he has been allowed the particular permission. Thus restricting him to only what he needs to be able to do his job.

Incorrect Answers:
A: This type of group permissions should be applied at the root of the volume. The Creator Owner group e.g. is a special group that determines the access that a user has to files and folders he or she has created. By default, the Full Control special permissions assigned to this group automatically apply to every folder created on the volume. Thus the default permissions of being Creator Owner would grant Tom more permissions than is necessary.
C & D: Active Directory enables you to efficiently manage objects by delegating administrative control of the objects. You can use the Delegation of Control Wizard and customized consoles in Microsoft Management Console (MMC) to grant specific users the permissions to perform various administrative and management tasks. You use the Delegation of Control Wizard to select the user or group to which you want to delegate control. You also use the wizard to grant users permissions to control organizational units and objects and to access and modify objects. However, these options, whether Allow - Change or Allow - Apply group policy permission, will grant Tom more than the necessary permissions to perform his tasks.

Reference:
Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Chapter 10 p. 601
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 432, 830

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. You use a non-administrative user account named Joseph to log on to a client computer. You need to change the password for a domain user account named Sophia. You open the Active Directory Users and Computers console. When you attempt to change Sophia's password, you receive the following error message: "Access is denied". You need to remain logged on to the client computer as Joseph, and you need to be able to change Sophia's password. What should you do?
A. Add the non-administrative domain user account to the local Administrators group.
B. Use the runas command to run Active Directory Users and Computers with domain administrative credentials.
C. From a command prompt, run the net user Sophia /add /passwordreq:yes command.
D. From a command prompt, run the net accounts /uniquepw: /domain command.

Answer: B

Explanation: The runas command can be used to perform administrative tasks. Run as, also called secondary logon, is a useful tool that allows a user to run a specified program with permissions that are different from those belonging to the account with which the user is currently logged on. You can use this command to run executable files, and Control Panel items, among other tasks. It allows you to run a specified program with permissions that are different from that associated to the account (user account named Joseph) with which you are currently logged on. Therefore, you can use the runas command to run Active Directory Users and Computers with domain administrative credentials to change Sophia's password.

Incorrect Answers:
A: Adding a non-administrative account to the local administrators group will allow you to complete this task. But the question states that you need to remain logged on the client computer as Joseph. This results in you needing a secondary logon rather than being added to the local administrators group.
C: This command allows you to add or modify user accounts or display user account info. And as this command is used in this scenario, it also specifies that the user must have a password. This will not allow you to change Sophia's password because you need to have either administrator status or use the run as command especially since the question states that you need to remain logged on to the client computer as Joseph who is a non-administrative account.
D: This specific command updates user accounts database and modifies password and logon requirements for all accounts. Furthermore it requires the user not to use same password for the number of password changes and it performs the operation on the primary domain controller of the current domain, else the modification will be performed on the local computer. However, this assumes that you are working from an administrator's account rather than a non-administrative user account named Joseph.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Chapter 1, p. 36

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single IP subnet. All servers are Windows Server 2003. All client computers run Windows XP Professional. The corporate firewall blocks all requests from the local client computers to port 80 in the Internet. Requests sent over port 443 are allowed through the firewall. Server computers can communicate by using port 80 and 443 to the Internet. You need to install Software Update Services (SUS) on a computer named Testking5. Testking5 has limited hard drive space and stores a minimal amount of information daily. Client computers must install Microsoft critical updates. You need to ensure that Testking5 does not run out of hard drive space after the installation of SUS. What should you do?
A. On Testking5, clear the selection of all locales not used on your network.
B. On Testking5, select the option to maintain the updates on a Windows Update server.
C. Modify the default home page for all client computers to https://windowsupdate.microsoft.com.
D. Modify the proxy server setting for all client computers to http://testking5.

Answer: A

Explanation: The options when selecting a storage location for updates are to maintain the updates on a Microsoft Windows Update server or to save the updates to a local folder. Each locale that is selected will increase the amount of storage space necessary to maintain updates on your server. Thus if you clear the selection of all locales not used on your network, you will prevent the SUS from using that specific hard drive space as well.

Incorrect answers:
B: The options available are to maintain the updates on a Microsoft Windows Update server or to save the updates to a local folder. However, deselecting locales after synchronization has already occurred will not free up disk space because the packages that have already been downloaded will remain on the SUS server.
C: Modifying the default home page for all client computers to https://windowsupdate.microsoft.com will not solve the problem because SUS has to be installed on TestKing5.
D: This problem will only be solved by clearing the selection of all locales not used on the network, not by modifying the proxy server settings for the client computers to http://testking5.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 802-803

QUESTION NO: 6
SIMULATION
You are the network administrator for TestKing. You install and configure Software Update Services (SUS) on a Windows Server 2003 computer named Testking2. You install the Automatic Updates client on all Windows XP Professional computers. All Windows XP Professional computer accounts are in the Clients organization unit (OU). You need to configure Automatic Updates on all Windows XP Professional computers to automatically download and install updates whether users log on to their computers with administrative credentials or nonadministrative credentials. The day and time that updates are installed is not important. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer:

Explanation: To configure Automatic Updates on all Windows XP Professional computers to automatically download and install updates whether users log on to their computers with administrative credentials or non-administrative credentials, you need to enable Automatic Updates and, since the question states that the day and time that updates are installed is not important, configure the automatic updating to occur on a daily basis.
Range = 0|1|2|3|4|5|6|7
7 = the days of the week from Sunday (1) to Saturday (7)

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 809-812

QUESTION NO: 7
DRAG DROP
You are the network administrator for Testking.com. The network contains 25 servers and 1,000 client computers. The network architect has designed a software update infrastructure. You need to configure the software update infrastructure. The configuration must meet the following requirements:
1. Client computers must receive critical updates from a Software Update Services (SUS) server.
2. Three SUS servers must be available for critical updates.
3. Only servers in the perimeter network must be able to connect to the Internet.
4. Client computers must not be able to connect to servers in the perimeter network.
You install SUS on four servers on the network. Which configuration should you apply to the four SUS servers?

Answer:

Explanation: Software Update Services (SUS) lets you download a limited version of the Windows Update site and distribute updates to clients through Automatic Updates. As a result, you can control how and when updates are deployed, and deliver updates to users through your intranet and inside your firewall. Automatic Updates can be configured so that a client PC can receive updates from a server on its network. You would need SUS if users were permitted to access an internal Web server as if they were accessing the Internet, and download and install the relevant programs.
In the above scenario you need to configure SUS on TestKing12 to synchronize directly from the Windows Update server and to Maintain updates on the Windows Update server. Whilst TestKing13, -14 and -15 need to be configured to synchronize from the local SUS server and to save the updates to a local folder. This should comply with the stated requirements since TestKing12 is the only one in the perimeter connecting to the Internet.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Part 1, Chapter 15, pp. 16, 18

QUESTION NO: 8
Exhibit
You are the network administrator for Testking.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. A new low-priority update is released and is synchronized with the Software Update Services (SUS) server on the network. You decide to approve the update without testing. After the update is applied to client computers, users report that they can no longer run their account application. On the SUS server, you view the details of the update as shown in the exhibit. You need to remove the update from all client computers until you can test the update. What should you do?
A. Clear the Automatically approve new versions of previously approved updates option on the SUS server.
B. Clear the update for approval on the SUS server, and then resynchronize the server with the Windows Update servers.
C. Run the spuninst command from Systemroot\$NtUninstallQ318138$\spuninst directory on each client computer.
D. Delete the Systemroot\$NtUninstallQ318138$ directory on each client computer.

Answer: C


Explanation: This command will remove the update from all the client computers as this is what is necessary in this scenario.

Incorrect answers:
A: This option in the light of this specific scenario is reactionary and the damage is already done. Clearing the Automatically approve new versions of previously approved updates option will not help.
B: You cannot clear an update for approval if it was already applied to the server as well as the client computers, what you need to do is to uninstall it.
D: This option will not help as the update has to be uninstalled since it was already applied to the client computers and the server.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure: Study Guide & DVD Training System, pp. 811-816

QUESTION NO: 9
HOTSPOT
You are the network administrator for Testking.com. The network contains a third-party application that runs as a service. The application service is secured with a domain-level service account. The properties of the service account are displayed in exhibit. Users report that the application is no longer available. The application service is stopped. An administrator reports that the password of the service account had expired and was changed. You reset the password on the service to match the new password of the service account. You unsuccessfully attempt to restart the service. You need to ensure that the service will start. You need to prevent this problem from happening again while retaining administrative control over the service account password. What should you do?

Answer:

Explanation: Enable Password never expires.
Since the question states that the password of the service account had expired and was changed, you need to enable the Password never expires option, especially in light of you already having had the password reset to match the new password of the service account and you still being unable to restart the service. This option will enable you to start the service and also prevent this situation from occurring again, whilst it will allow you to retain administrative control over the password.

References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 7:12-13
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.

QUESTION NO: 10
You are the administrator of a Windows 2003 print server named ServerA. ServerA is a member of a Windows 2003 Domain. You install a high-speed laser print device on the network. You create and share a printer on ServerA named FastLsr with the default settings. You want all of the users in TestKing to be able to use FastLsr. You want the users in the Payroll domain local group to have exclusive use of the print device between the hours of 10:00 A.M. and 3:00 P.M. and shared use of the print device during all other times. What should you do?
A. Configure and share FastLsr to be available from 3:00 P.M to 10:00 A.M. For the print device, create a second printer that has default availability. For the second printer, assign the Everyone group the Deny-Print permission and assign the Payroll group the Allow-Print permission. Instruct users in the Payroll group to use the second printer.
B. Configure and share FastLsr to be available from 3:00 P.M to 10:00 A.M. For the print device, create a second printer that has default availability. For the second printer, remove permissions for the Everyone group and assign the Payroll group the Allow-Print permission. Instruct users in the Payroll group to use the second printer.
C. Create and share a second printer device and configure it to be available from 10:00 A.M to 3:00 P.M. For the second printer, assign the Everyone group the Deny-Print permission and assign the Payroll group the Allow-Print permission. Instruct users in the Payroll group to use the second printer.
D. Create and share a second printer for the print device and configure it to be available from 10:00 A.M to 3:00 P.M. For the second printer, remove permissions for the Everyone group and assign the Payroll group the Allow-Print permission. Instruct users in the Payroll group to use the second printer.

Answer: B

Explanation: You have a shared printer named FastLsr. The default permission for a shared printer is to allow everyone to print at any time. You need to change the availability of FastLsr so that it is accessible for everyone to print from 3:00 P.M. to 10:00 A.M. This means that no one can print to it between 10:00 A.M. and 3:00 P.M. Only the Payroll group should be permitted to print between 10:00 A.M. and 3:00 P.M. Therefore, you need to create a second shared printer and change this printer's availability to between 10:00 A.M. and 3:00 P.M. You also need to configure the permissions to only enable the Payroll group to use the second shared printer.

Incorrect Answers:
A: If you assign the Everyone group the Deny-Print permission, then nobody, including the Payroll group, would be able to use the printer.
C: If you assign the Everyone group the Deny-Print permission, then nobody, including the Payroll group, would be able to use the printer.
D: This answer is incomplete because it omits the configuration necessary on the shared printer named FastLsr. This printer allows anyone to print at any time. The availability of FastLsr has to be reconfigured.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 366-367

QUESTION NO: 11
You are the administrator of some of TestKing's file servers. Peter is hired as an intern in the human resources department. Peter needs access to some HR files. He also needs to be able to read the file named Handbook.doc, but he must not be able to make changes to it. Handbook.doc exists in a folder named HRResources. Peter needs to have Read and Modify permissions for the other files in the HRResources folder. Peter is a member of the Domain Users group and the HR group. The permissions on the HRResources folder are shown in the following table.

Group          Permission   Type of permission
Domain Users   Read         Share
HR             Change       Share
Domain Users   Read         NTFS
HR             Modify       NTFS

You need to ensure that Peter can access the appropriate files and that he cannot make changes to Handbook.doc. What should you do?
A. Set the hidden and system attributes on Handbook.Doc.
B. Disable permissions inheritance on Handbook.doc.
C. Assign Peter the Allow-Read permission for Handbook.doc.
D. Assign Peter the Deny-Write NTFS permission for Handbook.doc.

Answer: D

Explanation: Peter has Change/Modify permission on the Handbook.doc file because of his membership to the HR group. You need to ensure that Peter cannot make changes to the Handbook.doc file. You can prevent Peter from making changes to Handbook.doc by denying him the write permission on the file.

Incorrect Answers:
A: Setting the hidden and system attributes would only hide the file. It would not prevent Peter from editing the file if he opens it by entering the correct file path.
B: If you disable permission inheritance, you would have to manually configure the appropriate permissions for Peter and everyone else. This solution would solve the problem but it is impractical.
C: Peter already has Change/Modify permission on the file. Assigning the Allow-Read permission would not affect his existing permissions.

Reference:
Server Help
http://www.seagate.com/support/kb/tape/4062.html
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 822-823.
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows® Server
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 280-286

QUESTION NO: 12
You are the administrator of the TestKing.com company network. The network consists of a single Active Directory domain named testking.com. The network includes 10 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. You install and configure a server named TestKingSrv as a print server. The name of the print queue is \\TestKingSrv\laserprinter. You assign the Everyone group the Allow - Print permissions. A user named Lisa in the Finance department reports that she is unable to print to \\TestKingSrv\laserprinter. Several other users report that they are unable to print to \\TestKingSrv\laserprinter. You log on to Lisa's computer and submit several print jobs, but none of them print and no error message is displayed. In Printers and Faxes on Lisa's computer, you open \\TestKingSrv\laserprinter. You see the following status of the print queue: "laserprinter on TestKingSrv is unable to connect". You are able to ping TestKingSrv. You need to ensure that print jobs submitted to \\TestKingSrv\laserprinter will be printed. What should you do?
A. On a domain controller, create a shared printer object in Active Directory for \\TestKingSrv\laserprinter.
B. From a command prompt on Lisa's computer, run the Net Print \\TestKingSrv\laserprinter command.
C. On Lisa's computer, open the Services console and restart the Print Spooler service.
D. On Lisa's computer, open the Services console and connect to TestKingSrv. Restart the Print Spooler service.

Answer: D

Explanation: The Print Spooler service loads files to memory for printing. At times, it may be necessary to stop and restart the service to delete queues.
You do this by using the net stop spooler command to stop the service. You can delete the printer objects from the queue in C:\WINDOWS\System32\spool\PRINTERS, and then start the service with the net start spooler command. The users will need to resubmit their print jobs once the queues are deleted.

Incorrect Answers:
A: The printer is already shared. It does not have to be published in Active Directory.
B: This command is used to connect to a shared printer. This has already been done.
C: Other users are also experiencing printing problems. The problem is therefore more likely to be associated with the print server, and not only Lisa's computer.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 82

QUESTION NO: 13
DRAG DROP
You are the network administrator for Contoso, Ltd. Your network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. You need to audit all logon attempts by domain users. You must ensure that the minimum amount of necessary information is audited. To achieve this goal, you will edit the Default Domain Controller Group Policy object (GPO). What should you do? To answer, drag the policy setting to the correct location or locations in the work area.

Answer:

Explanation: This setting will audit all logon events that use domain user accounts. The Audit Logon Events policy is for auditing log on attempts using local user accounts.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura E. Hunter, MCSA/MCSE Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 871

QUESTION NO: 14
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. Recovery Console is installed on each domain controller. The disk configuration for each domain controller is shown in the following table. MAIN is configured with both the system partition and the boot partition. Every Friday at 6:00 P.M., you run the Automated System Recovery (ASR) wizard in conjunction with removable storage media. Every night at midnight, you use third-party software to perform full backups of user profiles and user data on removable storage media. One Friday at 8:00 P.M., an administrator reports that the CA database on a domain controller named DC1 is corrupted. You need to restore the database as quickly as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Restart DC1 by using Directory Services Restore Mode.
B. Restart DC1 by using the installation CD-ROM.
C. Perform a nonauthoritative restoration of Active Directory.
D. Perform an authoritative restoration of Active Directory.
E. Use the ASR disk to restore the content of the ASR backup file.

Answer: A, C

Explanation: To restore the CA database, we must restart the server in Directory Services Restore Mode. Directory Services Restore mode is a special mode that can be used to recover the Active Directory database. From Directory Services Restore mode the administrator can choose whether to do an authoritative or non-authoritative restore of the Active Directory database. This is similar to Safe Mode and will not start any Active Directory services. During a normal restore operation, Backup operates in non authoritative restore mode.
That is, an data that ou restore, including Acti%e Director ob)ects, will ha%e their original update se6uence number. The Acti%e Director replication s stem uses this number to detect and propagate Acti%e Director changes among the ser%ers in our organi0ation. Thus an data that is restored non2authoritati%el will appear to the Acti%e Director replication s stem as though it is old, which means the data will ne%er get replicated to our other ser%ers. &nstead, if newer data is a%ailable from our other ser%ers, the Acti%e Director replication s stem will use this to update the restored data. Incorrect O#tions: +: Due to it not being necessar to use A$R, ou do not need to start with the .D2R'M. D: normal AD replication from other D.s. E: !e do not need to use A$R because the ser%er is operational. De$erence: Dan Aolme L 'rin Thomas, M.$AHM.$3 $elf25aced Training @it *3Bam G"22="+9 Managing and Maintaining a Microsoft !indows $er%er 2""3 3n%ironment, pp. F22, G"2 QUESTION NO: <5 :OTS.OT You are the net"or0 administrator $or TestBing com The net"or0 contains !indo"s Ser/er 2==, com#uters and !indo"s @. 
.ro$essional com#uters You install So$t"are U#date Ser/ices on a ser/er named TestBing) You create a ne" -rou# .olicy ob2ect &-.O( at the domain le/el 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F>- 2 You need to #ro#erly con$igure the -.O so that all com#uters recei/e their u#dates $rom TestBing) :o" should you con$igure the -.O% To ans"er* con$igure the a##ro#riate o#tion or o#tions in the dialog bo3 )ns"er: E3#lanation: Select the Enabled radio button In the Set the intranet u#date ser/ice $or detecting u#dates bo3* enter the name o$ the ser/er in this case you "ould enter htt#:KKTestBing) You should also enter htt#:KKTestBing) as the address o$ the intranet statistics ser/er $ince the $oftware Update $er%ices has been installed on Test@ingA, the group polic ob)ect on the domain should enable the intranet update ser%ices to detect and set from Test@ingA. De$erences: Dan 1alter, M.$AHM.$3 Managing and Maintaining a Microsoft !indowsO $er%er 4eading the wa in &T testing and certification tools, www.test/ing.com

QUESTION NO: 16

You are the network administrator for TestKing.com. On a Windows Server 2003 computer named TestKingF, you use the backup program to automatically back up eight servers. You use a scheduled task named AutoBack. The task runs in the security context of a domain account named NightBackup. The Default Domain Policy Group Policy object (GPO) is configured with the following account policies settings:

Minimum password length: 8 characters
Password expiration: 30 days
Enforce password history: 12 passwords remembered
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 30 minutes

The backup program runs successfully for four weeks. After four weeks, you notice that nightly backups no longer occur. A successful backup occurs when you log on to TestKingF with your own user account and perform a local backup. Your user account is a member of the Domain Admins group. You want the AutoBack scheduled task to perform unattended backups every night at 11:00 P.M. Which two actions should you perform in order to resume the nightly backups by using the AutoBack scheduled task? (Each correct answer presents part of the solution. Choose two.)

A. Unlock the NightBackup user account.
B. Enable the NightBackup user account.
C. On the properties sheet for the AutoBack.Job scheduled task, reset the password.
D. Reset the password for the NightBackup user account.
E. Configure the local security policy on TestKingF to grant the service account the Logon locally right.
F. Configure the local security policy on TestKingF to grant the service account the Logon as a service right.

Answer: C, D

Explanation: The question states that the backup program ran successfully for four weeks, which is more or less 30 days. Because of the password expiration being 30 days, the passwords listed in C and D have to be reset.

Incorrect Answers:
A: The problem is not a case where you could unlock the account to be able to resume Policy group policy object.
B: Disabled accounts have as a consequence the inability to log on with the account. It does not alter or modify password settings. Thus enabling an account also has nothing to do with the password that has to be reset for you to be able to have AutoBack running its scheduled backups.
E & F: These options are irrelevant to the problem stated here.

Reference: Dan Holme & Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 3, pp. 123-128

QUESTION NO: 17

You are the network administrator for TestKing.com. The company has offices in three countries. The network contains Windows Server 2003 computers and Windows XP Professional computers. The network is configured as shown in the exhibit. Software Update Services (SUS) is installed on one server in each office. Each SUS server is configured to synchronize by using the default settings. Because bandwidth at each office is limited, you want to ensure that updates require the minimum amount of time. What should you do?

A. Synchronize the update with a SUS server at another office.
B. Select only the locales that are needed.
C. Configure Background Intelligent Transfer Service (BITS) to limit file transfer size to 9 MB.
D. Configure Background Intelligent Transfer Service (BITS) to delete incomplete jobs after 20 minutes.

Answer: B

Explanation: Because the SUS servers are configured to synchronize by using the default configuration settings, it is possible to customize the server configuration to save bandwidth. Each locale selected increases the amount of storage space necessary to maintain updates on the server in each office. Thus you should select only the locales that are needed.

Incorrect Answers:
A: Synchronizing updates with a SUS server at another office would mean bandwidth usage as the offices are in three different countries.
C: Background Intelligent Transfer Service (BITS) is used to transfer files asynchronously between a client and an HTTP server. This service controls bandwidth utilization through HTTP downloads while providing a connection history. If a client is downloading software that uses BITS technology and the user is disconnected, shuts the system down, or logs off, the connection will be re-established the next time the user is connected to the network. This ensures updates are received without overburdening the network with large amounts of traffic. This takes care of bandwidth restraints. But limiting the transfer file size to 9 MB will not ensure that you get all the necessary updates, since some update files could be larger. Furthermore, BITS is to transfer files between client and HTTP server.
D: Following the argument stated in option C's explanation, deleting incomplete jobs after 20 minutes would not be practical. Then you would only be able to work on the time constraint, but you will not be sure of having all the necessary updates.

Reference: Dan Holme & Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 9, p. 356
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, 2003, p. 808

QUESTION NO: 18

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You install Terminal Server on three member servers named TestKing1, TestKing2, and TestKing3. You add a domain group named HR to the Remote Desktop Users group on all three terminal servers. One week later, you discover that files on TestKing1 and TestKing2 were deleted by a user named Tess, who is a member of the HR group. You need to prevent Tess from connecting to any of the terminal servers. What should you do?

A. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Deny - Users Access and the Deny - Guest Access permissions to the HR group.
B. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Allow - Guest Access permission to Tess's user account.
C. In the properties of Tess's user account, disable the Allow logon to a terminal server option.
D. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Deny - User Access and the Deny - Guest Access permissions to the Remote Desktop Users group.
E. In the properties of Tess's user account, enable the End session option.
Answer: C

Explanation: Tess is a member of the HR group that was added to the Remote Desktop Users group on the member servers. This permits Tess to log on to the member servers. You deny this permission by disabling the Allow logon to a terminal server option on the Terminal Services Profile tab, in the properties of her user account. This setting will override the permissions assigned to her through group membership.

Incorrect Answers:
A: The Deny - Users access permission will deny all the users access to the terminal servers.
B: You need to prevent Tess from connecting to the terminal servers. Allowing Guest access will still enable her to connect.
D: This will prevent everyone from connecting to the terminal servers.
E: The End Session option will only limit the time Tess can connect to the servers. It will not prevent her connecting to the servers.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57

QUESTION NO: 19

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003. Recovery Console is installed on each domain controller. The disk configuration for each domain controller is shown in the following table. MAIN is configured with both the system partition and the boot partition. Every Friday at 6:00 P.M., you run the Automated System Recovery (ASR) wizard in conjunction with removable storage media. Every night at midnight, you use third-party software to perform full backups of user profiles and user data on removable storage media. One Friday at 8:00 P.M., an administrator reports that the CA database on a domain controller named TESTKINGDC2 is corrupted. You need to restore the database as quickly as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Restart TESTKINGDC2 by using Directory Services Restore Mode.
B. Restart TESTKINGDC2 by using the installation CD-ROM.
C. Perform a nonauthoritative restoration of Active Directory.
D. Perform an authoritative restoration of Active Directory.
E. Use the ASR disk to restore the contents of the ASR backup file.

Answer: A, C

Explanation: Use a nonauthoritative or normal restore when you are restoring Active Directory on a network with multiple domain controllers. When Active Directory is restored to the domain controller, it is generally older than the directory information stored on other DCs in the domain. To ensure all domain controllers have identical copies of Active Directory, these other domain controllers replicate updated data to the restored server. The reason a nonauthoritative restore has its information updated from other domain controllers is because of the way updates to the directory are recorded.
When the System State data changes on a domain controller that participates in replication, an update sequence number is incremented to indicate a change has occurred. Because the System State data on other domain controllers has a lower update sequence, they know that they do not have the most up-to-date data. The System State data with the higher update sequence number is then replicated to other domain controllers so they have duplicate information. When a nonauthoritative restore is performed, the domain controller generally has older data restored to it. For example, a backup might have been performed several days ago, in which time a considerable number of changes could have been made on other domain controllers on the network. To ensure the domain controller being restored has the most

To restore the CA database, you must restart the server in Directory Services Restore Mode. This is similar to Safe Mode and will not start any Active Directory services.

Incorrect Answers:
B: You do not need to Restart TESTKINGDC2 using the CD-ROM because ASR will not be utilized.
D: You do not need an authoritative restore because Active Directory data will be updated during normal AD replication from other DCs.
E: An ASR disk would be obsolete since the server is operational.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server

QUESTION NO: 20

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. A member server named TestKingA runs Windows Server 2003. You need to use the Backup utility to back up all data on TestKingA three times per day. Files that are currently opened by applications must not be backed up. What should you do?

A. Run a differential backup.
B. Disable volume shadow copies.
C. Select the Exclude Files option.
D. Select the Compute selection information before backup and restore operations option.

Answer: B

Explanation:

The Backup program will back up any open files when volume shadow copies are enabled. It does this by temporarily 'freezing' the application running the file while it backs it up. While the file is 'frozen', any writes to the file are stored in a buffer, until the file is backed up and unfrozen. You can prevent open files from being backed up by disabling volume shadow copies. The Volume Shadow Copy Services allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up.

Disable volume shadow copy - When performing a backup, the Windows Server 2003 Backup utility by default creates a volume shadow copy, which is a duplicate of the volume at the time the copy process began. This enables the Backup utility to back up all selected files, including those that are currently open by users or the operating system. Because the Backup utility uses a volume shadow copy, it ensures that all selected data is backed up and any open files are not corrupted during the process. If this check box is checked, files that are open or in use are skipped when the backup is performed.

Incorrect Answers:
A: Differential Backup is a backup that copies files created or changed since the last normal or incremental backup. A differential backup does not mark files as having been backed up. (In other words, the archive attribute is not cleared.) If you are performing a combination of normal and differential backups, when you restore files and folders, you need the last normal backup as well as the last differential backup. A differential backup backs up open files if shadow copies are enabled.
C: You cannot select the Exclude files option at the time the backup runs because you do not know which files would be open.
D: When this option is selected, information about the size of the backup etc. is calculated. This does not prevent open files from being backed up.

References: http://www.seagate.com/support/kb/tape/4062.html
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826.

QUESTION NO: 21

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You create a shared folder named TestKing Docs on a member server named TestKing3. TestKing Docs will store project documents. You need to ensure that users can access previous versions of the documents in TestKing Docs. What should you do?

A. Modify the Offline Settings option for TestKing Docs to make all files available offline.
B. Configure shadow copies of the volume containing TestKing Docs.
C. Use Task Scheduler to create a job that uses the Copy command to copy all changed documents to another folder every day.
D. Use the Backup utility to schedule a backup of all changed documents every hour.

Answer: B

Explanation: Shadow Copies of Shared Folders: Shadow Copies of Shared Folders provides point-in-time copies of files that are located on shared resources such as a file server. With Shadow Copies of Shared Folders, you can view shared files and folders as they existed at a point of time in the past. Accessing previous versions of your files, or shadow copies, is useful because you can: recover files that were accidentally deleted, recover from accidentally overwriting a file, and compare versions of a file while working. By default, copies are scheduled to be taken at 7:00 A.M. and 12:00 noon, Monday through Friday. Restoring a previous version will delete the current version. If you choose to restore a previous version of a folder, the folder will be restored to its state at the date and time of the version you selected. You will lose any changes that you have made to files in the folder since that time. If you do not want to delete the current version of a file or folder, use Copy to copy the previous version to a different location.

Incorrect Answers:

A: Making files available Offline is irrelevant in this scenario.
C: schtasks.exe - You use schtasks.exe to set programs to run at scheduled intervals, delete or change existing scheduled tasks, and stop or run a scheduled task immediately. schtasks does not provide as much control over scheduled tasks as using the graphical interface.
D: Using the Backup Utility to make backups every hour of changed documents does not necessarily make these backups accessible to the users. It will first have to be restored. Making use of shadow copies is a better option.

References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 619-620.

QUESTION NO: 22

You are the network administrator for TestKing.com. All network servers run Windows Server 2003. A member server named TestKingSrv is configured to run shadow copies without a storage limit. TestKingSrv has the disk configuration shown in the following table. You need to create additional free space on TESTKINGDATA1. You also need to improve the performance of TestKingSrv and ensure it has sufficient space for shadow copies in the future. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Delete the shadow copies on TESTKINGDATA1.
B. Delete Backup.bkf on TESTKINGDATA3.
C. In the properties of TESTKINGDATA1, relocate the shadow copies to TESTKINGDATA2.
D. In the properties of TESTKINGDATA1, relocate the shadow copies to TESTKINGDATA3.
E. Delete TESTKINGDATA3 and extend the TESTKINGDATA1 partition to include the space on TESTKINGDATA3.

Answer: A, D

Explanation: The Volume Shadow Copy Services allows you to create a snapshot (an exact copy) of volumes on your SAN. Clients can then perform shadow copy restores on their own. In other words, clients can look at a list of shadow copies performed on their data and choose to restore their own data from a given snapshot. NTBackup also uses shadow copies to make sure that all open files are backed up. You can create additional free space on Testkingdata1 by configuring the Volume Shadow Service to store the shadow copies on another volume. You perform this by first deleting the existing shadow copies on Testkingdata1 by disabling Shadow Copies. The shadow copies then need to be relocated to Testkingdata3 when you re-enable Shadow Copies on Testkingdata1.

Incorrect Answers:
B: Backup.bkf is used by the ASR process to restore a damaged system. You should not delete this file.
C: For performance reasons, you should relocate the shadow copies to Testkingdata3, not Testkingdata2.
E: Deleting Testkingdata3 will result in a loss of data, this being the Backup.bkf file.

References: Dan Holme & Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 292
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 38, 826.

QUESTION NO: 23

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. All client computer accounts for the sales department are located in an organizational unit (OU) named Sales. A user named Tess, in the sales department, uses a client computer named TestKing1. Her computer is a member of the domain. However, Tess reports that she cannot log on to the domain. You verify that a computer account for TestKing1 exists in the Sales OU. Then you log on to TestKing1 as a local Administrator and use Event Viewer to view the contents of the event log, as shown in the exhibit.

You need to ensure that Tess can log on to the domain. What should you do?

A. Move the TestKing1 account to the Computers OU.
B. Reset the password for Tess's user account.
C. Reset the TestKing1 account.
D. Configure the properties for the TestKing1 account so TestKing1 is managed by Tess's user account.

Answer: C

Explanation: The secure channel's password is stored along with the computer account on all domain controllers. For Windows 2000 or Windows XP, the default computer account password change period is every 30 days. You thus need to reset the TestKing1 account.

Incorrect Answers:
A: If you are to move the TestKing1 account to the Computers OU then you might be shifting the account to another domain which will render Tess's attempts to log on to TestKing1 fruitless since Tess is a member of the same domain that TestKing1 is in currently. The problem is not moving the account, but rather a matter of resetting the account.
B: Resetting Tess's password is not the solution because it is the TestKing1 account that needs to be reset.
D: For this option to be viable you need to grant Tess administrator rights or the logon locally permission.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 198, 543

QUESTION NO: 24

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain contains a group named SalesAdmin. Members of the SalesAdmin group need the permission to add Group Policy links and create Group Policy objects (GPOs) for only the Sales organizational unit (OU). You need to configure the domain to provide the SalesAdmin group with the minimum permissions necessary to meet these requirements. What should you do?

A. Add the SalesAdmins group to the Group Policy Creator Owners group.
B. Configure the discretionary access control list (DACL) on all of the Group Policy links for the Sales OU to assign the SalesAdmins group the Allow - Apply Group Policy permission.
C. Run the Delegation of Control wizard on the domain to assign the SalesAdmin group the Manage Group Policy links task.
D. Run the Delegation of Control wizard on the Sales OU to assign the SalesAdmins group the Manage Group Policy links task.

Answer: D

Explanation: To specify which Group Policy objects are linked to a given site, domain, or OU, use the Group Policy tab in the Properties page for a site, domain, or OU. This property page stores the user's choices in two Active Directory properties called gPLink and gPOptions. The gPLink property contains the prioritized list of Group Policy objects, and the gPOptions property contains the Block Policy Inheritance setting. To manage GPO links to a site, domain, or OU, you must have Read and Write access to the gPLink and gPOptions properties. By default, Domain Administrators have this permission for domains and OUs. Enterprise Administrators and Domain Administrators of the forest root domain can manage links to sites. You can delegate rights to additional groups and users by using the Delegation Wizard and selecting the Manage Group Policy links predefined task.

Incorrect Answers:
A: The Creator Owner group permissions should be applied at the root of the volume. The Creator Owner group, e.g., is a special group that determines the access that a user has to files and folders he or she has created. By default, the Full Control special permissions assigned to this group automatically apply to every folder created on the volume. Thus the default permissions of being Creator Owner would grant the SalesAdmins group more permissions than necessary.

B: The DACL is the part of the security descriptor that grants or denies access to individuals or groups for the object. These permissions can be assigned by anyone with "change permissions" credentials. Hence, it is under the discretion of the owner to assign and objects to their own group. This type of permission will allow them to apply their work to all on the domain.
C: You should be running the Delegation of Control Wizard on the Sales OU and not on the domain.

Reference: Designing a Group Policy Infrastructure, Windows Resource Kits; Delegating Group Policy-Related Permissions on Sites, Domains, and OUs; Managing GPO links
Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Chapter 10, p. 601
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 432, 477, 830

QUESTION NO: 25

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. You install Terminal Services on all domain controllers. However, your technical support specialists report that they cannot use Terminal Services to access any domain controllers. Which action or actions should you perform to solve this problem? (Choose all that apply.)

A. Install Remote Desktop for Administration.
B. Require the support specialists to use a console session to connect to the terminal servers.
C. Add the Remote Administrators group to the Account Operators group.
D. Add the support specialists to the Remote Desktop group.
E. Modify the Default Domain Controller Group Policy object (GPO) to grant the Log on locally user right to the support specialists.

Answer: D, E

Explanation: The Remote Desktop group has the necessary permissions to connect to the servers using Terminal Services. Terminal Services is a built-in service that enables you to use the Remote Desktop Connection software to connect to a session that is running on a remote computer while you are sitting at another computer in a different location. This process is extremely useful for employees who want to work from home but need to access their computers at work. Terminal Server mode, deployed traditionally, allows multiple remote clients to simultaneously access Windows-based applications that run on the server. Remote Desktop for Administration is used to remotely manage Windows Server 2003 servers. We need to add the support specialists to the Remote Desktop group. As the servers are domain controllers, we must grant the Log on locally user right to the support specialists.

Incorrect Answers:
A: Remote Desktop for Administration is installed by default in Windows Server 2003. For security reasons it is disabled by default. It can be enabled through the System control panel. There is thus no need to install it.
B: They do not require a console session.
C: The Account Operators do not have permission to connect using Terminal Services.

Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapters 5 & 7

QUESTION NO: 26

You are the network administrator for TestKing.com. Your network consists of two Active Directory domains. Each department has its own organizational unit (OU) for departmental user accounts. Each OU has a separate Group Policy object (GPO). A single terminal server named TestKingTerm1 is reserved for remote users. In addition, several departments have their own terminal servers for departmental use. Your help desk reports that user sessions on TestKingTerm1 remain connected even if the sessions are inactive for days. Users in the accounting department report slow response times on their terminal server.

2 ;"3 2 You need to ensure that users o$ TestBingTerm< are automatically logged o$$ "hen their sessions are inacti/e $or more than t"o hours Your solution must not a$$ect users o$ any other terminal ser/ers !hat should you do% A. (or all Accounting users, change the session limit settings. 1. 'n Test@ingTerm1, use the Terminal $er%ices configuration tool to change the session limit settings. .. Modif the C5' lin/ed to the Accounting 'U b changing the session limit settings in user2le%el group polices. D. Modif the C5' lin/ed to the Accounting 'U b changing the session limit settings in computer2le%el group polices. )ns"er: + E3#lanation: You can limit the amount o$ time that acti/e* disconnected* and idle &"ithout client acti/ity( sessions remain on the ser/er 'on$iguring session limits is e$$ecti/e since sessions "hich run inde$initely on the ser/er ty#ically consume /aluable system resources !hen a session limit is reached $or acti/e or idle sessions* you can select to either disconnect the user $rom the session or end the session ) user "ho is disconnected $rom a session can later reconnect to the same session !hen a session ends* it is #ermanently deleted $rom the ser/er and any running a##lications are $orced to shut do"n This can result in a loss o$ data $or the client !hen a session limit is reached $or a disconnected session* the session ends This #ermanently deletes it $rom the ser/er The 6uestion states the following re6uirement9 8Iou need to ensure that users of Test@ingTerm1 are automaticall logged off when their sessions are inacti%e for more than two hours.8 Therefore, ou need to configure Test@ingTerm1 to change the session limit settings. Incorrect )ns"ers: ): Iou need to change the session limit setting for all users of Test@ingTerm1, and not onl for the Accounting users. ': Iou need to configure Test@ingTerm1 to change the session limit settings. D: Iou need to configure Test@ingTerm1 to change the session limit settings. 
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 700-703

QUESTION NO: 27
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You create a shared folder named Client Docs on a member server named TestKing13. Client Docs will store project documents. You configure shadow copies for the volume containing Client Docs. You need to enable client computers to access previous versions of the documents in Client Docs. What should you do?

A. Create a Group Policy object (GPO) to enable Offline Files on all client computers.
B. On each client computer, customize the view for Client Docs to use the Documents (for any file type) folder template.
C. Create a Group Policy object (GPO) that installs the Previous Versions client software on all client computers.
D. Assign the Allow - Full Control permission on Client Docs to all users.
E. On each client computer, install the Backup utility and schedule a daily backup.

Answer: C

Explanation: To enable users to access previous versions of the files, you must install the Previous Versions client software on all client computers. The easiest way to do this is to deploy the Previous Versions client software using a Group Policy Object.

Incorrect Answers:
A: Offline Files are irrelevant in this scenario.
B: This is not applicable either.
D: The users do not need Full Control access to the files. Having this permission will not enable users to access previous versions of the files.
E: The files do not need to be backed up on each client computer. The Shadow Copy service creates backups of previous versions of the files on the server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 29, 140

QUESTION NO: 28
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 domain controllers, Windows Server 2003 member servers, and Windows XP Professional computers. All company network administrators need to have the remote administrative tools available on any computer that they log on to. All network administrators are members of the domain Administrators group. The network administrator accounts are located in multiple organizational units (OUs). You need to ensure that the administrative tools are available to network administrators. You also need to ensure that the administrative tools are always installed on computers that have 100 MB or more free disk space. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. Create a Group Policy object (GPO) that will apply adminpak.msi at the domain level.
B. Create a Group Policy object (GPO) that will link adminpak.msi to the Domain Controllers OU.
C. Ensure that only the domain Administrators group is assigned the Allow - Read permission and the Allow - Apply Group Policy permission for the new Group Policy object (GPO).
D. Assign the domain Users group the Deny - Read permission and the Deny - Apply Group Policy permission for the new Group Policy object (GPO).
E. Create a WMI filter that queries the Win32_LogicalDisk object for more than 100 MB of free space.
F. Create a WMI filter that queries the Win32_LogicalDisk object for less than 100 MB of free space.

Answer: A, C, E

Explanation:
A: You can assign the administrative tools (contained in adminpak.msi) to the administrators using a group policy.
C: Ensuring that only the domain Administrators group is assigned the Allow - Read permission and the Allow - Apply Group Policy permission for the new Group Policy object (GPO) will ensure that only the domain administrators receive the administrative tools.
E: Creating a WMI filter that queries the Win32_LogicalDisk object for more than 100 MB of free space will ensure that the tools are only installed if there is more than 100MB of free disk space.

Incorrect Answers:
B: This would only install the tools on the domain controllers if a domain administrator logged in locally. The GPO needs to be assigned at domain level. Therefore, the tools are installed on any machine an administrator logs in to.
D: The domain admins are members of the domain users group. This would prevent the GPO applying to all users including the domain admins.
F: The software should be installed if there is more than 100MB of free disk space, not less than 100MB.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 401

QUESTION NO: 29
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain testking.com. All network servers run Windows Server 2003. A single server running Terminal Server is available to remote users. Your help desk staff is responsible for monitoring user activity on the terminal server. The staff is also responsible for sending messages to users about new programs and about modifications to the terminal server. A company developer writes a script that will log the relevant user information in a file and provide pop-up messages as needed. You need to ensure that the script runs every time a user logs on to the terminal server. What should you do?

A. Deploy a client connection object for remote users. Configure the client connection object to run the script.
B. On the terminal server, configure the RDP-Tcp properties with the name of the script. Override other settings.
C. In the Default Domain Group Policy object (GPO), select the Start a program on startup option and specify the name of the script.
D. On the terminal server, configure the RDP client properties with the name of the script.

Answer: B

Explanation: Locate the RDP-Tcp object. Double click the RDP-Tcp object and navigate to the Environment tab. Check the Override settings from user profile and Remote Desktop Connection on Terminal Services client box to enable the setting. Proceed to provide the path to the script in the Program path and file name box, for example: \\TeskingSrvC\scripts\popup.vbs

Incorrect Answers:
A: A connection object is created when a user connects to the terminal server. You cannot manually create this object.
C: This option is not related to Terminal Services. Performing this configuration would result in a program running on every computer when a user logs in.
D: You need to configure the server properties and not the RDP client properties.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 732

QUESTION NO: 30 SIMULATION
You are the network administrator for TestKing.com. The network contains Windows Server 2003 computers and Windows XP
Professional computers. You install Software Update Services on a server named TestKing3. You create a new Group Policy object (GPO) at the domain level. You need to properly configure the GPO so that all computers receive their updates from TestKing3. How should you configure the GPO? To answer, configure the appropriate option or options in the dialog box.

Answer: Select the Enabled radio button. Enter "http://TestKing3" in the Set the intranet update service for detecting updates box. Enter "http://TestKingA" in the Set the intranet statistics server box.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 780

QUESTION NO: 31
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You install Windows Server 2003 on a computer named Testking6. Testking6 is a member of a workgroup. You configure Testking6 as the Web server for TestKing's intranet Web site. TestKing's written security policy states the following requirements:

1. Smart cards are required to log on to all servers.
2. Membership to the Remote Desktop Users group should remain empty.
3. Users should not be able to log on through Terminal Server by using a blank password.
4. Third-party applications should not be installed on network servers.

When you attempt to log on to Testking6 by using your smart card, you receive an error message. You verify that your user account is a member of the Domain Admins global group in your domain. You need to be able to log on to Testking6 by using your smart card. What should you do?

A. Join Testking6 to the domain.
B. In Computer Management, add your user account to the Administrators local group.
C. Restart Testking6 in safe mode. From a command prompt, run the runas.exe /smartcard command.
D. In the local security policy, assign your user account the Allow log on locally user right.

Answer: A

Explanation: Smart cards are small credit-card-sized cards that usually store encryption keys, public key certificates, and other types of account information. The card is inserted into a card reader attached to the computer, which reads the information stored on the card. Typically, a password or Personal Identification Number (PIN) is required to release the account information for authentication within a network. This means that, in order to authenticate, a user must both have physical possession of the card and have knowledge of the PIN. This is commonly used with EAP-TLS authentication. What should also be kept in mind is that, for you to be able to log on to Testking6 using the smart card, Testking6 should also be joined to the domain.

Incorrect Answers:
B: Adding your user account to the Administrators local group will not work when you want to make use of smart cards to log on to Testking6. Since your user account is already a member of the Domain Admins global group, you need to join Testking6 to the domain.
C: Restarting Testking6 and running the runas.exe /smartcard command is not enough; Testking6 has to be part of the domain as well.
D: Allow logging on locally will make the use of smart cards obsolete and the question states pertinently that you want to log on by means of the smart card so as to comply with company policy.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 637-638

QUESTION NO: 32
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP
Professional. You install Terminal Server on three member servers named TestKing1, TestKing2, and TestKing3. You add a domain group named HR to the Remote Desktop Users group on all three terminal servers. One week later, you discover that files on TestKing1 and TestKing2 were deleted by a user named Tess, who is a member of the HR group. You need to prevent Tess from connecting to any of the terminal servers. What should you do?

A. On all three terminal servers, modify the permissions to assign the Deny - Users Access and the Deny - Guest Access permissions to the HR group.
B. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Allow - Guest Access permission to Tess's user account.
C. In the properties of Tess's user account, disable the Allow logon to a terminal server option.
D. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Deny - User Access and the Deny - Guest Access permissions to the Remote Desktop Users group.
E. In the properties of Tess's user account, enable the End session option.

Answer: C

Explanation: Since Tess is a member of the HR group that is a member of the Remote Desktop Users group on the member servers it grants her permission to log on to the member servers. You can deny this permission by disabling the Allow logon to a terminal server option on the Terminal Services Profile tab in the properties of her user account. This setting will override the permissions given to her by way of group membership.

Incorrect Answers:
A: The Deny - Users access permission will deny all the users access to the terminal servers.
B: Allowing Guest - access will still enable her to connect to the terminal servers. You need to prevent Tess from connecting to the terminal servers.
D: Performing this configuration will prevent everybody from connecting to the terminal servers.
E: The End Session option will only limit the time that Tess is able to connect to the servers. It will not prevent her from connecting to the servers.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 732

QUESTION NO: 33
You are the administrator of the TestKing.com company network. The network consists of a single Active Directory domain named testking.com. The network includes 35 servers running Windows Server 2003 and 3000 client computers running Windows XP Professional. Several company departments have their own servers running Terminal Services for departmental use. Another terminal server named TestKingTerm1 is reserved for remote users. You discover that user sessions on TestKingTerm1 remain connected even if the sessions are inactive for days. Users in the Finance department report slow response times on their terminal server. You need to ensure that users of TestKingTerm1 are automatically logged off when their sessions are inactive for more than two hours. Your solution must not affect users of any other terminal servers. What should you do?

A. For all Finance users, change the session limit settings.
B. On TestKingTerm1, use the Terminal Services configuration tool to change the session limit settings.
C. Create a GPO linked to the Finance OU and set the session limit settings in user-level group policies.
D. Create a GPO linked to the Finance OU and set the session limit settings in computer-level group policies.

Answer: B

Explanation: The question states that you need to ensure that users of TestKingTerm1 are automatically logged off when their sessions are inactive for more than two hours. Therefore, you need to configure TestKingTerm1 by changing the session limit settings.

You can limit the amount of time that active, disconnected, and idle (without client activity) sessions remain on the server. This is effective since sessions which remain running indefinitely on the server typically consume valuable system resources. When a session limit is reached for active or idle sessions, you can select to either disconnect the user from the session or end the session. A user who is disconnected from a session can reconnect to the same session later.
When a session ends, it is permanently deleted from the server, and any running applications are forced to shut down. This can result in data loss at the client. When a session limit is reached for a disconnected session, the session ends. This permanently deletes it from the server. Sessions can also be allowed to continue indefinitely.

Incorrect Answers:
A: You need to change the session limit for all users of TestKingTerm1, not only for the Finance users.
C: You need to configure TestKingTerm1 to change the session limit settings.
D: You need to configure TestKingTerm1 to change the session limit settings.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 665

QUESTION NO: 34
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all are members of the domain. All client computers run Windows XP Professional. Five Web servers host the content for the internal network. Each one runs IIS and has Remote Desktop connections enabled. Web developers are frequently required to update content on the Web servers. You need to ensure that the Web developers can use Remote Desktop Connections to transfer Web documents from their client computers to the five Web servers. What should you do?

A. Install the Terminal Server option on all five Web servers. Use Terminal Services Configuration Manager to modify the session directory setting.
B. Install the Terminal Server option on all five Web servers. Use Terminal Services Configuration Manager to create a new Microsoft RDP 5.2 connection.
C. On each Web developer's client computer, select the Disk Drives check box in the properties of Remote Desktop Connection.
D. On each Web developer's client computer, select the Allow users to connect remotely to this computer check box in the System Properties dialog box.

Answer: C

Explanation: When this option is enabled, you can open My Computer on the remote server, and view the disk drives from the client computer listed alongside the disk drives from the server. Also a connection to a Web Client Network is attempted only when the first two providers fail to respond.

Incorrect Answers:
A: Using the Terminal Services Configuration Manager to modify the session directory setting will not work.
B: Terminal Services provides remote control capabilities but using the Terminal Services Configuration Manager to create a new RDP connection will not work. There is already a connection.
D: To select the Allow users to connect remotely to this computer check box in the System Properties dialog box will not ensure that Web developers will be able to make use of Remote Desktop Connections to transfer Web documents from their client computers to the five Web servers.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, p. 8:3
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 36, 574, 583

QUESTION NO: 35
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. XML Web services for the internal network run on a member server named TestKingSrv1, which is configured with default settings. You are a member of the local Administrators group on TestKingSrv1. You need the ability to remotely manage TestKingSrv1. You have no budget to purchase any additional licensing for your network until the next fiscal year. How should you reconfigure TestKingSrv1?

A. In the System Properties dialog box, enable Remote Desktop.
B. Add your user account to the Remote Desktop Users local group.
C. In the System Properties dialog box, enable Remote Assistance.
D. Install Terminal Services by using Add or Remove Programs.

Answer: A

Explanation: To enable users to connect remotely to the server for Remote Desktop for Administration purposes, you must have the appropriate permissions. By default, members of the Administrator group can connect remotely to the server. But Remote Desktop Users group population does not happen by default. You must decide which users and groups should have permission to log on remotely, and then manually add them to the group. To enable or disable remote connections: Open the System Properties dialog box in Control Panel. On the Remote tab, select or clear the Allow users to connect remotely to your computer check box. Click OK.

Incorrect Answers:
B: Adding your user account to the Remote Desktop Users local group does not give you administrative rights, which are needed to reconfigure the server, TestKingSrv1.
C: Remote Desktop should be enabled, not Remote Assistance.
D: Installing Terminal Services is not the way to remotely manage TestKingSrv1.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, pp. 472-47
70-291), Chapter 5

QUESTION NO: 36
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. The network includes a member server named TestKingSrvB. You need to create a shared folder on TestKingSrvB to store project documents. You must fulfil the following requirements:

1. Users must be able to access previous versions of the documents in the shared folder.
2. Copies of the documents must be retained every hour during business hours.
3. A history of the last 10 versions of each document must be maintained.
4. Documents that are not contained in the shared folder must not be retained.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create the shared folder in the root of the system disk on TestKingSrvB.
B. Create a new volume on TestKingSrvB. Create the shared folder on the new volume.
C. Enable the Offline Files option to make the shared folder available offline.
D. Enable the Offline Files option to make the shared folder automatically available offline.
E. Use Disk Management to configure shadow copies of the volume that contains the shared folder.

Answer: B, E

Explanation: To be able to save previous versions of files, you need to enable Shadow Copies. Whenever changes to a file are saved, a copy of the previous version of the file is automatically saved. The shared folder must be on a new volume on the member server, Server1. After you enable shadow copies on the server and install the shadow copy client software on the desktop computer, end users can right-click on a file and view previous versions that were backed up via shadow copies. They can then keep the current version of the file or roll back to an early version.

Incorrect Options:
A: We should avoid using the system disk to configure Shadow Copies for better performance and to not waste disk space. We should create a new volume and configure the shared folder in that volume for project documents.
C: We need to enable Shadow Copies, not offline files. Offline files is a feature in Windows Server 2003, Windows XP, and Windows 2000 that allows users to continue to work with network files and programs even when they are not connected to the network. When a network connection is restored or when users dock their mobile computers, any changes that were made while users were working offline are updated to the network. When more than one user on the network has made changes to the same file, users are given the option of saving their specific version of the file to the network, keeping the other version, or saving both.
D: We need to enable Shadow Copies, not offline files.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 29
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows® Server

QUESTION NO: 37
You are the network administrator for TestKing.com. The network originally consists of a single Windows NT 4.0 domain. You upgrade the domain to a single Active Directory domain named testking.com. All network servers now run Windows Server 2003, and all client computers run Windows XP Professional. Your staff provides technical support to the network. They frequently establish Remote Desktop connections with a domain controller named DC1. You hire 25 new support specialists for your staff. You use Csvde.exe to create Active Directory user accounts for all 25. A new support specialist named King reports that he cannot establish a Remote Desktop connection with DC1. He receives the message shown in the Logon Message exhibit:

You open Gpedit.msc on DC1. You see the display shown in the Security Policy exhibit:

You need to ensure that King can establish Remote Desktop connections with DC1. What should you do?

A. Direct King to establish a VPN connection with DC1 before he starts Remote Desktop Connection.
B. Direct King to set a password for his user account before he starts Remote Desktop Connection.
C. In the local security policy of DC1, disable the Require strong (Windows 2000 or later) session key setting.
D. In the local security policy of DC1, enable the Disable machine account password changes setting.

Answer: B

Explanation: The exhibit indicates that logons by accounts with blank passwords are limited to console logons only. This is the default setting. The error message indicates this being the reason that King is unable to connect with a Remote Desktop connection. You solve this problem by instructing King to set a password for his user account before he starts a Remote Desktop Connection.

Incorrect Answers:
A: One does not have to create a VPN connection before starting a Remote Desktop Connection.
C: This will not solve the problem because the client computer is running Windows XP Professional which can use a strong session key.
D: This is unrelated to Remote Desktop connections.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 57

QUESTION NO: 38
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 20 Windows Server 2003 computers and 400 Windows XP Professional computers. Software Update Services (SUS) is installed on a server named Testking2. The network security administrator wants you to ensure that the administrative password is not compromised when an administrator connects to Testking2's SUSAdmin Web site remotely by using HTTP. You want only SSL to be used to connect to the SUSAdmin Web site. The network security administrator creates a digital certificate and enables communication for SSL on port 443 of Testking2. However, administrators are still able to connect to the SUSAdmin Web site by using HTTP. You need to ensure that communication to the SUSAdmin Web site is always secure. What should you do?

A. Disable port 80 on the SUSAdmin Web site.
B. Require 128-Bit SSL on all directories related to the SUSAdmin Web site.
C. Change the default Web site to require 128-Bit SSL.
D. Enable IPSec on Testking2 with the Request Security IPsec template.

Answer: C

Explanation: SSL works by using a combination of public and private keys. The Session or Encryption key that is used to encrypt communication with the server and the client is created according to the security certificate. The strength of the encryption applied is measured by the length of the encryption key, or in bits. The encryption strength selected would depend on the sensitivity or importance of the data. Encryption strength can be 40-Bits or 128-Bits. Requiring 128-Bit SSL on all directories related to the SUSAdmin Web site would ensure that communication to the SUSAdmin Web site is always secure. Web page encryption is implemented using the Secure Sockets Layer (SSL) protocol. This protocol uses TCP port 443. If administrators can still connect to SUSAdmin through HTTP, then you should change the setting of the default website to require 128-Bit SSL if you want only SSL to be used to connect to SUSAdmin.

Incorrect Answers:
A: Disabling port 80 will not mean that the SUSAdmin site will stay secure. TCP port 80 handles World Wide Web (WWW) service.
B: Requiring 128-bit SSL on all directories related to the SUSAdmin would be overkill in this situation as all you need to do is to change the default Web site to require 128-bit SSL.
D: Enabling IPSec in this situation would be irrelevant.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 968
Tony Northrup & Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft Windows Server 2003 Network, Chapter 11 - Deploying, Configuring, and Managing SSL Certificates

QUESTION NO: 39
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Servers run either Windows 2000 Server or Windows Server 2003. Client computers run either Windows 2000 Professional Service Pack 2 or Windows XP Professional.

You need to implement a new software update infrastructure. You discover that security patches, critical updates, and service packs have never been installed on any client computer on the network. You install Software Update Services (SUS) on a Windows Server 2003 computer named Testking5. You must ensure that all client computers receive all Microsoft security patches, critical updates, and service packs. You want to achieve this goal as quickly as possible. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. Install the Automatic Updates client on all Windows 2000 Professional client computers.
B. Install the Automatic Updates client on all Windows XP Professional client computers.
C. Install SUS on a Windows 2000 Server computer.
D. Modify the Windows Update settings of the Default Domain Controller organizational unit (OU) Group Policy object (GPO) to point client computers to http://testking5.
E. Modify the Windows Update settings of the Default Domain Policy Group Policy object (GPO) to point client computers to http://testking5.
F. Upgrade all Windows 2000 Professional client computers to Windows XP Professional.

Answer: A, B, E

Explanation: The Automatic Updates client software is necessary for some Windows 2000 and Windows XP machines to use Microsoft Software Update Services (SUS). You only need to install Automatic Updates on computers running Windows 2000 with SP2 or earlier, or Windows XP without SP1. Automatic Updates is a Windows feature that notifies you when critical updates are available for your computer. This feature replaces Critical Update Notification if it is already installed. Critical Update Notification will therefore no longer offer critical updates. Download and install to receive notifications of critical Windows updates. To ensure updates on all the computers it has to be installed on both the Windows 2000 Professional clients as well as the Windows XP Professional clients. To minimize the administrative effort and time this task can take, all you need to do is to modify the appropriate GPO that will point all the client computers to the Server that has the SUS installed.

A Group Policy Object (GPO) is a collection of policies stored in two locations: a Group Policy container (GPC) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects).

Incorrect Answers:
C: You already have SUS installed on Windows 2003.
D: You want all client computers to have the updates, and not only the domain controllers. Thus this option will not suffice.
F: There is no need to upgrade the Windows 2000 machines. The Automatic Updates client will be sufficient.
Reference: 70-291), Chapter

QUESTION NO: 40 HOTSPOT
You are the network administrator for TestKing.com. The network contains Windows Server 2003 computers and Windows XP
#ro$essional com#uters You are con$iguring )utomatic U#dates on the ser/ers The "ritten com#any net"or0 security #olicy states that all u#dates must be re/ie"ed and a##ro/ed be$ore they are installed )ll u#dates are recei/ed $rom the ?icroso$t !indo"s U#date ser/ers 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;2- 2 You "ant to automate the u#dates as much as #ossible !hat should you do% To ans"er* con$igure the a##ro#riate o#tion or o#tions in the dialog bo3 )ns"er: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;2F 2 E3#lanation: 'hec0 the Bee# my com#uter u# to date chec0bo3 Select the Do"nload the u#dates automatically and noti$y me "hen they are ready to be installed radio button The updates will be automaticall downloaded, but ou will be able to re%iew the updates before the are installed. 4eading the wa in &T testing and certification tools, www.test/ing.com

2 ;2; 2 De$erence: Deborah 4ittle)ohn $hinder, Dr. Thomas !. $hinder, .had Todd L 4aura Aunter, &mplementing, Managing, and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure Cuide L D?D Training $ stem, pp. >">2>1" QUESTION NO: 4< You are the net"or0 administrator $or TestBing com The net"or0 consists o$ a single )cti/e directory domain named test0ing com The domain contains 2= !indo"s Ser/er 2==, com#uters and 5*=== !indo"s @. .ro$essional com#uters )ll client com#uter accounts are in the 'lients organi1ational unit &OU( The client com#uters do not ha/e any ser/ice #ac0s installed You install and con$igure So$t"are U#date Ser/ices &SUS( on a ser/er named TestBing4 )ll client com#uters must do"nload security u#dates $rom TestBing4 You need to #re#are the client com#uters so they can connect to TestBing4 to do"nload !indo"s security u#dates !hat should you do% A. .reate a logon script that connects to the !indows Update .atalog !eb site, scans for a%ailable securit updates, and downloads securit updates to the client computes, 1. &nstall the Automatic Updates client on all client computers. .onfigure the client computers to use Automatic Updates to connect to Test@ing-. .. .reate a new Croup 5olic ob)ect *C5'+ and lin/ it to the clients 'U. .onfigure the C5' to create a software pac/age that assigns securit updates from Test@ing- to the client computers. D. Add http9HHTest@ing- as the %alue for !U$tatus$er%er registr entries on all client computers. )ns"er: + E3#lanation: ) local administrator can use the )utomatic U#dates a##let in the 'ontrol .anel to con$igure )utomatic U#date or to modi$y the settings I$ -rou# .olicy has been con$igured $or )utomatic U#dates* it "ill o/erride the local settings 4eading the wa in &T testing and certification tools, www.test/ing.com 2 ;2G 2 !ith Automatic Updates installed and configured on the client computers, securit updates can be automaticall downloaded from Test@ing-. 
Once the client computers are configured, Windows Server 2003 will automatically search for any Windows security updates for your client computers from the Windows Update website and download these via Background Intelligent Transfer Services (BITS).
Incorrect Answers:
A: To prepare the client computers to be able to receive updates you need to install the Automatic Updates client on them and not create log on scripts as if the client computers have already been installed.
C: Linking GPOs to the clients as described in this option is not preparing them to receive updates from Testking4.
D: UseWUServer - Set this to 1 to enable Automatic Updates to use the server running Software Update Services as specified in WUServer and sets the s Sets the SUS server as well as the SUS statistics server by HTTP name thus this option will not work.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE: Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Study Guide and DVD Training System, p. 81

QUESTION NO: 42
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. A user named King is responsible for managing groups in the domain. In Active Directory, you delegate the permissions to create, delete, and manage groups to him. When King tries to log on to a domain controller, he receives the error message shown in the exhibit. You need to ensure that King can immediately manage groups. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Modify the default security policy for each domain controller. Refresh the policy by using Secedit.exe.
B. Modify the default security policy for the domain. Refresh the policy by using Gpupdate.exe.
C. Modify the default security policy for the Domain Controllers organizational unit (OU). Refresh the policy by using Secedit.exe.
D. Modify the default security policy for the Domain Controllers organizational unit (OU). Refresh the policy by using Gpupdate.exe.
E. Install the Windows Server 2003 administrative tools on King's computer. Instruct him to run Dsa.msc from his computer.
F. Share Dsa.msc from a computer running Windows Server 2003. Instruct King to run Dsa.msc from his computer.
Answer: D, E
Explanation: By default, normal users cannot log on to a domain controller. You need to assign this right to King's account if you want him to be able to manage accounts from his computer. To apply the new policy immediately, you need to refresh the policy. The Secedit.exe tool used to refresh policies has since changed from Windows 2000 server to Windows Server 2000. The new tool, Gpupdate.exe, is used in Windows 2003.
Incorrect Answers:
A: Using a group policy is a quicker method of applying a setting to all the domain controllers.
B: King needs to log on to the domain controllers only, so you should apply the policy to the domain controllers OU.
C: Secedit.exe is no longer used in Windows 2003. It has been replaced by gpupdate.exe and is used to enforce an update to the group policy without having to log off.
F: You cannot share a single file. You can only share folders containing files.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 797

QUESTION NO: 43
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The domain contains 25 Windows server 2003 computers and 5,000 Windows 2000 Professional computers. You install and configure Software Update Services (SUS) on a server named TestKingSrv. All client computer accounts are in the Clients organizational unit (OU). You create a Group Policy object (GPO) named SUSupdates and link it to the Clients OU. You configure the SUSupdates GPO so that client computers obtain security updates from TestKingSrv. Three days later, you examine the Windowsupdate.log file on several client computers and discover that they have downloaded Windows security updates from only windowsupdate.microsoft.com. You need to configure all client computers to download Windows security updates from TestKingSrv. What should you do?
A. Open the SUSupdates GPO and configure the Configure Automatic Update policy to assign the Auto download and notify for install setting for Windows security updates.
B. Open the SUSupdates GPO and configure the Configure Automatic Update policy to assign the Auto download and schedule the install setting for Windows security updates.
C. Create software distribution policy for the SUSupdates GPO that assigns the package WUAU22.msi to all client computers. Restart all client computers.
D. On all client computers, configure the UseWUServer registry value to enable Automatic Updates to use TestKingSrv.
Answer: C
Explanation: The Windows 2000 clients aren't able to use the GPO setting that configures which server they should receive their updates from. This is because they have an early version of the windows update client software. The version of the windows update client software that comes with Windows 2000 Pre-SP3 can only download updates from the Microsoft Windows Update servers. Therefore the answer is to install the latest version of the windows update client software on the client computers. This is the WUAU22.msi package. We can use a GPO to deploy the software. The SUSupdates GPO settings will then be applied and the clients will then receive their updates from TestKingSrv.
Incorrect Answers:
A: This won't affect which server the clients download the updates from. The problem is that the settings in the GPO won't apply to the Windows 2000 clients because they have an early version of the windows update client software.
B: This won't affect which server the clients download the updates from. The problem is that the settings in the GPO won't apply to the Windows 2000 clients because they have an early version of the windows update client software.

D: It would be impractical to configure the registry settings on 5000 computers.

QUESTION NO: 44
You are the network administrator for the Weimar office of TestKing.com. The company network consists of the single Active directory domain testking.com. The Weimar office contains 19 file servers that contain confidential files. All the file servers run either Windows Server 2003 or Windows 2000 Server. All the file servers are in the WeimarFilePrint organizational unit (OU). The company's security department sets a rule that specifies the size and retention setting for the Security event log of all the file servers. The rule also specifies that local administrators on servers cannot override the changes you make to the settings for the Security event log. You need to define a method to modify the security event log settings on each file server in the Weimar office in order to meet the stated requirements. What should you do?
A. Modify the local security policy on each file server. Define the size and retention settings for the Security event log.
B. Create a security template on one of the file servers by using the security configuration and Analysis tool. Define the size and retention setting for the security event log in the template. Import the security template into the local security policy of the other 18 file servers.
C. Create a new Group Policy object (GPO) and link it to the WeimarFilePrint OU. In the GPO, define the size and retention settings for the security event log.
D. Use Event Viewer to modify the event log properties on each file server. Define the size and retention settings for the Security event log.
Answer: C
Explanation: You can manage policies that are stored in Active Directory from which they can be applied to any computer or group of computers in the domain. Because all file servers are in the WeimarFilePrint OU, use the Active Directory Users And Computers console to create a new GPO and in it, define the size and retention settings for the security event log. The GPO then needs to be linked to the WeimarFilePrint OU.
The servers are in OU WeimarFilePrint. Setting will apply to Windows 2000 Servers and Windows Servers 2003. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings.
Incorrect Answers:
A: You must use a new Group Policy Object linked to the WeimarFilePrint OU and not the local security settings on the file servers to meet the requirements.
B: Defining size and retention settings is not done in this template.
D: Making use of Event Viewer to modify event logs will not meet the stated requirements of the Weimar office. Event Viewer can be used to view events once logging has been enabled using the Event Logging tab from the DNS server's Properties window.
Reference: 70-291 Chapter 3 Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Chapter 10

QUESTION NO: 45
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The domain contains two domain controllers named Testking1 and Testking2. You use a Windows XP Professional client computer named Client1. In Active Directory, the domain administrator creates two new user accounts named NetAdmin1 and AdminUser1. The NetAdmin1 account is a member of the Domain Admins global group. The AdminUser1 account is a member of only the Users local group. You assign the AdminUser1 logon account the Allow log on locally user right in the Default Domain Controller Group Policy object (GPO). A new written security policy states that user accounts that are members of the Domain Admins global group should not be used to log on to the console of a domain controller. It also states that administrative tasks should be performed by using the Secondary Logon service. You now need to create a new computer account in Active Directory, and you must comply with the new TestKing security policy. What should you do?
A. Log on to Testking1 by using the AdminUser1 user account. Run the dsa.msc command.

B. Log on to Testking1 by using the NetAdmin1 user account. Run the dsa.msc command.
C. Log on to Client1 by using the AdminUser1 user account. Run the runas /user:netadmin1 dsa.msc command.
D. Log on to Client1 by using the NetAdmin1 user account. Run the runas /user:adminuser1 dsa.msc command.
Answer: C
Explanation: To create a new computer account in Active Directory, we need to run Active Directory Users and Computers (dsa.msc) using the credentials of a domain admin account. We can do this by logging into the client computer using the adminuser1 account (which has just 'user' rights) and running the 'runas' command to open dsa.msc using the credentials of a domain admin account.
Incorrect answers:
A: This would open Active Directory Users and Computers using the credentials of the user account. To create a new computer account in Active Directory, we need to open Active Directory Users and Computers as a domain admin.
B: The question states: "A new written security policy states that user accounts that are members of the Domain Admins global group should not be used to log on to the console of a domain controller". Therefore, this answer is incorrect.
D: This answer suggests logging in as the domain admin and running Active Directory Users and Computers using the credentials of the 'user' account. We need to be logging in as the user and running Active Directory Users and Computers as a domain admin.

QUESTION NO: 46
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows 2000 Professional with Service Pack 4 or Windows XP Professional. You install Software Update Services (SUS) on a computer named TestKing1. You create a GPO that configures all client computers to receive their software update from TestKing1. One week later, you run Microsoft Baseline Security Analyzer (MBSA) on all client computers to find out whether all updates are being applied. You discover that all of the Windows 2000 Professional client computers receive updates, but the Windows XP Professional client computers do not receive updates. You verify that the GPO setting was applied on all Windows XP Professional computers. You need to ensure that the Windows XP Professional client computers receive their updates from TestKing1. What should you do?
A. Make all users of the Windows XP Professional client computers members of the Administrators local group.
B. On all Windows XP Professional client computers, install Service Pack 1.
C. On all Windows XP Professional client computers, restart Automatic Updates.
D. On all Windows XP Professional client computers, delete the NoAutoUpdate value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU.
Answer: B
Explanation: To receive automatic updates from a local SUS server, the client computers need the updated automatic updates client software installed. This software doesn't come with the original version of Windows XP, but it is installed as part of Windows XP service pack 1.
Incorrect Answers:
A: It is not necessary to make all users of the Windows XP Professional client computers members of the Administrators local group. The automatic updates software runs under the security context of the local system account (the local system account has administrator rights).
C: The problem is that the updated automatic updates client software is not installed on the Windows XP clients. Therefore, restarting Automatic Updates is not the correct solution.
D: The problem is that the updated automatic updates client software is not installed on the Windows XP clients. Therefore deleting a registry key is not the correct solution.

QUESTION NO: 47 HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All 500 client computers run Windows XP Professional.

TestKing.com is involved in projects throughout the world and often has approximately 150 projects in progress. You want to ensure that the user accounts of employees who are active in each project can easily be found in Active Directory. You hire a part-time employee named Marie. Her role will be to update the user account properties in Active Directory. You need to ensure that Marie has only permissions necessary for performing her required tasks. You create a new user account for Marie, and you run the Delegation of Administration wizard for the domain. What should you do next? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Select "Delegate the following common tasks". Check the "Modify the membership of a group" checkbox.

QUESTION NO: 48
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network contains a Web server that runs IIS 6.0 and hosts a secure intranet site. All users are required to connect to the intranet site by authenticating and using HTTPS. However, because an automated Web application must connect to the Web site by using HTTP, you cannot configure the intranet site to require HTTPS. You need to collect information about which users are connecting to the Web site by using HTTPS. What should you do?
A. Check the application log on the Web server.
B. Use Network Monitor to capture network traffic on the Web server.
C. Review the log files created by IIS on the Web server.
D. Configure a performance log to capture all Web service counters. Review the performance log data.
Answer: C
Explanation: We can review the log files created by IIS on the Web server to view connection data.

QUESTION NO: 49 SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. TestKing.com has 16 sales representatives, who are mobile users. All 16 mobile users are members of the Power Users local group on their computers. From 5:00 P.M. until 9:00 A.M., the sales representatives' portable computers are usually turned off and disconnected from the corporate network. TestKing.com's written security policy states that all portable computers that are used by the mobile sales representatives must receive software updates from the Windows Update servers every day. User interaction with the update process must be minimized. On a portable computer named TestKing2, you verify the recent updates and notice that updates from the Windows Update servers were not applied. You need to ensure that software updates are applied to TestKing2 in compliance with the company policy. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer: Select the "Keep my computer up to date. When this setting enabled windows update software may be automatically updated prior to applying any other updates" checkbox. Then select "Automatically download the updates and install them on the schedule that I specify". The time should be specified every day between 9am and 5pm.

QUESTION NO: 50
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. TestKing.com purchases a host-connectivity gateway application developed by an independent software vendor. You need to install the application on a Windows Server 2003 computer named TestKing2. A support technician named Marie is assigned to install the application. Marie's user account is not a member of the Administrator's group on TestKing2. The installation fails and displays an error message stating the user account used for installing the application needs to be a member of the local Administrators group. Your user account is a member of the Domain Admins group. You want to enable Marie to install applications, but you do not want her to be able to make other changes on TestKing2. What should you do?
A. Log on locally on TestKing2 as the local administrator. On TestKing2, in Control Panel, start Add or Remove Programs. Instruct Marie to install the application.
B. Use the Run as option to start the Add or Remove Programs Control Panel item on TestKing2. Provide the credentials of the local Administrator account. Instruct Marie to install the application.
C. Make Marie's user account a member of the local Administrators group on TestKing2. Instruct her to log on locally by using her user account and to install the application.
D. Instruct Marie to log on locally and to send a Remote Assistance request to you. Accept the request, and take remote control of the session. On TestKing2, in Control Panel, start Add or Remove Programs. Instruct Marie to install the application.
Answer: B
Explanation: We can use the "run as" command to open an application using the security context of a different user account. For example, you can log in to a computer using a standard 'user' account and use the "run as" command to run an application as an administrator. In this question, Marie is logged in using a standard user account. You can use the "run as" command and enter your administrator username and password to open the Add or Remove Programs Control Panel using the security context of your administrator account. This will enable Marie to install the software but not make any other changes to the computer.
Incorrect Answers:
A: This solution suggests logging in to the computer using your administrator account. This would enable Marie to make changes to the system.
C: Making Marie a member of the local Administrators group on TestKing2 would enable Marie to make changes to the system.
D: If you run Add or Remove Programs over a remote assistance session, you'll be running Add or Remove Programs as the locally logged in user, ie. Marie. Therefore, you will not have the necessary permissions to install the application.

QUESTION NO: 51
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 35 2,000 Windows 2000 Professional computers. You install and configure Software Update Services (SUS) on a server named TestKing3. You need to scan all computers in the domain to find out whether they have received all approved updates that are located on the SUS server. What should you do?
A. On a server, install and run the mbsacli.exe command with the appropriate configuration switches.
B. On a server that runs IIS, install and configure urlscan.exe.
C. Edit and configure the Default Domain Policy to enable the Configure Automatic Updates policy.
D. From a command prompt on TestKing3, run the netsh.exe command to scan all computers in the domain.
Answer: A
By default, a security update scan executed from the MBSA GUI or from mbsacli.exe (MBSA-style scan) will scan and report missing updates marked as critical security updates in Windows Update (WU), also referred to as "baseline" critical security updates. When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related security updates will be scanned and reported on. A user running an HFNetChk-style scan would have to use the -b option to scan only for WU critical security updates. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.

Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HTBaseAna

QUESTION NO: 52
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You are required to accommodate for five new support engineers. The five support engineers will have the following responsibilities:
1. Stop and start printers, clear print jobs from the printer queues, and set permissions on printers
2. Back up and restore all files on the servers
3. Make changes to TCP/IP settings
4. Create and delete shared resources
You need to assign the support engineers the appropriate permissions to perform the required tasks on the 20 member servers. Of which group should you make the Support Engineers group a member?
A. The Administrators local group on one of the domain controllers.
B. The Administrators local group on each of the servers.
C. The Server Operators local group on one of the domain controllers.
D. The Power Users local group on each of the servers.
E. The Backup Operators local group on one of the domain controllers.
F. The Backup Operators local group on each of the servers.
Answer: B
Explanation: To perform the tasks listed in the question, the users will need Administrator permissions. We should make the users members of the local Administrators group on each of the servers so that they can admin the servers but not other machines in the domain.
Incorrect Answers:
A: We should make the users members of the local Administrators group on each of the servers so that they can admin the servers but not other machines in the domain.
C: To perform the tasks listed in the question, the users will need Administrator permissions.
D: To perform the tasks listed in the question, the users will need Administrator permissions.
E: To perform the tasks listed in the question, the users will need Administrator permissions.
F: To perform the tasks listed in the question, the users will need Administrator permissions.

QUESTION NO: 53 HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You install Software Update Services (SUS) on a Windows Server 2003 computer named TestKing6. You want all client computers on the network to use TestKing6 to receive their software updates. You decide to modify the Default Domain Policy GPO to set TestKing6 as the SUS server for all computers in the domain. When you open the Default Domain Policy GPO, you notice that there are no settings for Windows Update. You realize that you need to load an administrative template into the Group Policy Object Editor. Which template should you load? To answer, select the appropriate template in the dialog box.
Answer:
Explanation: wuau.adm
The WUAU.adm file holds Windows Update settings for Windows 2000 and Windows Server 2003 clients. It describes the new policy settings for the Automatic Updates client, and is automatically installed into the %windir%\inf folder when installing Automatic Updates. You should Load WUAU.adm as an administrative template in the Group Policy Object Editor.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 9, p. 36

QUESTION NO: 54
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The domain contains two OUs named Clients and Servers. All computer accounts for the client computers are located in the Clients OU. All computer accounts for member servers are located in the Servers OU. TestKing.com's written security policy requires you to configure specific permissions for the HKEY_LOCAL_MACHINE hive in the registry on all computers in the domain. The client computers and the servers require a different set of registry permissions. You create two GPOs named RegistryPermissionsClients and RegistryPermissionsServers. You configure each GPO with the correct registry permissions. You need to ensure that the required registry permissions are configured on all client computers and servers in the domain. Which three actions should you perform? Each correct answer presents part of the solution. Choose three.
A. Link both GPOs to the domain object.
B. Set a WMI filter on the RegistryPermissionsClients GPO that targets all Windows XP Professional computers.
C. Set a WMI filter on the RegistryPermissionsServers GPO that targets all Windows Server 2003 computers.
D. Place a security filter on the GPOs to only apply the GPOs to the Domain Computers group.
E. Link the RegistryPermissionsServers GPO to the Servers OU.
Answer: A, B, C
Explanation: We can use WMI filters to apply the GPOs according to the operating system running on the computers. WMI Filters are a way to fine tune the application of GPOs. Evaluated at the time of a Group Policy refresh at the client, a WMI Filter includes one or more WMI Query Language (WQL) queries. If any of these queries return a result (essentially meaning they evaluate to True) then the WMI filter is considered to evaluate to True and the GPO to which it is linked is applied. If the WQL queries do not return anything in the result set then the GPO is not applied. WMI Filters are supported on Windows XP and Windows Server 2003. Since they are not supported on Windows 2000, any WMI Filter associated with a GPO is ignored on this platform and the GPO is applied.

QUESTION NO: 55
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You install Software Update Services (SUS) on a network server named Testking1. When you attempt to synchronize Testking1 with the Windows Update servers, you receive an error message. You suspect that your proxy server requires authentication. You open Internet Explorer and verify that you can communicate with an external Web site by using the proxy server. You need to ensure that Testking1 can communicate with the Windows Update servers. What should you do on Testking1?
A. Restart the IIS administration tool.
B. Configure the Internet Explorer settings to bypass the proxy server.
C. In the SUS options, configure authentication to the proxy server.
D. Install the Microsoft Firewall Client.
Answer: C
Explanation: In the Software Update Services administration console, there is an option to configure your internet connection settings. These settings include proxy server settings. If you have a proxy server between the SUS server and the internet, you need to configure the proxy server settings in the SUS options.
Incorrect Answers:
A: It is not necessary to restart the IIS administration tool. SUS has its own administration console, which you can use to configure proxy server options.
B: There is no problem connecting to the internet from Internet Explorer. The problem is with the SUS software.
D: The Microsoft Firewall is irrelevant to this question.

QUESTION NO: 56
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains 15 Windows Server 2003 computers and 3,000 Windows XP Professional computers. All client computers are running the most recent service pack. You install and configure Software Update Services (SUS) on a server named Testking1. You install the Automatic Updates client on all client computers. All client computer accounts are in the Clients organizational unit (OU). Currently all client computers obtain their Windows security updates from Windows Update. You want all client computers, and no other computers, to obtain their updates from Testking1. You need to configure all client computers to obtain Windows security updates from Testking1. You need to accomplish this task with the minimum amount of administrative effort. What should you do?
A. Create a Group Policy object (GPO) named SUS and link it to the Clients OU. Open the SUS GPO and enable the Configure Automatic Update policy to automatically download updates.
B. Create a Group Policy object (GPO) named SUS and link it to the Clients OU. Open the SUS GPO and enable the Specify intranet Microsoft updates service location policy to use http://Testking1 as the value for the update and statistics server.
C. Create a Group Policy object (GPO) named SUS and link it to the domain. Open the SUS GPO and enable the Specify intranet Microsoft update service location policy to use http://Testking1 as the value for the update and statistics server.
D. Create a Group Policy object (GPO) named SUS and link it to the domain. Open the SUS GPO and enable the Configure Automatic Update policy to automatically download updates.
Answer: B
Explanation: We need to configure all the client computers to receive Windows updates from the SUS server Testking1. We can do this simply by using a GPO linked to the OU containing the client computer accounts. The setting that needs to be configured in the GPO is Specify intranet Microsoft updates service location.
Incorrect Answers:
A: Setting the Configure Automatic Update policy to automatically download updates will just configure the clients to download updates from the Microsoft servers. We need to configure the clients to download the updates from the SUS server.
C: Linking the GPO to the domain will configure all the computers, not just the client computers, to download the updates from the SUS server. The question states: You want all client computers, and no other computers, to obtain their updates from Testking1.
D: Setting the Configure Automatic Update policy to automatically download updates will just configure the computers to download updates from the Microsoft servers. We need to configure the clients to download the updates from the SUS server. Linking the GPO to the domain will configure all the computers, not just the client computers. The GPO should be applied to the client computers only.

QUESTION NO: 57
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All client computers run either Windows 2000 Professional or Windows XP Professional. All servers run either Windows 2000 Server or Windows Server 2003. There are no service packs installed on any network computers. You install Software Update Services (SUS) on a server named Testking1. You must ensure that all network computers can connect to Testking1. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Install Windows 2000 Service Pack 3 on all Windows 2000 Server computers and Windows 2000 Professional computers. Install the Automatic Updates client on all Windows XP Professional computers.
B. Install Windows 2000 Service Pack 3 on all Windows 2000 Server computers and on all Windows 2000 Professional computers. Install Windows XP Service Pack 1 on all Windows XP Professional computers.
C. Configure the Internet browser home page for all Windows XP Professional computers to point to http://windowsupdate.microsoft.com. Install the Active Directory client on all Windows 2000 Server computers and on all Windows 2000 Professional computers.
D. Configure the Internet browser home page for all Windows 2000 Professional computers to point to http://windowsupdate.microsoft.com. Install Windows XP Service Pack 1 on all Windows XP Professional computers.
E. Upgrade all client computers to Windows XP Professional. Install Active Directory on all Windows 2000 Server computers.

F. Upgrade all client computers to Windows XP Professional. Install SUS on all Windows Server 2003 computers.
Answer: A, B
Explanation: To receive automatic updates from a local SUS server, the client computers need the updated automatic updates client software installed. This software doesn't come with the original version of Windows 2000 or Windows XP, but it is installed as part of Windows 2000 service pack 3 or Windows XP service pack 1. It is also available as a separate download.
Incorrect Answers:
C: Configuring the Internet browser home page for all Windows XP Professional computers to point to http://windowsupdate.microsoft.com won't cause the clients to download the updates either from Microsoft or from the local SUS server. The AD client is not used to download automatic updates.
D: Configuring the Internet browser home page for all Windows XP Professional computers to point to http://windowsupdate.microsoft.com won't cause the Windows 2000 clients to download the updates either from Microsoft or from the local SUS server.
E: It is not necessary to upgrade any of the computers. We just need to install the automatic updates client software on the client computers.
F: It is not necessary to upgrade any of the computers. We just need to install the automatic updates client software on the client computers.

QUESTION NO: 58
You are the network administrator for TestKing. All servers run Windows Server 2003. TestKing's main office is located in New York City and four branch offices are located in various North American cities. The network is configured as shown in the exhibit. Access to the Internet is provided by a Network Address Translation (NAT) server located in the Montreal office. The IP address of the NAT server is 192.168.10.254. Users in the Los Angeles office report that they cannot connect to the Internet. Users in the New York office report that they can successfully connect to the Internet. From a computer in the Los Angeles office, you cannot connect to servers located in the Montreal office by using their IP address. You want to find out where the communication failure resides by running a command prompt on a computer in the Los Angeles office. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the pathping 192.168.10.254 command.
B. Run the net view \\192.168.10.254 command.
C. Run the tracert 192.168.10.254 command.
D. Run the nslookup 192.168.10.254 command.
Answer: A, C
Explanation: There are multiple routers between the Los Angeles office and the Montreal office. We can use the tracert utility to find out how far the data packets are going and what path they're taking. This will tell us at which point (router) the connectivity is failing. Tracert works by sending an ICMP echo request much like a 'ping' to each router along the path to the final destination. Pathping is very similar to tracert in that it pings each router along the path to the final destination, thus showing where the point of failure is. However, pathping can be used to display extra information about network speed/latency and packet loss.
Incorrect Answers:
B: The net view command is used to display shares on a remote host. It is not used for troubleshooting network connectivity problems.
D: Nslookup is used to query DNS to resolve hostnames to IP addresses or IP addresses to hostnames. It would not help in this scenario.
QUESTION NO: 59
You are the network administrator for TestKing. All servers run Windows Server 2003. Twenty TestKing employees connect to a terminal server named Testking1 to run applications and to gain access to the Internet. The 20 employees report that they receive security messages while browsing Internet Web sites. The employees report that they cannot modify the Internet Explorer security settings on their client computers while connected to Testking2. You need to allow these 20 employees to modify the Internet Explorer security settings in their client computers while connected to Testking2. What should you do?
A. Log on to Testking2 as Administrator and add http:// to the list of trusted sites in Internet Explorer.
B. Instruct the 20 employees to add http:// to the list of trusted sites in Internet Explorer on their client computers.
C. Instruct the 20 employees to change the Internet Explorer privacy settings on their client computers to Low.
D. Uninstall Internet Explorer Enhanced Security Configuration on Testking2.
Answer: D
Explanation: Internet Explorer Enhanced Security Configuration is installed by default on Windows 2003 Server computers. With Internet Explorer Enhanced Security Configuration installed, web pages may not display in Internet Explorer as expected and applications that require the browser may not work correctly because scripts, Microsoft ActiveX controls, the Microsoft virtual machine (Microsoft VM) for HTML content, and file downloads have been disabled. This is what is causing the security messages when users connect to the server via Terminal Services. Therefore, the solution is to uninstall Internet Explorer Enhanced Security Configuration on Testking2.
Incorrect Answers:
A: http:// is invalid as a wildcard entry in the trusted sites list.
B: The question states that the users are unable to modify the Internet Explorer security settings. This is because Internet Explorer Enhanced Security Configuration is installed on the server. Furthermore, http:// is invalid as a wildcard entry in the trusted sites list.
C: The IE settings from the client computers don't apply because the users are connecting to the server via Terminal Services (therefore, the server's IE settings are in effect).

QUESTION NO: 60
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The company has offices in Berlin, Dortmund, and Frankfurt. Each office is configured as a separate IP subnet. DNS is the only method of name resolution on the network. You need to implement a software update infrastructure on the network. You install Software Update Services (SUS) on a computer named TestKing3 in the Berlin office. You install on TestKing3 with all default settings. You have no plans to install additional SUS servers. You configure all client computers appropriately. You must ensure that client computers can successfully connect to the SUS server. What should you do?
A. Configure the Internet browser home page on all client computers to point to http://windowsupdate.microsoft.com.
B. In the SUS Administrator, configure the Server Name property to be the server's fully qualified domain name (FQDN).
C. Open IIS Manager and enable HTTP over SSL.
D. Enable communication over port 135 between all client computers and the SUS server.
Answer: B
Explanation: The question states that you have configured the client computers appropriately. This means you have configured the clients to receive the updates from the SUS server. As there are multiple subnets in the network, the clients will need to be configured with the fully qualified domain name of the SUS server. Therefore, the SUS software on the SUS server will also need to be configured with the fully qualified domain name of the server.
Incorrect Answers:
A: You do not need to configure the web browser homepage to configure a client to receive updates from a SUS server.
C: It is not necessary to enable HTTP over SSL. SUS uses HTTP by default.
D: SUS uses HTTP by default. HTTP uses port 80, not port 135.
QUESTION NO: 61
You are a domain administrator for TestKing.com. The network contains three Windows 2003 Server domain controllers and one Windows 2003 Server member server. The member server contains three hard disks, which use software RAID-5. The member server also contains an ISA card that has 12 modems attached for Routing and Remote Access dial-up access. Usage of the member server's disk subsystem is occasionally as much as 80 percent. This level of usage results in slow response times for dial-in users. You run System Monitor on the member server. The System Monitor results are shown in the following table.

Object        Counter                  Average value
System        Processor Queue Length   1
Processor     %Processor Time          56
Processor     Interrupts/sec           320
PhysicalDisk  Disk Queue Length        1
PhysicalDisk  Disk Bytes/sec           1900 KB
PhysicalDisk  %Disk Time               7
Memory        Page Faults/sec          10
Memory        Page Reads/sec           9
Memory        Pages/sec                50

You want to maximize the performance of the member server. What should you do?
A. Increase the number of hard disks in the RAID-5 system.
B. Upgrade the RAM.
C. Upgrade the processor.
D. Upgrade the ISA card to PCI.
Answer: B
Explanation: The Memory: Pages/sec counter is too high. A value of no more than 20 is recommended. The current value indicates that the paging file is being used too much. The question states that the usage of the member server's disk subsystem is occasionally as much as 80 percent. This is due to excessive paging file usage. You can fix this by upgrading the RAM.
Incorrect Answers:
A: Increasing the number of hard disks will not reduce paging file usage.
C: The Processor counters are within acceptable boundaries.
D: The ISA card does not cause excessive disk usage.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 540

QUESTION NO: 62
You are the network administrator for TestKing.com. Your network consists of three Active Directory domains in a single forest. You do not have administrative rights to the forest. All domain controllers run Windows Server 2003. Universal group membership caching is enabled. TestKing has a main office in Madras and five branch offices located worldwide. Each office is configured as an Active Directory site, as shown in the exhibit. Each office contains three domain controllers, one for each domain. A new employee named Dr King is hired in the Berlin office. You create a new user account for Dr King from a domain controller in Berlin. However, Dr King reports that he cannot log on to his domain. Other users from Berlin report no difficulties. You need to ensure that Dr King can log on successfully. What should you do?
A. Delete the user account in Berlin. Recreate the user account in Madras.
B. Force directory replication between all domain controllers in Berlin.
C. Restore network connectivity between the domain controllers in Berlin and Madras.
D. Instruct Dr King to use his user principal name when he logs on for the first time.
Answer: C
Explanation: When a new user logs on to a native mode domain, the authenticating domain controller needs to be able to contact a Global Catalog server to obtain universal group information. The Global Catalog servers are in the Madras office. The new user would not be able to log on when there is no connectivity between Berlin and Madras. No one else is experiencing a problem logging on because Universal Group caching is enabled. The information in the cache on the Berlin domain controller is however out of date because it does not contain information about the new user.
Incorrect Answers:
A: The account does not need to be created in Madras. It can be created on any domain controller in the domain.
B: The domain controllers in Berlin are in separate domains. They do not need to replicate to each other.
D: Dr King does not need to log on using his UPN name. The question states that the user could not log on to "his" domain. This implies that Dr King either attempted to log on using his UPN or he entered his down-level username, and selected the correct domain in the drop down box.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 426

QUESTION NO: 63
You are the network administrator for Proseware, Inc. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. The network consists of two Active Directory forests: proseware.com and testking.com. External trust relationships exist between the two forests. You create an additional user principal name (UPN) suffix for proseware.com. The new UPN suffix is mail.proseware.com. David Campbell, a user from proseware.com, reports that he cannot log on to proseware.com from testking.com. The configuration of David Campbell's user account is shown in the exhibit. You need to ensure that David Campbell can log on to his domain from testking.com. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Change David Campbell's user logon name to match his pre-Windows 2000 user logon name.
B. Clear the User cannot change password option in the David Campbell Properties dialog box.
C. Instruct David Campbell to log on by using his pre-Windows 2000 user logon name.
D. Change David Campbell's UPN suffix to proseware.com.
E. Create a computer account for David Campbell's computer in testking.com.
F. Delete David Campbell's user account and recreate it in testking.com.
Answer: A, C
Explanation: The user cannot log on because it is only possible to use an explicit UPN-Name to log on when there is forest trust. As stated in the question there is an external trust relationship between the two forests, not forest trust. In this case you can only use an implicit UPN-Name to log on. Alternatively, you can use the pre-Windows 2000 user logon name to log on.
A user principal name (UPN) is a variation of a user account name that looks like an e-mail name but can be used to log on to a domain. The syntax is <user name>@<string>. UPNs allow you to use the same logon name across different domains in the same forest or in different forests.
The following two types of UPNs exist:
1. Implicit: Always takes the form userID@DNSDomainName. For example, johns@corp.contoso.com is the UPN for the account of John Smith, whose user ID is johns and whose account is a member of the corp.contoso.com forest. The implicit UPN is always associated with the user's account, regardless of whether an explicit UPN is defined.
2. Explicit: Always takes the form string@Anystring, where both string and Anystring are explicitly defined by the administrator. For example, John Smith might have the UPN ITJS@coneast. Explicit UPNs are useful for situations when the organization does not want to publicize the name of domains or the forest structure.
Incorrect Answers:
B: This is not a password problem. Thus clearing the option User cannot change password will not solve the problem.
D: able to log on is an implicit UPN name.
E: It is unnecessary to create a computer account for David Campbell's computer in All that is needed to grant David Campbell logon abilities is to use an implicit UPN-name.
F: Deleting David Campbell's user account and recreating it in testking.com is not the solution. There is already an external trust relationship between the two forests.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 264, 282-284, 33
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/mt

QUESTION NO: 64

You are the domain administrator for TestKing.com's Active Directory domain. All client computers run Windows XP Professional. The network contains 30 Windows Server 2003 computers that function as file servers. The file servers are in an organizational unit (OU) named Windows 2003 Servers. A group named FileAdmins contains the user accounts of the administrators who manage the file servers. Users in the FileAdmins group use Remote Desktop Connections to remotely administer the servers from their client computers. The Remote Desktop settings on the server are set to the default configuration. You need to configure Remote Desktop for all servers in the WINDOWS 2003 Server OU. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Create a new Group Policy Object (GPO) and link it to the WINDOWS 2003 servers OU. In the GPO, enable the allow users to connect remotely using terminal services setting.
B. Create a new Group Policy Object (GPO) and link it to the WINDOWS 2003 servers OU. In the GPO, enable the Solicited Remote Assistance setting.
C. Use the Delegation of control wizard to delegate permission for the WINDOWS 2003 Server OU. Assign the FileAdmins group the Allow-Full Control permission.
D. On each server in the WINDOWS 2003 Server OU, modify the system settings to configure the local Remote Desktop Users group. Add the FileAdmins group to the local Remote Desktop Users group.
Answer: A

QUESTION NO: 65
You are the network administrator for TestKing.com. All client computers run either Windows 2000 Professional or Windows XP Professional. TestKing.com uses a custom application named App1. This application was originally created to run on the Windows NT 4.0 operating system. Currently, App1 is installed on all client computers. App1 runs under the user context and redirects temporary files to a separate folder for each user. The user folder is created when the application starts, and it is deleted when the application closes. Management decides to provide remote access to the network by using Terminal Services. You must ensure that App1 will be accessible to users who log on to your terminal servers. First, you successfully test App1 by running it directly on a Windows Server 2003 computer. Now you need to set the initial configuration for your deployment of Terminal Services. What should you do?
A. Select Full Security as the permission compatibility setting.
B. Select Relaxed security as the permission compatibility setting.
C. In user account settings, configure the remote control setting to interact with the session.
D. In user account settings, configure the remote control setting to view the session.
Answer: B
Explanation: The question states that the application was originally created to run on the Windows NT 4.0 operating system. Therefore, it was not written with the Windows 2003 Server security restrictions in mind. The Relaxed Security setting is used to relax security on various registry keys on files to enable legacy programs to be run over Terminal Services by users with non-administrative privileges.
Reference: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/ab91fd

QUESTION NO: 66
You are the network administrator for TestKing. All network servers run Windows Server 2003. Your company manages its own e-mail servers on the internal network. You install ISA on a new server named TestKing5. The relevant portion of the resulting network configuration is shown in the exhibit. Your e-mail servers are configured to relay all outbound e-mail to Server5. Server5 is configured to relay all inbound e-mail to your e-mail servers. You need to ensure that only your e-mail servers can relay e-mail through Server5. What should you do?
A. Configure Relay Restrictions option.
B. Configure the Smart Host option.
C. Enable Integrated Windows authentication.
D. Change the default TCP port value to 26.
Answer: A

QUESTION NO: 67
You are the network administrator for TestKing.com. TestKing includes two divisions: Contoso, Ltd and Fabrikam, Inc. The two divisions are in separate locations. The two locations are connected by a WAN connection. The network consists of two single-domain Active Directory forests. The domain names are contoso.com and fabrikam.com. All domain controllers run Windows Server 2003. All domain controllers are configured as DNS servers. All computers in each domain are configured to use the local domain controller for DNS. Users in the contoso.com domain frequently need to access several Web servers in the fabrikam.com domain. However, when the users attempt to connect, they receive an error message stating that the servers cannot be located. You need to ensure that users in the contoso.com domain can access the Web servers in the fabrikam.com domain. Your solution must have a minimal effect on the current name resolution and should require minimal administrative effort to maintain. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. On the DNS servers in the contoso.com domain, create a secondary zone for the fabrikam.com domain. Configure one of the DNS servers in the fabrikam.com domain as the primary DNS server for the zone.
B. Configure the DNS servers in the contoso.com domain with a primary zone for the fabrikam.com domain. Create a host (A) resource record for each of the Web servers in the fabrikam.com domain.
C. On the DNS servers in the contoso.com domain, create an Active Directory-integrated stub zone for the fabrikam.com domain. Configure one of the DNS servers in the fabrikam.com domain as the primary DNS server for the zone.
D. Create a forwarder entry on the DNS servers in the contoso.com domain. Configure the servers to forward all unresolved requests to a DNS server in the fabrikam.com domain.
Answer: A, C
Explanation: Users in the Contoso.com domain need to be able to quickly resolve host names in the Fabrikam.com domain. "Your solution must have a minimal effect on the current name resolution and should require minimal administrative effort to maintain."
One solution would be to configure a secondary zone for the Fabrikam.com domain on the DNS servers in the Contoso.com domain. This will enable the Contoso DNS servers to resolve Fabrikam host names. This solution requires minimal administrative effort to maintain because when a DNS record changes in the Fabrikam DNS zone, the changes are replicated to the secondary zone hosted on the Contoso DNS servers.
A second solution would be to configure a stub zone for the Fabrikam.com domain on the Contoso DNS servers. A stub zone is a 'dynamic' zone that contains NS records which point to the DNS servers in the Fabrikam domain. The zone is dynamic in the sense that if the IP address of a Fabrikam DNS server is changed, or if a new DNS server is added, the updated NS record for the DNS server will be replicated to the stub zone on the Contoso DNS servers. Thus this solution also requires minimal administrative effort to maintain.
Incorrect Answers:
B: DNS servers in the Contoso domain cannot host primary zones for the Fabrikam.com domain.
D: This solution would work in that Fabrikam hostname resolution would be quicker, because the DNS requests would be forwarded to Fabrikam DNS servers. However, this solution would affect current name resolution because all DNS queries external to Contoso (internet web servers etc) would be forwarded to the Fabrikam DNS servers thus slowing the resolution process down.

QUESTION NO: 68
You are the network administrator for TestKing. The network consists of a single Active Directory domain. The domain contains Windows Server 2003 computers, Windows XP Professional computers, and Windows 2000 Professional computers. All client computers have Service Pack 1 installed. Software Update Services (SUS) is installed on a network server named Testking1. You deploy the SUS client software to all computers by using a Group Policy object (GPO) named SUS_Deploy that is linked to an organizational unit (OU) named Desktops. All client computers are located in the Desktops OU. Seven days later, you analyze security and you notice that all Windows XP Professional computers are receiving automatic updates. However, the Windows 2000 Professional computers are not receiving automatic updates. You need to modify the Windows 2000 Professional computers to ensure that they receive automatic updates. What should you do?
A. Configure the No Override option on the SUS_Deploy GPO.
B. Enable the Block Inheritance option on the Desktops OU.
C. Run the secedit /refreshpolicy command on each computer.
D. Upgrade each computer to the latest service pack.
Answer: D
Explanation: To receive automatic updates from a local SUS server, the client computers need the updated automatic updates client software installed. This software doesn't come with the original version of Windows 2000 or Windows XP, but it is installed as part of Windows 2000 service pack 3 or Windows XP service pack 1.
Incorrect Answers:
A: The Windows XP clients are receiving automatic updates. Therefore, we know that the GPO is being applied correctly.
B: We don't want to block inheritance on the GPO. The GPO is being applied correctly.
C: GPO is being applied correctly. Therefore, it is not necessary to refresh the GPO on the client computers. Furthermore, the secedit /refreshpolicy command has been replaced with the 'gpupdate' command in Windows Server 2003 domains.
QUESTION NO: 69
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Webservers. The Webservers OU contains the computer accounts of 12 Windows Server 2003 computers that function as intranet Web servers. A Group Policy object (GPO) named WebserverPolicy is linked to the Webservers OU. The GPO is used to configure various settings on the computers in the OU. A global group named WebserverAdmins is a member of the Administrators local group on each intranet Web server.

You plan to install a security scanning application on each intranet Web server. The documentation for the application states that it uses a service account, which must be able to modify the HKEY_LOCAL_MACHINE\SYSTEM key in the registry of every computer on which the application is installed. You create the service account in the domain. TestKing's written security policy states that service accounts must be assigned only the minimum rights and permissions that they require to function.

You need to configure the intranet Web servers so that they comply with the installation requirements of the security scanning application. You also need to comply with TestKing's security policy. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Add the service account to the WebserverAdmins global group.
B. Configure the required permissions as registry security settings in the WebserversPolicy GPO.
C. Run the regedit.exe command to add the required permissions to the registry of each intranet Web server.
D. Run the explorer.exe command to modify NTFS permissions on the Systemroot\System32\Config\System file. Assign the service account the Allow - Change permission.
E. Configure file system security settings in the WebserversPolicy GPO to modify NTFS permissions on the Systemroot\System32\Config\System file. Assign the service account the Allow - Change permission.

Answer: B

QUESTION NO: 70
You are the network administrator for TestKing. TestKing has a main office in Chicago and a branch office in San Diego. The network consists of a single Active Directory domain. Each office is configured as an Active Directory site. All domain controllers run Windows Server 2003. The network connections from Chicago to San Diego intermittently fail. This is an existing condition that will be resolved in the future.

TestKing acquires another company that has a main office in Denver. The acquired company does not have branch offices. A Windows Server 2003 computer that is configured as a domain controller is added to the Denver office. The client computers in all three sites run Windows XP Professional and are configured using DHCP.

The server and network configuration for TestKing is shown in the following table.

Site        Server Roles                          Server IP Address   Network Links To
Chicago     DNS, global catalog, WINS, DHCP       10.10.10.200        San Diego, Denver
San Diego   DNS, domain controller, WINS, DHCP    10.10.20.200        Chicago
Denver      Global catalog, DHCP                  10.10.30.200        Chicago

The relevant DHCP scope options for Denver are shown in the following table.

Scope Option        Settings
WINS/NBNS Servers   10.10.20.200
DNS Servers         10.10.20.200
Router              10.10.30.1

Users in Denver report that sometimes they cannot log on to the domain. They receive an error message that states that a domain controller for their domain cannot be located. You need to ensure that users in Denver can authenticate to the domain. What should you do?

A. Add a domain controller to the Denver site.
B. Change the DNS Server settings in the DHCP scope option to include 10.10.10.200.
C. Change the Router setting in the DHCP scope option to include 10.10.30.200.
D. On the global catalog server in Denver, add a Hosts file entry for the domain controller in Chicago.

Answer: B

Explanation: When a user logs on to a client computer, the client sends a query to DNS to locate a domain controller to authenticate the logon. The client computers in the Denver office are configured with the IP address of the DNS server in San Diego office. Therefore, if the link between the Denver and Chicago offices or between the Chicago and San Diego offices fails, the client computers are unable to access a DNS server. Therefore the solution is to configure the DHCP scope with the address of an additional DNS server, in this case the Chicago office DNS server.

Incorrect Answers:
A: There is already a domain controller in the Denver office. The problem is that the clients are unable to locate it because they can't access a DNS server.
C: The router setting for the Denver office should be 10.10.30.1, not 10.10.30.200.
D: The global catalog server in the Denver office is the domain controller. Configuring a Hosts file entry on the domain controller won't help because the clients are unable to locate the domain controller.

QUESTION NO: 71
Exhibit:

You are the network administrator for TestKing. The network consists of a single Active Directory domain. The relevant portion of its configuration is shown in the exhibit. All network servers run Windows Server 2003.

Maria is a help desk employee in Site C. She uses a Remote Desktop connection to maintain a server named Testking1 in Site A. Testking1 is located in an organizational unit (OU) named Servers. Suzanne is a new help desk employee in Site B. Maria is training Suzanne to perform her duties on Testking1. Suzanne receives an invitation from Maria to join her Remote Desktop session with Testking1. However, Suzanne cannot connect. You need to enable Suzanne to use Remote Assistance so she can join Maria's Remote Desktop session. What should you do?

A. Edit the Group Policy object (GPO) for the Servers OU by enabling the Offer Remote Assistance option. Add Suzanne's user account to the list of Remote Assistance Helpers.
B. Edit the Group Policy object (GPO) for the Servers OU by disabling the Restrict Terminal Services users to a single remote session option.
C. Add Suzanne's user account to the Remote Desktop Users local group on Maria's client computer.
D. Add Suzanne's user account to the Remote Desktop Users local group on Testking1.
E. Configure Firewall AB to allow Remote Desktop Protocol (RDP) traffic to pass between Site A and Site B.
F. Configure Firewall BC to allow Remote Desktop Protocol (RDP) traffic to pass between Site B and Site C.

Answer: E

Explanation: The question states, "You need to enable Suzanne to use Remote Assistance so she can join Maria's Remote Desktop session". Therefore, Maria is connected to TestKing1 via a remote desktop connection and has sent Suzanne a Remote Assistance invitation from TestKing1 as opposed to sending a Remote Assistance invitation from her client computer in Site C. Remote Assistance uses Remote Desktop Protocol (RDP). Therefore, we need to configure Firewall AB to allow Remote Desktop Protocol (RDP) traffic to pass between Site A and Site B.

Incorrect Answers:
A: The question states that Suzanne receives the Remote Assistance invitation. Therefore, Remote Assistance is enabled on the server so the GPO doesn't need to be edited.
B: The problem isn't to do with the number of Terminal Services sessions. Suzanne is unable to connect to the server so she doesn't have multiple sessions running.
C: It is not necessary to add Suzanne's user account to the Remote Desktop Users local group on Maria's client computer or the server because Suzanne was invited by Maria using a remote assistance invitation.
D: It is not necessary to add Suzanne's user account to the Remote Desktop Users local group on Maria's client computer or the server because Suzanne was invited by Maria using a remote assistance invitation.
F: Suzanne needs to connect to TestKing1, not Maria's computer using a Remote Desktop connection. Therefore, we need to configure Firewall AB, not Firewall BC to allow Remote Desktop Protocol (RDP) traffic.

QUESTION NO: 72
You are the network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. All network servers run Windows Server 2003, and all 200 client computers run Windows XP Professional. Software Update Services (SUS) is installed with default settings on a server named TestKing5.

You discover that a critical security update for Internet Explorer is not installed on any client computer. You verify that the update was downloaded from the Internet to TestKing5. You also verify that more recent security updates are installed. You need to investigate the cause of this problem. You will use the SUS administration console on TestKing5. Which data should you evaluate? Select one.

A. The security update in the synchronization log.
B. The security update in the approval log.
C. The status of Internet Explorer 5.5x in the Monitor Server window.
D. The status of Internet Explorer 6.x in the Monitor Server window.

Answer: B

Explanation: The question states that the update was downloaded from the Internet to TestKing5 but it wasn't installed on the client computers. The likely cause is that the update wasn't 'approved'. You can verify this by looking at the approval log.

An approval log is maintained on each server running SUS to keep track of the content that has been approved or not approved. This log contains the following information:
1. A record of each time the list of approved packages was changed.
2. The list of items that changed.
3. The new list of approved items.
4. synchronization service.
QUESTION NO: 73
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. You enable the Audit account logon events policy and the Audit logon events policy on all domain controllers. You enable both policies to audit for both success and failure attempts. In addition, you enable Audit logon events for all other computers in the domain for both success and failure attempts.

You suspect that an unauthorized user attempted to discover the password for the domain administrator account by using a computer located in a public area in TestKing's main office. You need to find out if your network has been compromised. What should you do?

A. Examine the security log on the public computer.
B. Examine the security log on each domain controller.
C. Examine the system log on the public computer.
D. Examine the system log on the primary domain controller (PDC) emulator.

Answer: B

Explanation: Audited logon events are logged in the Security log of either a domain controller (for domain logons) or the client computer (for local logons). In this question, an unauthorized user attempted to discover the password for the domain Security log of a domain controller. As any domain controller is able to authenticate the attempted logon, you'll need to examine the security log on each domain controller.

Incorrect Answers:
A: In this question, an unauthorized user attempted to discover the password for the Security log of a domain controller, not the security log on the public computer.
C: Audited logon events are logged in the Security log, not the system log.
D: Audited logon events are logged in the Security log, not the system log.

QUESTION NO: 74
You are the network administrator for TestKing. The network consists of two subnets, Subnet1 and Subnet2 in a single Active Directory domain. All network servers run Windows Server 2003. Some client computers run Windows NT 4.0 Workstation, and the rest run Windows XP Professional. All users log on to the domain.

You move a Windows NT 4.0 workstation named Testking10 from Subnet1 to Subnet2. You manually reconfigure the TCP/IP settings for Testking10. The relevant portion of the resulting network configuration is shown in the exhibit.

Users now report that they can no longer log on to Testking10. Users can successfully log on to other computers in Subnet2. To solve this problem, you need to reconfigure Testking10. What should you do?

A. Install the Active Directory client software.
B. Specify the address of the DNS server in the TCP/IP properties.
C. Specify the address of the WINS server in the TCP/IP properties.
D. From a command prompt, run the ipconfig command.

Answer: C

Explanation: Windows NT 4.0 uses NetBIOS. To resolve NetBIOS names to IP addresses, we need a WINS server. Therefore the solution is to configure TestKing10 with the address of the WINS server in subnet 1.

Incorrect Answers:
A: It is not necessary to install the Active Directory client software. The problem is a name resolution problem.
B: Windows NT uses NetBIOS names instead of hostnames. Therefore, we need to specify the address of the WINS server, not the DNS server in the TCP/IP properties.
D: The ipconfig command will just display the computer's IP address. It is not the correct solution to this question.

QUESTION NO: 75
You are the network administrator for TestKing. The network consists of a single Active Directory domain named Testking.com. The domain contains 1,500 Windows 2000 Professional desktop computers, 250 Windows 2000 Professional portable computers, and 100 Windows XP Professional portable computers. All computers are DHCP clients. The portable computers are frequently moved from one subnet to another.

The DNS servers for the Testking.com domain are configured as shown in the following table.

The DNS servers occasionally return incorrect responses to queries against the names of the portable computers. You need to ensure that the Testking.com zone contains current and correct information for the portable computers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. In the properties of the Testking.com zone, configure aging and scavenging.

B. In the properties of Server1, enable aging and scavenging.
C. In the properties of the Testking.com zone, configure the setting for dynamic updates to None.
D. Add the SELF group to the DNS administrators global group.
E. Add the SELF group to the DNSUpdateProxy global group.
F. Configure the Testking.com zone as an Active Directory-integrated zone.

Answer: A, B

Explanation: We need to configure the DNS server to delete old out of date records. We can do this by enabling aging and scavenging. To enable aging and scavenging, we need to enable it in two places. Firstly, in the properties of the DNS server and secondly in the properties of the DNS zone.

QUESTION NO: 76
You are the network administrator for TestKing. The network consists of a single Active Directory domain. Network servers run either Windows 2000 Server or Windows Server 2003. The network includes six domain controllers named TestkingDC1 through TestkingDC6. TestkingDC1 through TestkingDC3 run Windows Server 2003, and TestkingDC4 through TestkingDC6 run Windows 2000 Server.

TestKing hires Andreas, a technical support specialist, to assist you in managing TestkingDC1. Periodically, Andreas needs to configure settings on TestkingDC4 and Testking5. Andreas tries to open Active Directory Sites and Services from TestkingDC1. However, he cannot establish a connection. How should you solve this problem?

A. Copy Adminpak.msi from the Windows 2000 Server CD-ROM to TestkingDC1.
B. Copy Adminpak.msi from the Windows Server 2003 CD-ROM to TestkingDC4.
C. Install Windows 2000 Server, Service Pack 3 or higher, on TestkingDC4.
D. Install the Support Tools from the Windows 2000 Server CD-ROM on TestkingDC1.
Answer: C

QUESTION NO: 77
You are the network administrator for TestKing. TestKing's business is growing steadily and now requires a new training center. The new training center is used only for external training services and is completely disconnected from the corporate network. In the training center, you install Windows XP Professional, including Service Pack 1, on 250 client computers. All 250 client computers are configured as part of a workgroup. Internet access for the training center is provided through a DSL router.

You install Software Update Services (SUS) on a Windows Server 2003 computer named Testking5. You need to ensure that critical updates and security patches are always installed on all 250 client computers. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Install Active Directory on Testking5. Join all 250 client computer to the domain. Configure a domain-level Group Policy object (GPO) to redirect the Automatic Update client on all 250 client computers to http://Testking5.
B. Install Active Directory on Testking5. Join Testking5 to the domain. Configure domain-level Group Policy object (GPO) to redirect the Automatic Update client on all 250 client computers to http://Testking5.
C. Create a new registry file. Modify the registry file with the configurations necessary to point the Automatic Update client on all 250 client computers to the http://Testking5. Deploy the registry file to all 250 client computers.
D. In the Services console on all 250 client computers, restart the Automatic Update service.

Answer: A, C

Explanation: The easiest way to configure settings on multiple computers is through the use of Group Policy objects. However, GPOs can only be used in a domain environment. Therefore, one solution to this question would be to create a Windows 2003 domain at the training centre by installing Active Directory on Testking5 and joining all 250 client computer to the domain. Then we can configure a domain-level Group Policy object (GPO) to redirect the Automatic Update client on all 250 client computers to http://Testking5.

Another solution would be to create a registry file. We can do this by configuring the correct settings on one computer and exporting the registry settings to a file. We can then configure the client computers by running the registry file on each computer.

Incorrect Answers:
B: The client computers would need to be members of the domain for a GPO to work.
D: Simply restarting the Automatic Update service won't work. We need to configure the automatic updates client software on each client computer to receive updates from TestKing5.

QUESTION NO: 78
You are the administrator of an Active Directory domain named Testking.com. The network contains a Windows Server 2003 computer named TestkingDC1 that is configured as a domain controller and a DNS server. TestkingDC1 is configured with a single DNS zone for Testking.com. Client computers and server computers are on different network segments.

Two Web servers named Testkingweb1 and Testkingweb2 host TestKing's intranet Web site named www.testking.com. There are two host (A) resource records in DNS for www.testking.com. One of the A records is configured with the IP address of Testkingweb1. The other A record is configured with the IP address of Testkingweb2.

Users report slow response time from the intranet Web site. You notice that when users connect to www.testking.com, they connect to only Testkingweb1. You view the DNS server configuration on TestkingDC1 as shown in the exhibit.

You must ensure that requests from client computers for www.testking.com are load balanced between Testkingweb1 and Testkingweb2. How should you configure the DNS server settings on TestkingDC1?

A. Clear the Enable netmask ordering check box.
B. Select the Enable round robin check box.
C. Select the BIND secondaries check box.

Answer: B

Explanation: Round robin enables DNS entries that have multiple IP addresses sharing the same host name to be alternately sequenced through when clients query that host name for name resolution. This means that clients querying the same host name will be directed to different IP addresses in a load balancing fashion. Thus disabling round robin is not going to prevent the preproduction segment from resolving production FQDNs.

Topic 7, Simulations (12 Questions)

QUESTION NO: 1
SIMULATION
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. You install DNS on a new Windows Server 2003 computer in the data center. You name the computer TestKing4 and configure it with an IP address of 10.10.30.54. You install two network adapters on TestKing4, and configure TestKing4 as a domain controller. TestKing4 has two network adapters, one with a public IP address and one with a private address. The private subnet is 10.10.30.x.

The research department uses a domain named test.local, which is stored on an independent UNIX DNS server. This server is configured with an IP address of 10.10.50.100.

TestKing.com merges with company named Foo. The Foo network consists of a single Active Directory domain, which is named foo.com. The domains will remain independent.

You must configure DNS on TestKing4 to ensure that the following requirements are fulfilled:
1. Name resolution requests for hosts on foo.com from client computers assigned to query TestKing4 must be directly resolved by a DNS server in the foo.com domain with the IP address 10.150.10.100.
2. A full copy of test.local must be on TestKing4.
3. A reverse lookup zone be created for the 10.10.30.x subnet. This subnet must be stored in Active Directory and updates should be secure.
4. The DNS server should only respond requests from the private network.

What should you do? Answer by performing the appropriate actions in the simulation window.

Simulation window

Answer:
To answer this question, we need to configure four things in DNS to meet the four requirements of the question.

The first requirement in the question states: "Name resolution requests for hosts on foo.com from client computers assigned to query TestKing4 must be directly resolved by a DNS server in the foo.com domain with the IP address 10.150.10.100." To do this, we must set up conditional forwarding to the foo.com DNS server.

Step 1: Right click on TestKing4, select properties and go to the forwarders tab.
Step 2: Click "New" and type in foo.com then click OK.
Step 3: Type in the IP address of the foo.com DNS server and click Add. Then click OK.

The second requirement of the question states: "A full copy of test.local must be on TestKing4". To do this, we need to configure a secondary zone on TestKing4 for the test.local domain.

Step 1: Expand
Step 2: Expand again.
Step 3: Right click on "Forward Lookup Zones" and select New Zone.
Step 4: The Wizard starts.
Step 5: Select Secondary zone and click Next.
Step 6: Type the zone name test.local and click Next.
Step 7: Type in the address of the test.local Master DNS server. Click Add then click Next.
Step 8: Click Finish.

The third requirement of the question states: "A reverse lookup zone be created for the 10.10.30.x subnet. This subnet must be stored in Active Directory and updates should be secure." The following steps describe how to configure the Reverse Lookup zone.

Step 1: Expand
Step 2: Right click on "Reverse Lookup Zones" and select New Zone.
Step 3: The New Zone Wizard starts.
Step 4: Select Primary Zone and click Next.

Step 5: Accept the default option and click Next.
Step 6: Type in the network ID and click Next.
Step 7: Accept the default option and click Next.
Step 8: Click Finish.

The fourth requirement of the question states: "The DNS server should only respond requests from the private network."

Step 1: Right click on TestKing4, select Properties and go to the interfaces tab.
Step 2: Select "Only the following IP addresses". Type in the private IP address and click Add.
Step 3: Select the Public IP address and click Remove. Then click OK.

QUESTION NO: 2
SIMULATION
Exhibit:

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

TestKing.com opens a new branch office in Boston. A system engineer installs and authorizes a new DHCP server for the Boston office. You are configuring DHCP in the Boston office. The Boston office is assigned the subnet 10.10.15.0/24. The subnet for the Boston is shown as in the exhibit.

On the subnet in the Boston Office, a client named TestKingA has MAC address ==>E=>;2>;<>4E>,<. TestKingA has a shared printer.

Written TestKing.com company policy specifies the following requirement:
1. Name resolution for client computers must be provided by local servers for both WINS and DNS.
2. IP addresses should be leased for three days.
3. Scope options should be configured on a per-scope basis.
4. Reservations should be named by using the NETBIOS name of the computer.

You need to create a DHCP scope for the subnet in the Boston office that fulfils all of the TestKing.com's DHCP requirements. You also need to configure TestKingA to always use IP address 10.10.15.100. What should you do? Answer by performing the appropriate actions in the simulation window.

Simulation window

Answer:
Step 1: Open the DHCP applet.
Step 2: Right click on the server and select New Scope to start the New Scope Wizard.

Step 3: Enter a name for the scope. The question doesn't specify a name so any name will do.
Step 4: The scope should start at 10.10.15.5 because the diagram shows that servers with static IP addresses are using the 10.10.15.2 to 10.10.15.4 addresses.
Step 5: No exclusions are required.
Step 6: The question states that the lease should be set to 3 days.
Step 7:
Step 8: The exhibit shows that the router address is 10.10.15.1. Enter this address, and click Add.
Step 9: Enter the DNS server information and click Add.
Step 10: Enter the WINS server address and click Add.
Step 11: Activate the scope.
Step 12:

The question states that we need to configure TestKingA to always use IP address 10.10.15.100. To do this, we need to create a reservation.

Step 1: Expand the list in DHCP management.
Step 2:
Step 3: Enter the IP address and MAC address for TestKingA. Click Add then click Close.

QUESTION NO: 3
SIMULATION
You are a domain administrator for TestKing. TestKing's Active Directory domain is named testking.com. You need to create a customer security template named SecTemplate1. The template must have only the settings defined in the following table.

Users should be locked out for 60 minutes after five unsuccessful password attempts are made within a 30-minute period.
Any failed attempts at account management or policy changes activities should be audited.
The built-in Administrator account should be renamed to TestKingAdmin
The built-in Guest accounts should be disabled

What should you do?

Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
The first requirement of the question is to create a new security template named SecTemplate1.
Step 1: Expand Security Templates.
Step 2: Right click the templates folder and select New Template.
Step 3: Enter the template name.
Step 4: The template should now show up in the list. Expand the template.
Step 5: The first requirement for the security template states: "Users should be locked out for 60 minutes after five unsuccessful password attempts are made within a 30-minute period." This can be configured in Account Policies / Account Lockout Policies. Double click Account Lockout Duration. Tick the checkbox and enter 60 for the account lockout duration. Click OK.
Note: Configuring the above setting should cause Windows 2003 to default to the following settings. If this doesn't happen, continue with Steps 6 and 7.
Step 6: Double click the Account Lockout Threshold. Tick the checkbox and enter 5 for the Account Lockout Threshold value. Click OK.
Step 7: Double click "Reset Account Lockout Counter after", tick the checkbox and enter 30 for the value. Click OK.

The second requirement for the security template is: "any failed attempts at account management or policy changes activities should be audited." We can set this in Local Policies / Audit Policy.
Step 1:
Step 2: Double click Audit Account Management. Tick the "Define these policy settings in the template" checkbox and tick the "Failure" checkbox. Click OK.

The third requirement for the template is "The built-in Administrator account should be renamed to TestKingAdmin". This is done in Local Policies / Security Options.
Step 1:
Step 2: Double click Account: Rename administrator account. Tick the checkbox, type in the name and click OK.

The fourth requirement for the template is: "The built-in Guest accounts should be disabled". This is also done in Local Policies / Security Options.
Step 1:

Step 2: Double click Accounts: Guest Account Status. Tick the checkbox, select Disabled and click OK.

QUESTION NO: 4 SIMULATION
You are the network administrator for TestKing.com. All client computers run Windows XP Professional.
You are responsible for ensuring that the latest updates are applied to all client computers. A systems engineer installs Software Update Services (SUS) on a Windows Server 2003 computer named TestKing10 for this purpose. A GPO named Autoupdate Settings is used in the Sales OU.
You need to configure the GPO so that the client computers in the Sales OU will use SUS on TestKing10 to automatically install new updates daily at midnight. These updates should be installed without user prompting.
What should you do?
Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
We need to edit the Group Policy for the Sales OU.
Step 1: In Active Directory Users and Computers, right click on the Sales OU and select Properties.
Step 2: On the Group Policy tab, click the Edit button.
Step 3: Browse to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
Step 4: Double click "Configure Automatic Updates".
Step 5: Configure the following options then click the Next Setting button.
Step 6: Configure the following options then click the OK button.
Step 7: Close the Group Policy Editor window.
Step 8: Click OK to close the Sales OU Properties window.

QUESTION NO: 5 SIMULATION
You are the network administrator for TestKing.com. You administer a server named TestKing5. Routing and Remote Access is installed on TestKing5.
You need to perform the following administrative tasks:
1. Modify the Connections to Microsoft Routing and Remote Access server policy to allow remote access for members of the Domain Admins group.
2. Add a static route for the 192.168.4.0/24 network, and configure 192.168.0.1 to be the gateway for that network.
3. Enable Routing Internet Protocol (RIP) version 2 on Local Area Connection 3 so that updates can be received by both RIP version 1 and RIP version 2 routers but so that announcements from other routers will not cause an update to TestKing5's routing table.
4. Configure an inbound packet filter to prevent all traffic from the 192.168.5.0 network on Local Area Connection 3.
What should you do?
Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
To answer this question, we need to configure some settings in Routing and Remote Access.
The first requirement of the question states: Modify the Connections to Microsoft Routing and Remote Access server policy to allow remote access for members of the Domain Admins group.
Step #1: Open Control Panel.
Step #2: Open Administrative Tools.
Step #3: Open Routing and Remote Access.
Step #4: Double click the "Connections to Microsoft Routing and Remote Access server" policy. Click the Add button to add a policy condition.
Step #5: Scroll down, select Windows-Groups and click Add.
Step #6: Click Add.
Step #7: Type Domain Admins and click OK.
Step #8: Click OK again to close the Groups dialog box.
Step #9: Select "Grant remote access permission" and click OK.

The second requirement of the question states: Add a static route for the 192.168.4.0/24 network, and configure 192.168.0.1 to be the gateway for that network.
Step #1: In Routing and Remote Access, expand IP Routing.
Step #2: Right click on Static Routes and select "New Static Route".
Step #3: Enter the following information and click Add.

The third requirement of this question states: Configure Routing Internet Protocol (RIP) version 2 on Local Area Connection 3 so that updates can be received by both RIP version 1 and RIP version 2 routers but so that announcements from other routers will not cause an update to TestKing5's routing table.

Step #1: In Routing and Remote Access, expand IP Routing.
Step #2: Right click on General and select "New Routing Protocol".
Step #3: Select "RIP Version 2 for Internet Protocol" and click OK.
Step #4: You'll now see an icon for RIP. Right click on RIP and select New Interface.
Step #5: Select the required interface and click OK.
Step #6: Accept the default options and click OK.

The fourth requirement of the question states: Create an inbound packet filter to prevent all traffic from the 192.168.5.0 network on Local Area Connection 3.
Step #1: In Routing and Remote Access, click General, right click on the Local Area Connection and select Properties.
Step #2: Click the Inbound Filters button.
Step #3: Click New.
Step #4: Enter the source network address and click OK.

QUESTION NO: 6 SIMULATION
You are a network engineer at TestKing. The network consists of a single Active Directory domain named testking.com.
You administer a server named TestKing5. TestKing5 functions as a DNS server. All servers on TestKing's network run Windows Server 2003. Four of the servers are named TestKingA, TestKingB, TestKingC, and TestKingD.
You need to perform the following tasks on TestKing5:
1. Enable users to connect to TestKing1.testking.com by using either the name TestKingA.testking.com or TKA.testking.com.
2. Create a host (A) resource record for TestKingD with an IP address of 192.168.1.5 in the testking.com zone.
3. Create a mail exchange (MX) resource record for TestKingC.testking with priority of 10.
4. Modify the MX record for TestKingA.testking.com to have a priority of 30.
5. Create a static pointer (PTR) resource record for TestKingC.testking.com.
What should you do?
Answer by performing the appropriate actions in the simulation window.

Answer:
The first requirement of this question states: Enable users to connect to TestKing1.testking.com by using either the name TestKingA.testking.com or TKA.testking.com. To do this, we need to create Alias records in the testking.com zone.
Step #1: Open Control Panel.
Step #2: Open Administrative Tools.
Step #3: Open the DNS console. Expand the testking.com forward lookup zone.
Step #4: Right click on the testking.com zone and select New Alias.
Step #5: Fill in the following details and click OK.
Step #6: Create another alias record with the following details.

The second requirement of this question states: Create a host (A) resource record for TestKingD with an IP address of 192.168.1.5 in the testking.com zone.
Step #1: In the DNS console, right click on the testking.com zone and select New Host.
Step #2: Enter the following details and click Add Host.

The third requirement in this question states: Create a mail exchange (MX) resource record for TestKingC.testking with priority of 10.
Step #1: In the DNS console, right click on the testking.com zone and select New Mail Exchanger (MX).
Step #2: Enter the following details and click OK.

The fourth requirement in this question states: Modify the MX record for TestKingA.testking.com to have a priority of 30.
Step #1: In the DNS console, click the testking.com forward lookup zone to display the records in the right pane.
Step #2: Double click the Mail Exchanger record for testkinga.testking.com.
Step #3: Change the priority to 30 and click OK.

QUESTION NO: 7 SIMULATION
You are a network engineer at TestKing. The network consists of a single Active Directory domain named testking.com.
Software Update Services (SUS) is installed on a single server, which is named TestKing5. TestKing5 receives software updates from Microsoft Windows Update servers.
A systems engineer installs SUS on a second server, which is named TestKing3. The systems engineer manually synchronizes TestKing3 with the Windows Update servers.
You need to complete the SUS configuration on TestKing3 to ensure that the following requirements are fulfilled:

1. The current updates must be approved.
2. TestKing3 must receive updates from TestKing5 and automatically synchronize with approved updates on TestKing5.
3. TestKing3 must automatically receive daily updates at midnight.
What should you do?
Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
The first requirement of this question states that the current updates must be approved.
Step #1: Open Internet Explorer and go to http://localhost/SUSAdmin/ or click a shortcut to open the SUS configuration, then click the "Approve Updates" link on the left.
Step #2: Select the updates and click the Approve button.
Step #3: Click OK to confirm.

The second requirement of the question states: TestKing3 must receive updates from TestKing5 and automatically synchronize with approved updates on TestKing5.
Step #1: Click the "Set Options" link on the left of the SUSadmin window.
Step #2: Configure the following options and click Apply.

The third requirement of the question states: TestKing3 must automatically receive daily updates at midnight.
Step #1: Click the "Synchronize server" link on the left of the SUSadmin window.
Step #2: Click the Synchronization Schedule button.
Step #3: Configure the following options and click OK.

QUESTION NO: 8 SIMULATION
You are a network engineer at TestKing. The network consists of a single Active Directory domain named testking.com. A Windows Server 2003 computer named TestKing5 is the primary DNS server for the domain.
You are responsible for maintaining the DNS structure for the forest. Each of TestKing's branch offices has a domain controller installed to provide local authentication. DNS is installed on each domain controller.
You are planning to create a child domain named child.testking.com. A Windows Server 2003 computer named TestKing12, which has the IP address 10.10.5.200, will be the first domain controller for the new child domain. DNS will be configured on TestKing12 to be authoritative for the zone.
You need to modify the DNS configuration on TestKing5 to ensure that the following requirements are fulfilled:
1. DNS updates to the testking.com zone must be made only by authorized client computers and servers.
2. Information for testking.com must be updated to all Active Directory-integrated DNS servers in the forest.
3. Client computers pointing to the parent domain for name resolution must be able to resolve names on the child domain.
4. A DNS domain named test.local must be created and the data should be stored only on TestKing12.
What should you do?
Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
The first requirement of this question states: DNS updates to the testking.com zone must be made only by authorized client computers and servers. We can do this by configuring the testking.com zone to accept secure dynamic updates only.
Step #1: In the DNS console, expand TestKing5 then expand Forward Lookup Zones.
Step #2: Right click on the testking.com zone and select Properties.
Step #3: Ensure that "Secure only" is selected in the Dynamic Updates drop-down list.

The second requirement of this question states: Information for testking.com must be updated to all Active Directory-integrated DNS servers in the forest.
Step #1: In the testking.com zone Properties, click the Change button to change the Replication option. Select the option "To all DNS servers in the Active Directory forest testking.com" and click OK.
Step #2: Click OK to close the testking.com zone Properties dialog box.

The third requirement of this question states: Client computers pointing to the parent domain for name resolution must be able to resolve names on the child domain. To do this, we can either configure a stub zone or a zone delegation. As we know the name and IP address of the child.testking.com DNS server, we can create a zone delegation.
Step #1: Right click on the testking.com zone and select "New Delegation".
Step #2: The New Delegation Wizard starts. Click Next.
Step #3: Enter the name of the child domain and click Next.
Step #4: Click the Add button.
Step #5: Enter the fully qualified domain name for testking12. Enter the IP address and click Add.
Step #6: Click OK to close the dialog box.
Step #7: Click Next.
Step #8: Click Finish.

The fourth requirement of this question states: A DNS domain named test.local must be created and the data should be stored only on TestKing12. To do this we need to create a DNS zone on TestKing12. The zone data should be stored locally and not in Active Directory. As we're working on TestKing5, we'll need to connect to TestKing12.
Step #1: In the DNS console, right click on the DNS icon and select "Connect to DNS Server".
Step #2: Type testking12 and click OK.
Step #3: Right click on the Forward Lookup Zones folder and select New Zone.
Step #4: The New Zone Wizard starts. Click Next.
Step #5: Uncheck the "Store the zone in Active Directory" checkbox and click Next.
Step #6: Enter the name test.local and click Next.
Step #7: Accept the default file name and click Next.
Step #8: The question doesn't state whether dynamic updates should be enabled so we'll accept the default of 'no updates' and click Next.
Step #9:
Click Finish to close the wizard.

QUESTION NO: 9 SIMULATION
You are a network engineer at TestKing. You administer a Windows Server 2003 computer named TestKing5. TestKing5 functions as a DNS server.
TestKing's Active Directory domain is named testking.com. The domain contains Windows Server 2003 computers named TestKingA, TestKingB, and TestKingC.
You need to perform the following administrative tasks on TestKing5:
1. Create a mail exchange (MX) resource record for TestKingC.testking.com with a priority of 10.
2. Modify the MX records for TestKingA.testking.com and TestKingB.testking.com so that incoming mail will be delivered to TestKingC on first attempt, then to TestKingB if TestKingC is not available, and lastly to TestKingA if TestKingB and TestKingC are not available.
What should you do?
Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
The first requirement of this question states: Create a mail exchange (MX) resource record for TestKingC.testking.com with a priority of 10.
Step #1: Open the DNS management console (for example by Start->Program->Administrative tasks->DNS).
Step #2: Expand to show the testking.com forward lookup zone.
Step #3: Right click on the testking.com zone and select New Mail Exchanger (MX).
Step #4: Enter the server name and priority then click OK.

The second requirement of this question states: Modify the MX records for TestKingA.testking.com and TestKingB.testking.com so that incoming mail will be delivered to TestKingC on first attempt, then to TestKingB if TestKingC is not available, and lastly to TestKingA if TestKingB and TestKingC are not available. To do this we need to configure TestKingB to have a lower priority than TestKingC and TestKingA to have a lower priority than TestKingB.
Note: A lower MX number has a higher priority.
Step #1: Click the testking.com zone to display the records in the right pane. Double click the MX record for testkingb.testking.com.
Step #2: Testkingc has a priority of 10, so we need to enter a higher value (higher value = lower priority) than 10. Click OK.
Step #3: Double click the MX record for testkinga.testking.com.
Step #4: In step 2, we gave testkingb a priority value of 20. Enter a higher value for testkinga and click OK.
Step #5: You should now see the three MX records with different values.

QUESTION NO: 10 SIMULATION
You are a network engineer at TestKing. The network consists of two Active Directory domains named testking.com and foo.com. You administer a Windows Server 2003 computer named TestKing5. TestKing5 functions as a DNS server.
You are required to perform the following administrative tasks on TestKing5:
1. Configure the testking.com zone so that hosts can update their records every 10 days.
2. Configure the testking.com zone so that records that are not updated by DNS clients are removed from the DNS server after 20 days.
3. Clear the currently cached DNS name resolutions on TestKing5.
4. Enable zone transfers for the foo.com zone to name servers only.
What should you do?
Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
The first requirement of this question states: Configure the testking.com zone so that hosts can update their records every 10 days. To do this we must configure the "No Refresh interval".
The second requirement of this question states: Configure the testking.com so that records that are not updated by DNS clients are removed from the DNS server after 20 days. To do this we must configure the "Refresh interval" to be 20 days minus the "Refresh interval". Therefore the "Refresh interval" should be set to 10 days.
Step #1: Open the DNS management console (for example by Start->Program->Administrative tasks->DNS).

Step #2: Expand to show the forward lookup zones.
Step #3: Right click on the testking.com zone and select Properties.
Step #4: Click the Aging button.
Step #5: Tick the checkbox and enter values of 10 days for the no-refresh interval and the refresh interval then click OK.
Step #6: Click OK to close the dialog box.
Step #7: We should check that Automatic Scavenging of stale records is enabled at the server level. Right click on TestKing5 and select Properties.
Step #8: If it is not already checked, check the "Enable automatic scavenging of stale records" checkbox then click OK to close the dialog box.

The third requirement of this question states: Clear the currently cached DNS name resolutions on TestKing5.
Step #1: Right click on TestKing5 and select Clear Cache.

The fourth requirement of this question states: Enable zone transfers for the foo.com zone to name servers only.
Step #1: Right click on the foo.com zone and select Properties.
Step #2: On the Zone Transfers tab, tick the checkbox and select "Only to servers listed on the Name Servers tab" then click OK to close the dialog box.

QUESTION NO: 11 SIMULATION
You are a network engineer at TestKing. The network consists of a single Active Directory domain named testking.com.
You are required to create a dedicated domain administrator account to use when you perform domain administrative tasks. The account name must be configured as shown in the following table.

First Name    Domain
Last Name     TestKingAdmin1
Logon name    DomainTestKingAdmin1

You have to assign the account a temporary password that must be changed on first login.
You also need to ensure that members of the specified groups are allowed to perform only the administrative tasks shown in the following table.

Group            Administrative Tasks
PasswordAdmin    Reset passwords for the Sales OU
UserAdmin        Create and manage user accounts in the Sales OU
GroupsAdmin      Manage group membership in the Sales OU

What should you do?
Answer by performing the appropriate actions in the simulation window.
Simulation window

Answer:
The first requirement of this question states: You are required to create a dedicated domain administrator account to use when you perform domain administrative tasks.
Step #1: Open the Active Directory Users and Computers console (for example by Start->Program->Administrative tasks->Active Directory Users and Computers).
Step #2: Expand TestKing.com.
Step #3: Right click on the Users container and select New > User.
Step #4: Enter the name details and click Next.
Step #5: Enter a password and click Next.
Step #6: Click Finish.
Step #7: In the Users container, double click the Domain TestKingAdmin1 account.
Step #8: On the "Member of" tab, click Add.
Step #9: Type in 'domain admins' and click OK.
Step #10: Click OK to close the dialog box.

The second requirement of this question states that members of the PasswordAdmin group should be able to reset passwords for the Sales OU. To do this, we can delegate control.
Step #1: Right click on the Sales OU and select Delegate Control.
Step #2: The Delegation of Control wizard starts. Click Next.
Step #3: Click Add.
Step #4: Type in 'passwordadmin' and click OK.
Step #5: Click Next.

Step #6: Select the checkbox for resetting passwords and click Next.
Step #7: Click Finish.

The third requirement of this question states that members of the UserAdmin group should be able to create and manage user accounts in the Sales OU. To do this, we can delegate control.
Step #1: Right click on the Sales OU and select Delegate Control.
Step #2: The Delegation of Control wizard starts. Click Next.
Step #3: Click Add.
Step #4: Type in 'useradmin' and click OK.
Step #5: Click Next.
Step #6: Select the checkbox for creating and managing user accounts and click Next.
Step #7: Click Finish.

The fourth requirement of this question states that members of the GroupsAdmin group should be able to manage group membership in the Sales OU. To do this, we can delegate control.
Step #1: Right click on the Sales OU and select Delegate Control.
Step #2: The Delegation of Control wizard starts. Click Next.
Step #3: Click Add.
Step #4: Type in 'GroupsAdmin' and click OK.
Step #5: Click Next.
Step #6: Select the checkbox "Modify the membership of a group" and click Next.
Step #7: Click Finish.

QUESTION NO: 12
SIMULATION
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 computer named Testking1. Testking1 is a member of the domain and is configured to dynamically register in DNS.
The relevant portion of the network is shown in the exhibit.
Testking10 cannot connect to Testking1. Testking5 and Testking20 can successfully connect to Testking1. A new Web site will be hosted on Testking1 and must respond to requests on the IP address 10.2.32.5.
A third-party application unsuccessfully attempts to connect to hosts on the testking.com domain by using computer names. However, hosts can be reached by using fully qualified domain names (FQDNs).
You need to ensure that Testking1 can locate hosts on testking.com without using FQDNs. You want to achieve this goal by modifying the TCP/IP settings on Testking1.
What should you do?

Answer:
Explanation: We need Testking1 to connect to computers in the testking.com domain by using their host names only (without using a fully qualified domain name). To do this, we need to configure a "DNS suffix".
Step 1. In the Internet Protocol properties dialog box, click the Advanced button, then click the DNS tab.
Step 2. Select "Append these DNS suffixes (in order)" then click the Add button.
Step 3. Enter "testking.com" in the domain suffix box and click Add.
Step 4. Click OK to close the Advanced TCP/IP Settings dialog box.
Step 5. Click OK to close the Internet Protocol (TCP/IP) properties dialog box.
Step 6. Click Close to close the LAN connection properties dialog box.

Microsoft 70-293
Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Q&A with explanations
Version 33.0

Important Note, Please Read Carefully

Study Tips:
This product will provide you questions and answers carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Other products:
Study Guide (not available for all exams, separate product): Build a foundation of knowledge which will be useful also after passing the exam.
Offline Testing engine: not included to cut down price.
All TestKing exams are available or will be listed at: http://www.PrometricVUE.com
Email: info@prometricvue.com

Latest Version:

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 45 days after the purchase. You should check http://www.PrometricVUE.com 3-4 days before the scheduled exam date. For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Support:
This OEM product is not supported by TestKing. Wrong answers cannot be edited by the reseller, so please do not email to have them corrected.
Visit our reseller at www.PrometricVUE.com for the latest version and special price!

Table of Contents

Topic 1, Planning and Implementing Server Roles and Server Security (23 Questions)
  Part 1: Configure security for servers that are assigned specific roles. (3 questions)
  Part 2: Plan a secure baseline installation.
    A: Plan a strategy to enforce system default security settings on new systems. (2 questions)
    B: Identify client operating system default security settings. (2 questions)
    C: Identify all server operating system default security settings. (1 question)
  Part 3: Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.
    A: Deploy the security configuration for servers that are assigned specific roles. (9 questions)
    B: Create custom security templates based on server roles. (5 questions)
  Part 4: Evaluate and select the operating system to install on computers in an enterprise. (1 question)
Topic 2, Planning, Implementing, and Maintaining a Network Infrastructure (47 Questions)
  Part 1: Plan a TCP/IP network infrastructure strategy.
    A: Analyze IP addressing requirements. (2 questions)
    B: Plan an IP routing solution. (1 question)
    C: Create an IP subnet scheme. (2 questions)
  Part 2: Plan and modify a network topology.
    A: Plan the physical placement of network resources. (1 question)
    B: Identify network protocols to be used. (1 question)
  Part 3: Plan an Internet connectivity strategy. (2 questions)
  Part 4: Plan network traffic monitoring. Tools might include Network Monitor and System Monitor. (1 question)
  Part 5: Troubleshoot connectivity to the Internet.
    A: Diagnose and resolve issues related to Network Address Translation (NAT). (0 questions)
    B: Diagnose and resolve issues related to name resolution cache information. (0 questions)
    C: Diagnose and resolve issues related to client configuration. (0 questions)
  Part 6: Troubleshoot TCP/IP addressing.
    A: Diagnose and resolve issues related to client computer configuration. (3 questions)
    B: Diagnose and resolve issues related to DHCP server address assignment. (7 questions)
  Part 7: Plan a host name resolution strategy.
    A: Plan a DNS namespace design. (0 questions)
    B: Plan zone replication requirements. (5 questions)
    C: Plan a forwarding configuration. (5 questions)
    D: Plan for DNS security. (2 questions)
    E: Examine the interoperability of DNS with third-party DNS solutions. (5 questions)
  Part 8: Plan a NetBIOS name resolution strategy.
    A: Plan a WINS replication strategy. (1 question)
    B: Plan NetBIOS name resolution by using the Lmhosts file. (0 questions)
  Part 9: Troubleshoot host name resolution.
    A: Diagnose and resolve issues related to WINS and DNS services. (8 questions)
    B: Diagnose and resolve issues related to client computer configuration. (1 question)
Topic 3, Planning, Implementing and Maintaining Routing and Remote Access (23 Questions)
  Part 1: Plan a routing strategy.
    A: Identify routing protocols to use in a specified environment. (1 question)
    B: Plan routing for IP multicast traffic. (1 question)
  Part 2: Plan security for remote access users.
    A: Plan remote access policies. (3 questions)
    B: Analyze protocol security requirements. (0 questions)
    C: Plan authentication methods for remote access. (10 questions)
  Part 3: Implement secure access between private networks.
    A: Create and implement secure VPN connections. (4 questions)
    B: Create and implement an IPSec policy. (2 questions)
  Part 4: Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor. (2 questions)
Topic 4, Planning, Implementing, and Maintaining Server Availability (35 Questions)
  Part 1: Plan services for high availability.
    A: Plan a high availability solution that uses clustering services. (6 questions)
    B: Plan a high availability solution that uses Network Load Balancing. (4 questions)
  related bottlenecks. (5 questions)
  Part 3: Implement a cluster server. (4 questions)
  Part 4: Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility. (4 questions)
  Part 5: Plan a backup and recovery strategy.
    A: Identify appropriate backup types. Methods include full, incremental, and differential. (6 questions)
    B: Plan a backup strategy that uses volume shadow copy. (3 questions)
    C: Plan system recovery that uses Automated System Recovery (ASR). (3 questions)
Topic 5, Planning and Maintaining Network Security (27 Questions)
  Part 1: Configure network protocol security.
    A: Configure protocol security in a heterogeneous client computer environment. (0 questions)
    B: Configure protocol security by using IPSec policies. (1 question)
  Part 2: Configure security for data transmission. (1 question)
  Part 3: Plan for network protocol security.
    A: Specify the required ports and protocols for specified services. (4 questions)
    B: Plan an IPSec policy for secure network communications. (2 questions)
  Part 4: Plan secure network administration methods.
    A: Create a plan to offer Remote Assistance to client computers. (2 questions)
    B: Plan for remote administration. (2 questions)
  Part 5: Plan security for wireless networks. (5 questions)
  Part 6: Plan security for data transmission.
    A: Secure data transmission between client computers to meet security requirements. (3 questions)
    B: Secure data transmission by using IPSec. (7 questions)
  Part 7: Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in. (0 questions)
Topic 6, Planning, Implementing, and Maintaining Security Infrastructure (34 Questions)
  Part 1: Configure Active Directory directory service for certificate publication. (3 questions)
  Part 2: Plan a public key infrastructure (PKI) that uses Certificate Services.
    A: Identify the appropriate type of certificate authority to support certificate issuance requirements. (4 questions)
    B: Plan the enrollment and distribution of certificates. (12 questions)
    C: Plan for the use of smart cards for authentication. (6 questions)
  Part 3: Plan a framework for planning and implementing security.
    A: Plan for security monitoring. (5 questions)
    B: Plan a change and configuration management framework for security. (1 question)
  Part 4: Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. (3 questions)
Topic 7, Simulations (19 Questions)
Topic 8, Miscellaneous (44 Questions)

Total Number of Questions: 251

Topic 1, Planning and Implementing Server Roles and Server Security (23 Questions)

Part 1: Configure security for servers that are assigned specific roles. (3 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The network contains two Windows Server 2003 domain controllers, two Windows 2000 Server domain controllers, and two Windows NT Server 4.0 domain controllers.
All file servers for the finance department are located in an organizational unit (OU) named Finance Servers. All file servers for the payroll department are located in an OU named Payroll Servers. The Payroll Servers OU is a child OU of the Finance Servers OU.
TestKing's written security policy for the finance department states that departmental servers must have security settings that are enhanced from the default settings. The written security policy for the payroll department states that departmental servers must have enhanced security settings from the default settings, and auditing must be enabled for file or folder deletion.
You need to plan the security policy settings for the finance and payroll departments.
What should you do?

A. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
B. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
C. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to apply the Hisecws.inf security template to computer objects, and link it to the Payroll Servers OU.
D. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers and to the Payroll Servers OUs. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.

Answer: B

Explanation: The Securews.inf template contains policy settings that increase the security on a workstation or member server to a level that remains compatible with most functions and applications. The template includes many of the same account and local policy settings as Securedc.inf, and implements digitally signed communications and greater anonymous user restrictions.
Audit Object Access: A user accesses an operating system element such as a file, folder, or registry key. To audit elements like these, you must enable this policy and you must enable auditing on the resource that you want to monitor. For example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or folder, and then add the users or groups whose access to that file or folder you want to audit.

Incorrect Answers:
A, C: The Compatws.inf security template is designed for Windows NT compatible applications that require lower security settings in order to run. These settings are lower than the default settings.
D: The Payroll Servers OU is a child OU of the Finance Servers OU. GPO settings GPO to both the Finance Servers OU and the Payroll Servers OU.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapters 9 and 10

QUESTION NO: 2
You are the network admin for TestKing. Your network contains 50 application servers that run Windows Server 2003.
The security configuration of the application servers is not uniform. The application

servers were deployed by local administrators who configured the settings for each of the application servers differently based on their knowledge and skill. The application servers are configured with different authentication methods, audit settings and account policy settings.
The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application server role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named application.inf that contains the required settings.
You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements.
What should you do?

A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf template
B. Apply the Application.inf template and then the Hisecws.inf template.
C. Apply the Application.inf template first, then setup.inf template next, and then the hisecws.inf template
D. Apply the Setup.inf template and then the application.inf template

Answer: A

Explanation: The servers currently have different security settings. Before applying our modified settings, we should reconfigure the servers with their default settings. This is what the security.inf template does. Now that our servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Now we can apply our custom settings using the application.inf template.

Incorrect Answers:
B: The hisecws.inf template would overwrite the custom application.inf template.
C: Same as answer A. Also, the setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template.
D: The setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:62
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION NO: 3
Your network contains Terminal servers that host legacy applications that require users to be members of the Power Users group in order to run them.
A new company policy states that the Power Users Group must be empty on all servers.
You need to maintain the ability to run legacy applications on your servers when the new security requirement is enabled.
What should you do?

A. Add the domain users global group to the Remote Desktop Users built-in group in the domain
B. Add the domain users global group to the Remote Desktop Users local group on each terminal server
C. Modify the compatws.inf security template settings to allow members of the local users group to run the applications. Import the security settings into the default Domain Controllers Group Policy Object.
D. Modify the compatws.inf security template settings to allow members of the local users group to run the applications. Apply the modified template to each terminal server

Answer: D

Explanation: The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration. However, if Windows 2000 users are members of the Power Users group in order to run applications not certified for Windows 2000, this may

be too insecure for some environments. Some organizations may find it preferable to assign users, by default, only as members of the Users group and then decrease the security privileges for the Users group to the level where applications not certified for Windows 2000 run successfully. The compatible template (compatws.inf) is designed for such organizations. By lowering the security levels on specific files, folders, and registry keys that are commonly accessed by applications, the compatible template allows most applications to run successfully under a User context. In addition, since it is assumed that the administrator applying the compatible template does not want users to be Power Users, all members of the Power Users group are removed.

Incorrect Answers:
A, B: Global group is a group that is available domain-wide in any domain functional level, so why would you add to another group.
C: The Compatws.inf template is not intended for domain controllers, so you should not link it to a site, to the domain, or to the Domain Controllers OU

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8:5
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Chapter 9

Part 2: Plan a secure baseline installation.
A: Plan a strategy to enforce system default security settings on new systems. (2 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003.
The domain contains an organizational unit (OU) named Servers that contains all of TestKing's Windows Server 2003 resource servers. The domain also contains an OU named Workstations that contains all of TestKing's Windows XP Professional client computers.
You configure a baseline security template for resource servers named Server.inf and a baseline security template for client computers named Workstation.inf. The Server.inf template contains hundreds of settings, including file and registry permission settings that have inheritance propagation enabled. The Workstation.inf template contains 20 security settings, none of which contain file or registry permissions settings.
The resource servers operate at near capacity during business hours.
You need to apply the baseline security templates so that the settings will be periodically enforced. You need to accomplish this task by using the minimum amount of administrative effort and while minimizing the performance impact on the resource servers.
What should you do?

A. Create a Group Policy object (GPO) and link it to the domain. Import both the Server.inf and the Workstation.inf templates into the GPO.
B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group Policy object (GPO).
C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Create a Group Policy object (GPO) and link it to the Workstations OU. Import the Workstation.inf template into the GPO.
D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).

Answer: C

Explanation: The question states that you need to apply the baseline security templates so that the settings will be periodically enforced. To accomplish this you must create a scheduled task so that the performance impact on resource servers is minimized. Furthermore, the question also states that Workstation.inf is a baseline security template for client computers. Therefore, the GPO has to be linked to the OU that contains the client computers, and the Workstation.inf template must be imported

to the said GPO so that it can be applied.
Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments. You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers' computer objects exist.

Incorrect Answers:
A: Server.inf and the Workstation.inf templates into a single GPO, we would ensure that the settings in the security template imported last are applied in cases where there are conflicting settings. If we apply this to the domain, then all computers would have the same settings.
B, D: The Default Domain Policy Group Policy object (GPO) is applied only to the Domain Controllers group.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 9

QUESTION NO: 2
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 90 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed.
TestKing is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers.
You are planning a baseline security configuration for the Web servers. The company's written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:
1. SMTP
2. Telnet
Your plan for the baseline security configuration for Web servers must comply with the written security policy.
You need to ensure that unnecessary services are always disabled on the Web servers.
What should you do?

A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.

Answer: C

Explanation: Windows Server 2003 installs a great many services with the operating system, and configures quite a few with the Automatic startup type, so that these services load automatically when the system starts. Many of these services are not needed in a typical member server configuration, and it is a good idea to disable the ones that the computer does not need. Services are programs that run continuously in the background, waiting for another application to call on them. Instead of controlling the services manually, using the Services console, you can configure service parameters as part of a GPO. Applying the GPO to a container object causes the services on all the computers in that container to be reconfigured. To configure

service parameters in the Group Policy Object Editor console, you browse to the Computer Configuration\Windows Settings\Security Settings\System Services container and select the policies corresponding to the services you want to control.

Incorrect Answers:
A: The logon script would only run when someone logs on to the web servers. It's likely that the web servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be refreshed at regular intervals.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:126

B: Identify client operating system default security settings. (2 questions)

QUESTION NO: 1
You are the network admin for TestKing. All servers run Windows Server 2003. Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest critical updates installed.
You run the mbsacli.exe /hf command from a server named server1. When you scan a server named TestKingB you receive the following error message stating Error 200, System not found, Scan failed. When you ping TestKingB you receive a reply.
You need to ensure that you can scan TestKingB by using the mbsacli.exe /hf.
What should you do?

A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security analyzer folder on server1
B. Ensure that the Server service is running on TestKingB
C. Install IIS common files on Server1
D. Install the latest version of IE on TestKingB

Answer: B

Explanation: From Microsoft: Error: 200 - System not found. Scan not performed. This error message indicates that mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error, verify that this computer is on the network and that the host name and IP address are correct.
We know that the computer is on the network because we can successfully ping it. Therefore, the cause of the problem must be that the Server service isn't running.

Incorrect Answers:
A, C: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with Server1.
D: The version of IE that comes with Windows Server 2003 is sufficient, and therefore does not need to be upgraded.

Reference:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q303/2/15
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:5

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 10 application servers that run Windows Server 2003.
The application servers are accessed from the TestKing network and from the Internet. The network design requires that the application servers must have specifically configured security settings, including the password policy, audit policies, and security options settings.
You create a security template named App.inf that contains the security settings required by the network design. You are concerned that an unauthorized user will modify the configuration and gain access to the application servers. You want to capture any changes made to the security settings of the application servers.
You need to generate a report that compares the current settings of each application server with the required settings every 24 hours.
What should you do?

A. Use a Group Policy startup script to run the secedit command in analysis mode with the App.inf template, and set the Group Policy refresh interval for computers to 24 hours.
B. Import the App.inf template into Group Policy, and set the Group Policy refresh interval for computers to 24 hours.

C. Use Task Scheduler to run the gpresult command in verbose mode every 24 hours.
D. Use a custom script in Task Scheduler to run the secedit command in analysis mode with the App.inf template every 24 hours.

Answer: D

Explanation: Secedit.exe is a command line version of the Security Configuration and Analysis tool. In 'analysis' mode, this tool can be used to compare the current system settings with the required settings. We can use the Task Scheduler to run a script that runs secedit.exe to analyse the current settings.

Incorrect Answers:
A: A Group Policy startup script will only run when the computer starts up. It does not run every time the group policy is refreshed.
B: This will reapply the required settings every 24 hours, but the question states that you want to capture any changes by comparing the current settings to the required settings.
C: The gpresult utility is a command line version of the RSoP utility. In verbose mode, it will list the effective policies on a computer. However, it won't list the differences between the current settings and the required settings.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 10:4

C: Identify all server operating system default security settings. (1 question)

QUESTION NO: 1
You are the network administrator for TestKing's Active Directory domain. TestKing's written security policy was updated and now requires a minimum of NTLM v2 for LAN manager authentication. You need to identify which Operating Systems on your network do not meet the new requirement. Which OS would require an upgrade to the OS or software to meet the requirement?
A. Windows 2000 Professional
B. Windows Server 2003
C. Windows XP Professional
D. Windows NT Workstation with service pack 5
E.
Windows 95

Answer: E

Explanation: Windows 95 does not natively support NTLM v2 authentication. To enable it, you would need to install the Directory Services Client software.

Incorrect Answers:
A, B, C, D: Windows 2000 Professional, Server 2003, XP Professional, and NT Workstation with service pack 5 natively support NTLM v2 authentication.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26

Part 3: Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.

A: Deploy the security configuration for servers that are assigned specific roles. (9 questions)

QUESTION NO: 1
You are a network administrator for TestKing Inc. The network consists of a single Active Directory forest as shown in the exhibit. TestKing's written security policy requires that all domain controllers in the child1.testking.com domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group. You need to configure the domain controllers in the child1.testking.com domain to meet the new security requirements. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) on the child1.testking.com domain.

B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.testking.com domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.testking.com domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.testking.com domain.
E. Run the system key utility (syskey) on each domain controller in the child1.testking.com domain. In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1.testking.com domain. In the Account Database Key dialog box, select the Store Startup Key Locally option.

Answer: C, E

Explanation: Secure (Secured.inf) Template - The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses. In order to apply Securews.inf to a member computer, all of the domain controllers that contain the accounts of all users that log on to the client must run Windows NT 4.0 Service Pack 4 or higher.
The system key utility (SYSKEY) is a security measure used to restrict logon names to user accounts and access to computer systems and resources. By running the syskey utility with the Password startup option, the account information in the directory services is encrypted and a password needs to be entered during system start. The start of the Domain Controllers is therefore restricted to everybody with this password.

Incorrect Answers:
A: The Rootsec.inf security template defines permissions for the root of the system drive.
This template can be used to reapply the root directory permissions to other volumes.
B: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be used to reapply the root directory permissions to other volumes.
D: We need to apply the policy to the domain controllers container, not the entire domain.
F: The System Key Utility (syskey) is used to encrypt the account password information that is stored in the SAM database or in the directory services. By selecting "Store Key locally" the computer stores an encrypted version of the key on the local computer. This doesn't help in controlling the start of the Domain Controllers.

Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddo
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION NO: 2
You are a network administrator for TestKing. The network consists of a single Active Directory forest. All domain controllers run Windows Server 2003. The bank decides to provide access to its mortgage application services from a real estate agency that has offices throughout the country. You install a TestKing domain controller in each real estate agency office. You need to further protect the domain controllers' user account databases from unauthorized access. You want to achieve this goal by using the minimum amount of administrative effort. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A.
Use the system key utility (syskey) with the most secure security level on the domain controllers.
B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the GPO to the domain controllers.
C. Create a Group Policy object (GPO), configure the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting, and apply the GPO to the domain controllers.

D. Create a Group Policy object (GPO), import the DC security.inf security template, and apply the GPO to the domain controllers.

Answer: A, B

Explanation: On domain controllers, password information is stored in directory services. It is not unusual for password-cracking software to target the Security Accounts Manager (SAM) database or directory services to access passwords for user accounts. The System Key utility (Syskey) provides an extra line of defence against offline password-cracking software. Syskey uses strong encryption techniques to secure account password information that is stored in directory services. Mode 3 is the most secure Syskey utility, because it uses a computer-generated random key and stores the key on a floppy disk. This disk is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer.
Secure (Secured.inf) Templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.

Incorrect Answers:
C: You should be importing the Securedc.inf security template instead of configuring the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting.
D: DC Security.inf templates contain a large number of settings, and in particular a long list of file-system permission assignments. For this reason, you should not apply these templates to a computer by using group policies.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional. TestKing has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information. The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular, you want to configure stronger password settings, audit settings, and lockout settings. You want to minimize interference with the proper functioning of the legacy applications. You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers. What should you do?
A. Apply the Setup security.inf template to the domain controllers.
B. Apply the DC security.inf template to the domain controllers.
C. Apply the Securedc.inf template to the domain controllers.
D. Apply the Rootsec.inf template to the domain controllers.

Answer: C

Explanation: Securedc.inf contains policy settings that increase the security on a domain controller to a level that remains compatible with most functions and applications. The template includes more stringent account policies, enhanced auditing policies and security options, and increased restrictions for anonymous users and LanManager systems.

Incorrect Answers:
A: This template allows you to reapply the default security settings.
B: The DC security.inf template is available to undo security template policy settings.
D: Rootsec.inf contains only the default file system permissions for the system drive on a computer running Windows Server 2003. You can use this template to restore the default permissions to a system drive that you have changed, or to apply the system drive permissions to the computer's other drives.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 10
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your

Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 9

QUESTION NO: 4
You are the administrator of the TestKing company network. The network consists of a single active directory domain named testking.com. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. The company purchases 10 new servers to function as file servers for the domain. You install Windows Server 2003 on the new servers. The computer accounts for the file servers are located on an OU named File Servers. A security expert configures one of the servers named TKFile1 with various security settings. You need to apply and maintain the same security settings on the remaining 9 servers. You need to do this by using the minimum amount of administrative effort. What should you do? (Choose two)
A. Use disk imaging software to take an image of TKFile1. Apply the disk image to the remaining 9 servers.
B. Use gpedit.msc to create a new Group Policy object (GPO). Manually configure the GPO with the same security settings as TKFile1. Link the GPO to the File Servers OU.
C. Use gpedit.msc to create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.
D. On the PDC Emulator, use Security Configuration and Analysis to export the security settings to a security template.
E. On TKFile1, use Security Configuration and Analysis to export the security settings to a security template.
Answer: C, E

Explanation: The easiest way to configure multiple computers with multiple security settings is to use a GPO. In this question, we have a computer configured with the required settings. We can use the Security Configuration and Analysis to export the security settings to a security template. We can then import the template into a Group Policy Object and apply the settings to the File Servers OU.

Incorrect Answers:
A: This could work (if we changed the computer names and SIDS), but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are maintained.
B: This is a long way of doing it and definitely not the least amount of administrative effort that will also accomplish the task. Exporting the settings to a security template would be easier and less effort.
D: This would have no effect on the file servers.

Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION NO: 5
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 30 servers running Windows Server 2003 and 2000 client computers running Windows XP Professional. 20 member servers are located in an organisational unit (OU) named Servers. 10 domain controllers are in the default Domain Controllers container. All 2000 client computers are located in an organisational unit (OU) named Clients. The member servers are configured with the following security settings:
1. Logon events must be audited.
2. System events must be audited.
3.
Passwords for local user accounts must meet complexity requirements.
4. Passwords must be changed every 30 days.
5. Password history must be enforced.
6. Connections to the servers must be encrypted.
The written security policy states that you need to be able to verify the custom security settings during audits. You need to deploy and refresh the custom security settings on a routine basis.

What should you do?
A. Create a custom security template and apply it by using a Group Policy linked to the Servers OU.
B. Create a custom security template and apply it by using a Group Policy linked to the domain.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.

Answer: A

Explanation: The easiest way to deploy multiple security settings to a group of Windows 2003 computers is to create a security template with all the required settings and import the settings into a GPO. In this case, the security settings apply to local accounts on the servers. This means that we can apply the settings with a GPO assigned to an Organisation Unit containing the servers.

Incorrect Answers:
B: The security settings need to apply to the member servers only. Applying the GPO to the domain would affect all computers in the domain.
C: We need a security template, not an administrative template.
D: We cannot use imaging in this way.

Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION NO: 6
TestKing has a single active directory domain named TestKing.com. The company's written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed. You create a security template named fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action
if needed. You audit a file server by using fileserver.inf and receive the results shown in the exhibit. [Exhibit missing] You want to make only the changes that are required to meet the requirements. Which two actions should you take?
A. Correct the maximum application log size setting on the file server
B. Correct the maximum security log size setting on the file server
C. Correct the maximum system log size setting on the file server
D. Correct the retention method for application log setting on the file server
E. Correct the retention method for the security log setting on the file server
F. Correct the retention method for the system log setting for the file server

Answer: B, E

Explanation: The Event Log security area defines attributes related to the application, security, and system logs in the Event Viewer console for computers in a site, domain, or OU. The attributes are: maximum log size, access rights for each log, and retention settings and methods. Event log size and log wrapping should be defined to match your business and security requirements. In this particular case you should be correcting the maximum security log size setting and the retention method for the security log setting on the file server so as to comply with the stated requirements.

Incorrect answers:
A, C, D, F: The question states that the company's written security policy requires that computers in a file server role must have a minimum file size for event log settings. Given the past experiences of the company regarding the size of security events and its retention, you should correct the maximum log size and retention methods of the security logs and not the application log or the system log.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 10
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:6

QUESTION NO: 7
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. TestKing's perimeter network

contains 50 Web servers that host the company's public Internet site. The Web servers are not members of the domain. The network design team completed a new design specification for the security of servers in specific roles. The network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings. You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort. What should you do?
A. Create a custom security template named Web.inf that contains the required security settings. Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU. Apply Web.inf to the WebServers OU.
B. Create a custom security template named Web.inf that contains the required security settings, and deploy Web.inf to each Web server by using Security Configuration and Analysis.
C. Create an image of a Web server that has the required security settings, and replicate the image to each Web server.
D. Manually configure the required security settings on each Web server.

Answer: B

Explanation: The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings using the Security Configuration and Analysis tool.

Incorrect Answers:
A: The web servers aren't members of the domain. Therefore they cannot be moved to an OU in Active Directory.
C: We cannot use imaging in this way.
D: This is a long way of doing it. A security template would simplify the task.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57

QUESTION NO: 8
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company plans to deploy 120 Windows Server 2003 member servers as file servers in the domain. The new file servers will be located in a single organizational unit (OU) named File Servers. The security department provides you with a security template that must be applied to the new file servers. You need to apply and maintain the security settings contained in the security template to the new file servers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. On a reference computer, use the Local Security Settings console to import the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.
B. On a reference computer, run the secedit command to apply the security template. Make use of imaging technology to install and configure the new file servers based on the configuration of the reference computer.
C. Create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.
D. On the PDC emulator master in the domain, run the secedit command to apply the security template.

Answer: C

Explanation: We have a security template with the required security settings. We can simply import the template into a Group Policy Object and apply the settings to the File Servers OU.

Incorrect Answers:

A: This would work, but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are 'maintained'.
B: This would work, but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are 'maintained'.
D: This would have no effect on the file servers.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:73

QUESTION NO: 9
You are the network administrator for TestKing. TestKing is deploying a public Web server farm on Windows Server 2003 computers. This Web server farm will allow the public to view company information. The Web servers in the Web server farm will be placed in TestKing's perimeter network, which uses a public Internet address space. TestKing wants to reduce the probability of external unauthorized users breaking into the public Web servers. You need to make the Web servers less vulnerable to attack. You also want to ensure that the public will be able to view information that is placed in TestKing's perimeter network. What should you do?
A. Configure each Web server's IP address to a private reserved Internet address.
B. Configure the Web servers to allow only IPSec communications.
C. Disable any unneeded services on the Web servers.
D. Disable TCP/IP filtering on all adapters in the Web servers.
Answer: C

Explanation: We should disable any unneeded services on the Web servers. This includes unneeded web services and unneeded server services. This will also ensure that no unnecessary ports are open on the servers.
Reducing the Attack Surface of the Web Server - Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server. The attack surface of the Web server is the extent to which the server is exposed to a potential attacker. However, if you reduce the attack surface of the Web server too much, you can eliminate functionality that is required by the Web sites and applications that the server hosts. You need to ensure that only the functionality that is necessary to support your Web sites and applications is enabled on the server. This ensures that the Web sites and applications will run properly on your Web server, but that the attack surface is minimized.

Incorrect Answers:
A: The public web servers need public IP addresses.
B: You can not use IPSec on public web servers. No one would be able to access the web pages.
D: TCP/IP filtering should be enabled, not disabled.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 1
MS Windows Server 2003 Deployment Kit, Deploying Internet Information Services (IIS) 6.0, Reducing the Attack Surface of the Web Server

B: Create custom security templates based on server roles. (5 questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are

specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits. What should you do?
A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.

Answer: A

Explanation: The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings into a group policy. We can also use secedit to analyse the current security settings to verify that the required security settings are in place.

Incorrect Answers:
B: An IPSec policy will not configure the required auditing policy.
C: We need a security template, not an administrative template.
D: This will create multiple identical machines. We cannot use RIS images in this scenario.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
13:57

QUESTION NO: 2
Tess King is a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 12 domain controllers and 50 servers in the application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. Tess needs to deploy and refresh the custom security settings on a routine basis. She also needs to be able to verify the custom security settings during audits. What actions should Tess King take?
A. She should create a custom security template and apply it by using Group Policy.
B. She should create a custom IPSec policy and assign it by using Group Policy.
C. She should create and apply a custom Administrative Template.
D. She should create a custom application server image and deploy it by using RIS.

Answer: A

Explanation: A security template is a physical file representation of a security configuration that can be applied to a local computer or imported to a Group Policy Object (GPO) in Active Directory. When you import a security template to a GPO, Group Policy processes the template and makes the corresponding changes to the members of that GPO, which can be users or computers. A Group Policy Object (GPO) is a collection of configuration parameters that you can use to create a secure baseline installation for a computer running Windows Server 2003.
To deploy a GPO, you associate it with an Active Directory container, and all the objects in the container inherit the GPO configuration settings. Audit and Event Log policies enable you to specify what information a computer logs, how much information the computer retains in logs, and how the computer behaves when logs are full. Windows Server 2003 loads many services by default that a member server usually doesn't need. You can use a GPO to specify the startup type for each service on a computer. GPOs include a great many security options that you can use to configure specific behaviours of a computer running Windows Server 2003.

Incorrect Answers:
B: IPSec is required to secure network traffic, not application servers.
C: Administrative templates are used to provide settings required to allow for the performance of administrative tasks. Security templates are used to provide security settings, such as minimum password lengths.
D: Custom application server images deployed through RIS are used to automate the installation of operating systems with applications pre-installed. It is not used to apply security settings.

Reference:
J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, 2004, Glossary.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 9.

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. TestKing has an internal network and a perimeter network. The internal network is protected by a firewall. Application servers on the perimeter network are accessible from the Internet. You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web pages. The network design requires that custom security settings must be applied to the application servers. These custom security settings must be automatically refreshed every day to ensure compliance with the design. You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements. What should you do?

A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO).
B. Create a task on each application server that runs Security and Configuration Analysis with Baseline1.inf every day.
C. Create a task on each application server that runs the secedit command with Baseline1.inf every day.
D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit command with Baseline1.inf.

Answer: C

Explanation: Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments.

Incorrect Answers:
A, D: The Default Domain Policy Group Policy object (GPO) is applied to the domain controllers. We need to configure the application servers, not the domain controllers.
B: Security and Configuration Analysis analyzes the security settings. It doesn't apply it.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 10.

QUESTION NO: 4
HOTSPOT
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 member server named TestKingSrvA. The network also contains a Windows XP Professional computer named Client1. You use Client1 as an administrative computer. You plan to use Microsoft Baseline Security Analyzer (MBSA) on Client1 to analyze TestKingSrvA. However, the recent application of a custom security template disabled several services on TestKingSrvA. You need to ensure that you can use MBSA to analyze TestKingSrvA. Which two services should you enable? To answer, select the appropriate services to enable in the dialog box.

Answer:

Explanation: The Remote Registry and Server services should be enabled.

The following are the requirements for a computer running the tool that is scanning a remote machine(s):
1. Windows Server 2003, Windows 2000, or Windows XP

2. Internet Explorer 5.01 or greater
3. An XML parser (MSXML version 3.0 SP2 or later) is required in order for the tool to function correctly. Systems not running Internet Explorer 5.01 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt to not install the XML parser that is bundled with the tool, see the notes below on obtaining an XML parser separately.
4. The IIS Common Files are required on the computer on which the tool is installed if performing remote scans of IIS computers.
The following services must be enabled: Workstation service and Client for Microsoft Networks.

The following are the requirements for a computer to be scanned remotely by the tool:
1. Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), or Windows Server 2003
2. IIS 4.0, 5.0, 6.0 (required for IIS vulnerability checks)
3. SQL 7.0, 2000 (required for SQL vulnerability checks)
4. Microsoft Office 2000, XP (required for Office vulnerability checks)
The following services must be installed/enabled: Server service, Remote Registry service, File & Print Sharing

Reference:
From the readme file for MBSA
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12:50-51

QUESTION NO: 5
You are a consultant for several different companies. You design the security policies for the computers running Windows 2003 Server and Windows 2000 Professional in your customers' networks. You use these security policies to configure a server named Server1. You want to deploy the security configuration on Server1 to computers in your customer's networks by using the least amount of administrative effort. What should you do first?

A. Create a Group Policy Object (GPO) that configures the security settings for all computers to match the settings on Server1, and then link the GPO to the domain. Export the console list to a file.
B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template in a file.
C. In the System Information snap-in, save the system summary as a system information file.
D. In the Security Templates snap-in, export the console list to a file.

Answer: B

Explanation: We can use the Security Configuration and Analysis snap-in to export all the security settings from a computer to a template file. This will enable us to apply the same security settings to other computers. We can apply the template to other computers either by using the Security Configuration and Analysis snap-in (for single computers) or by importing the template into a group policy object (for multiple computers).

Incorrect Answers:
A: You have already manually configured the settings on Server1. It would be quicker to export them to a template file, rather than manually enter the settings into a GPO.
C: The system summary does not contain the security settings.
D: The console list does not contain the security settings.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13-57 to 13-65, 13-70 to 13-80.

Part 4: Evaluate and select the operating system to install on computers in an enterprise. (1 question)

QUESTION NO: 1
HOTSPOT
You are a network administrator for TestKing. The network consists of an intranet and a perimeter network, as shown in the work area. The perimeter network contains:
1. One Windows Server 2003, Web Edition computer named TestKing1
2. One Windows Server 2003, Standard Edition computer named TestKing2
3. One Windows Server 2003, Enterprise Edition computer named TestKing3
4. One Web server farm that consists of two Windows Server 2003, Web Edition computers
All servers on the perimeter network are members of the same workgroup. The design team plans to create a new Active Directory domain that uses the existing servers on the perimeter network. The new domain will support Web applications on the perimeter network. The design team states that the perimeter network domain must be fault tolerant. You need to select which server or servers on the perimeter network need to be configured as domain controllers. Which server or servers should you promote? To answer, select the appropriate server or servers in the work area.

Answer:

Explanation: We know that web editions cannot be domain controllers, and we want fault tolerance, which means two Domain Controllers. The answer is to promote the two servers that aren't running Web Edition to Domain Controllers (TestKing2 and TestKing3).

Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 1

Topic 2, Planning, Implementing, and Maintaining a Network Infrastructure (47 Questions)

Part 1: Plan a TCP/IP network infrastructure strategy.

A: Analyze IP addressing requirements. (2 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. TestKing has 20,000 users in 20 physical locations worldwide. TestKing is expecting to grow by 50 percent in the next five years. TestKing recently became a subsidiary of Humongous Insurance. Humongous Insurance has five other subsidiaries. Humongous Insurance has 100,000 users in 100 physical locations worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries integrate into this network. The network design team at TestKing provides you with a network design for integrating into the Humongous Insurance network. The design specifies that TestKing will use a single block of IP network numbers to assign IP addresses to its network. You need to plan the IP address space to meet the design specification. You need to request a block of IP addresses from Humongous Insurance that will accommodate all TestKing users. To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance address space, you want to request the smallest block of IP addresses that meets the design specification. What should you do?

A. Request a 10.0.0.0 block of IP addresses with an 8-bit subnet mask from Humongous Insurance.
B. Request a 10.0.0.0 block of IP addresses with a 16-bit subnet mask from Humongous Insurance.
C. Request a 10.0.0.0 block of IP addresses with a 24-bit subnet mask from Humongous Insurance.
D. Request a 10.0.0.0 block of IP addresses with a 32-bit subnet mask from Humongous Insurance.

Answer: B

Explanation: We have 20,000 users in 20 locations which would give us an average of 1,000 users per location. We need to make provision for a 50% growth so that makes 1,500 users per location. We need to integrate this network with the Humongous Insurance network which uses the 10.0.0.0 network. This means we must use the 10.0.0.0 network.
Subnetting is the process of shifting the subnet mask so as to increase or decrease the number of bits reserved for the network addresses. In this instance we are using a Class A address, so the number of clients is important. A simple formula of 2^(32-n) - 2, where n is the number of bits in the subnet mask, can be used to calculate the number of hosts a network will support. The best subnet mask would be a 21-bit mask which would give us 2,097,150 networks with 2046 clients per network. However, a 21-bit subnet mask is not offered as an option so we must use the next best subnet mask which would be 16. This would give us 65,534 networks with 65,534 clients per network.

Incorrect Answers:
A: The default subnet mask for a Class A network is an 8-bit subnet mask of 255.0.0.0. This provides a total of 254 networks with 16,777,214 clients per network. This provides us with too many clients as we want the smallest block of IP addresses that meets the design specification.
C: A 24-bit subnet mask would give us 16,777,214 networks with 254 clients per network. This would be too few clients per network.
D: We cannot use a 32-bit subnet mask as this is not a valid subnet mask.

Reference: Thomas Shinder and Debra Littlejohn Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293, Syngress Publishing, Rockland, MA, 2004, pp. 173-180.

QUESTION NO: 2
You are the network administrator for TestKing. The company has a main office and two branch offices. The network in the main office contains 10 servers and 100 client computers. Each branch office contains 5 servers and 50 client computers. Each branch office is connected to the main office by a direct T1 line. The network design requires that company IP addresses must be assigned from a single classful private IP address range. The network is assigned a class C private IP address range to allocate IP addresses for servers and client computers.
TestKing acquires a company named Acme. The acquisition will increase the number of servers to 20 and the number of client computers to 200 in the main office. The acquisition is expected to increase the number of servers to 20 and the number of client computers to 200 in the branch offices. The acquisition will also add 10 more branch offices. After the acquisition, all branch offices will be the same size. Each branch office will be connected to the main office by a direct T1 line. The new company will follow the TestKing network design requirements. You need to plan the IP addressing for the new company. You need to comply with the network design requirement. What should you do?

A. Assign the main office and each branch office a new class A private IP address range.
B. Assign the main office and each branch office a new class B private IP address range.
C. Assign the main office and each branch office a subnet from a new class B private IP address range.
D. Assign the main office and each branch office a subnet from the current class C private IP address range.

Answer: C

Explanation: After the expansion the situation will be:
Main office:
1. Need 220 IP, 20 for servers and 200 for clients
Branch offices:
1. Need 220 IP, 20 for servers and 200 for clients
2. We will have 12 branch offices
3. 12 x 220 = 2640
Total for all offices is 2640 + 220 = 2860.
The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private Class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets.
Incorrect Answers:
A: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
B: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
D: The class C network does not have enough IP addresses to accommodate all the computers in all the offices.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 23-26

B: Plan an IP routing solution. (1 question)

QUESTION NO: 1
You are the systems engineer for TestKing. TestKing has 20,000 users in a large campus environment located in London. Each department in the company is located in its own building. Each department has its own IT staff. The company's network is divided into several IP subnets that are connected to one another by using dedicated routers. Each building on the company's main campus contains at least one subnet, and possibly up to five subnets. Each building has at least one router. All routers use RIP v2 broadcasts.
A new office in Dortmund has 25 users. Dortmund is connected to the main office with a Frame Relay line. Dortmund installs a server with RRAS and implements RIP v2. Later the Dortmund admin reports that his router is not receiving routing table updates from the routers at the main office. He must manually add routing entries to the routing table to enable connectivity between the locations. You investigate and discover that the RIPv2 broadcasts are not being received at the Dortmund office. You also discover that no routing table announcements from the Dortmund office are being received at the main office. You need to ensure that the network in the Dortmund office can communicate with the main campus network and can send and receive automatic routing table updates as network conditions change. What should you do to the router in the Dortmund office?

A. Configure the router to use RIPv1 broadcasts
B. Configure the router to use auto-static update mode
C. Add the IP address ranges of the main campus network to the router's accept list and announce list
D. Add the IP addresses of the main campus routers to the router's neighbors list

Answer: D

Explanation: Routers need to read from an IP packet only the destination network address of which the particular destination host is a member. The routers then use information stored in their routing tables to determine how to move the packet toward the network of the destination host. Only after the packet is delivered to the destination's network segment is the precise location of the destination host determined. It looks like the Dortmund router is configured to use neighbors. Therefore, we need to add the IP addresses of the main campus routers to the router's neighbors list.

Incorrect Answers:
A: Making use of RIP v1 broadcast is not going to ensure that Dortmund will be able to communicate with the main campus since there are no routing table announcements from Dortmund at the main office.
B: When you configure an interface to use auto-static update mode, the router sends a request to other routers and inherits routes. The routes are saved in the routing table as auto-static routes and are kept even if the router is restarted or the interface goes down. But this is not what is required here.
C: This would be unnecessary since it will not be addressing the problem. Since Dortmund is configured to use neighbors, then you should rather add the IP addresses of the main campus routers to the router's neighbor list.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2:1

C: Create an IP subnet scheme. (2 questions)

QUESTION NO: 1
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. The office uses a single class C private IP address range.
The company announces a major expansion. TestKing will open 12 branch offices. The 12 branch offices will connect to the existing office by direct T1 lines. Each branch office will have the same number of computers as the main office. You need to plan the IP addressing for the new company. You want to assign all company IP addresses from a single classful private IP address range. What should you do?

A. Assign each office a new class C private IP address range.
B. Assign each office a new class B private IP address range.

C. Assign each office a subnet from a new class B private IP address range.
D. Assign each office a subnet from the current class C private IP address range.

Answer: C

Explanation: The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private Class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets.

Incorrect Answers:
A: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
B: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
D: The class C network does not have enough IP addresses to accommodate all the computers in all the offices.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 23-26

QUESTION NO: 2
You are the network administrator for TestKing.com. TestKing has offices in New York, Copenhagen and Ankara. The network consists of a single Active Directory domain and three sites. The sites are named NYSite, CopSite, and AnkSite. TestKing is adding a new division at the New York office for publishing fiction books. You create a new organizational unit (OU) named Fiction for the fiction division. You add a new network segment and subnet for the fiction division. You plan to place new Windows XP Professional computers for the fiction division in the new subnet. You also plan to add a new domain controller to NYSite. You need to ensure that users in the fiction division use the domain controllers in the New York office when logging on to the network. What should you do?

A. Decrease the metric for the default gateway on the new Windows XP Professional computers.
B. Create a new subnet object for the new subnet. Add the new subnet object to NYSite.
C. Configure the location attribute for the new Windows XP Professional computers to be NYSite.
D. Move the domain controller objects for the domain controllers in the New York office to the Fiction OU.

Answer: B

Explanation: Subnets can be associated with a site by using subnet objects. This will ensure that users on a particular subnet log on to a domain controller in a particular site.

Incorrect Answers:
A: This will not accomplish anything.
C: The location attribute is for information only. It will not link the computer to the site.
D: This will give the administrators of the Fiction OU control over the domain controllers in the New York office. It will not ensure that the users on the new subnet log on to the domain controller in the New York office.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27-30

Part 2: Plan and modify a network topology.

A: Plan the physical placement of network resources. (1 question)

QUESTION NO: 1
HOTSPOT
You are a network administrator for TestKing. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a single DHCP server that services two subnets named SubnetTK1 and SubnetTK2, as shown in the work area. All servers and the administrator client computer have manually assigned IP addresses. All other client computers are DHCP clients. The router on your network fails and is replaced by another router. After the router is replaced, client computers on SubnetTK2 cannot receive IP addressing from the DHCP server. You need to configure an appropriate host to be a DHCP relay agent. Which component should you use? To answer, select the appropriate component in the work area.

Answer:

Explanation: Select the Print Server.
DHCP relay agents intercept DHCP Discover packets and forward them to a remote DHCP server whose address has been preconfigured. Although DHCP Relay Agent is configured through Routing And Remote Access, the computer hosting the agent does not need to be functioning as an actual router between subnets.

Reference: J. C. Mackin, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2004, Chapter 9

B: Identify network protocols to be used. (1 question)

QUESTION NO: 1
You are a network administrator for TestKing. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional computers, and 150 Windows XP Professional computers. According to the network design specification, the Kerberos version 5 authentication protocol must be used for all client computers on the internal network. You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network. What should you do?

A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic.
B. Replace all Windows 98 computers with new Windows XP Professional computers.
C. Install the Active Directory Client Extension software on the Windows 98 computers.
D. Upgrade all Windows 98 computers to Windows NT workstation 4.0.

Answer: B

Explanation: By default, in a Windows 2003 domain, Windows 2000 and Windows XP clients use Kerberos as their authentication protocol. Windows 98 doesn't support Kerberos authentication. Therefore, we need to upgrade the Windows 98 computers.

Incorrect Answers:
A: This will not enable the Windows 98 clients to use Kerberos authentication.
C: The Active Directory Client Extension software does not enable Windows 98 clients to use Kerberos authentication.
D: Windows NT 4.0 does not support Kerberos authentication.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 39-42

Part 3: Plan an Internet connectivity strategy. (2 questions)

QUESTION NO: 1
DRAG DROP
You are the security analyst for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. The network currently does not have a connection to the Internet. You are in the process of designing an Internet connection solution for TestKing. TestKing's Internet security policy includes the following requirements:
1. Traffic that originates from outside the TestKing network must never be passed to the TestKing intranet
2. Internal TestKing resources must not be directly accessible from the Internet
3. TestKing's public Web site must not contain any confidential TestKing information
4. TestKing's public Web site must be accessible from the Internet, even in the event of the failure of any TestKing-owned network component
You design a network solution that provides strict access control to the TestKing intranet by means of a firewall. Your new design includes a perimeter network, which contains resources that external users or computers might need to access. Your design also includes three computers running intrusion-detection software: IDS1, IDS2, and IDS3. You now need to plan the placement of five servers on the network in accordance with TestKing's Internet security policy. How should you place the servers to comply with the security policy? To answer, drag the appropriate server role to the correct network location in the Network Diagram.

Answer:

Explanation: We must ensure that traffic from outside the TestKing network never passes to the TestKing intranet and that internal TestKing resources aren't directly accessible from the Internet. In addition, the public Web site must be accessible from the Internet even in the event of the failure of any TestKing-owned network component.
To ensure that traffic from outside the TestKing network never passes to the TestKing intranet but can access the public web site, we should place the Web server outside the firewall. For security reasons, services that require access to the Internet should be placed in the perimeter network. These include Email forwarders and VPN servers. File servers that store user folders, and email servers that store mailboxes should be placed in the intranet.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 23-28

QUESTION NO: 2
You are the network administrator for a new branch office of TestKing. The office network is connected to the Internet by a T1 line. TestKing's Internet service provider (ISP) gives you a single public IP address and provides firewall services to protect the office network. The office network includes five Windows XP Professional client computers and a Windows Server 2003 computer named TestKingA. All client computers are configured to use DHCP to obtain their IP configuration settings. TestKingA is configured as a DHCP server and contains two network adapters. You connect one network adapter to the ISP connection, and you connect the other network adapter to the office network. You want to configure TestKingA so that client computers can access the Internet. Which two courses of action should you take? (Each correct answer presents part of the solution. Choose two)

A. Remove the DHCP Server service.
B. Install the DNS Server service.
C. Run the route command to add a route to the internal network.
D. Assign the public IP address to the external network adapter. Install and configure Routing and Remote Access.

Answer: B, D

Explanation: We have a single public IP address from the ISP. This should be assigned to the external network adapter. This will enable the server to send and receive data on the internet. The LAN clients will use private IP addresses. We need to install the Routing and Remote Access service on the server and configure NAT (Network Address Translation). This will enable the server to route traffic between the internet and the LAN. We need to install the DNS service on the router so that the clients can resolve external (internet) host names.

Incorrect Answers:
A: It is not necessary to remove the DHCP service.
C: We do not need to add a route into the internal network. The question doesn't say that people will be connecting to the LAN computers from the internet.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291):

&mplementing, Managing, and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &infrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, p. 19 2322> 5art -9 5lan networ/ traffic monitoring. Tools might include ,etwor/ Monitor and $ stem Monitor. *1 6uestion+ QUESTION NO: < You are the administrator $or TestBing The net"or0 consists o$ a single acti/e directory domain named TestBing com )ll ser/ers run "indo"s ser/er 2==, !hen the net"or0 "as designed* the design team set design s#eci$ications )$ter the net"or0 "as im#lemented* the de#loyment team set baseline s#eci$ications The s#eci$ications $or broadcast tra$$ic are: 1. The design s#eci$ications requires that broadcast tra$$ic must be 5 #ercent or less o$ total net"or0 tra$$ic 2. The baseline s#eci$ications sho"ed that the broadcast tra$$ic is al"ays < #ercent or less o$ the total net"or0 tra$$ic during normal o#eration You need to monitor the net"or0 tra$$ic and $ind out i$ the le/el o$ broadcast tra$$ic is "ithin the design and baseline s#ecs You decide to use net"or0 monitor )$ter monitoring $or < hour* you obser/e the results sho"n in the e3hibit: ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F; 2 You need to re#ort the results o$ your obser/ations to management !hich 2 actions should you ta0e% A. Report that broadcast traffic is outside of the baseline specs 1. Report that the broadcast traffic is outside of the design specs .. Report that the broadcast traffic is within the design specs D. 
Report that the broadcast traffic is within the baseline specs )ns"er: )* + ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 FG 2 E3#lanation9 A baseline is a measurement deri%ed from the collection of data o%er an eBtended period during %ar ing wor/loads and user connections, representing acceptable performance under t pical operating conditions. The baseline indicates how s stem resources are used during periods of normal acti%it and ma/es it easier to spot problems when the occur. A baseline pro%ides a mechanism for identif ing what normal operating conditions are for a ser%er. The baseline acts as a reference for troubleshooting performance issues. &f the design specifications re6uire that broadcast traffic must be F percent or less of total networ/ traffic then the graphic indicates that it is outside of the specifications as monitored o%er a period of one hour. (urther, if the baseline specifications showed that the broadcast traffic is alwa s 1 percent or less of the total networ/ traffic during normal operation then ou can report than the broadcast traffic is outside of the baseline specs as monitored o%er the period of one hour. De$erence: Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, p. 1-9-2 Martin Crasdal, 4aura 3. Aunter, Michael .ross, 4aura Aunter, Debra 4ittle)ohn $hinder L Dr. Thomas !. $hinder, 5lanning and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure9 3Bam G"22=3 $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, &nc., Roc/land, MA, .hapter 2, pp. =-2112 5art F9 Troubleshoot connecti%it to the &nternet. A9 Diagnose and resol%e issues related to ,etwor/ Address Translation *,AT+. *" 6uestions+ 19 Diagnose and resol%e issues related to name resolution cache information. 
*" 6uestions+ .9 Diagnose and resol%e issues related to client configuration.*" 6uestions+ 5art ;9 Troubleshoot T.5H&5 addressing. A9 Diagnose and resol%e issues related to client computer configuration.*3 6uestions+ QUESTION NO: < ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F> 2 You are the net"or0 administrator $or TestBing The net"or0 consists o$ a single )cti/e Directory domain named test0ing com The net"or0 contains t"o I. subnets connected by a !indo"s Ser/er 2==, com#uter running Douting and Demote )ccess )ll ser/ers run !indo"s Ser/er 2==, )ll client com#uters run !indo"s @. .ro$essional Each subnet contains a domain controller Each subnet contains a D:'. ser/er* "hich #ro/ides T'.KI. con$iguration in$ormation to the com#uters on only its subnet The rele/ant #ortion o$ the net"or0 is sho"n in the e3hibit You recently im#lemented a ?icroso$t Internet Security and )cceleration &IS)(

Ser/er 2=== array on the net"or0 to #ro/ide Internet connecti/ity The IS) Ser/er array uses Net"or0 Aoad +alancing on the internal ada#ters The arrayJs Net"or0 Aoad +alancing cluster address is <72 ,= ,2 < You con$igure the D:'. ser/er on Subnet< to #ro/ide the arrayJs Net"or0 Aoad +alancing cluster address as the de$ault gate"ay You con$igure the D:'. ser/er on Subnet2 to #ro/ide the I. address <72 ,= 64 < as the de$ault gate"ay $or Subnet2 ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 F= 2 Users on Subnet2 re#ort that they cannot connect to Internet>based resources They can success$ully connect to resources located on Subnet< Users on Subnet< can success$ully connect to Internet>based resources You in/estigate and disco/er that no Internet requests $rom com#uters on Subnet2 are being recei/ed by the IS) Ser/er array You need to #ro/ide Internet connecti/ity to users on Subnet2 !hat should you do% A. .onfigure the DA.5 ser%er on $ubnet2 to pro%ide the address 1G2.3".32.1 as the default gatewa . 1. .onfigure the DA.5 ser%er on $ubnet2 to pro%ide the address 1G2.3".32.2 as the default gatewa . .. 'n the Routing and Remote Access ser%er, add a default route to 1G2.3".32.1. D. 'n the Routing and Remote Access ser%er, add a default route to 131.1"G.G2.1G. )ns"er: ' E3#lanation: The routing and remote access ser/er 0no"s ho" to route tra$$ic bet"een subnet < and subnet 2 :o"e/er* it doesnJt 0no" ho" to route tra$$ic to the internet !e can $i3 this by adding a de$ault route on the routing and remote access ser/er The de$ault route "ill tell the routing and remote access ser/er that any tra$$ic that isnJt destined $or subnet< or subnet2 &i e any e3ternal destination( should be $or"arded to the internal inter$ace o$ the IS) ser/er &<72 ,= ,2 <( Incorrect )ns"ers: ): 1G2.3".32.1 is not on the same subnet as subnet2. 
Therefore, the clients on subnet2 cannot use this address as their default gateway.
B: 172.30.32.2 is not on the same subnet as subnet2. Therefore, the clients on subnet2 cannot use this address as their default gateway. Furthermore, this address isn't the internal address of the ISA server.
D: The default route needs to forward traffic to the internal interface of the ISA server.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 15:30

QUESTION NO: 2
You are a network administrator for TestKing. The network consists of multiple physical segments. The network contains two Windows Server 2003 computers named TestKingSrvA and TestKingSrvB, and several Windows 2000 Server computers. TestKingSrvA is configured with a single DHCP scope for the 10.250.100.0/24 network with an IP address range of 10.250.100.10 to 10.250.100.100.
Several users on the network report that they cannot connect to file and print servers, but they can connect to each other's client computers. All other users on the network are able to connect to all network resources. You run the ipconfig.exe /all command on one of the affected client computers and observe the information in the following table:

You need to configure all affected client computers so that they can communicate with all other hosts on the network. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Disable the DHCP service on TestKingSrvB.
B. Increase the IP address range for the 10.250.100.0/24 scope on TestKingSrvA.
C. Add global DHCP scope options to TestKingSrvA for default gateway, DNS servers, and WINS servers.
D. Delete all IP address reservation in the scope on TestKingSrvA.
E. Run the ipconfig.exe /renew command on all affected client computers.
F. Run the ipconfig.exe /registerdns command on all affected client computers.

Answer: A, E

Explanation:
We can see from the exhibit that the affected computer received its IP configuration from TestKingSrvB. We can also see that the IP configuration has no default gateway, WINS or DNS addresses. Obviously, TestKingSrvB is their IP configuration from TestKingSrvA. We can either correctly configure the DHCP service on TestKingSrvB or we can disable it and just use TestKingSrvA as the DHCP server. We need to run the ipconfig /renew command on all affected client computers so that they can update their IP configurations using TestKingSrvA as their DHCP server.
Answer A is correct, because it is the only option given that tells you to disable the DHCP service on TestKingSrvB.

Incorrect Answers:
B: The client computer received its IP configuration from TestKingSrvB. Therefore, the problem is likely to be with TestKingSrvB, not TestKingSrvA.
C: configuration from TestKingSrvA. Therefore, TestKingSrvA is correctly configured.
D: The client computer received its IP configuration from TestKingSrvB. Therefore, the problem is likely to be with TestKingSrvB, not TestKingSrvA.
E: will have no effect.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2:4

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain named TestKing.com. You configure a new Windows Server 2003 file server named TestKingSrv1. You restore user files from a tape backup, and you create a logon script that maps drive letters to shared files on TestKingSrv1.
Users report that they cannot access TestKingSrv1 through the drive mappings you created. Users also report that TestKingSrv1 does not appear in My Network Places. You log on to TestKingSrv1 and confirm that the files are present and that the NTFS permissions and share permissions are correct. You cannot access any network resources. You run the ipconfig command and see the following output.

You need to configure the TCP/IP properties on TestKingSrv1 to resolve the problem. What should you do?

A. Add TestKing.com to the DNS suffix for this connection field.
B. Configure the default gateway.
C. Configure the DNS server address.
D. Configure a static IP address.

Answer: D

Explanation:
The IP address shown in the exhibit is an APIPA (automatic private IP addressing) address. This means that the server is configured to use DHCP for its IP configuration but is unable to contact a DHCP server (a likely cause for this is that there isn't a DHCP server on the network). We can fix the problem by configuring a static IP address in the same IP range as the rest of the network.

Incorrect Answers:
A: A DNS suffix is not necessary.
B: A default gateway is not necessary unless this is a routed network.
C: The server not having a DNS server address will not prevent clients connecting to the server.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4:59

B: Diagnose and resolve issues related to DHCP server address assignment. (7 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers and member servers run Windows Server 2003, Enterprise Edition. All client computers run Windows XP Professional. TestKing has one main office and one branch office. The two offices are connected to a T1 WAN connection. There is a hardware router at each end of the connection. The main office contains 10,000 client computers, and the branch office contains 5,000 client computers.
You need to use DHCP to provide IP addresses to the Windows XP Professional computers in both offices. You need to minimize network configuration traffic on the WAN connection. Your solution needs to prevent any component involved in the DHCP architecture from becoming a single point of failure. What should you do?

A. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. Configure the branch office router as a DHCP relay agent.
B. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure a Windows Server 2003 computer as a DHCP relay agent.
C. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure two Windows Server 2003 computers as a DHCP server cluster.
D. At the main office, configure two Windows Server 2003 computers as DHCP servers. Configure one DHCP server to handle 80 percent of the IP address scope and the other DHCP server to handle 20 percent. Configure the branch office router as a DHCP relay agent.

Answer: C

Explanation:
The best fault tolerant solution here would be to implement a DHCP server cluster in each office.
The Windows Server 2003 DHCP Server service is a cluster-aware application, which is an application that can run on a cluster node and that can be managed as a cluster resource. These applications use the Cluster API to receive status and notification information from the server cluster. You can implement additional DHCP (or MADCAP) server reliability by deploying a DHCP server cluster using the Cluster service. This service is the essential software component that controls all aspects of server cluster operation and manages the cluster database.
Each node in a server cluster runs one instance of the Cluster service provided with Windows Server 2003, Enterprise Edition. By using clustering support for DHCP, you can implement a local method of DHCP server failover, achieving greater fault tolerance. You can also enhance fault tolerance by combining DHCP server clustering with a remote failover configuration, such as by using a split scope configuration. Another way to implement DHCP remote failover is to deploy two DHCP servers in the same network that share a split scope configuration based on the 80/20 rule.

Incorrect Answers:
A: The branch office router would be a single point of failure in this solution.
B: The server hosting the DHCP relay agent would be a single point of failure in this solution.
D: The branch office router would be a single point of failure in this solution.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7:2

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network also contains 10 network printers.
All servers have manually configured IP addresses. The client computers and network printers receive their TCP/IP configuration information from a DHCP server. TestKing IP policy states that each of the network printers will always be configured with the same IP address. You configure a DHCP server and create a DHCP scope as shown in the exhibit.

Users report that they cannot submit print jobs to any of the network printers. You investigate and discover that none of the network printers are receiving their IP addresses from the DHCP server. You need to ensure that the network printers receive their IP addresses from DHCP. What should you do?

A. Remove the IP address reservations for the network printers from the DHCP scope.
B. Delete the IP address exclusion range for the network printers from the DHCP scope.
C. Add the 009 LPR Servers option to the DHCP server options.
D. Enable address conflict detection on the DHCP server.

Answer: B

Explanation:
An exclusion range is a set of one or more IP addresses, included within the range of a defined scope that you do not want to lease to DHCP clients. Exclusion ranges assure that the server does not offer to DHCP clients on your network any addresses in these ranges. Therefore, you would want to perform the action described in "B", so that TestKing IP policy is adhered to.

Incorrect Answers:
A: Using address reservations in DHCP, allows devices the ability to always have the same address.
C: There are no LPR Servers mentioned in the question.
D: It is an optional server-side mechanism for detecting whether a scope IP address is in use on the network.

Reference:
J. C. Mackin, and Ian McLean MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 7.

QUESTION NO: 3
DRAG DROP
You are the network administrator for TestKing. TestKing has an internal network and a perimeter network, as shown in the work area. The internal network consists of a single Active Directory domain testking.com. The internal network contains a Windows Server 2003 domain controller named DC1, which runs the DNS Server service. The internal network also contains a Windows Server 2003 file server named Testking1, which runs the DHCP Server service. The network contains 500 Windows XP Professional computers.
The perimeter network contains a public Web server named WebTK1. The internal network is connected to the perimeter network by a firewall. The perimeter network is connected to the Internet.
You need to plan an IP address strategy. The IP address strategy must provide TCP/IP connectivity from the internal network to WebTK1. TestKing wants to reduce administrative overhead by automatically assigning IP addresses whenever possible. You need to choose the appropriate IP addressing distribution method for the computers on the networks. To answer, drag the appropriate IP addressing distribution method or methods to the correct computer or computers in the work area.

Answer:

Explanation:
Static and dynamic routing both provide the same level of router performance. The drawbacks of static routing are the amount of manual maintenance the process requires and the routers' inability to compensate for changes in the network configuration. Dynamic routing enables routers to compensate for a failed router or WAN link, but it can generate a considerable amount of additional network traffic. Thus to comply with the requirements of providing TCP/IP connectivity from the internal network to WebTK1 and still reducing administrative overhead, the above configuration will be the solution.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5: 12-13

QUESTION NO: 4
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network consists of three physical subnets, which correspond to the three buildings on TestKing's campus, as shown in the Network Diagram exhibit.

All servers have manually configured IP addresses. All client computers receive their TCP/IP configuration information from a DHCP server located on the Building1 subnet. The DHCP server has one scope configured for each subnet.
Users on the Building2 subnet and the Building3 subnet report that they periodically cannot connect to network resources located on any subnet. You discover that during times of high network usage, client computers in Building2 and Building3 are configured as shown in the Network Connection Details exhibit.

You need to ensure that all client computers receive valid IP addresses for their subnet even during times of high network usage. What should you do?

A. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure identical scopes for each subnet.
B. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure a single subnet-specific scope.
C. Configure one DHCP relay agent on the Building2 subnet and one on the Building3 subnet to forward DHCP requests to the Building1 subnet DHCP server.
D. Configure an administrative template in the Default Domain Policy Group Policy object (GPO) to disable Automatic Private IP addressing (APIPA) on the client computers.

Answer: B

Explanation:
DHCP is a service that, when installed and configured correctly, will take a massive administration burden off any network administrator or engineer. DHCP works with the assignment of IP addresses on your network. In other words, when you want your network clients to communicate with any device on the network, they need to speak the same protocol and be assigned with a unique logical address. This address (called an IP address) allows for this.
Scope is the pool of Internet Protocol (IP) addresses on a given subnet that a Dynamic Host Configuration Protocol (DHCP) server is configured to assign to clients when using the automatic or dynamic allocation method. A subnet is a group of computers on a Transmission Control Protocol/Internet Protocol (TCP/IP) network that share a common network identifier. In some cases, a TCP/IP network is divided into multiple subnets by modifying the subnet mask and designating some of the host identifier bits as subnet identifier bits.

Incorrect Answers:
A: Configuring identical scopes on two separate networks will create a network address conflict.
C: The problem in this case only occurs during times of high network usage. A DHCP Relay agent will not resolve this problem.
D: APIPA is used automatically when the DHCP client cannot locate the DHCP server. If we disable APIPA on all client computers, we would need to configure each computer with alternative IP configuration.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2: 36-38

QUESTION NO: 5
You are the network administrator for TestKing.com. The relevant portion of the network is shown in the exhibit.

All servers run Windows Server 2003. Each subnet of the network contains 100 Windows XP Professional computers. Each subnet also contains a DHCP server, which provides TCP/IP configuration information to all computers on its local subnet.
You create and configure Subnet3 for a new department at your company. Users in Subnet3 report that they cannot connect to resources located on servers in Subnet1 and Subnet2. When they attempt to connect to these resources, they receive the following message: "Server not found". The users can successfully connect to resources located on servers in Subnet3.
Users in Subnet1 and Subnet2 report that they cannot connect to resources located on servers in Subnet3. When they attempt to connect to these resources, they receive the following error message: "Server did not respond in a timely manner". The users can successfully connect to resources in both Subnet1 and Subnet2.
You need to ensure that all client computers can connect to server-based resources on all subnets. What should you do?

A. Configure the DHCP server in Subnet3 to provide a subnet mask of 255.255.255.0
B. Configure the DHCP servers in Subnet1 and Subnet2 to provide a subnet mask of 255.255.0.0.
C. Configure the Testking2 Interface E1 to use a subnet mask of 255.255.0.0.
D. Configure the IP address of the Testking2 Interface E0 as the default gateway for Subnet3.
E. Configure the IP address of the Testking2 Interface E1 as the default gateway for Subnet2.

Answer: A

Explanation:
With a subnet mask of 255.255.255.0, you can assign IP addresses ranging from 172.30.2.1 to 172.30.2.254 to your computers. This will ensure that users in Subnet1 and subnet2 can connect to resources that are located in subnet3.

Incorrect Answers:
B: The subnet mask for Subnet1 and Subnet2 are correctly configured. Thus you do not need to configure the DHCP servers in Subnet1 and Subnet2 to provide a subnet mask.
C: You should configure the DHCP servers of Subnet3 to use the 255.255.255.0 subnet mask and not the TestKing2 Interface E1.
D, E: The IP addresses for interfaces E0 and E1 on TestKing2 are correctly configured.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2: 25

QUESTION NO: 6
You are the administrator of a network at TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 98. All Windows 98 computers have the Active Directory Client Extensions software installed.
The network consists of three physical subnets. Each subnet contains a domain controller and a server that runs DHCP. Each subnet also contains a server that runs both the DNS Server service and the WINS service. All client computers receive their TCP/IP configuration from the DHCP server that is located on their local subnet.
All of the Windows 98 computers are located on a single subnet. The DHCP scope on this subnet is configured with the options shown in the exhibit. All DHCP servers are configured with similar options.
Users of the Windows 98 computers report that they cannot connect to resources on the Windows Server 2003 computers located on any subnet. When they attempt to connect to a shared resource by using \\servername\sharename in the Run command, they receive the following error message: "Server not found". The users can successfully connect to Web-based resources located on the same servers. When you attempt to connect to the servers by using the ping command on an affected Windows 98 computer you can connect successfully. The users of the Windows XP Professional computers do not report the same problems.
You need to ensure that the users of the Windows 98 computers can connect to shared resources on the Windows Server 2003 computers. What should you do?

A. On the affected subnet's DHCP server, configure the scope options to use the Windows 98 vendor class.
B. On the affected subnet's DHCP server, remove the WINS/NBT Node Type from the scope options.
C. On each DHCP server, remove the Microsoft Disable NetBIOS Option from the scope options.
D. 'n each DA.5 ser%er, add the ,et1&'$ o%er T.5H&5 ,1DD DA.5 scope option to the scope options. )ns"er: ' E3#lanation: The main ad/antage o$ disabling Net+IOS is im#ro/ed net"or0 security Net+IOS as a ser/ice stores in$ormation about net"or0 resources that can be collected by any host through broadcast>based queries Eeasibly* this in$ormation could be e3#loited by a malicious intruder )nother ad/antage o$ disabling Net+IOS is that doing so can sim#li$y administration by reducing the number o$ naming in$rastructures that you must con$igure* maintain* and su##ort Incorrect )ns"ers: ): ?endor .lasses are used to identif DA.5 clients according to their %endor and hardware configuration t pe. This determines what options are a%ailable for ou to gi%e to our DA.5 client. This wonKt change the options shown in the eBhibit. +: This cannot be remo%ed, as there are ser%ers on each subnet running the !&,$ ser%ice. D: 'nl if all the computers on our networ/ are running !indows 2""" or later and no applications are using ,et21&'$, is it possible to remo%e !&,$ ser%ers and disable the ,et1&'$ '%er T.5H&5 *,et1T+ protocol on our computers. De$erence: Q. .. Mac/in, and &an Mc4ean, M.$AHM.$3 self2paced training /it *eBam G"22=1+9 implementing, managing, and maintaining a Microsoft !indows $er%er 2""3 networ/ infrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, .hapter -. Qames .hellis, 5aul RobichauB L Matthew $helt0, M.$AHM.$39 !indows $er%er 2""3 ,etwor/ &nfrastructure &mplementation, Management, and Maintenance $tud Cuide, $ beB &nc., Alameda, 2""-, .hapter F QUESTION NO: 7 You are the net"or0 admin $or TestBing Your net"or0 contains , subnets )ll ser/ers ha/e manually assigned I. addresses "hile all clients are con$igured to recei/e an address $rom a D:'. ser/er The D:'. ser/er is located in Site < The D:'. 
ser/er has a sco#e con$igured $or each subnet ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 G> 2 Users in site 2 and site , are com#laining that #eriodically they cannot connect to resources located on any subnet You disco/er that during times o$ #ea0 usage users are recei/ing an I. address in the <6; 254 3 3 address range You need to ensure that all client com#uters recei/e an address $rom their subnet e/en during times o$ #ea0 usage !hat should you do% A. &nstall one DA.5 ser%er in site 2 and site 3. 'n each DA.5 ser%er, configure identical scopes for each subnet 1. &nstall one DA.5 ser%er in $ite 2 and $ite 3. 'n each DA.5 ser%er configure a single subnet specific scope .. .onfigure a DA.5 Rela agent on $ite 2 and $ite 3 D. .onfigure a C5' on the domain that disables A5&5A )ns"er: + E3#lanation: It a##ears that during times o$ #ea0 usage* the D:'. ser/er andKor the subnet containing the D:'. ser/er cannot co#e "ith the load The clients in sites 2 and , are unable to recei/e an I. con$iguration $rom the D:'. ser/er and so con$igure themsel/es "ith an ).I.) con$iguration !e can ease the load on the D:'. ser/er and subnet < by installing D:'. ser/ers in Site 2 and Site , The D:'. ser/ers must be con$igured "ith a single sco#e s#eci$ic to the subnet Incorrect )ns"ers: ): !e cannot ha%e DA.5 ser%ers with identical scopes. This would lead to duplicate &5 addresses on the networ/. ': The clients can connect to the DA.5 ser%er during less bus times. Therefore, a DA.5 Rela Agent is either alread installed or isnKt re6uired. D: Disabling A5&5A wonKt ease the load on the DA.5 ser%er. De$erence: Q. .. Mac/in, and &an Mc4ean, M.$AHM.$3 self2paced training /it *eBam G"22=1+9 implementing, managing, and maintaining a Microsoft !indows $er%er 2""3 networ/ infrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, .hapter -. 5art G9 5lan a host name resolution strateg . 
A: Plan a DNS namespace design. (0 questions)
B: Plan zone replication requirements. (5 questions)

QUESTION NO: 1
You are the security analyst for TestKing.com. The network consists of TestKing's intranet and a perimeter network. The networks are separated by a firewall. TestKing's intranet consists of a single Active Directory domain named corp.testking.com. The perimeter network consists of a DNS domain named testking.com. The perimeter network contains publicly accessible Web servers.
The intranet contains a Windows Server 2003 DNS server named Testking1. Testking1 hosts an Active Directory-integrated primary zone for the corp.testking.com domain. Testking1 also hosts a secondary zone that is not integrated with Active Directory for the testking.com domain.
The perimeter network contains a Windows Server 2003 DNS server named Testking2. Testking2 is authoritative for the testking.com DNS domain, which contains the resource records for the publicly accessible servers. Testking1 is configured to forward requests to Testking2. Testking2 is configured with root hints.
TestKing's written DNS security includes the following requirements:
1. The internal DNS namespace must never be accessible by external users or computers.
2. External users must not be able to retrieve zone information from either DNS server.
You need to plan a DNS security solution that meets the DNS security policy requirements. Your solution must not adversely affect required or allowed name resolution functions in the network. What should you do?
A. On Testking2, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on Testking1.
B. On Testking2, allow zone transfers to only servers listed by IP address. On Testking1, do not allow zone transfers.
C. On Testking1, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on Testking2.
D. On Testking1, allow zone transfer to only servers listed by IP address. On Testking2, do not allow zone transfers.
Answer: A
Explanation: Zone transfer data can be protected by specifying the IP addresses of the DNS servers that you allow to participate in zone transfers. If you do not do this, a potential intruder can simply install a DNS server, create a secondary zone, and request a zone transfer from your primary zone. The intruder then has a complete copy of your zone and all the information in it.
To limit zone transfers on a Windows Server 2003 DNS server, you open the DNS console, display the Properties dialog box for a primary zone and then click the Zone transfers tab to display the dialog box. Select the Allow Zone Transfers check box and then choose either the Only To Servers Listed On The Name Servers Tab or the Only To The Following Servers option button. You can then specify the IP addresses of the DNS servers that contain your secondary zones, in either the IP Address text box or the Name Servers tab.
When the Disable Recursion option is enabled, however, the DNS Server service does not answer the query for the client but instead provides the client with referrals, which are resource records that allow a DNS client to perform iterative queries to resolve an FQDN. This option might be appropriate, for example, when clients need to resolve Internet names but the local DNS server contains resource records only for the private namespace.
Incorrect Answers:
B: For a secondary DNS server to operate, it has to copy the information in the primary DNS server's zone files to its own zone files to ensure that its database of names and IP addresses is up-to-date.
C: This is incorrect because Testking2 contains the resource records for the publicly accessible servers.
D: TestKing1 and allow zone transfers on TestKing2 to only servers in the Name Servers List.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 4.

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains. Each domain contains domain controllers that run Windows 2000 Server and domain controllers that run Windows Server 2003. The DNS Server service is installed on all domain controllers. All client computers run Windows XP Professional.
You need to add an additional DNS zone that is hosted on at least one DNS server on each domain. You want to configure the zone to allow secure updates only. What should you do?
A. Configure the new zone on DNS servers in the root domain. Configure stub zones that refer to DNS servers in another two domains.
B. Configure the new zone as a primary zone on one DNS server. Configure other DNS servers in the three domains as secondary servers for this zone. Enable the DNS Security Extensions (DNSSEC) protocol.
C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named DomainDNSZones.
D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named ForestDNSZones.
Answer: D
Explanation: To enable secure updates, we need an Active Directory integrated zone. To replicate to the DNS servers in the other domains, the zone must be installed on a Windows 2003 domain controller in each domain. During the configuration of the zone, you can select the option to replicate the zone information directory partition named ForestDNSZones.
Incorrect Answers:
A: We need Active Directory integrated zones, not stub zones.
B: Secondary zones are not writeable and so cannot accept updates.
C: If we store the zone data in the DNS directory partition named DomainDNSZones, it will only be replicated in a single domain, not the entire forest.
References:
J.C. Mackin & Ian McLean, MCSA/MCSE self-paced training kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-25, 6-22.

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of 20 Active Directory domains. All servers run Windows Server 2003. TestKing has 240 offices. Each office is configured as an Active Directory site.
TestKing has a branch office that contains four users. User objects for these users are stored in the australia.testking.com domain. The branch office is connected to the corporate network by a 56-Kbps WAN connection. The branch office contains a domain controller named TestKing17 that is configured as an additional domain controller for the australia.testking.com domain. An Active Directory site is configured for the branch office. TestKing17 is a member of this site. An IP site link exists between the branch office and the main office. The WAN connection is available only during business hours.
Users in the branch office report slow response times on the WAN connection. You examine the WAN connection and discover that the problem is caused by Active Directory replication.
You need to improve the performance of the WAN connection. What should you do?
A. Configure TestKing17 as a global catalog server.
B. Enable universal group membership caching in the branch office.
C. Remove Active Directory from TestKing17 and configure TestKing17 as a member server.
D. On the site link that connects the branch office to the corporate network, increase the replication interval.
Answer: D
Explanation: The branch office contains a domain controller from the australia.testking.com domain. Replication between this domain controller and a domain controller at the main office is using up the bandwidth of the 56Kbps link between the two sites. We can reduce the WAN link usage by increasing the replication interval, thus ensuring that replication across the WAN link occurs less frequently.
Incorrect Answers:
A: Configuring TestKing17 as a global catalog server will increase the bandwidth used by the replication.
B: Enabling universal group membership caching in the branch office won't decrease the bandwidth used by the replication.
C: It is not necessary to demote TestKing17 to a member server. Furthermore, this would cause logon authentication traffic to go over the WAN link.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 36

QUESTION NO: 4
HOTSPOT
You are the network administrator for Testking Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a root domain named testking.com and two child domains named scotland.testking.com and wales.testking.com. All domain controllers run Windows Server 2003.
Each domain contains a DNS server. The DNS server in testking.com is named TESTKINGDNS1, the DNS server in scotland.testking.com is named TESTKINGDNS2, and the DNS server in wales.testking.com is named TESTKINGDNS3. Each DNS server in a child domain is responsible for name resolution in only its domain. The TCP/IP properties of all client computers in the child domains are configured to use only the DNS server in the domain. All records of all DNS servers are stored in Active Directory.
You create a new application directory partition named DNSdata.testking.com. You enlist TESTKINGDNS1 and TESTKINGDNS2 in this application directory partition.
You need to enable all users in testking.com to access resources in the scotland.testking.com domain by using host names. Users in the testking.com domain do not need to access resources in the wales.testking.com domain.
You need to configure the zone replication scope of the scotland.testking.com domain at TESTKINGDNS2. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Select the fourth radio button. The application directory partition DNSdata.testking.com contains a DNS server from testking.com and Scotland.testking.com. By configuring the DNS information from the DNS server in Scotland.testking.com to be replicated to the DNS server in testking.com, we will enable users in testking.com to locate resources in Scotland.testking.com.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 36

QUESTION NO: 5
You are the network administrator for Testking. The network consists of two physical subnets connected by a hardware-based router. Each subnet contains two domain controllers running Windows 2000 Advanced Server. All other servers run Windows 2000 server.
TestKing is in the process of migrating to a Windows Server 2003 Active Directory domain-based network. You plan to install two new Windows Server 2003 computers as domain controllers in the domain. The migration plan does not currently allow for upgrading the Windows 2000 domain controllers or changing any operations master roles.
Currently, host name resolution is performed by one of the Windows 2000 domain controllers that is running the DNS Server service. The DNS server hosts a standard primary zone for the domain. The migration plan requires that the DNS zone must be implemented as an Active Directory-integrated zone.
You need to redesign the DNS infrastructure to comply with the requirements of the migration plan. You need to ensure that the Active Directory-integrated zone will be loaded and hosted on all domain controllers. What should you do?
A. Configure the zone replication scope to replicate the zone to all DNS servers in the Active Directory forest.
B. Configure the zone replication scope to replicate the zone to all DNS servers in the Active Directory domain named testking.com.
C. Configure the zone replication scope to replicate the zone to all domain controllers in the Active Directory domain named testking.com.
D. Configure the zone replication scope to replicate the zone to all domain controllers specified for a separate DNS application directory partition.
Answer: C
Explanation: The question states that You need to ensure that the Active Directory-integrated zone will be loaded and hosted on all domain controllers. This is the only answer that states "all domain controllers". This option replicates zone data to all domain controllers in the Active Directory domain. If you want Windows 2000 DNS servers to load an Active Directory zone, this setting must be selected for that zone.
Incorrect Answers:
A, B: These options suggest that zone replication scope should be replicated to all DNS servers in the forest and in the domain respectively. This is contradictory to what is required if you are to ensure that the Active Directory-integrated zone is to be loaded and hosted on all domain controllers.
D: Zone replication should be configured to replicate the zone to all domain controllers in the Active Directory domain and not for a specified separate DNS application directory partition.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 36

C: Plan a forwarding configuration. (5 questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network contains Windows Server 2003 computers and Windows XP Professional computers.
TestKing deploys two DNS servers. Both DNS servers run Windows Server 2003. One DNS server is inside of the corporate firewall, and the other DNS server is outside of the firewall. The external DNS server provides name resolution for the external Internet name of TestKing on the Internet, and it is configured with root hints. The internal DNS server hosts the DNS zones related to the internal network configuration, and it is not configured with root hints.
You want to limit the exposure of the client computers to DNS-related attacks from the Internet, without limiting their access to Internet-based sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Configure the client computers to use only the internal DNS server.
B. Configure the client computers to use both DNS servers. List the internal DNS server first.
C. Configure the firewall to allow only network traffic on the DNS ports.
D. On the internal DNS server, disable recursion.
E. On the internal DNS server, configure the external DNS server as forwarder.
F. On the internal DNS server, add the external DNS server as the only root hint.
Answer: A, E
Explanation: Install one server on your perimeter network, for Internet name resolution, and another on your internal network, to host your private namespace and provide internal name resolution services. Then configure the internal DNS server to forward all Internet name resolution requests to the external DNS server. This way, no computers on the Internet communicate directly with your internal DNS server, making it less vulnerable to all kinds of attacks.
Incorrect Answers:
B: The internal DNS server is not configured with root hints, so it will not be able to resolve names outside its domain.
C: Clearly this is incorrect, as it will not limit the exposure of the client computers to DNS-related attacks from the Internet.
D: If disable recursion is enabled, the internal DNS server still needs root hints for referrals.
F: The root hints are a DNS server's list of root name server addresses, which it uses to resolve names outside its domain. In this way DNS can resolve internet queries, but it's not a best practice because it can give negative answers to domain.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 4.

QUESTION NO: 2
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest root domain is contoso.com.
Contoso, Ltd. recently merged with another company named TestKing, whose network consists of a single Active Directory forest. The functional level of the TestKing forest is Windows Server 2003. The forest root domain for TestKing is testking.com.
You need to create a forest trust relationship between the two forests. Each company has dedicated connections to the Internet. You need to configure DNS to support the forest trust relationship. You want to maintain Internet name resolution capability for each company's network. What should you do?
A. Configure the contoso.com DNS servers to forward to the testking.com DNS servers. Configure the testking.com DNS servers to forward to the contoso.com DNS servers.
B. Configure conditional forwarding of testking.com on the contoso.com DNS servers to the testking.com DNS servers. Configure conditional forwarding of contoso.com on the testking.com DNS servers to the contoso.com DNS servers.
C. Configure a standard primary zone for testking.com on one of the contoso.com DNS servers. Configure a standard primary zone for contoso.com on one of the testking.com DNS servers.
D. Configure an Active Directory-integrated zone for testking.com on the contoso.com DNS servers. Configure an Active Directory-integrated zone for contoso.com on the testking.com DNS servers.
Answer: B
Explanation: A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. It is a DNS server that can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Incorrect Answers:
A: We do not want ALL resolution requests to be forwarded to the other DNS servers.
C: We can not host primary zones on multiple servers.
D: We can not host Active Directory integrated zones on DNS servers in different forests.
References:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-58, 4-61.

QUESTION NO: 3
You are the network administrator for Acme. The network consists of a single Active Directory forest root domain named acme.com. The functional level of the forest is Windows Server 2003.
A Windows Server 2003 domain controller named DC1.acme.com is the Active Directory-integrated DNS server for acme.com. All servers and client computers in the acme.com domain use DC1.acme.com as their DNS server for name resolution.
Acme acquires a company named TestKing. The TestKing network consists of a single Active Directory forest root domain named testking.com. The functional level of this domain is Windows Server 2003.
A Windows Server 2003 domain controller named DC1.testking.com is the Active Directory-integrated DNS server for testking.com. All servers and client computers in the testking.com domain use DC1.testking.com as their DNS server for name resolution.
You create a two-way forest trust relationship with forest-wide authentication between acme.com and testking.com. You need to ensure that all users in both companies can log on to both forest root domains. You need to achieve this goal without adversely affecting Internet access. What should you do?
A. Set the Stub Zone as the zone type for the acme.com domain on DC1.acme.com and for the testking.com domain on DC1.testking.com.
B. Select the Do not use recursion for this domain check box on DC1.testking.com and on DC1.acme.com.
C. Add the fully qualified domain name (FQDN) and the IP address of DC1.testking.com to the Root hints list in DC1.acme.com. Add the FQDN and the IP address of DC1.acme.com to the Root hints list on DC1.testking.com.
D. Configure conditional forwarding on DC1.acme.com to forward all requests for resources in the testking.com domain to DC1.testking.com. Configure conditional forwarding on DC1.testking.com to forward all requests for resources in the acme.com domain to DC1.acme.com.
Answer: D
Explanation: To log on to a computer in acme.com with a user account in testking.com, the acme.com DNS server needs to be able to locate a domain controller in testking.com to authenticate the login. You can use Conditional forwarding which enables a DNS server to forward DNS queries based on the DNS domain name in the query. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.
Incorrect Answers:
A: A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone.
B: Recursion is the process of a DNS server querying other DNS servers on behalf of an original querying client. If recursion is disabled, the client performs iterative queries by using root hint referrals from the DNS server. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.
C: Root hints is a list of preliminary resource records used by the DNS service to locate servers authoritative for the root of the DNS domain namespace tree.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 451.

QUESTION NO: 4
You are the system engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network is connected to the Internet by a dedicated T3 line.
TestKing enters into a partnership with another company for a new project. The partner company's network consists of a single Active Directory forest that contains two domains. All servers in the network run Windows 2003 Server. The partner network is also connected to the Internet by a dedicated T3 line.
The partner network is accessible by a VPN connection that was established between the two networks. The VPN connection was tested and was verified to provide a functional connection between the two networks.
Users from both companies need to connect to resources located on another network. A forest trust relationship exists between the two companies' forests to allow user access to resources. Users in your company report that they can access resources on the partner network, but that it can take up to several minutes for the connection to be established. This problem is most pronounced during the morning.
You verify that there is sufficient available bandwidth on the connection between the two networks to provide access. You also verify that both networks' routing tables are configured correctly to route requests to the appropriate destinations.
When you attempt to connect to a server in the partner network by host name by using the ping command, the connection times out. However, when you attempt to connect to the server a second time by IP address by using the ping command, you receive a response within a few seconds.
You need to improve the performance of the network connection between the two networks. What should you do?
A. Add the partner network's domain names and DNS server addresses to the forwarders list on your DNS servers.
B. Update the root hints list on your DNS servers to include the host names and IP addresses of the partner network's DNS servers.
C. Disable recursion on the DNS servers in both companies' networks.
D. Add the partner network's DNS server addresses to the 006 DNS Servers scope option in your DHCP scope.

Answer: A
Explanation: It is taking a long time to locate resources on the other network. This is because name resolution requests are being passed to the internet root servers, then down through the internet DNS hierarchy before the request finally reaches the appropriate DNS server. We can speed up this process by using conditional forwarding. This would enable resolution requests for resources in the partner network to be forwarded directly to the partner's DNS server.
Incorrect Answers:
B: The root hints are used to locate internet root DNS servers.
C: This will not help. It would mean that the internal DNS servers wouldn't forward external resolution requests to other DNS servers such as the root servers.
D: The partner network's DNS servers would never be used unless the local DNS server failed.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 451

QUESTION NO: 5
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains two Windows Server 2003 domain controllers named TestKingA and TestKingB, which both run the DNS Server service. All of the resource servers on the network are DHCP clients, including a Windows Server 2003 file server named TestKingC. The DNS configuration consists of a primary forward lookup zone that allows dynamic updates on TestKingA and a secondary zone on TestKingB.
Users report that they cannot connect to TestKingC. You discover that the IP address that is associated with the host (A) resource record for TestKingC is assigned to a test computer that is not a member of the domain. This computer is also named TestKingC.
You need to configure DNS to ensure that A records resolve to the IP addresses of the computers that made the original registration. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Configure the Secure Only dynamic updates setting on the forward lookup zone on TestKingA.
B. Configure the None dynamic updates setting on the forward lookup zone on TestKingA.
C. Manually create A record entries for each server on TestKingA.
D. Convert the zone type on TestKingA to Active Directory-integrated.
E. Convert the zone type on TestKingB to primary.
Answer: A, D
Explanation: By configuring Secure only updates, only domain members can convert the zone to Active Directory integrated to enable "secure only" updates
Incorrect Answers:
B: It is not necessary (or recommended) to disable dynamic updates on the zone.
C: This would only be necessary if we disabled dynamic updates on the zone.
E: You can't have two primary zones for one domain.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 387

D: Plan for DNS security. (2 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The internal network has an Active Directory-integrated zone for the testking.org domain. Computers on the internal network use the Active Directory-integrated DNS service for all host name resolution.
The TestKing Web site and DNS server are hosted at a local ISP. The public Web site for TestKing is accessed at www.testking.com. The DNS server at the ISP hosts the testking.com domain.
To improve support for the Web site, TestKing wants to move the Web site and DNS service from the ISP to the company's perimeter network. The DNS server on the perimeter network must contain only the host (A) resource records for computers on the perimeter network.
You install a Windows Server 2003 computer on the perimeter network to host the DNS service for the testking.com domain. You need to ensure that the computers on the internal network can properly resolve host names for all internal resources, all perimeter resources, and all Internet resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. On the DNS server that is on the perimeter network, install a primary zone for testking.com.
B. On the DNS server that is on the perimeter network, install a stub zone for testking.com.
C. Configure the DNS server that is on the internal network to conditionally forward lookup requests to the DNS server that is on the perimeter network.
D. Configure the computers on the internal network to use one of the internal DNS servers as the preferred DNS server. Configure the TCP/IP settings on the computers on the internal network to use the DNS server on the perimeter network as an alternate DNS server.
E. On the DNS server that is on the perimeter network, configure a root zone.
Answer: A, C
Explanation: By configuring a primary zone for testking.com on a DNS server in the perimeter network, we have a DNS server that can resolve requests for the www.testking.com website. To enable users on the LAN to quickly resolve testking.com resources, we can configure conditional forwarding on the internal testking.org server so that requests for testking.com resources get forwarded straight to the perimeter network DNS server.
Incorrect Answers:
B: A stub zone is no good to us here. The perimeter DNS server must be authoritative for the testking.com domain. Therefore, we need a primary zone on the perimeter DNS server.
D: As long as the internal DNS servers are working, the external DNS server will never be used. Internal clients will not be able to resolve www.testking.com.
E: There is no need to configure a root zone on the perimeter network DNS server.
Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 462-465

QUESTION NO: 2
You are the network administrator for TestKing. TestKing has a main office in San Francisco and branch offices in London and Vancouver. The network consists of a single Active Directory domain testking.com. The network contains four Windows Server 2003 domain controllers. There are two domain controllers in the main office and one in each branch office. The domain controllers are DNS servers. Network services are monitored centrally from the main office. You review the DNS server event logs remotely from the main office during the monthly maintenance routine. During the monthly maintenance, you find out that some of the DNS event history is missing. You need to ensure that all DNS event history is retained until you manually clear it. How should you modify each domain controller?

A. Use DNS Manager to select the All Events option on the Event Logging tab in the DNS Server properties.
B. Use DNS Manager to select the Do not overwrite events option on the General tab in the DNS Events properties.
C. Use Event Viewer to set the Maximum log size to 512 KB in the DNS Server properties.
D. Use Event Viewer to select the Do not overwrite events option in the Application properties.

Answer: D

Explanation: Leaving the default setting of Overwrite Events As Needed on the Security log could overwrite important resource access or other security-related data if the log is not checked often. The question mentions that some of the DNS event history is missing and it could be a result of the Overwrite Events as needed settings.
To ensure that all events are retained, you should check the Do Not Overwrite Events (Clear Log Manually). This configuration will halt event logging when the log reaches the maximum size and will afford you the opportunity to manually clear the log. To ensure that the information is not deleted automatically you should configure the setting that states Do not overwrite events (clear log manually) to ensure that information is deleted only through user intervention.

Incorrect answers:
A: This will not ensure that you will not lose information of the DNS history that is logged.
B: The General tab will not yield the proper options for you to set the required retention method so as not to lose DNS history that should have been logged.
C: Setting the Maximum log size to 512 KB in the DNS server properties only specifies the size of the log. You still have to choose a retention method.

Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing Rockland, 2004, p. 767
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 1477-1478
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, pp. 12-5, 12-34.
E: Examine the interoperability of DNS with third-party DNS solutions. (5 questions)

QUESTION NO: 1
You are the systems engineer for TestKing GmbH. The network consists of three Windows NT 4.0 domains in a master domain model configuration. The servers on the network run either Windows NT Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server 4.0. The network also contains 10 UNIX-based application servers. All host name resolution services are provided by a UNIX-based server running the latest version of BIND, which currently hosts the zone for the testking.com domain. All NetBIOS name resolution services are provided by two Windows 2000 Server WINS servers. The company is in the process of migrating to a single Windows Server 2003 Active Directory domain-based network. The new domain is named testking-ad.com, and it will be hosted in an Active Directory-integrated zone that is stored on the domain controllers. Servers that are not domain controllers will not be updated at this time. The migration plan requires that all computers must use DNS to resolve host names and computer redundancy for the Windows-based DNS servers. You upgrade the domain controllers in the master domain to Windows Server 2003. You also migrate all user and computer accounts to the new Active Directory domain. The DNS zone on the Windows Server 2003 computers is configured as shown in the exhibit. You now need to configure the required redundancy between the Windows-based DNS servers and the UNIX-based DNS server. You need to ensure that there will be no service interruption on any of the DNS server computers. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based DNS server as the master server.
B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS server as the master server.
C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS server as the master server.
D. Add a delegation in the testking.com zone that delegates authority of the testking-ad.com zone to a Windows Server 2003 DNS server.
E. Configure the testking-ad.com zone to not replicate WINS-specific resource records during zone transfers.

Answer: B, E

Explanation: This is a trick question because it is asking for redundancy for the Windows 2003 DNS servers. We can provide this by configuring the UNIX DNS server to resolve names in the testking-ad.com domain. With a secondary zone on the UNIX DNS server, it will be able to resolve host name resolutions requests in the testking-ad.com domain. The testking-ad.com DNS is configured to query WINS if required. When configuring a UNIX DNS server with a secondary zone, we should configure the zone to not replicate WINS-specific resource records during zone transfers.

Incorrect Answers:
A: C: This will not provide any redundancy.
D: Testking-ad.com is not a subdomain of testking.com so no delegation is required.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 436-437

QUESTION NO: 2
You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A Windows Server 2003 computer named TESTKINGDNS1 functions as the internal DNS server and has zone configured as shown in the exhibit. The network is not currently connected to the Internet. TestKing maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server named UNIXDNS, which is running the latest version of BIND. The company plans to allow users of the internal network to access Internet-based resources. The company's written security policy states that resources located on the internal network must never be exposed to the Internet. The written security policy states that the internal network's DNS namespace must never be exposed to the Internet. To meet these requirements, the design specifies that all name resolution requests for Internet-based resources from computers on the internal network must be sent from TESTKINGDNS1. The current design also specifies that UNIXDNS must attempt to resolve any name resolution requests before sending them to name servers on the Internet. You need to plan a name resolution strategy for Internet access. You need to configure TESTKINGDNS1 so that it complies with company requirements and restrictions. What should you do?

A. Delete the root zone from TESTKINGDNS1. Configure TESTKINGDNS1 to forward requests to UNIXDNS.
B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the C:\Windows\System32\Dns folder on TESTKINGDNS1.
C. Add a name server (NS) resource record for UNIXDNS to your zone. Configure UNIXDNS with current root hints.
D. On TESTKINGDNS1, configure a secondary zone named testking.com that uses UNIXDNS as the master server. Configure UNIXDNS to forward requests to your ISP's DNS servers.

Answer: A

Explanation: We need to delete the root zone from the internal DNS server. This will enable us to configure the server to forward internet name resolution requests to the external DNS server (UNIXDNS). A DNS server configured to use a forwarder will behave differently than one that is not configured to use it. A DNS server configured to use a forwarder behaves as follows: When the DNS server receives a query, it attempts to resolve this query using the primary and secondary zones that it hosts and its cache. If the query cannot be resolved using this local data, then it will forward the query to the DNS server designated as a forwarder. The DNS server will wait briefly for an answer from the forwarder before attempting to contact the DNS servers specified in its root hints.

Incorrect Answers:
B: The Cache.dns file contains the IP addresses of the internet root DNS servers. We don't want the internal DNS server to query the root DNS servers, so we don't need the cache.dns file.
C: Unixdns already has root hints. An NS record on the internal DNS server won't fulfill the requirements of the question.
D: We do not need a secondary zone on the internal DNS server. All external resolution requests must be forwarded to the external DNS server.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4-3

QUESTION NO: 3
You are the system engineer for TestKing. The internal network consists of a Windows NT 4.0 domain. The company maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server running BIND 4.8.1. TestKing is planning to migrate to a Windows Server 2003 Active Directory domain-based network. The migration plan states that all client computers will be upgraded to Windows XP Professional and that all servers will be replaced with new computers running Windows Server 2003. The migration plan specifies the following requirements for DNS in the new environment:
1. Active Directory data must not be accessible from the Internet.
2. The DNS namespace must be contiguous to minimize confusion for users and administrators.
3. Users must be able to connect to resources in the testking.com domain.
4. Users must be able to connect to resources located on the Internet.
5. The existing UNIX-based DNS server will continue to host the testking.com domain.
6. The existing UNIX-based DNS server cannot be upgraded or replaced.
You plan to install a Windows Server 2003 DNS server on the internal network. You need to configure this Windows-based DNS server to meet the requirements specified in the migration plan. What should you do?

A. Create a primary zone named ad.testking.com on your Windows-based DNS server. Create a delegation record for the new zone on the UNIX-based DNS server. Configure forwarders on your Windows-based DNS server.
B. Create a primary zone named ad.testking.com on the UNIX-based DNS server. Create a secondary zone on your Windows-based DNS server for the ad.testking.com domain.
C. Create a primary zone named testking-ad.com on your Windows-based DNS server. Create a secondary zone on the UNIX-based DNS server for the testking-ad.com domain.
D. Create a primary zone named testking-ad.com on the UNIX-based DNS server. Create a stub zone on the Windows-based DNS server for the testking-ad.com domain. Configure conditional forwarders on your Windows-based DNS server for the testking-ad.com and testking.com domain.

Answer: A

Explanation: A primary zone contains the master copy of the zone database, where administrators make all changes to the zone's resource records. If the Store "The Zone In Active Directory" (this is only available if DNS Server is a Domain Controller) check box is cleared, the server creates a primary master zone database file on the local drive. This is a simple text file that is compliant with most non-Windows DNS server implementations.
To delegate a zone means to assign authority over portions of your DNS namespace to subdomains within this namespace. A zone delegation occurs when the responsibility for the resource records of a subdomain is passed from the owner of the parent domain to the owner of the subdomain.
The Forwarders tab of the DNS server properties dialog box allows you to forward DNS queries received by the local DNS server to upstream DNS servers, called forwarders. This tab also allows you to disable recursion for select queries (as specified by domain).

Incorrect answers:
B, C zone contains a backup copy of the primary master zone database file, stored as an identical text file on the server's local drive. You cannot modify the resource records in a zone database file, using a process called a zone transfer. This is not what is required to comply with the requirements as stated. Furthermore option B suggests the creation of a primary zone on the wrong server.
D: Stub zone is a copy of a primary zone that contains Start Of Authority (SOA) and Name Server (NS) resource records, plus the Host (A) resource records that identify the authoritative servers for the zone, the stub zone forwards or refers requests. When you create a stub zone, you configure it with the IP address of the server that hosts the zone from which you created the stub. When the server hosting the stub zone receives a query for a name in that zone, it either forwards the request to the host of the zone or replies with a referral to that host, depending on whether the query is recursive or iterative. You should be creating a primary zone on the Windows-based DNS server instead.

Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 7 and 8.
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 5.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 3

QUESTION NO: 4
HOTSPOT
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains Windows Server 2003 computers and Windows XP Professional computers. The network also contains UNIX servers and UNIX client computers. Many users share files on their client computers with other users. All client computers also access shared resources on both the Windows Server 2003 computers and the UNIX servers, which use a third-party Server Message Block (SMB) server product. The written security policy for TestKing requires that SMB packet signing must be used whenever possible. You need to edit the Computer Configuration section of the Default Domain Policy Group Policy object (GPO) to ensure that all computers in the domain meet the written security policy requirement. Which two security settings should you enable? To answer, select the appropriate security settings in the Group Policy Object Editor Results Pane.

Answer:

Explanation: All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. Using SMB packet signing can impose up to a 15 percent performance hit on file service transactions.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9:13

QUESTION NO: 5
You are the systems engineer for Acme Inc. The network consists of a single Active Directory domain named acme.com. All servers run Windows Server 2003. The network is not currently connected to the Internet. Acme enters into a partnership with Testking. The Testking network consists of a single Active Directory domain named testking-ad.com. All servers in the testking-ad.com domain run Windows Server 2003. Testking maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server running the latest version of BIND. Both companies require that users from each company must be able to access resources in either network. A new dedicated T1 line is established between the two offices to provide connectivity. The Active Directory project team plans to create a forest trust relationship between the two forests. Both companies' written security policies state that resources located on the internal network must never be exposed to the Internet. The Testking written security policy also states that the internal network's DNS namespace must never be exposed to the Internet. You need to plan a name resolution strategy for internetwork connectivity. You need to configure both Windows Server 2003 DNS servers so that they comply with both companies' requirements and restrictions. Your plan must provide for minimal disruption of network connectivity in both networks. What should you do?

A. Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts in the testking-ad.com domain to the testking-ad.com DNS server. Create a conditional forwarder on the testking-ad.com DNS server to forward all requests for hosts in the acme.com domain to the acme.com DNS server.
B. Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts in the testking-ad.com domain to the testking.com UNIX-based DNS server. Configure the testking.com UNIX-based DNS server to forward all requests for hosts in the acme.com domain to the acme.com DNS server.
C. Configure root hints on each Windows Server 2003 DNS server. Configure each Windows Server 2003 DNS server to forward requests to the testking.com UNIX-based DNS server.
D. Configure a secondary zone on the testking.com UNIX-based DNS server for each company's domain. Configure each company's Windows Server 2003 DNS server to allow zone transfers to only the testking.com UNIX-based DNS server.

Answer: A

Explanation: If your internal network does not have a private root and your users need access to other namespaces, such as a network belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name. Creating conditional forwarders to work in both directions between the two companies as described in this option will result in the least amount of disruption in connectivity while still complying with all the requirements as set out in the question.

Incorrect answers:
B conditional forwarder on the testking-ad.com DNS server to forward all requests to the testking.com UNIX-based DNS server.
C: There is no need to configure root hints when you make use of conditional forwarders between the two parties as suggested in option A.
D: If you make use of conditional forwarders, then you do not have to make use of secondary zones. Secondary zone application as described in this option will also cause unnecessary disruption in connectivity that can be avoided. Furthermore, conditional forwarders render secondary zones obsolete.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 3

Part 8: Plan a NetBIOS name resolution strategy.

A: Plan a WINS replication strategy. (1 question)

QUESTION NO: 1
You are the administrator of TestKing's network, which links the main office and 15 branch offices. The network contains 5,000 computers running Windows 2000 Professional and 180 computers running Windows 2000 Server. The main office has two WINS servers, and each branch office has one WINS server. The WINS servers in the branch offices are configured for push/pull replication with one of the WINS servers in the main office. Both WINS servers in the main office are configured for push/pull replication with each other. You enable periodic database consistency checking. You then notice an increase in network traffic during the check periods. You need to reduce or eliminate the additional traffic, while maintaining the integrity of the database records. What should you do?

A. Configure all WINS servers to use the automatic partner configuration.
B. Disable periodic database consistency checking and manually perform consistency checking.
C. Increase the verification interval on each of the WINS servers.
D. Configure the DHCP client options for WINS so that the primary WINS servers are evenly divided among the DHCP clients.

Answer: B

Explanation: Periodic database consistency checking increases network traffic, so it should be disabled and consistency checking performed manually.

Incorrect answers:
A: Making use of automatic partner configuration will not solve the problem as the question states clearly that there is an increase in network traffic during check periods.
C: Increasing the verification interval on each of the WINS servers will result in an increase in network traffic.
D: This option might compromise the integrity of the database records.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 44-47

B: Plan NetBIOS name resolution by using the Lmhosts file. (0 questions)

Part 9: Troubleshoot host name resolution.
A9 Diagnose and resol%e issues related to !&,$ and D,$ ser%ices.*> 6uestions+ QUESTION NO: < You are a net"or0 administrator $or TestBing com The net"or0 consists o$ a !indo"s NT 4 = domain )ll ser/ers run !indo"s NT Ser/er 4 = and all client com#uters run !indo"s NT !or0station 4 = TestBing has t"o o$$ices that are connected by a 56>Bb#s !)N connection )ll com#uters are con$igured to use !INS $or name resolution and net"or0 bro"sing ca#ability bet"een the t"o o$$ices ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1"> 2 TestBing is #lanning to u#grade the domain controllers to !indo"s Ser/er 2==, and to de#loy !indo"s Ser/er 2==, and !indo"s @. .ro$essional com#uters You need to maintain name resolution and net"or0 bro"sing su##ort during and a$ter the u#grade #rocess You need to allo" users o$ !indo"s NT !or0station 4 = and !indo"s @. .ro$essional com#uters to bro"se and connect to both !indo"s NT Ser/er 4 = and !indo"s Ser/er 2==, com#uters You need to minimi1e name resolution tra$$ic across the !)N connection !hat should you do% A. &nstall a !indows $er%er 2""3 D,$ ser%er at each office. .onfigure all !indows ,T !or/station -." and !indows ,T $er%er -." computers to use both !&,$ and D,$ for name resolution. .onfigure all !indows $er%er 2""3 computers to use !&,$. 1. &nstall a !indows $er%er 2""3 D,$ ser%er at onl one office. .onfigure all !indows ,T !or/station -." and !indows ,T $er%er -." computers to use both !&,$ and D,$ for name resolution. .onfigure all !indows $er%er 2""3 computers to use !&,$ .. Upgrade the !&,$ ser%ers at each office to !indows $er%er 2""3. &nstall a !indows $er%er 2""3 D,$ ser%er at onl one office and configure it to use !&,$ loo/up. .onfigure all !indows $er%er 2""3 computers to use !&,$. D. Upgrade the !&,$ ser%ers at each office to !indows $er%er 2""3. &nstall a !indows $er%er 2""3 D,$ ser%er at each office. 
.onfigure each D,$ ser%er to use !&,$ loo/up. .onfigure all !indows $er%er 2""3 computers to use !&,$. )ns"er: ) E3#lanation: ) DNS ser/er #ro/ides host name resolution by translating host names to I. addresses &$or"ard loo0u#s( and I. addresses to host names &re/erse loo0u#s( !&,$ pro%ides computer name resolution b translating ,et1&'$ names to &5 addresses.

It is not necessary to install Windows Internet Name Service (WINS) unless you are supporting legacy operating systems, such as Windows 95 or Windows NT. Operating systems such as Windows 2000 and Windows XP do not require WINS, although legacy applications on those platforms may very well require NetBIOS name resolution.
Incorrect Answers:
B: The question requires name resolution and network browsing support, during and after the upgrade process, to be maintained in both offices.
C, D: There is no need to upgrade any of the servers because NetBIOS names supports computers with earlier versions of Windows. Furthermore, configuring the usage of WINS lookup will not minimize name resolution traffic across the WAN connection.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 41

QUESTION NO: 2
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com that has two child domains: domain1.testking.com and domain2.testking.com. All domain controllers run Windows Server 2003. All domain controllers are configured as DNS servers. You use a proxy firewall to isolate your network from the Internet. You configure the DNS servers in the testking.com domain as internal DNS root servers. All client computers are configured with the proxy firewall client software. You need to allow users to resolve host names on both the internal network and the Internet. What should you do?
A. Configure the internal DNS root servers to use Active Directory-integrated stub zones to resolve DNS queries for domain1.testking.com and domain2.testking.com.
B. Configure all client computers to use a Web browser automatic configuration script.
C. Configure the DNS servers in the child domains to use the internal DNS root servers as forwarders.
D. Configure the DNS servers in the child domain with root hints that point to the internal DNS root servers in the testking.com domain.
Answer: D
Explanation: If you are using the DNS service on a private network, you can edit or replace the root hints file with similar records that point to your own internal root DNS servers. If you are configuring a DNS server within a large private namespace, you can use the Root Hints tab, in DNS server properties, to delete the Internet root servers and specify the root servers in your network instead.
Incorrect Answers:
A: Stub zones are used to keep all the NS resource records from a master zone current.
B: This option does not resolve name resolution.
C: This will only allow users to resolve host names on the internal network.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 4 and 5

QUESTION NO: 3
TestKing uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used. A user Tess on a server named TestKing2 reports that when she runs a script to transfer files to a server named TestKing5, she receives the following error stating "Unknown Host TestKing5". You use TestKing2 to troubleshoot the problem. The results of your troubleshooting show that the nslookup utility replies with an address of 192.168.1.8. When you try to ping TestKing5, the reply times out and shows a different IP address. You need to allow Tess on TestKing2 to use the script on TestKing5. What should you do?
A. Re-register TestKing5 with WINS
B. On TestKing5 run the ipconfig /registerdns command
C. On TestKing2 run the ipconfig /flushdns command
D. On TestKing2, purge and reload the remote NetBIOS cache name table
Answer: A

Explanation: The nslookup utility replies with an address of 192.168.1.8. This is probably the correct address, but when you ping TestKing5, it times out and shows a different IP address. This is an incorrect address that was resolved using a WINS lookup. As the address in the WINS database is wrong, we need to re-register TestKing5 with WINS.
Incorrect Answers:
B: The address of TestKing5 stored in DNS is likely to be correct, so it does not need to be re-registered.
C: Nslookup returns an address of TestKing5 that is likely to be correct. We know this because the ping test fails with a different IP address. Therefore, the locally cached IP address is likely to be correct, so the cache does not need to be cleared.
D: We would need to purge the local NetBIOS name cache, not the remote cache.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 60

QUESTION NO: 4
You are the network admin for Contoso. The network consists of a single Active Directory domain named contoso.com. The domain is supported by an Active Directory integrated zone that allows only secure updates. The contoso.com domain is configured as two Active Directory sites named MainOffice and Branch1. Branch1 contains a single Windows Server 2003 domain controller named server1 that is not a DNS server. There is a single subnet of 192.168.10.0/24 in Branch1 that contains all client computers and servers in the site. Branch1 is connected to MainOffice by a single low bandwidth WAN connection that is often saturated. Users in Branch1 are normally authenticated by server1. Users in Branch1 report that they are experiencing unusually long logon times. You discover that Branch1 users are being authenticated by domain controllers in MainOffice. You run the nslookup command to query the SRV records for Branch1 and receive the output shown in the following table:
Server hostname                         Server1.contoso.com
Server1.contoso.com internet address    192.168.10.65
You run the ipconfig command on server1 and receive the following:
IP address         192.168.10.32
Subnet mask        255.255.255.0
Default Gateway    192.168.10.1
You want server1 to resume authenticating all clients in Branch1. What should you do?
A. Run the ipconfig.exe /registerdns command on server1
B. Run the ipconfig.exe /flushdns command on server1
C. Stop and restart the Netlogon service on server1
D. Stop and restart the Netlogon service on clients in Branch1
Answer: C
Explanation: The DNS record shows the wrong IP address for Server1. We need to configure the DNS with the correct information. Because server1 is a domain controller, we need to register the A records and the SRV records. The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. To initiate the registration performed by Net Logon service manually, you can restart the Net Logon service.
Incorrect Answers:
A: This command will only register the A records. The client computers locate the domain controller by querying SRV records.
B: This will flush the local DNS client cache. This won't solve the problem.
D: We need to restart the Netlogon service on server1, not the clients.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 60

QUESTION NO: 5
You are a network administrator for Woodgrove Bank. All servers run Windows Server 2003. The company uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used.

A user on a server named Server2 reports that when she attempts to map a network drive to a shared folder on a server named Server5 by name, she received the following error message: "System error 67 has occurred. The network name cannot be found." The user was previously able to map network drives by name to shared folders on Server5 from Server2. You run the ping command on Server2 to troubleshoot the problem. The results of your troubleshooting are shown in the exhibit. You need to allow the user on Server2 to connect to resources on Server5 both by name and by address. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. On Server2, purge and reload the remote NetBIOS cache name table.
B. Re-register Server5 with WINS.
C. On Server2, run the ipconfig command with the /flushdns option.
D. On Server5, run the ipconfig command with the /renew option.
E. On Server5, run the ipconfig command with the /registerdns option.
Answer: B, E
Explanation: The server does not answer to DNS name or IP address, which means either it is offline or it has changed its IP and is still registered with the old IP (192.168.202.8). Ipconfig /registerdns will register in DNS, and WINS re-register will register the server with WINS.
Incorrect Answers:
A: Purging and reloading the remote NetBIOS cache name table is the same as option C. This is not going to allow a user on Server2 to connect to resources on Server5 both by name and by address.
C: Ipconfig /renew - Attempts to renew the DHCP lease. This is not what is required.
D: Ipconfig /flushdns - Flushes the DNS cache.
Flushing the DNS cache is not the same as registering.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 60

QUESTION NO: 6
You are the administrator of the Woodgrove Bank company network. The network consists of a single Active Directory domain named TestKing.com. The network includes 10 domain controllers running Windows Server 2003, 30 member servers running Windows Server 2003, 500 client computers running Windows XP Professional and 200 client computers running Windows NT 4.0 Workstation. WINS and DNS are used for name resolution. You log in to a member server named Server15. You attempt to connect to another member server named Server5, but you are unable to connect. You receive the following error message: "System error 67 has occurred. The network name cannot be found." To troubleshoot the problem, you try to ping Server5. The results are shown in the exhibit. You need to be able to connect to Server5 by host name and IP address. What should you do? (Each correct answer presents a complete solution. Choose two)
A. Open compmgmt.msc. Use the "Connect to another computer" option.
B. Open a command prompt on Server5. Run the nbtstat -RR command.
C. Open a command prompt on Server15. Run the ipconfig /flushdns command.
D. Open a command prompt on Server5. Run the ipconfig /renew command.
E. Open a command prompt on Server5. Run the ipconfig /registerdns command.
Answer: B, E
Explanation: The server does not answer to DNS name or IP address, which means either it is offline or it has changed its IP and is still registered with the old IP (192.168.202.8).

Ipconfig /registerdns will register Server5 in DNS. The nbtstat -RR command will re-register Server5 with WINS.
Incorrect Answers:
A: This option will not work because you need to register the host name and IP address in the DNS cache.
C: Ipconfig /flushdns - Flushes the DNS cache. Flushing the DNS cache is not the same as registering.
D: Ipconfig /renew - Attempts to renew the DHCP lease. This is not what is required. The host name and IP address have to be registered for you to be able to connect to Server5 by either of the two.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 60

QUESTION NO: 7
You are the network administrator for TestKing. You need to provide Internet name resolution services for the company. You set up a Windows Server 2003 computer running the DNS Server service to provide this network service. During testing, you notice the following intermittent problems:
1. Name resolution queries sometimes take longer than one minute to resolve.
2. Some valid name resolution queries receive the following error message in the Nslookup command-line tool: "Non-existent domain".
You suspect that there is a problem with name resolution. You need to review the individual queries that the server handles. You want to configure monitoring on the DNS server to troubleshoot the problem. What should you do?
A. In the DNS server properties, on the Debug Logging tab, select the Log packets for debugging option.
B. In the DNS server properties, on the Event Logging tab, select the Errors and warnings option.
C. In the System Monitor, monitor the Recursive Query Failures counter in the DNS object.
D. In the DNS server properties, on the Monitoring tab, select the monitoring options.
Answer: A
Explanation: If you need to analyze and monitor the DNS server performance in greater detail, you can use the optional debug tool. You can choose to log packets based on the following:
1. Their direction, either outbound or inbound
2. The transport protocol, either TCP or UDP
3. Their contents: queries/transfers, updates, or notifications
4. Their type, either requests or responses
5. Their IP address
Finally, you can choose to include detailed information.
Note: This is the only thing that's going to let you see details about packets.
Incorrect Answers:
B: The Event Logging tab allows you to restrict the events written to the DNS Events log file to only errors or to only errors and warnings; it also allows you to disable DNS logging.
C: This option allows you to view the total number of recursive query failures.
D: The Monitoring tab of the DNS server properties dialog box allows you to check basic DNS functionality with two simple tests: a simple query against the local DNS server and a recursive query to the root DNS servers.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 5

QUESTION NO: 8
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains three sites named MainOffice, EastCoast, and WestCoast. Each site contains four domain controllers and 100 client computers. One server in the EastCoast site is named TestKing1. All DNS servers contain Active Directory-integrated zones. Other administrators report that they cannot connect to TestKing1 when attempting to perform Active Directory administration. They report they can perform these tasks locally at TestKing1. You verify that Server1 is operational and that file and print resources are accessible by using the host name. You need to ensure that administrators can perform Active Directory administration on TestKing1 without requiring physical access to the server. What should you do?
A. On Server1, force registration of DNS hosts (A) resource records.
B. On Server1, restart the Net Logon service.
C. Install DNS on TestKing1.
D. Configure TestKing as a local bridgehead server for the EastCoast site.
Answer: B
Explanation: TestKing1 is a domain controller. We know this because administrators are trying to perform Active Directory administration on TestKing1. File and print resources on TestKing1 are accessible by using the host name. This means that the A records are present in DNS. The problem in this question is that the SRV records are missing. We need to restore the SRV in DNS. The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. To initiate the registration performed by Net Logon service manually, you can restart the Net Logon service.
Incorrect Answers:
A: File and print resources on TestKing1 are accessible by using the host name. This means that the A records are present in DNS.
C: It is not necessary to install DNS on TestKing1.
D: TestKing1 does not need to be a bridgehead server to enable the administrators to access it.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 12

B: Diagnose and resolve issues related to client computer configuration. (1 question)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one domain named testking.com. You need to deploy a new domain named NA.testking.com as a child domain of testking.com. You install a new stand-alone Windows Server 2003 computer named TK1. You plan to make TK1 the first domain controller in the NA.testking.com domain. You configure TK1 with a static IP configuration. You run the Active Directory Installation Wizard on TK1. The wizard prompts you for the network credentials to use to join the NA.testking.com domain to testking.com. You receive an error message stating that a domain controller in the testking.com domain cannot be located. You need to be able to promote TK1 to a domain controller as the first domain controller of the child domain in the existing forest. What should you do?
A. Configure the client WINS settings on TK1 to use a WINS server that contains entries for the testking.com domain controllers.
B. Configure the client DNS settings on TK1 to use a DNS server that is authoritative for the testking.com domain.
C. Configure the DNS Server service on TK1 to have a zone for NA.testking.com.
D. Configure TK1 to be a member server in the testking.com domain.
Answer: B
Explanation: This is typically the effect of a DNS problem because the client (in this case a member server) cannot locate the SRV records of a domain. The process needs to contact the DNS server that is authoritative for the parent domain that you want to make a child domain in. First, in the Active Directory installation wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller.
Later in the installation process, the wizard tests for the following: Based on its TCP/IP client configuration, it checks to see whether a preferred DNS server is configured. If a preferred DNS server is available, it queries to find the primary authoritative server for the DNS domain you specified earlier in the wizard.

It then tests to see whether the authoritative primary server can support and accept dynamic updates as described in the DNS dynamic update protocol. If, at this point in the process, a supporting DNS server cannot be located to accept updates for the specified DNS domain name you are using with Active Directory, you are provided with the option to install the DNS Server service.
Incorrect Answers:
A: WINS is used for name resolution for down-level clients. TK1 is a Windows Server 2003 computer.
C: NA.testking.com domain does not yet exist.
D: We want to install TK1 as a domain controller for the na.testking.com domain. Making TK1 a member server would mean demoting the server and then promoting it again at a later point. This does not make sense.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 6

Topic 3, Planning, Implementing and Maintaining Routing and Remote Access (23 Questions)
Part 1: Plan a routing strategy.
A: Identify routing protocols to use in a specified environment. (1 question)

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKing's main office is in Boston, and it has branch offices in Washington and Los Alamos. The company has no immediate plans to expand or relocate the offices. The company wants to connect the office networks by using a frame relay WAN connection and Routing and Remote Access servers that are configured with frame relay WAN adapters. Computers in each office will be configured to use their local Routing and Remote Access server as a default gateway. You are planning the routing configuration for the Routing and Remote Access servers. You need to allow computers in Boston, Washington, and Los Alamos to connect to computers in any office. You want to minimize routing traffic on the WAN connection. What should you do?
A. At each office, add the OSPF routing protocol to Routing and Remote Access, add the WAN adapter to the OSPF routing protocol, and deploy OSPF as a single-area internetwork.
B. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 broadcast and the incoming packet protocol as RIP version 1 and 2.
C. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 multicast and the incoming packet protocol as RIP version 2 only.
D. At each office, configure the Routing and Remote Access server with static routes to the local networks at the other two offices.
Answer: D
Explanation: We need to configure the routers to route traffic between the offices. As we only have three offices, we can use simple static routes. Once we have configured the routing tables with static routes, the offices will be able to communicate with each other. This solution is preferable to using a routing protocol, such as RIP, because there will be no routing information going over the WAN links.
Incorrect Answers:
A: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary. Static routes will suffice.
B: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary. Static routes will suffice.
C: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary. Static routes will suffice.
Reference:

J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 15, p. 9:27

B: Plan routing for IP multicast traffic. (1 question)

QUESTION NO: 1
You are the network administrator for TestKing. Two of TestKing's customers are Contoso Pharmaceuticals and City Power and Light. Your domain infrastructure is shown in the exhibit. All users in the testking.com domain need to access resources in the contoso.com domain. Some users in the testking.com domain need to access resources in the sales.cpandl.com domain. No users in the testking.com domain need to access resources in the sales.contoso.com domain. Although a two-way trust relationship exists between the testking.com and cpandl.com domains, you discover that the users in the testking.com domain cannot access resources in the sales.cpandl.com domain. You need to ensure that all users in the testking.com domain can access the appropriate resources in the other forests. What should you do?
A. Enable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Disable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.
B. Disable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.
C. Enable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.
D. Disable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Disable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.
Answer: B
Explanation: A forest trust must be explicitly created by a systems administrator between two forest root domains. This trust allows all domains in one forest to transitively trust all domains in another forest. A forest trust is not transitive across three or more forests. E.g., forest A trusts forest B and forest B trusts forest C. There is no trust relationship between forest A and forest C. The trust is transitive between two forests only and can be one-way or two-way. Forest trusts are only available when the forest is at the Windows Server 2003 functional level. Following this argument, it is clear that you should disable routing status between the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com and then enable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com. This should ensure that all users in the testking.com domain can access the appropriate resources in the other forests.
Incorrect Answers:
A, C, D: Forest trusts are not transitive over three or more forests. Thus these options will result in some of the resources being inaccessible to the testking.com domain users.
References: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 27
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.a

Part 2: Plan security for remote access users.
A: Plan remote access policies. (3 questions)

QUESTION NO: 1
You are the security analyst for TestKing. TestKing's written security policy does not allow direct dial-in connections to the network. During a routine security audit, you discover a Windows Server 2003 server named Testking1 that has a modem installed and is connected to an outside analog phone line. You investigate and discover that Testking1 is also running Routing and Remote Access and is used by the sales department. The modem supports the caller ID service. This remote access connection is used by an application at a partner company to upload product and inventory information to Testking1. Each day at midnight, the partner application connects to Testking1 and uploads the information. The connection never lasts longer than 30 minutes. The application is currently using the sales manager's domain user account to make the connection. The partner application does not support incoming connections. The partner company has no plans to update this application to support your written security policy, and the sales department requires this updated product and inventory information to be available each morning. TestKing management directs you to design a solution that provides the highest level of security for this connection until a more secure solution can be developed by the two companies. You need to design and implement a solution that will ensure that only the partner's application can connect to your network over the dial-up connection. Your solution must prevent the connection from being used by unauthorized users, and it must allow only the minimum amount of access to the network. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Create an account named PartnerDialup in the domain, and add this account to the Domain Guests group. Grant this user account permissions for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.
B. Create a local account named PartnerDialup on Testking1, and add this account to the local Users group.
Grant this user account permission for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.
C. Configure a remote access policy on Testking1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to require callback authentication to the partner company's server.
D. Configure a remote access policy on Testking1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to allow only the specific calling station identifier of the partner company's computer.
Answer: B, D
Explanation: A local user account for Microsoft Windows Server 2003 is a user account a domain provides for a user whose global account is not in a trusted domain. A local account is not required where trust relationships exist between domains.
IP address: A 32-bit address assigned to Transmission Control Protocol/Internet Protocol (TCP/IP) client computers and other network equipment that uniquely identifies that device on the network. For a computer to be accessible from the Internet, it must have an IP address containing a network identifier registered with the Internet Assigned Numbers Authority (IANA).
Thus options B and D will prevent the connection from being used by unauthorized users and with the minimum amount of access to the network.
Incorrect Answers:
A: This option will result in unnecessary exposure on the network by allowing more than the minimum amount of access to the network.
C: There is no need to require callback authentication. This implies that more than the minimum amount of access to the network needs to be allowed for.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: 6

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains a Windows Server 2003 computer named TestKing26 that is running Routing and Remote Access. The domain contains a universal group named Managers and a global group named Operations. User accounts in the Managers group require remote access between the hours of 8:00 A.M. and 8:00 P.M. User accounts in the Operations group require remote access 24 hours per day. You configure a remote access policy on TestKing26 named RA_Managers with the appropriate settings for the Managers group, and you configure a second remote access policy named RA_Operations on TestKing26 with the appropriate settings for the Operations group. The default remote access policies on TestKing26 remain unmodified. Members of the Managers group report that they can establish a remote access connection to TestKing26, but members of the Operations group report that they cannot establish a remote access connection to TestKing26. You open the Routing and Remote Access administrative tool and note that the remote access policies are in the order presented in the following table.
Remote access policy name                                    Order
RA_Managers                                                  1
Connections to Microsoft Routing and Remote Access server    2
RA_Operations                                                3
Connections to other access servers
You need to enable the appropriate remote access for the members of the Managers and Operations groups while restricting remote access to all other users. What should you do?
A. Delete the Connections to other access servers policy.
B. Re-create the Operations global group as a universal group.
C. Move the Connections to Microsoft Routing and Remote Access server policy up so that it is the first policy in the order.
D. Move the RA_Operations policy up so that it is the second policy in the order.
Answer: D
Explanation: The remote access policies are processed in order. If a user meets a condition in a policy, the user is allowed or denied access according to that policy. No other policies are checked. The Connections to Microsoft Routing and Remote Access server policy is being processed before the RA_Operations policy. The users meet the condition in the Connections to Microsoft Routing and Remote Access server policy and are being denied access. The RA_Operations policy isn't being checked. Therefore, we need to move the RA_Operations policy above the Connections to Microsoft Routing and Remote Access server policy.
Incorrect Answers:
A: This policy is not preventing the remote access. The Connections to Microsoft Routing and Remote Access server policy is preventing the access.
B: The global group is fine. Changing it will not help.
C: The Connections to Microsoft Routing and Remote Access server policy is preventing the access. The RA_Operations policy is not being checked. Therefore, we need to move the RA_Operations policy above the Connections to Microsoft Routing and Remote Access server policy.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 17

QUESTION NO: 3
You are the systems engineer for TestKing. The company has a main office in Las Palmas and two branch offices, one in Barcelona and one in Madrid. The offices are connected to one another by dedicated T1 lines. Each office has its own local IT department and administrative staff. The company network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP
Professional. All servers support firmware-based console redirection by means of the serial port. The server hardware does not support any other method of console redirection and cannot be upgraded to do so. The company is currently being reorganized. The IT department from each branch office is being relocated to a new central data center in the Las Palmas office. Several servers from each branch office are also being relocated to the Las Palmas data center. Each branch office will retain 10 servers. A new written security policy includes the following requirements:
1. All servers must be remotely administered for all administrative tasks
2. All servers must be administered from the Las Palmas office
3. All remote administration connections must be authenticated and encrypted
Your current network configuration already adheres to the new written security policy for day-to-day server administration tasks performed on the servers. You need to plan a configuration for out-of-band management tasks for each office that meets the new security requirements. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)
A. Connect each server's serial port to a terminal concentrator. Connect the terminal concentrator to the network.
B. Connect a second network adapter to each server. Connect the second network adapter in each server to a separate network switch. Connect the management port on the switch to a WAN port on the office router. Enable IPSec on the router.
C. Enable Routing and Remote Access on a server in each branch office, and configure it as an L2TP/IPSec VPN server. Configure a remote access policy to allow only authorized administrative staff to make a VPN connection.
D. On each server, enable the Telnet service with a startup parameter of Automatic. Configure Telnet on each server to use only NTLM authentication. Apply the Server (Request Security) IPSec policy to all servers.
E. On each server, enable Emergency Management Services console redirection and the Emergency Management Services Special Administration Console (SAC).
Answer: A, C, E
Explanation: The Special Administration Console Helper system service can be used to perform remote management tasks if the Windows Server 2003 family operating system stops functioning due to a Stop error message. Its main functions are to:
1. Redirect Stop error message explanatory text
2. Restart the system
3. Obtain computer identification information
The SAC
is an auxiliary Emergency Management Services command-line environment that is hosted by Windows Server 2003 family operating systems. It also accepts input, and sends output through the out-of-band port. !SAC is a separate entity from both SAC and Windows Server 2003 family command-line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or is not functioning. If the Special Administration Console Helper service is stopped, SAC services will no longer be available. If this service is disabled, any services that explicitly depend on it will not start.
Incorrect answers:
B: There is no need to connect a second network adapter to each server and have that adapter connected to a separate network switch.
D: Making use of NTLM authentication and applying the Server (Request Security) IPSec policy on all servers is not the solution.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 27

B: Analyze protocol security requirements. (0 questions)
C: Plan authentication methods for remote access. (10 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. TestKing has a main office and a branch office. Both offices are connected to the Internet by Network Address Translation (NAT) firewalls and T1 connections to the company's ISP.
Each firewall is configured with a perimeter network. TestKing uses a public key infrastructure (PKI) for both internal and external authentication. TestKing needs to connect the main office to the branch office by using the existing Internet connections. TestKing's written security policy included the following requirements:
1. All Internet communications must use the PKI for all authentication and data encryption
2. All servers that are required to communicate to or by means of the Internet must be located in a firewall perimeter network
You need to connect the main office to the branch office. You need to comply with the written security policy. You install Routing and Remote Access servers in the perimeter network at each office. What else should you do?
A. Configure persistent, two-way initiated PPTP connections with EAP-TLS authentication.
B. Configure persistent, two-way initiated PPTP connections with MS-CHAP v2 user authentication.
C. Configure persistent, two-way initiated L2TP/IPSec connections with MS-CHAP v2 user authentication.
D. Configure persistent, two-way initiated L2TP/IPSec connections with EAP-TLS user and computer authentication.
Answer: D
Explanation: Layer 2 Tunneling Protocol (L2TP) is a protocol used to establish virtual private network connections across the Internet. Extensible Authentication Protocol-Transport Level Security (EAP-TLS) is required to authenticate remote access users with smart cards or other security mechanisms based on certificates. The networks that use EAP-TLS typically have a public key infrastructure (PKI) in place and use certificates for authentication, that are stored on the computer or on smart cards. Virtual private network (VPN) is a technique for connecting to a network at a remote location using the Internet as a network medium. A user can dial in to a local Internet service provider (ISP) and connect through the Internet to a private network at a distant location, using a protocol like the Point-to-Point Tunneling Protocol (PPTP) to secure the private traffic. For L2TP/IPSec-type connections, the L2TP protocol provides VPN tunneling, and the Encapsulation Security Payload (ESP) protocol (itself a feature of IPSec) provides data encryption.
Incorrect Answers:
A, B: Although PPTP-based VPN connections do provide data confidentiality (captured packets cannot be interpreted without the encryption key), they do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
C: MS-CHAP v2 is not supported by Windows Server 2003.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 5.
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-56 to 10-59.

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 10 application servers running Windows Server 2003. There are 500 client computers on the LAN. The LAN-based client computers are members of the domain. There are 50 client computers on the Internet. The Internet-based client computers are not members of the domain. All client computers run Windows XP Professional. All client computers need to access the application servers. TestKing purchases certificates from a commercial certification authority (CA) when needed. The network design requires that all access to the application servers must be encrypted by using IPSec. The application servers are configured to refuse any connection that is not encrypted. You need to ensure that the client computers are authorized to access the application servers. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?
A.
Configure both the LAN-based client computers and the Internet-based client computers to use the Kerberos version 5 authentication protocol.
B. Configure both the LAN-based client computers and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.
C. Configure the LAN-based client computers to use the Kerberos version 5 authentication protocol and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.
D. Configure the LAN-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA and the Internet-based client computers to use the Kerberos version 5 authentication protocol.
Answer: C
Explanation: Kerberos is an industry-standard, ticket-based authentication method. This method is used when IIS machines are part of a domain and there are no legacy Windows NT domain controllers present. Kerberos version 5 is the default protocol used by computers running Windows Server 2003, Windows XP, and Windows 2000. With certificates, you can protect network data and secure communications using a variety of cryptographic algorithms and key lengths that enable you to implement as much security as you need for your organization. For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority.
Incorrect Answers:
A: The Internet-based client computers are not part of the domain.
B, D: If your organization engages in digital transactions with other companies, an internal CA is typically not useful because the other companies are not going to trust your own CA to verify your identity.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
11: 35

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The functional level of the domain is Windows 2000 mixed. The network contains domain controllers that run Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0. The network also contains application servers that run Windows Server 2003, Windows 2000 Advanced Server, or Windows NT Server 4.0. All client computers run Windows XP Professional. TestKing has a main office and branch offices. Each office has a local administrator. Local administrators manage the client computers that are in their offices, including the Group Policy settings. You want to reduce the possibility of passwords being compromised through man-in-the-middle attacks during the authentication process between client computers and servers. You want to ensure that the authentication protocols used by the client computers are as secure as possible. You are planning the guideline that the local administrators will use when they configure the Network Security policy setting for client computers. You want to be as flexible as possible, while still meeting your goals. You need to select the appropriate authentication type or types for the client computers. What should you do?
A. Allow LM, NTLM, NTLMv2, and Kerberos.
B. Allow only NTLM, NTLMv2, and Kerberos.
C. Allow only NTLMv2 and Kerberos.
D. Allow only Kerberos.
Answer: C
Explanation: NTLMv2 is the direct successor to the challenge/response NTLM authentication method. This method is used when IIS machines are part of a workgroup or on Windows Server 2003 networks that still have some legacy Windows NT domain controllers present. Kerberos is an industry-standard, ticket-based authentication method.
This method is used when IIS machines are part of a domain and there are no legacy Windows NT domain controllers present.
Incorrect Answers:
A: The LM authentication protocol is considered weak because of the method used to encrypt the password. This weakness is known and exploited by hackers.
B: If NTLMv2 is the direct successor to the challenge/response NTLM authentication method, then why should it be allowed?
D: There are legacy Windows NT domain controllers present, so this cannot be used on its own.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: 23

QUESTION NO: 4
You are the systems engineer for TestKing. The network consists of a single Active Directory domain testking.com. TestKing has a main office and two branch offices. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. Each branch office maintains a dedicated 256-Kbps connection to the main office. Each office also maintains a T1 connection to the Internet. Each office has a Microsoft Internet Security and Acceleration (ISA) Server 2003 computer, which provides firewall and proxy services on the Internet connection. Each branch office contains one domain controller and five servers that are not domain controllers. Administrative staff at the branch offices is minimal. A new company policy states that all servers must now be remotely administered by administrators in the main office. The policy states that all remote administrators' connections must be authenticated by the domain and that all traffic must be encrypted. The policy also states that the remote administration traffic must never be carried in clear text across the Internet. You choose to implement remote administration by enabling Remote Desktop connections on all servers on the network. You decide to use the Internet-connected T1 lines for remote administration connectivity between offices. Because administrative tasks might require simultaneous connections to multiple servers across the network, you need to ensure that administrators do not lose connections to servers in one office when they attempt to connect to servers in another office.
What should you do?
A. Configure Routing and Remote Access on one server in each branch office. Create L2TP/IPSec VPN ports on these servers. Create new VPN connections to the administrator's computers to connect to the VPN servers in the branch offices.
B. Configure a VPN server in each branch office. Create connections that use IPSec Authentication Header (AH) in tunnel mode from the main office to connect to VPN servers in the branch offices.
C. Configure a local L2TP/IPSec VPN connection on the ISA Server 2003 firewall computer in the main office. Configure the ISA Server 2003 firewall computers at the branch offices as remote L2TP/IPSec VPN servers.
D. Configure a local PPTP VPN connection on the ISA Server 2000 firewall computers in each branch office. Configure the ISA Server 2000 firewall computer at the main office as a remote PPTP VPN server.
Answer: C
Explanation: For L2TP/IPSec-type connections, the L2TP protocol provides VPN tunneling, and the Encapsulation Security Payload (ESP) protocol (itself a feature of IPSec) provides data encryption. L2TP/IPSec connections, unlike those of PPTP, require computer authentication in addition to user authentication. Computer connection attempts between remote access clients and servers. After the tunnel endpoints are authenticated and a secure channel is established between the client and the server, user authentication follows. User authentication over L2TP/IPSec VPN connections occurs by means of any of the same set of authentication protocols that are used for PPTP and dial-up connections. Once user authentication is complete, user authorization follows. Preferred methods of VPN encryption include MPPE and IPSec.
Incorrect Answers:
A: This option will not ensure that administrators will retain connectivity to resources in one office while they are connecting to the other office.
B: AH does not provide confidentiality, which means that the data is not encrypted.
D: Although PPTP-based VPN connections do provide data confidentiality (captured packets cannot be interpreted without the encryption key), they do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, glossary

QUESTION NO: 5
You are a network administrator for TestKing. TestKing has one main office and 30 branch offices. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. TestKing needs to connect the main office network and all branch office networks by using Routing and Remote Access servers at each office. The networks will be connected by VPN connections over the Internet. You install three Routing and Remote Access servers at the main office. You are configuring security for the Routing and Remote Access servers. You need to provide centralized authentication for the branch office Routing and Remote Access servers. You need to centrally configure the remote access policies for the main office Routing and Remote Access servers. You need to centrally maintain remote access authentication and connection logs for the main office Routing and Remote Access servers. You install Internet Authentication Service (IAS) on a server in the main office and register it in Active Directory. What else should you do?
A. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.
B. Configure the remote access policies on the IAS server. On the IAS server, configure the branch office RADIUS clients. Configure the branch office Routing and Remote Access servers to use RADIUS authentication and accounting.
C. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients.
Configure the main office Routing and Remote Access servers to use Windows authentication and accounting.
D. Run the netsh command to configure the remote access policies on the main office Routing and Remote Access servers. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.
Answer: A
Explanation: Internet Authentication Service (IAS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS), an authentication and accounting system used by many Internet Service Providers (ISPs). When a user connects to an ISP using a username and password, the information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. RADIUS proxy and server support is a new feature in Windows Server 2003. You can install and use the Microsoft Internet Authentication Service (IAS) server for both RADIUS servers and RADIUS proxies.
Incorrect Answers:
B: The main office RADIUS clients should be configured on the IAS server and not the other way around.
C: The question states that "You need to centrally configure the remote access policies for the main office" and with Windows authentication there is a separate set of policies for each RRAS server.
D: NetSh.exe is a configuration tool that now adds the basic network diagnostic features provided by older NetDiag.exe tool. Netsh is a command-line scripting utility that permits administrators to display or modify the network configuration of a computer that is currently running.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
5: 28

QUESTION NO: 6
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains Windows Server 2003 file servers. The network also contains a Windows Server 2003 computer named Testking1 that runs Routing and Remote Access and Internet Authentication Service (IAS). Testking1 provides VPN access to the network for users' home computers. You suspect that an external unauthorized user is attempting to access the network through Testking1. You want to log the details of access attempts by VPN users when they attempt to access the network. You want to compare the IP addresses of users' home computers with the IP addresses used in the access attempts to verify that the users are authorized. You need to configure Testking1 to log the details of access attempts by VPN users. What should you do?
A. Configure the system event log to Do not overwrite.
B. In IAS, in Remote Access Logging, enable the Authentication requests setting.
C. Configure the Remote Access server to Log all events.
D. Create a custom remote access policy and configure it for Authentication-Type.
Answer: B
Explanation: Internet Authentication Services (IAS) is a service included with Microsoft Windows Server 2003 that provides centralized authentication and authorization services. Remote Access Logging lists log files and allows you to configure additional logging options, one of which is authentication requests.
Incorrect Answers:
A: System log files contain events relating to the activity of the operating system. Startups and shutdowns, device driver events, and system service events are recorded in the System log.
C: Log all Events will be very inefficient. Enabling the Authentication requests setting will be sufficient to log all details concerning VPN user access attempts.
D: Authentication-type option is used to check the authentication method in use. This is not what is required.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 312
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 5: 28

QUESTION NO: 7
You are a network administrator for TestKing. The company has a main office and one branch office. The network consists of a single Active Directory domain named TestKing.com. All servers run Windows Server 2003. The company needs to connect the main office network and the branch office network by using RRAS servers at each office. The networks will be connected by a VPN connection over the Internet. The company's written security policy includes the following requirements for VPN connections over the Internet:
1. All data must be encrypted with end-to-end encryption
2. VPN connection authentication must be at the computer level
3. Credential information must not be transmitted over the Internet as part of the authentication process
You need to configure security for VPN connections between the main office and the branch office. You need to comply with the written policy. What should you do?
A. Use a PPTP connection with EAP-TLS authentication
B. Use a PPTP connection with MS-CHAP v2 authentication
C. Use an L2TP connection with EAP-TLS authentication
D.
Use an L2TP connection with MS-CHAP v2 authentication
Answer: C
Explanation: Strictly speaking, this answer is incomplete, because it doesn't mention IPSec. For computer-level authentication, we must use L2TP/IPSec connections. To establish an IPSec security association, the VPN client and the VPN server use the Internet Key Exchange (IKE) protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. Computer certificate authentication is highly recommended, as it is a much stronger authentication method. Computer-level authentication is only done for L2TP/IPSec connections.
Incorrect Answers:
A: PPTP uses user-level authentication over PPP. The question states that computer-level
B: PPTP uses user-level authentication over PPP. The question states that computer-level
D: For computer certificate authentication, we must use EAP-TLS, not MS-CHAP v2.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 591, 594-595

QUESTION NO: 8
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company has remote users in the sales department who work from home. The remote users' client computers run Windows XP Professional, and they are not members of the domain. The remote users' client computers have local Internet access through an ISP.
TestKing is deploying a Windows Server 2003 computer named TestKingA that has Routing and Remote Access installed. TestKingA will function as a VPN server, and the remote users will use it to connect to the company network. Confidential research data will be transmitted from the remote users' client computers. Security is critical to the company and TestKingA must protect the remote users' data transmissions to the main office. The remote client computers will use L2TP/IPSec to connect to the VPN server. You need to choose a secure authentication method. What should you do?
A. Use the authentication method of the default IPSec policies.
B. Create a custom IPSec policy and use the Kerberos version 5 authentication protocol.
C. Create a custom IPSec policy and use certificate-based authentication.
D. Create a custom IPSec policy and use preshared authentication.
E. Use the authentication method of the Routing and Remote Access custom IPSec policy for L2TP connection.
)ns"er: ' E3#lanation: The security o$ a 8.N is based on the tunneling and authentication #rotocols that you use and the le/el o$ encry#tion that you a##ly to 8.N connections Eor the highest le/el o$ security* use a remote access 8.N based on A2T.KI.Sec "ith certi$icate>based I.Sec authentication and Tri#le>DES $or encry#tion I$ you decide to use a ..T.>based 8.N solution to reduce costs and im#ro/e manageability and intero#erability* use ?icroso$t 'hallenge :andsha0e )uthentication .rotocol /ersion2 &?S>':)./2( as the authentication #rotocol Tunneling and authentication #rotocols* and the encry#tion le/els a##lied to 8.N connections* determine 8.N security A2T.KI.Sec #ro/ides the highest le/el o$ security Eor a 8.N design* determine "hich 8.N #rotocol best meets your requirements !indo"s Ser/er2==, su##orts t"o 8.N #rotocols: .oint>to>.oint Tunneling .rotocol &..T.( and Aayer T"o Tunneling .rotocol "ith Internet .rotocol security &A2T.KI.Sec( Incorrect )ns"ers: ): The default &5$ec policies do not re6uire encr ption. +: !e cannot use the @erberos %ersion F authentication protocol because the remote users are not members of the domain. D: 5re2shared authentication uses a 8password8 that is /nown b the ser%er and the client computers. This method is less secure than a certificate based method. E: This answer sounds plausible, but the actual setting on RRA$ 8Allow .ustom &5$ec polic for 42T5 connection8 in the RRA$ $er%er properties onl allows a pre2shared /e which is ,'T secure compared to certificate2based &5$ec policies. De$erence: .raig Rac/er, M.$3 $elf25aced Training @it *3Bam G"22=3+9 5lanning and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. F9 >21" QUESTION NO: ; :OTS.OT ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1-3 2

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 computer named TestKing4 that functions as a mail server. TestKing4 is configured as a member server in the domain. To improve service to users, TestKing launched a single sign-on initiative. Currently, users need to authenticate to the mail server after they log on to the domain to send or receive e-mail messages. You use IIS Manager to configure the properties for the Default SMTP Virtual Server on TestKing4. You need to allow users to send e-mail messages without explicitly logging on to TestKing4. You need to prevent unauthorized users from sending e-mail messages. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer:

Explanation: Uncheck anonymous access, Check Integrated Windows Authentication.

Integrated Windows Authentication - Select this option to enable the standard security mechanism that is provided with servers running Windows Server. This security feature makes it possible for businesses to provide secure logon services for their customers. Virtual servers that already use Integrated Windows Authentication in an internal system can benefit by using a single, common security mechanism. Integrated Windows Authentication uses a cryptographic technique for authenticating users and does not require the user to transmit actual passwords across the network.

Note: Using Integrated Windows Authentication requires a mail client that supports this authentication method. Microsoft Outlook and Microsoft Outlook Express support Integrated Windows Authentication.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 5: 27

QUESTION NO: 10
You are the administrator of TestKing's network, which consists of a single Windows 2003 domain named testking.com. The network includes a stand-alone Windows 2003 Server computer named RAS1, which runs Routing and Remote Access. All employees use computers running Windows XP Professional to dial in to the network. Your remote access policies permit members of the Domain Users group to dial in to RAS1 between 7:00 P.M. and 6:00 A.M. every day. To increase dial-up security, your company issues smart cards to all employees. You need to configure RAS1 and your remote access policies to support the use of the smart cards for dial-up connections. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. Create a remote access policy that requires users to authenticate by using the EAP-TLS.
B. Create a remote access policy that requires users to authenticate by using the MS-CHAP v2.
C. Create a remote access policy that requires users to authenticate by using SPAP protocol.
D. Add RAS1 to the Windows 2000 domain.
E. Install the Internet Authentication Service (IAS) on RAS1.
F. Install Certificate Services on RAS1 and configure it to issue encryption certificates upon request.

Answer: A, F

Explanation: Smart cards require certificates. To authenticate using certificates, the RRAS server needs to be configured to use EAP-TLS. When configuring EAP-TLS, you can select the smart card option. The RRAS server is a standalone server, so we'll need to configure Certificate Services on it to issue the certificates for the smart cards.

Incorrect Answers:
B: EAP-TLS is required for smart card authentication, not MS-CHAP v2.
C: EAP-TLS is required for smart card authentication, not SPAP.
D: The RRAS server does not need to be a member of the domain.
E: Internet Authentication Service (IAS) is Microsoft's implementation of the RADIUS service. This is used when you have multiple RRAS servers and require centralized authentication.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 591, 594-595

Part 3: Implement secure access between private networks.
A: Create and implement secure VPN connections. (4 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains one root domain and multiple child domains. The functional level of all child domains is Windows Server 2003. The functional level of the root domain is Windows 2000 native. You configure a Windows Server 2003 computer named TestKing1 to be a domain controller for an existing child domain. TestKing1 is located at a new branch office, and you connect TestKing1 to a central data center by a persistent VPN connection over a DSL line. TestKing1 has a single replication connection with a bridgehead domain controller in the central data center. You configure DNS on TestKing1 and create secondary forward lookup zones for each domain in the forest. You need to minimize the amount of traffic over the VPN connection caused by logon activities. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Configure the DNS zones to be Active Directory-integrated zones.
B. Configure TestKing1 to be the PDC emulator for the domain.
C. Configure TestKing1 to be a global catalog server.
D. Configure universal group membership caching on TestKing1.
Answer: C, D

Explanation: Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. We can reduce this traffic by either configuring TestKing1 to be a global catalog server, or by enabling universal group membership caching on TestKing1.

A global catalog server stores information about all objects in the forest, but not their attributes, so that applications can search Active Directory without referring to specific domain controllers that store the requested data. Universal group membership caching, on the other hand, allows the domain controller to cache universal group membership information for users. This eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Incorrect Answers:
A: Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. It is not caused by DNS replication.
B: The PDC emulator is not used in the logon process (except for down-level clients).

Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 5

QUESTION NO: 2 DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You need to implement the capabilities and requirements listed in the following table for the users and computers in the domain.

Type of user or computer    Capability or requirement
Domain users                Smart card logon required for all users
Security global group       Ability to issue smart cards to all domain users
Human resources servers     Certificate-based IPSec encryption required for all data transmissions
VPN servers                 L2TP required

All client computers are portable computers and need to connect to the VPN servers and to the human resources servers. You configure a public key infrastructure (PKI) to support the domain users and computers. You need to specify which type of certificate, if any, each type of user or computer requires. What should you do? To answer, drag the appropriate certificate template or templates to the correct location or locations in the work area.

Answer:

Explanation: IPSec should be enabled on the HR servers, VPN servers and the client computers. The Smart Card certificates are issued to the users, not the computers. The Security group needs Enrollment Agents certificates.

Smart Card Logon is integrated with the Kerberos version 5 authentication protocol implemented in Windows Server 2003. When smart card logon is enabled, the system recognizes a smart-card insertion event as an alternative to the standard Ctrl + Alt + Del secure attention sequence to initiate a logon. The user is then prompted for the smart card PIN code, which controls access to operations performed by using the private key stored on the smart card. In this system, the smart card also contains a copy of the certificate of the user (issued by an enterprise CA). This allows the user to roam within the domain.

Enroll clients - To participate in a PKI, users, services, and computers must request and receive certificates from an issuing CA. Typically, enrollment is initiated when a requester provides unique identifying information and a newly generated public key.
The CA administrator or enrollment agent uses this unique identifying information to authenticate the identity of the requester before issuing a certificate.

The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p. 899

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You support 100 mobile users who have portable computers that run Windows NT Workstation 4.0, Windows 98, Windows 2000 Professional, Windows XP Professional, or Windows ME. TestKing's written security policy requires that any remote access solution must provide both data integrity and data origin authentication. You need to implement a VPN-based remote access solution. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. Install certificates on all VPN client computers.
B. Install a certificate on the VPN server computer.
C. Implement L2TP-based connections on the Windows 2000 Professional computers and the Windows XP Professional computers. Implement PPTP-based connections on all other portable computers.
D. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement L2TP-based connections on all portable computers.
E. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement PPTP-based connections on all portable computers.

Answer: A, B, D

Explanation: The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol. To ensure that both data integrity and data origin authentication are provided by your solution, certificates should be installed on both the VPN client and server computers. Furthermore, making use of the L2TP/IPSec VPN client on the portable computers will accommodate all the computers that run earlier versions of Windows operating systems. You should also implement L2TP-based connections on all the portable computers.

Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec).
1. Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 upgrade.
2. Windows Me with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later)
3. Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later)

Incorrect answers:
C: This option might exclude some portable computer users.
E: This option seems to be in order; however, making use of PPTP-based connections will not accommodate all the portable computer users.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p. 307
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

QUESTION NO: 4
You are the systems engineer for TestKing. The network consists of a single Active Directory domain testking.com. TestKing has a main office and two branch offices. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. Each branch office maintains a dedicated 256-Kbps connection to the main office. Each office also maintains a T1 connection to the Internet. Each office has a Microsoft Internet Security and Acceleration (ISA) Server 2003 computer, which provides firewall and proxy services on the Internet connection. Each branch office contains one domain controller and five servers that are not domain controllers. There is a minimal administrative staff at the branch offices. A new company policy states that all servers must now be remotely administered by administrators in the main office. The policy states that all remote administrators' connections must be authenticated by the domain and that all traffic must be encrypted. The policy also states that the remote administration traffic must never be carried in clear text across the Internet. You choose to implement remote administration by enabling Remote Desktop connections on all servers on the network. You decide to use the Internet-connected T1 lines for remote administration connectivity between offices. Because administrative tasks might require simultaneous connections to multiple servers across the network, you need to ensure that administrators do not lose connections to servers in one office when they attempt to connect to servers in another office.
What should you do?

A. Configure Routing and Remote Access on one server in each branch office. Create L2TP/IPSec VPN ports on these servers. Create new VPN connections to the administrator's computers to connect to the VPN servers in the branch offices.
B. Configure a VPN server in each branch office. Create connections that use IPSec Authentication Header (AH) in tunnel mode from the main office to connect to VPN servers in the branch offices.
C. Configure a local L2TP/IPSec VPN connection on the ISA Server 2000 firewall computer in the main office. Configure the ISA Server 2000 firewall computers at the branch offices as remote L2TP/IPSec VPN servers.
D. Configure a local PPTP VPN connection on the ISA Server 2000 firewall computers in each branch office. Configure the ISA Server 2000 firewall computer at the main office as a remote PPTP VPN server.

Answer: C

Explanation: Windows 2003 VPNs use the IP Security protocol (IPSec) to encrypt data sent over an L2TP tunnel. This provides end-to-end encryption and greater security than the MPPE encryption used with PPTP.

Incorrect answers:
A: This option might result in some administrators losing their connection to servers in one office when they try to connect to servers in another office.
B: Authentication Header (AH) provides data authentication, integrity, and anti-replay to IP packets. It is one of the two primary IPSec protocols. AH is used to provide data authentication and integrity. It does not provide data confidentiality.
D: PPTP in Windows Server 2003 is based on the existing PPP infrastructure and supports the same authentication methods as PPP, such as the Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). However, L2TP provides greater security.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp. 258, 307-309

B: Create and implement an IPSec policy. (2 questions)

QUESTION NO: 1
You are the systems engineer for TestKing. The network consists of three physical networks connected by hardware-based routers. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each physical network contains at least one domain controller and at least one DNS server. One physical network contains a Microsoft Internet Security and Acceleration (ISA) Server array that provides Internet access for the entire company. The network also contains a certificate server. TestKing management wants to ensure that all data is encrypted on the network and that all computers transmitting data on the network are authenticated. You decide to implement IPSec on all computers on the network. You edit the Default Domain Policy Group Policy object (GPO) to apply the Secure Server (Require Security) IPSec policy. Users immediately report that they cannot access resources located in remote networks. You investigate and discover that all packets are being dropped by the routers. You also discover that Active Directory replication is not functioning between domain controllers in different networks. You need to revise your design and implementation to allow computers to communicate across the entire network. You also need to ensure that the authentication keys are stored encrypted. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure the routers to use IPSec and preshared key for authentication.
B. Configure the routers to use IPSec and a certificate for authentication.
C. Configure the routers to use IPSec and Kerberos for authentication.
D. Reconfigure the GPOs to require a preshared key for IPSec authentication.
E. Reconfigure the GPOs to require a certificate for IPSec authentication.

Answer: B, E

Explanation: IPSec allows encryption of data across the network. Certificates are digital documents that are commonly used for authentication and to secure information on open networks.
A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certificate authority (CA), and they can be issued for a user, a computer, or a service. Group policies are used in Active Directory to configure auto-enrollment. In Computer Configuration > Windows Settings > Security Settings > Public Key Policies, there is a group policy entitled Automatic Certificate Request Settings. The property sheet for this policy enables you to choose to either Enroll certificates automatically or not. Also, you will need to ensure that the Enroll subject option is selected on the Request Handling tab of the certificate template property sheet without requiring any user input.

Incorrect Answers:
A, D: Pre-shared keys are stored as plaintext. This means that it is not encrypted as is required by the question.
C: The Kerberos authentication mechanism relies on a key distribution center (KDC) to issue tickets that allow client access to network resources.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 763.

QUESTION NO: 2
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The Active Directory domain contains three organizational units (OUs): Payroll Users, Payroll Servers, and Finance Servers. The Windows XP Professional computers used by the users in the payroll department are in the Payroll Users OU. The Windows Server 2003 computers used by the payroll department are in the Payroll Servers OU. The Windows Server 2003 computers used by the finance department are in the Finance Servers OU. You are planning the baseline security configuration for the payroll department. The company's written security policy requires that all network communications with servers in the Payroll Servers OU must be secured by using IPSec. The written security policy states that IPSec must not be used on any other servers in the company. You need to ensure that the baseline security configuration for the payroll department complies with the written security policy. You also need to ensure that members of the Payroll Users OU can access resources in the Payroll Servers OU and in the Finance Servers OU. What should you do?

A. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec policy setting. Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.
B. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec policy setting. Link the GPO to the Payroll Servers OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.
C. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting. Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.
D. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting.
Link the GPO to the Payroll Servers OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

Answer: A

Explanation: Assigning the Secure Server (Require Security) IPSec policy to the payroll servers will ensure that they will only communicate using IPSec. Assigning the Client (Respond Only) IPSec policy to the payroll clients will ensure that they are able to use IPSec when asked to do so by the payroll servers. All other network communications will not use IPSec.

Client (Respond Only) policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.

Secure Server (Require Security) policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.

Incorrect Answers:
B, D: The question states that IPSec must not be used on any other servers in the company.
C: This option configures the computer to use IPSec only when another computer only responds to requests from other computers for secured communications.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 12.

Part 4: Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor. (2 questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All servers are manually configured with static IP addresses. All client computers run Windows XP Professional. All client computers receive their TCP/IP configuration information from a DHCP server. TestKing's network consists of two subnets: 172.30.22.0/24 and 172.30.23.0/24. The research department uses the 172.30.23.0/24 subnet exclusively. All computers that belong to the other departments are located on the 172.30.22.0/24 subnet. You deploy a server named Testking1 to the research department. Testking1 was formerly used in a test lab environment. You change the TCP/IP configuration of Testking1 to allow it to communicate on the company network. Later, users from other departments report that when they attempt to connect to Testking1, the connection times out. You run the route print command on Testking1 and view the output shown in the exhibit. You need to ensure that users can connect to Testking1. Which command should you run on Testking1?

A. route delete 172.30.22.0 mask 255.255.255.0 192.168.17.100
B. route delete 172.30.23.0 mask 255.255.255.0 172.30.23.19
C. route change 172.30.22.0 mask 255.255.255.0 192.168.17.100 2 IF 1
D. route change 172.30.23.0 mask 255.255.255.0 172.30.23.19 3 IF 1

Answer: A

Explanation: When a particular route or table entry is applied to a packet, the gateway value determines the next address or hop for which that packet is destined. In this case the gateway address is not part of the same network.

Incorrect Answers:
B: According to the exhibit, it is a valid address.
C, D: Addresses are a numerical sequence, with no letters.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 15, p. 9:27

QUESTION NO: 2
You are the network administrator for TestKing.com. The network contains 10 Web servers that run Windows Server 2003, Web Edition. The Web servers are located in an organizational unit (OU) named Web_Servers. A security analysis of the Web servers reveals that they all contain several security settings that are critical vulnerabilities. You need to modify the security settings on the Web servers as quickly as possible while minimizing the performance impact on the servers. You want the new settings to be periodically enforced without administrative intervention. What should you do?

A. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the secedit /refreshpolicy machine_policy command.
B. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the gpupdate /target:computer command.
C. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /configure /db secedit.sdb /cfg websec.inf command.
D. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /import /db secedit.sdb /cfg websec.inf command.

Answer: B

Explanation: /target:computer allows you to specify that only Computer policy settings should be refreshed. By default, both User and Computer policy settings are refreshed.

Incorrect Answers:
A: The secedit /refreshpolicy machine_policy is a command available to Windows 2000 Servers, but is replaced by gpupdate in Windows Server 2003.
B: Configures local security policy settings by applying the stored database settings
C: Imports a security template into the named database

Reference: Laura E. Hunter, Brian Barber, Melissa Craft, Norris L. Johnson, Jr., and Tony Piltzecker, Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, 2004, Chapter 7, p. 376

Topic 4, Planning, Implementing, and Maintaining Server Availability (35 Questions)
Part 1: Plan services for high availability.
A: Plan a high availability solution that uses clustering services. (6 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network contains four Windows Server 2003 computers configured as a four-node server cluster. Each cluster node is the preferred owner of a clustered instance of Microsoft SQL Server 2000, and each cluster node is configured as a possible owner of all other instances of SQL Server. All nodes have identically configured hardware. All four nodes operate at a sustained 70 percent CPU average. You add a server that has identically configured hardware to the cluster as a fifth node. You want each SQL Server instance to continue operating at the same level of performance in the event of a single node failure. What should you do?

A. Clear the Affect group check box in the cluster resource properties for each SQL Server instance.
B. Configure the fifth node as the only possible owner other than the existing preferred owner of the cluster resources that are associated with each SQL Server instance.
C. Configure the fifth node as the preferred owner of each cluster group that contains an SQL Server instance.
D. Enable failback on each group that contains an SQL Server instance.

Answer: B

Explanation: Clustering is intended for organizations running applications that must be available, making any server downtime unacceptable. In a server cluster, each computer is running the same critical applications, so that if one server fails, the others detect the failure and take over at a moment's notice. This is called failover. In the question it is mentioned that a fifth node is added. The other four nodes are each configured as preferred owner. Thus if you configure the added node as the only possible other owner of the cluster resources that are associated with each SQL Server instance, then each SQL Server instance will continue at the same level of performance in case a single node fails.

Incorrect answers:
A: Clearing the Affect group check box is not going to ensure that the other nodes will continue to operate at the same level of performance in case of single node failure.
C: This would be the wrong configuration for the purposes of this question.
D: Failback is when the failed node returns to service, the other nodes take notice and the cluster begins to use the recovered node again. This will not ensure that each of the SQL Server instances continues to operate at the same level of performance.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 2

QUESTION NO: 2
You have just installed two Windows Server 2003 computers. You configure the servers as a two node server cluster. You install WINS on each Node of the cluster. You create a new virtual server to support WINS. You create a new cluster group named WINSgroup. When you attempt to create the Network Name resource, you receive an error message. You need to make the proper changes to the cluster to complete the installation of WINS. What should you do?
A. Create a Generic Service resource in the WINSgroup cluster group
B. Configure the network priorities for the cluster
C. Create an IP address resource in the WINSgroup cluster group
D. Add the proper DNS name for the WINS Server in the DNS database
Answer: C
Explanation: You need to create an IP address resource before you can create the network name resource.
Incorrect Answers:
A: Applications or services that do not provide their own resource DLLs can be configured into the cluster environment by using the generic resource DLL. The Cluster Service then treats these applications or services as generic, cluster-unaware applications or services. The absence of a Generic Service resource will thus not impede the creation of a Network Name resource.
B: If cluster nodes can communicate over multiple networks, the network's priority specifies the order in which the nodes will attempt to communicate over the networks.
D: Name Resolution is not required to create a Network Name resource.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7:5
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp

QUESTION NO: 3
You are a network administrator for TestKing. The network contains a perimeter network. The perimeter network contains four Windows Server 2003, Web Edition computers that are configured as a Network Load Balancing cluster. The cluster hosts an e-commerce Web site that must be available 24 hours per day. The cluster is located in a physically secure data centre and uses an Internet-addressable virtual IP address. All servers in the cluster are configured with the Hisecws.inf template. You need to implement protective measures against the cluster's most significant security vulnerability. What should you do?
A. Use Encrypting File System (EFS) for all files that contain confidential data stored on the cluster.
B. Use packet filtering on all inbound traffic to the cluster.
C. Use Security Configuration and Analysis regularly to compare the security settings on all servers in the cluster with the baseline settings.
D. Use intrusion detection on the perimeter network.
Answer: B
Explanation: The most sensitive element in this case is the network card that uses an Internet-addressable virtual IP address. The question doesn't mention a firewall implementation or an intrusion detection system (Usually Hardware). Therefore, we should set up packet filtering. You can configure packet filtering to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information.
Incorrect Answers:
A: In the case of EFS, you can't use it on cluster storage.
C: Security Configuration and Analysis enables you to work with security templates in a database, where you can analyze them before applying them to your computers.
D: IDS will (if properly maintained and updated with new signatures) look for certain activity on the network and check this against a signature database it carries. If a match occurs, then an alert is sent to an administrator or logged.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7:5

QUESTION NO: 4 DRAG DROP
You are the network administrator for TestKing. The company needs to implement a Web application that uses two Microsoft SQL Server 2000 database instances. You expect the size of each database instance to be between 200 GB and 300 GB at any given time. Several tables in each database contain data that is updated once every few seconds, on average. You estimate that each database instance requires 7 GB of memory, and that each instance requires 70 percent usage of four CPUs, on average. Using two servers TestKingSQL1 and TestKingSQL2, you need to plan the minimum highly available server infrastructure for the databases that meets the requirements. You also want to minimize the costs and administrative effort required to maintain the infrastructure. What should you do? To answer, drag the appropriate configuration settings to the Cluster Configuration.
Answer:
Explanation: We are running two different databases so we need a Cluster Service Cluster rather than a Network Load Balancing cluster (We can only use NLB if the two servers are hosting identical content). For a Cluster Service Cluster, we need to use Windows Server 2003 Enterprise Edition. We need to ensure that the database will still run if one of the cluster nodes fails. Therefore each cluster node will need enough resources to run both databases. Each database requires four CPUs, so each cluster node must have 8 CPUs in order to run both databases in the event of a cluster node failure.
Each database requires 7 GB of RAM so each cluster node must have at least 14 GB of RAM in order to run both databases in the event of a cluster node failure (our only option above 14 GB of RAM is to put 16 GB of RAM in each cluster node).
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7:5

QUESTION NO: 5
You are a network administrator for TestKing. TestKing is developing a new Web application that connects to an SQL back-end environment. The design team decides that the new application must be fault tolerant. You interview the Web developers and the SQL administrators to establish the size of the environment. The Web developers state that they need at least three Web servers to share the load. Each Web server requires two processors and 1 GB of RAM. The Web developers state if one of the Web servers fails, the Web application can run for several hours in a degraded state. Responsiveness will be below specifications in a degraded state. The SQL administrators state that they need two Microsoft SQL Server computers to support the new application. They want the SQL server environment to be redundant. Each SQL Server computer requires four processors and 3 GB of RAM. The SQL administrators state that only one SQL Server computer is required to maintain the application. You need to ensure that two of the Web servers and one of the SQL Server computers are always available. You need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Install Windows Server 2003, Web Edition on all three Web servers. Connect all three servers by using Network Load Balancing.
B. Install Windows Server 2003, Standard Edition on all three Web servers. Connect all three servers by using Network Load Balancing.
C. Install Windows Server 2003, Enterprise Edition on all three Web servers. Install a shared fiber-attached disk array for the Web servers. Implement a three-node server cluster for the Web servers. Configure the cluster so that all three nodes are active.
D. Install Windows Server 2003, Standard Edition on both SQL Server computers. Connect the SQL Server computers by using Network Load Balancing.
E. Install Windows Server 2003, Enterprise Edition on both SQL Server computers. Connect the SQL Server computers by using Network Load Balancing.
F. Install Windows Server 2003, Enterprise Edition on both SQL Server computers. Install a shared fiber-attached disk array for the SQL Server computers. Implement a two-node server cluster for the SQL servers. Configure the cluster so that one node is active and the second node is a hot standby node.
Answer: A, F
Explanation: For the web servers we can use three servers connected using Network Load Balancing. We can use Network Load Balancing because the content will be the same on the web servers. Windows Server 2003 Web Edition supports Network Load Balancing. For the SQL servers we need a two-node server cluster. For a server cluster, we need Windows Server 2003 Enterprise edition.
Incorrect Answers:
B: Windows Server 2003 Web Edition supports Network Load Balancing. We don't need Windows Server 2003, Standard Edition.
C: We can use Network Load Balancing because the content will be the same on the web servers. We don't need a server cluster.
D: We can not use Network Load Balancing for the SQL servers. Network Load Balancing should only be used when you have static content.
E: We can not use Network Load Balancing for the SQL servers. Network Load Balancing should only be used when you have static content.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7:5

QUESTION NO: 6
You are a network administrator for TestKing. The network design team decides that the DNS Server service must always be available. The network design team requires that all computers on the network must always access the DNS Server service by using a single IP address. TCP/IP configurations for client computers and servers will contain a single DNS entry. The DNS Server service must be authoritative for all host (A) and service locator (SRV) resource records for the network. The DNS Server service must maintain all records in the event that there is a hardware failure of the DNS server. You need to deploy DNS on the network. You need to comply with the network design team's requirements. What should you do?
A. Deploy DNS by using the Cluster service to configure a two-node server cluster in a failover configuration.
B. Deploy DNS by using the Cluster service to configure a two-node server cluster that hosts DNS on both nodes simultaneously.
C. Deploy DNS stub zones by using Network Load Balancing.
D. Deploy multiple DNS servers that host secondary zones that are load balanced by using Network Load Balancing.
Answer: A
Explanation: We can use the Cluster service to configure a two-node server cluster in a failover configuration. Using the failover configuration, if one machine fails, the other machine will continue to run.
Incorrect Answers:
B: This configuration will not work.
C: We need a primary zone, not a stub zone. The DNS Server service must be authoritative for all host (A) and service locator (SRV) resource records for the network.
D: We need a primary zone, not secondary zones. The DNS Server service must be authoritative for all host (A) and service locator (SRV) resource records for the network.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7:5

B: Plan a high availability solution that uses Network Load Balancing. (4 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network contains two Windows Server 2003 computers named TestKingA and TestKingB. These servers host an intranet application. Currently, 40 users connect to TestKingA and 44 users connect to TestKingB. The company is adding 35 employees who will need access to the intranet application. Testing shows that each server is capable of supporting approximately 50 users without adversely affecting the performance of the application. You need to provide a solution for supporting the additional 35 employees. The solution must include providing server fault tolerance. You need to minimize the costs and administrative effort required by your solution. You add a new server named TestKingC to the network and install the intranet application on TestKingC. What else should you do?
A. Use Network Load Balancing Manager to configure TestKingA, TestKingB, and TestKingC as a Network Load Balancing cluster.
B. Use Cluster Administrator to configure TestKingA, TestKingB, and TestKingC as a three-node server cluster. Use the Majority Node Set option. Configure the cluster so that all three nodes are active.
C. Use Cluster Administrator to configure TestKingA, TestKingB, and TestKingC as a three-node server cluster. Configure the cluster so that two nodes are active and one node is a hot standby node.
D. Use DNS load balancing to utilize all three servers by using the same virtual server name.
Answer: A
Explanation: We can use Network Load Balancing to balance the load on the three web servers. Clustering allows you to combine application servers to provide a level of scaling, availability, or security that is not possible with an individual server. Network Load Balancing distributes incoming client requests among the servers in the cluster to more evenly balance the workload of each server and prevent overload on any one server.
To client computers, the Network Load Balancing cluster appears as a single server that is highly scalable and fault tolerant. The Network Load Balancing deployment process assumes that your design team has completed the design of the Network Load Balancing solution for your organization and has performed limited testing in a lab. After the design team tests the design in the lab, your deployment team implements the Network Load Balancing solution first in a pilot environment and then in your production environment. Upon completing the deployment process presented here, your Network Load Balancing solution (the Network Load Balancing cluster and the applications and services running on the cluster) will be in place. For more information about the procedures for deploying Network Load Balancing on individual servers, see the appropriate Network Load Balancing topics in Help and Support Center for Windows Server 2003.
Incorrect Answers:
B: We already have three servers. A cluster would require different hardware and would thus be more expensive.
C: We already have three servers. A cluster would require different hardware and would thus be more expensive.
D: Round Robin DNS would load balance the servers, but if one server failed, clients would still be directed to the failed server.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7:15-17

QUESTION NO: 2
You are a network administrator for TestKing. TestKing has a main office and two branch offices. The branch offices are connected to the main office by T1 lines. The network consists of three Active Directory sites, one for each office. All client computers run either Windows 2000 Professional or Windows XP Professional. Each office has a small data centre that contains domain controllers, WINS, DNS, and DHCP servers, all running Windows Server 2003. Users in all offices connect to a file server in the main office to retrieve critical files. The network team reports that the WAN connections are severely congested during peak business hours. Users report poor file server performance during peak business hours. The design team is concerned that the file server is a single point of failure. The design team requests a plan to alleviate the WAN congestion during business hours and to provide high availability for the file server. You need to provide a solution that improves file server performance during peak hours and that provides high availability for file services. You need to minimize bandwidth utilization. What should you do?
A. Purchase two high-end servers and a shared fiber-attached disk array. Implement a file server cluster in the main office by using both new servers and the shared fiber-attached disk array.
B. Implement Offline Files on the client computers in the branch offices by using Synchronization Manager. Schedule synchronization to occur during off-peak hours.
C. Implement a stand-alone Distributed File System (DFS) root in the main office. Implement copies of shared folders for the branch offices. Schedule replication of shared folders to occur during off-peak hours by using scheduled tasks.
D. Implement a domain Distributed File System (DFS) root in the main office. Implement DFS replicas for the branch offices. Schedule replication to occur during off-peak hours.
Answer: D
Explanation: A DFS root is effectively a folder containing links to shared files. A domain DFS root is stored in Active Directory. This means that users don't need to know which physical server is hosting the shared files. All they do is open a folder in Active Directory and view a list of shared folders. A DFS replica is another server hosting the same shared files. We can configure replication between the file servers to replicate the shared files out of business hours. The users in each office will access the files from a DFS replica in the user's office, rather than accessing the files over a WAN link.
Incorrect Answers:
A: This will not minimize bandwidth utilization because the users in the branch offices will still access the files over the WAN.
B: This does not provide any redundancy for the server hosting the shared files.
C: You need DFS replicas to use the replicas of the shared folders.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12:15

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. You administer a three-node Network Load Balancing cluster. Each cluster node runs Windows Server 2003 and has a single network adapter. The cluster has converged successfully. You notice that the nodes in the cluster run at almost full capacity most of the time. You want to add a fourth node to the cluster. You enable and configure Network Load Balancing on the fourth node. However, the cluster does not converge to a four-node cluster. In the System log on the existing three nodes, you find the exact same TCP/IP error event. The event has the following description: "The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 02:BF:0A:32:08:46." In the System log on the new fourth node, you find a similar TCP/IP error event with the following description: "The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 03:BF:0A:32:08:46." Only the hardware address is different in the two descriptions. You verify that IP address 10.50.8.70 is configured as the cluster IP address on all four nodes. You want to configure a four-node Network Load Balancing cluster. What should you do?
A. Configure the fourth node to use multicast mode.
B. Remove 10.50.8.70 from the Network Connections Properties of the fourth node.
C. On the fourth node, run the nlb.exe resume command.
D. On the fourth node, run the wlbs.exe reload command.
Answer: A
Explanation: This normally happens when you do not enable the Network Load Balancing (NLB) service in TCP/IP of the server, when adding two IP's (one for the server and one for the load balancing IP). When you want to manage a NLB cluster with one network adapter, you use the multicast option. Since reload/suspend and remove the IP are all garbage answers, it could be that the other nodes are using multicast, and this new node is using unicast. That is why, on a single network adapter configuration, it will cause an IP conflict.
Incorrect Answers:
B: The IP address cannot be changed, since the node has a single network adapter.
C: This command instructs a suspended cluster to resume cluster operations. Using the Resume command does not restart clustering operations but, instead, allows the use of Cluster Control commands, including those sent remotely. The Resume command can be targeted at a specific cluster, a specific cluster on a specific host, all clusters on the local machine, or all global machines that are part of the cluster.
D: The nlb.exe command replaces the wlbs.exe command previously used in Windows NT 4.0 and Windows 2000 Server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 689
http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx

QUESTION NO: 4
You are the network administrator for TestKing. TestKing's Web site is hosted at a local ISP. TestKing needs to move the Web site from the ISP to TestKing's perimeter network. The design team specifies that five servers will be needed to host the Web site. The five servers must balance the network load of requests from the Internet. The Web site must remain available in the event that up to three servers fail at the same time. Each server will have four processors and 4 GB of RAM.
Discussions with the design team and the Web developers reveal that the site can be implemented by using either shared storage or local server storage. You need to select the proper operating system to install on each server. You need to select the proper Windows Server 2003 technology to provide fault tolerance. You need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. What should you do?
A. Install Windows Server 2003, Enterprise Edition on all five servers. Connect all five servers to a shared fiber-attached disk array. Configure the five servers as a server cluster. Configure the cluster so that all five nodes are active.
B. Install Windows Server 2003, Enterprise Edition on all five servers. Connect all five servers to a shared fiber-attached disk array. Configure the five servers as a server cluster. Configure the cluster so that three nodes are active and two nodes are hot standby nodes.
C. Install Windows Server 2003, Standard Edition on all five servers. Connect all five servers by using Network Load Balancing.
D. Install Windows Server 2003, Web Edition on all five servers. Connect all five servers by using Network Load Balancing.
Answer: C
Explanation: The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. Windows 2003 Standard Edition supports up to 4 processors and 4 GB of RAM. If three servers fail, we will still have two servers serving the web site.
Incorrect Answers:
A: The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. We can use Windows 2003 Standard Edition with NLB.
B: The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. We can use Windows 2003 Standard Edition with NLB.
D: Web server edition only supports two-way symmetric multiprocessing (SMP) and 2 gigabytes (GB) of RAM.
Reference:
Overview of Windows Server 2003, Web Edition
http://www.microsoft.com/windowsserver2003/evaluation/overview/web.mspx
Overview of Windows Server 2003, Standard Edition
http://www.microsoft.com/windowsserver2003/evaluation/overview/standard.mspx
Introducing the Windows Server 2003 Family
http://www.microsoft.com/windowsserver2003/evaluation/overview/family.mspx

related bottlenecks. (5 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network contains an application server running Windows Server 2003. Users report that the application server intermittently responds slowly. When the application server is responding slowly, requests that normally take 1 second to complete take more than 30 seconds to complete. You suspect that the slow server response is because of high broadcast traffic on the network. You need to plan how to monitor the application server and to have a message generated when broadcast traffic is high. You also want to minimize the creation of false alarms when non-broadcast traffic is high. What should you do?
A. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert to trigger when the Datagrams/sec counter in the UDPv4 object is high.
B. Use System Monitor and configure it to monitor the Segments/sec counter in the TCPv4 object.
C. Use System Monitor and configure it to monitor the Datagrams/sec counter in the UDPv4 object.
D. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert to trigger when the Datagrams/sec counter in the TCPv4 object is high.
Answer: A
Explanation: Performance Logs And Alerts is an MMC snap-in that uses System Monitor's performance counters to capture information to log files over a long period of time. Although the Performance console works well when systems are actively performing poorly, when you can't wait around, you can set up triggers using the Performance console to catch bad systems in action. UDPv4 is one of the performance objects that provide network traffic monitoring capabilities. It monitors the number of User Datagram Protocol (UDP) packets the computer transmits and receives. Service applications, such as the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP), typically use UDP for client-server communications.
Incorrect Answers:
B: TCPv4 tracks the number of successful and failed Transmission Control Protocol (TCP) connections.
C: An alert needs to be configured as well, to prevent false alarms.
D: Datagrams/sec counter is found in the UDPv4 object.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 6:6

QUESTION NO: 2 DRAG DROP
You are a network administrator for TestKing. The network contains two Windows Server 2003 database servers configured as a two-node server cluster. Each cluster node has a 100-Mbit network adapter and a 10-Mbit network adapter. The 100-Mbit network adapter on each server is connected to the company network. The 10-Mbit adapters are connected to each other by an Ethernet crossover cable. Cluster communications are configured to use the crossover connection as the primary cluster network. The cluster provides mission-critical data to several hundred users at any given time, 24 hours per day. You need to be able to ascertain if the network performance ever becomes or might become a limiting performance factor. You want to be able to identify trends over time. You need to choose which network adapters and performance counters are the most important for you to monitor, and you need to choose which method of monitoring to use to detect potential saturation of the network adapters. What should you do?

Answer:
Explanation: Since each cluster node has 100-Mbit network adapters that are connected to the network, it is logical to choose them to monitor instead of the 10-Mbit network adapters. The latter is just to connect the clusters to each other by means of cross-over cable. If you need to be able to ascertain if the network performance ever becomes or might become a limiting performance factor and to be able to identify trends over time, then Packets Received/Sec, which specifies the number of packets received by the adapter each second, would be the counter to configure for monitoring purposes. This can be viewed using the Performance logs.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 6: 20

QUESTION NO: 3
Your network contains a Windows Server 2003 computer named TestKingC. TestKingC has a single CPU, 512 MB of RAM, and a single 100MB network adapter. All network users' home folders are stored on TestKingC. Users access their home folders by using a mapped network drive that connects to a shared folder on TestKingC. After several weeks, users report that accessing home folders on TestKingC is extremely slow at certain times during the day. You need to identify the resource bottleneck that is causing the poor performance. What should you do?
A. Capture a counter log by using LogicalDisk, PhysicalDisk, Processor, Memory and Network Interface performance objects and view the log data information that is captured during periods of poor performance.
B. Configure alerts on TestKingC to log entries in the event logs for the LogicalDisk, PhysicalDisk, Processor, Memory and Network Interface performance objects when the value of an object is more than 90.
C. Capture a trace log that captures Page faults, File details, Network TCP/IP, and Process creations/deletions events.
D. Implement Auditing on the folder that contains the users' home folders. Configure Network Monitor on TestKingC.
Answer: A
Explanation: The problem is most likely to be caused by a hardware bottleneck. This could be a disk problem or a problem with the processor, RAM or network card. We can monitor these hardware resources by using a System Monitor counter log. The Windows Performance tool is composed of two parts: System Monitor and Performance Logs and Alerts. With System Monitor, you can collect and view real-time data about memory, disk, processor, network, and other activity in graph, histogram, or report form. The output from the counter log will show us which hardware resource is unable to cope with the load and needs to be upgraded or replaced.
Incorrect Answers:
B: We cannot use a generic value of 90 for the different hardware resources because different hardware resources have different acceptable performance counters.
C: We need to monitor the hardware resources listed in answer A, not the software resources listed in this answer.
D: The problem is most likely to be caused by a hardware bottleneck. Auditing and network monitoring won't give us any useful information about the hardware.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6: 25-28

QUESTION NO: 4
You are a network administrator for TestKing. The network contains a Windows Server 2003 application server named TestKingSrv. TestKingSrv has one processor. TestKingSrv has been running for several weeks.

You add a new application to TestKingSrv. Users now report intermittent poor performance on TestKingSrv. You configure System Monitor and track the performance of TestKingSrv for two hours. You obtain the performance metrics that are summarized in the exhibit. The values of the performance metrics are consistent over time. You need to identify the bottleneck on TestKingSrv and upgrade the necessary component. You need to minimize hardware upgrades. What should you do?
A. Install a faster CPU in TestKingSrv.
B. Add more RAM to TestKingSrv.
C. Add additional disks and spread the disk I/O over the new disks.
D. Increase the size of the paging file.
Answer: C
Explanation: Physical Disk % Disk Time threshold is 90 percent and the performance metrics values give a percentage of 93.610. This means that the disk is not being read quickly enough, which could be a hardware issue, and it could also be that the amount of data on the disk is too large.
Incorrect Answers:
A: The CPU is operating below its threshold.
B, D: The values for these could be a result of the Physical Disk % Disk Time exceeding its threshold.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6: 25-28

QUESTION NO: 5
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains an application server running Windows Server 2003. Users report intermittent slow performance when they access the application server throughout the day. You find out that the network interface on the application server is being heavily used during the periods of slow performance. You suspect that a single computer is causing the problem. You need to create a plan to identify the problem computer. What should you do?
A. Monitor the performance monitor counters on the application server by using System Monitor.
B. Monitor the network traffic on the application server by using Network Monitor.
C. Monitor network statistics on the application server by using Task Manager.
D. Run network diagnostics on the application server by using Network Diagnostics.
Answer: B
Explanation: Network Monitor Capture Utility (Netcap.exe) is a command-line Support Tool that allows a system administrator to monitor network packets and save the information to a capture (.cap) file. You can use information gathered by using Network Monitor Capture Utility to analyze network use patterns and diagnose specific network problems. This command-line tool allows a system administrator to monitor packets on a LAN and write the information to a log file. NetCap uses the Network Monitor Driver to sniff packets on local network segments. Network Monitor captures network traffic information and gives detailed information about the frames being sent and received. This tool can help you analyze complex patterns of network traffic. Network Monitor can help you view the header information included in HTTP and FTP requests. Generally, you need to design a capture filter, which functions like a database query and singles out a subset of the frames being transmitted. You can also use a capture trigger that responds to events on your network by initiating an action, such as starting an executable file. An abbreviated version of Network Monitor is included with members of the Windows Server 2003 family. A complete version of Network Monitor is included with Microsoft Systems Management Server.
Incorrect Answers:
A: System Monitor allows you to monitor real-time performance statistics.
C: Task Manager is used to view real-time performance data surrounding processes and applications.
D: Network Diagnostics is a graphical troubleshooting tool, built into the Windows Server 2003 interface, that provides detailed information about a local computer's networking configuration.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6: 7-12
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 3, and 6.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, Chapter 12.

Part 3: Implement a cluster server. (4 questions)

QUESTION NO: 1
You are a network administrator for TestKing. You install Windows Server 2003 on two servers named Testking1 and Testking2. You configure Testking1 and Testking2 as a two-node server cluster. The cluster has three managed drives assigned the letters Q, R, and S. The quorum resource is located in drive Q. You create a WINS group and configure WINS on the cluster. You create a File Server group and configure file sharing on the cluster by using a shared folder that you create on drive R. File sharing and WINS are both running on Testking1. You move the WINS group to Testking2. The file share service fails on Testking1. When you attempt to bring it back online, the file share resource will not start on Testking1. You move the WINS group back to Testking1. The file share service will not come back online. You need to configure the cluster so that each application can be moved or can fail over independently, without affecting the other application. What should you do?
A. Modify the Preferred owners list for the WINS group so that only Testking2 is in the list.
B. Modify the Preferred owners list for the File Server group so that only Testking2 is in the list.
C. Configure both the WINS group and the File Server group to allow failback immediately.
D. Reconfigure the File Server group File Share resource to use a shared folder on drive S.
Answer: B
Explanation: A cluster is a group of two or more servers dedicated to running a specific application (or applications) and connected to provide fault tolerance and load balancing. Clustering is intended for organizations running applications that must be available, making any server downtime unacceptable. In a server cluster, each computer is running the same critical applications, so that if one server fails, the others detect the failure and take over at a moment's notice. This is called failover. When the failed node returns to service, the other nodes take notice and the cluster begins to use the recovered node again. This is called failback. The order of failover is defined by the order the nodes appear in the Preferred Owner list. The default node for the application is listed first. A failover will attempt to move the cluster group to each node on the list, in order, until the group successfully starts. Thus if you modify the Preferred Owners list for the File Server group to make TestKing2 the only entry in the list then failover can be independent without affecting the other application.
Incorrect answers:
A: The modification to the Preferred owners list should be for the File Server group and not the WINS group.
C: Allowing failover by both groups will affect all applications and failover is thus not independent.
D: Making use of a shared folder to make sure that the application is still available is not providing failover in the real sense. In fact the shared folder will also be affected in case of node failure.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 227
http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfde-ff731e3c1f96/GDClusters.doc

QUESTION NO: 2
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 two-node server cluster. The security team states that the password for the cluster service account must be changed because one of the administrators has left the company. You fill out the necessary change control paperwork. You need to provide the process for changing the password in the change control form. You need to change the password for the cluster service account by using the minimum amount of administrative effort. What should you do?
A. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on one node, and restart the node. After the first node comes back online, change the cluster service account password on the second node, and restart the node.
B. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on both nodes, and restart the first node. After the first node comes back online, restart the second node.
C. Run Dsmod.exe with the change password option.
D. Run Cluster.exe with the change password option.
E. Run SC.exe with the change password option.
Answer: D
Explanation: Cluster.exe is the command-line utility you can use to create or administer a server cluster. It has all of the capabilities of the Cluster Administrator graphical utility and more. Cluster.exe has numerous options. The following are some of the tasks that are impossible to do with Cluster Administrator or are easier to perform with Cluster.exe:
1. Changing the password on the cluster service account
2. Creating a server cluster or adding a node to a server cluster from a script
3. Creating a server cluster as part of an unattended setup of Windows Server 2003
4. Performing operations on multiple server clusters at the same time
It is for this reason that A and B are incorrect.
Incorrect Answers:
A, B: There is no need to change the cluster service account password in Active Directory Users and Computers when all that is necessary is to run cluster.exe with the change password option.
C: Dsmod.exe allows the properties of directory services objects to be changed but it will not change the password that the cluster is configured to use.
E: SC.exe starts and stops and manages Win32 services.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp. 670-68

QUESTION NO: 3
You are a network administrator for TestKing. You install Windows Server 2003 on two servers named TestKing1 and TestKing2. You configure TestKing1 and TestKing2 as a two-node cluster. You configure a custom application on the cluster by using the Generic Application resource, and you put all resources in the Application group. You test the cluster and verify that it fails over properly and that you can move the Application group from one node to the other and back again. The application and the cluster run successfully for several weeks. Users then report that they cannot access the application. You investigate and discover that TestKing1 and TestKing2 are running but the Application group is in a failed state. You restart the Cluster service and attempt to bring the Application group online on TestKing1. The Application group fails. You discover that TestKing1 fails, restarts automatically, and fails again soon after restarting. TestKing1 continues to fail and restart until the Application group reports that it is in a failed state and stops attempting to bring itself back online.

You need to con$igure the )##lication grou# to remain on TestBing2 "hile you research the #roblem on TestBing< !hat should you do% A. 'n Test@ing2, configure the failo%er threshold to ". 1. 'n Test@ing2, configure the failo%er period to ". .. Remo%e Test@ing1 from the 5ossible owners list. D. Remo%e Test@ing1 from the 5referred owners list. )ns"er: ' E3#lanation: !e do not "ant the a##lication grou# to mo/e to TestBing< > "e "ant the a##lication grou# to remain on TestBing2 !e can do this by remo/ing TestBing< $rom the #ossible o"ners list Incorrect )ns"ers: )* +: The 6uestion states that failo%er occurred properl . D: The order of failo%er is defined b the order the nodes appear in the 5referred 'wner list. The default node for the application is listed first. A failo%er will attempt to mo%e the cluster group to each node on the list, in order, until the group successfull starts. Thus ou should not remo%e Test@ing1 from the preferred owners list. De$erence: .raig Rac/er, M.$3 $elf25aced Training @it *3Bam G"22=3+9 5lanning and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, p. G9 22G http9HHdownload.microsoft.comHdownloadHGH;HfHG;f3db2f2;f-32-;2-2bfde2ffG31e3c1f=;HCD.lusters.doc ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1>G 2 QUESTION NO: 4 DD)- DDO. 
You are a net"or0 administrator $or TestBing com The net"or0 contains $our !indo"s Ser/er 2==, com#uters con$igured as a $our>node ser/er cluster The cluster uses dri/e Q $or the quorum resource You recei/e a critical "arning that both dri/es o$ the mirrored /olume that are dedicated to the quorum dis0 ha/e $ailed You "ant to bring the cluster and all nodes bac0 into o#eration as soon as #ossible !hich $our actions should you ta0e to achie/e this goal% To ans"er* drag the action that you should #er$orm $irst to the Eirst )ction bo3 'ontinue dragging actions to the corres#onding numbered bo3es until you list all $our required actions in the correct order ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1>> 2 )ns"er: E3#lanation: ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1>= 2 To reco%er from a corrupted 6uorum log or 6uorum dis/, proceed as follows9 1. &f the .luster ser%ice is running, open .omputer Management. 2. &n the console tree, double2clic/ $er%ices and Applications, and then clic/ $er%ices. 3. &n the details pane, clic/ .luster $er%ice. -. 'n the Action menu, clic/ $top. F. Repeat steps 1, 2, 3, and - for all nodes. ;. &f ou ha%e a bac/up of the 6uorum log, restore the log b following the instructions in 81ac/ing up and restoring ser%er clusters8 in Related Topics. G. &f ou do not ha%e a bac/up, select an gi%en node. Ma/e sure that .luster $er%ice is highlighted in the details pane, and then on the Action menu, clic/ 5roperties. ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1=" 2 >. Under $er%ice status, in $tart parameters, specif HfiB6uorum, and then clic/ $tart. =. $witch from the problematic 6uorum dis/ to another 6uorum resource. 
1". (or more information, see 8To use a different dis/ for the 6uorum resource8 in Related Topics. 11. &n .luster Administrator, bring the new 6uorum resource dis/ online. 12. (or information on how to do this, see 8To bring a resource online8 in Related Topics. 13. Run .h/ds/, using the switches Hf and Hr, on the 6uorum resource dis/ to determine whether the dis/ is corrupted. 1-. (or more information on running .h/ds/, see 8.h/ds/8 in Related Topics. 1F. &f no corruption is detected on the dis/, it is li/el that the log was corrupted. 5roceed to step 12. 1;. &f corruption is detected, chec/ the $ stem 4og in 3%ent ?iewer for possible

hardware errors. 1G. Resol%e an hardware errors before continuing. 1>. $top the .luster ser%ice after .h/ds/ is complete, following the instructions in steps 1 2 -. 1=. Ma/e sure that .luster $er%ice is highlighted in the details pane. 'n the Action menu, clic/ 5roperties. 2". Under $er%ice status, in $tart parameters, specif Hreset6uorumlog, and then clic/ $tart. 21. This restores the 6uorum log from the nodeKs local database. Im#ortant The .luster ser%ice must be started b clic/ing $tart on the ser%ice control panel. Iou cannot clic/ '@ or Appl to commit these changes as this does not preser%e the Hreset6uorumlog parameter. 1. Restart the .luster ser%ice on all other nodes. De$erence: .raig Rac/er, M.$3 $elf25aced Training @it *3Bam G"22=3+9 5lanning and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, p. G9 3> 5art -9 Manage ,etwor/ 4oad 1alancing. Tools might include the ,etwor/ 4oad 1alancing Monitor Microsoft Management .onsole *MM.+ snap2in and the !41$ cluster control utilit . *- 6uestions+ QUESTION NO: < ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1=1 2 You are a net"or0 administrator $or TestBing You install an intranet a##lication on three !indo"s Ser/er 2==, com#uters You con$igure the ser/ers as a Net"or0 Aoad +alancing cluster You con$igure each ser/er "ith t"o net"or0 ada#ters One net"or0 ada#ter #ro/ides client com#uters access to the ser/ers The second net"or0 ada#ter is $or cluster communications 'luster communications are on a se#arate net"or0 segment The net"or0 team "ants to reduce the clusterJs /ulnerability to attac0 These ser/ers need to be highly a/ailable The net"or0 team decides that the Net"or0 Aoad +alancing cluster needs to $ilter I. 
#orts The team "ants the cluster to allo" only the #orts that are required $or the intranet a##lication You need to im#lement $iltering so that only the intranet a##lication #orts are a/ailable on the cluster You need to achie/e this goal by using the minimum amount o$ administrati/e e$$ort !hat should you do% A. Use ,etwor/ 4oad 1alancing Manager to configure port rules. Allow onl the intranet application ports on the cluster &5 address. 1. Use T.5H&5 filtering on each ser%er. .onfigure onl the intranet application ports on the networ/ adapter that pro%ides client computers access to the ser%ers. .. Use T.5H&5 filtering on each ser%er. .onfigure onl the intranet application ports on both of the networ/ adapters. D. .onfigure Routing and Remote Access on each ser%er. Use Routing and Remote Access input filters to allow onl the intranet application ports on the networ/ adapter that pro%ides client computers access to the ser%ers. )ns"er: ) E3#lanation: The .ort Dule tab* in the NA+ .ro#erties sheet* lets you s#eci$y the .ort Dules used $or your NA+ cluster These settings enable you to control ho" your NA+ cluster "ill $unction under load &5 address filtering is useful for protecting part of a pri%ate networ/ from users on the other parts. Iou can create filters that gi%e onl certain computers access to the protected 4A,, while pre%enting all others from accessing it. Incorrect ans"ers: +* '9 This is not a T.5H&5 filtering matter. D ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1=2 2 9 There is no need to configure Routing and Remote Access input filters and the li/es and described int his option. De$erence: .raig Rac/er, M.$3 $elf25aced Training @it *3Bam G"22=3+9 5lanning and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, .hapter 12. 
QUESTION NO: 2 You are the net"or0 administrator $or TestBing The net"or0 consists o$ a single )cti/e Directory domain test0ing com )ll com#uters on the net"or0 are members

o$ the domain You administer a Net"or0 Aoad +alancing cluster that consists o$ three nodes Each node runs !indo"s Ser/er 2==, and contains a single net"or0 ada#ter The Net"or0 Aoad +alancing cluster can run only in unicast mode The Net"or0 Aoad +alancing cluster has con/erged success$ully To increase the utili1ation o$ the cluster* you decide to mo/e a #articular a##lication to each node o$ the cluster Eor this a##lication to run* you must add a Net"or0 Aoad +alancing #ort rule to the nodes o$ the cluster You start Net"or0 Aoad +alancing ?anager on the second node o$ the cluster :o"e/er* Net"or0 Aoad +alancing ?anager dis#lays a message that it cannot communicate "ith the other t"o nodes o$ the cluster You "ant to add the #ort rule to the nodes o$ the cluster !hat should you do% A. Use ,etwor/ 4oad 1alancing Manager on the ,etwor/ 4oad 1alancing default host to add the port rule. 1. .hange the host priorit of the second node to be the highest in the cluster, and then use ,etwor/ 4oad 1alancing Manager to add the port rule. .. Run the nlb.eBe drain command on each node, and then use ,etwor/ 4oad 1alancing Manager to add the port rule. D. Add the port rule through ,etwor/ .onnections 5roperties on each node. 
)ns"er: D ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1=3 2 E3#lanation: Net"or0 Aoad +alancing ?anager is the #re$erred method* but since it cannot communicate "ith the other t"o nodes o$ the cluster you can also o#en the Net"or0 Aoad +alancing .ro#erties dialog bo3 through the Net"or0 'onnections tool I$ you use the Net"or0 'onnections tool* you must ma0e the same con$iguration changes on e/ery cluster host Using both Net"or0 Aoad +alancing ?anager and the Net"or0 'onnections tool together to change Net"or0 Aoad +alancing #ro#erties may create un#redictable results The parameters that are set in the ,etwor/ 4oad 1alancing 5roperties dialog boB are recorded in the registr on each host. .hanges to ,etwor/ 4oad 1alancing parameters are applied when ou clic/ '@ in the,etwor/ 4oad 1alancing 5roperties dialog boB. .lic/ing '@ stops ,etwor/ 4oad 1alancing *if it is running+, reloads the parameters, and then restarts cluster operations. Incorrect )ns"ers: )* +* ': The 6uestion states that the ,etwor/ 4oad 1alancing Manager9 8cannot communicate with the other two nodes of the cluster8. De$erence: .raig Rac/er, M.$3 $elf25aced Training @it *3Bam G"22=3+9 5lanning and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. 
G9 2122F QUESTION NO: , You are the net"or0 administrator $or TestBing The net"or0 consists o$ a single )cti/e Directory domain test0ing com )ll com#uters on the net"or0 are members o$ the domain You administer a $our>node Net"or0 Aoad +alancing cluster )ll nodes run !indo"s Ser/er 2==, The cluster has con/erged success$ully You use Net"or0 Aoad +alancing ?anager on the de$ault host to con$igure all nodes o$ the cluster The nodes ha/e a single net"or0 ada#ter and are connected to the same s"itching hub de/ice )dministrators o$ non>cluster ser/ers that are connected to the same s"itching hub de/ice re#ort that their ser/ers recei/e tra$$ic that is destined $or the cluster nodes Decei/ing this additional net"or0 tra$$ic im#airs the net"or0 #er$ormance o$ the non>cluster ser/ers ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1=- 2 You need to ensure that tra$$ic destined $or only the cluster nodes is not sent to all #orts o$ the s"itching hub de/ice You do not "ant to mo/e the cluster to another s"itching hub de/ice !hat should you do% A. 'n the node, run the nlb.eBe reload command. 1. 'n each node, run the wlbs.eBe drainstop command. .. Use ,etwor/ 4oad 1alancing Manager to enable &nternet Croup Management 5rotocol *&CM5+ support on the cluster. D. Use ,etwor/ 4oad 1alancing Manager to add a second cluster &5 address. )ns"er: ' E3#lanation: I$ you enable I-?. ?ulticast* NA+ attem#ts to #re/ent s"itch

$looding by limiting multicast tra$$ic to only those #orts on a s"itch that ha/e a NA+>bound net"or0 ada#ter connected to them So* "hen you use I-?. ?ulticast* tra$$ic is designed to $lo" only to those s"itch #orts connected to NA+ cluster hosts* thus #re/enting all other s"itch #orts $rom being $looded by the multicast tra$$ic Incorrect )ns"ers: ): The nlb.eBe reload command instructs ,41 to reload the current parameter set from the Registr . &f re6uired to complete the process, cluster operations are stopped and subse6uentl restarted. An errors that eBist within the parameters pre%ent the host from )oining the cluster and also cause a warning dialog boB to be displa ed. +: The nlb.eBe command replaces the wlbs.eBe command pre%iousl used in !indows ,T -." and !indows 2""" $er%er. ': Iou use the ,etwor/ 4oad 1alancing Manager application in !indows $er%er 2""3 to create, manage, and monitor ,41 clusters. De$erence: .raig Rac/er, M.$3 $elf25aced Training @it *3Bam G"22=3+9 5lanning and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, p. G9 23 QUESTION NO: 4 ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1=F 2 You are the net"or0 administrator $or TestBing com )ll ser/ers run !indo"s Ser/er 2==, The net"or0 contains t"o !eb ser/ers named Test0ing< and Test0ing2 and three a##lication ser/ers named Test0ing,* Test0ing4* and Test0ing5 )ll $i/e ser/ers ha/e similar hard"are The ser/ers are con$igured as Net"or0 Aoad +alancing clusters* as sho"n in the e3hibit ) !eb ser/ices a##lication hosted on Test0ing< and Test0ing2 communicates to a##lication com#onents hosted on Test0ing,* Test0ing4 and Test0ing5 by using the I. 
address 10.1.20.11. The application is designed to be stateless. The Network Load Balancing settings for each server are listed in the following table.

Host | Filtering mode | Host priority | Affinity | Load
Testking1 | Multiple | 1 | Single | Equal
Testking2 | Multiple | 2 | Single | Equal
Testking3 | Multiple | 1 | Single | Equal
Testking4 | Multiple | 2 | Single | Equal
Testking5 | Multiple | 3 | Single | Equal

Users report that response time to the Web services application is slow. You investigate the performance of each server and observe the information listed in the following table.

Host | Average % of CPU in use | Average % of RAM in use
Testking1 | 75 | 80
Testking2 | 65 | 75
Testking3 | 98 | 90
Testking4 | 2 | 20
Testking5 | 2 | 20

You need to improve the response time of the application. What should you do?

A. Modify the Web services application to access the components on the application servers by using the IP address 10.1.10.11.
B. Modify the Network Load Balancing host priorities for Testking3 and Testking5 by 1.
C. Modify the Network Load Balancing host priority for Testking2 to be 1.
D. Modify the Network Load Balancing affinity setting for Testking3, Testking4, and Testking5 to be None.
E. Modify the Network Load Balancing affinity setting for Testking1 and Testking2 to be None.

Answer: D

Explanation: In simple terms, affinity is the attraction one item feels for another item. Selecting None specifies that NLB doesn't need to direct multiple requests from the same client to the same NLB host, thereby splitting the load and improving response times and reliability.

Incorrect Answers:
A: The communication link is not the problem, as Testking3, 4 and 5 are receiving communication. It is the fact that Testking3 is overworked compared to Testking4 and 5.
B, C: Each host within the NLB cluster must have a unique priority number configured.
D: The load between Testking1 and 2 is balanced.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 27

Part 5: Plan a backup and recovery strategy.
A: Identify appropriate backup types. Methods include full, incremental, and differential. (6 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The design team provides you with the following list of requirements for server disaster recovery:
1. No more than two sets of tapes can be used to restore to the previous day.
2. A full backup of each server must be stored off-site.
3. A full backup of each server that is no more than one week old must be available on-site.
4. Backups must never run during business hours.
5. Tapes may be recalled from off-site storage only if the on-site tapes are corrupted or damaged.
A full backup of all servers requires approximately 24 hours. Backing up all files that change during one week requires approximately 4 hours. Business hours for TestKing are Monday through Friday from 6:00 A.M. to 10:00 P.M.
You need to provide a backup rotation plan that meets the design team's requirements. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Perform a full normal backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.
B. Perform a full normal backup for on-site storage on Friday night after business hours. Perform another full normal backup for off-site storage on Saturday night after the Friday backup is complete.
C. Perform a full copy backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.
D. Perform differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.
E. Perform incremental backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.
F. Perform incremental backups on Sunday, Tuesday, and Thursday nights after business hours. Perform differential backups on Monday and Wednesday nights after business hours.

Answer: A, D

Explanation: If you begin with a full backup over the weekend, it might make sense to perform differential backups on Monday and Tuesday. By later in the week, the quantity of changes may be such that a differential backup cannot be performed overnight. An incremental backup on Wednesday will likely solve the problem, with differential backups continuing after that. Using this system, the restore times are still minimized, because the maximum restoration would involve tapes from the full, incremental, and one differential backup. If a failure occurred before Wednesday, it may take tapes from only the full and, possibly, a differential backup to restore the system.

Incorrect Answers:
B: Full normal backup, backs up all files and sets the archive bit as marked for each file that is backed up. Requires only one tape set for the restore process.
C: With a full backup, everything that is backed up has the file system archive bit reset (cleared). This allows the incremental and differential backup types to determine if the file needs to be backed up. If the bit is still clear, the other backup types know that the data has not changed. If the bit is set, the data has changed, and the file needs to be backed up.
E: Requires the last normal backup set and all of the incremental tapes that have been created since the last normal backup for the restore process.
F: Backs up only the files that have not been marked as archived and does not set the archive bit for each file that is backed up. Requires both the last normal backup, and the

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 881.

QUESTION NO: 2
You are a network administrator for TestKing. The company has a main office and one branch office. The network consists of a single Active Directory domain named testking.com. The network contains three Windows Server 2003 domain controllers: TestKing1, TestKing2, and TestKing4. You configure two Active Directory sites, one for the main office and one for the branch office. The network is shown in the exhibit.
The domain controllers are backed up each night by using a normal backup that also captures the system state.
You are responsible for creating a domain controller recovery plan to be used if a domain controller fails in either office. The design team specifies that the domain controller recovery plan must minimize replication traffic across the link between the network in the main office and the network in the branch office. The plan must also minimize restoration time. You need to include in your recovery plan the process for restoring Active Directory services if any of the domain controllers suffers a hardware failure. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Restore the system state of any domain controller to an available member server in the same network subnet.
B. Perform an authoritative restore operation on a functioning domain controller.
C. On an available member server in the same network subnet as the failed domain controller, run the dcpromo /adv command and select the Over the network option.
D. On an available member server in the same network subnet as the failed domain controller, run the dcpromo /adv command and select the From these restored backup files option.

Answer: A, D

Explanation: For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, and then restore it to the new domain controller by using the Restore to: Alternate location option. In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote a member server to a domain controller.

Incorrect Answers:
B: We do not want to authoritatively restore the data. There is also no need to restore anything to a functioning domain controller.
C: The Over the network option is incomplete.
The full option is Over the network from a domain controller. We want to create a domain controller from the restored files.

References: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27

QUESTION NO: 3

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. You are responsible for planning the backup and recovery of all servers and services for TestKing. A Windows Server 2003 computer named TestKing4 runs the enterprise root certification authority (CA). No subordinate CAs are installed on the network. You need to create a plan to back up and restore the CA database. Your plan must ensure that the database and log files can be completely recovered in the event that the database is corrupted. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. On TestKing4, use the Certificates console to export all Trusted Root Certification Authorities certificates. On TestKing4, use the Certificates console to import the certificates to the Trusted Root Certification Authorities node.
B. On TestKing4, run the certreq command with the -submit option. On TestKing4, run the certreq command with the -retrieve option.
C. On TestKing4, use the Certification Authority snap-in to back up the CA. On TestKing4, use the Certification Authority snap-in to restore the CA.
D. On TestKing4, run the certutil command with the -backup option. On TestKing4, run the certutil command with the -restore option.

Answer: C, D

Explanation:
C: Certificate needs are based upon which applications and communications an organization uses and how secure they need to be. Based on these needs, CAs are created by installing certificate services and are managed using the Certification Authority snap-in. The options on the Certificate Managers Restrictions tab enable you to grant or deny each administrator's capability to manage users, groups, and computers.
Renewing the CA's certificate is a capability given only to the CA administrator with Manage CA permission. The Certification Authority snap-in is available only for the CA.
D: You can back up and restore the database and keys with the certutil command line utility:
certutil
-backupDB -- Backup Certificate Services database
-backupKey -- Backup Certificate Services certificate and private key
-restore -- Restore Certificate Services
-restoreDB -- Restore Certificate Services database
-restoreKey -- Restore Certificate Services certificate and private key

Incorrect answers:
A: The Certificates console is responsible for certificate revocation lists and the like and not for backing up and restoring corrupted CA data.
B: Making use of these commands with the -submit and -retrieve options will not ensure that your database and the log files can be completely recovered in the event of CA-data corruption.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 908
Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, p. 18: 7

QUESTION NO: 4
You are a network administrator for TestKing. You administer a file server named TestKingSrvC. The file server stores all data files on a logical volume. You perform a full normal backup of the file server every Saturday. You perform a differential backup of the file server each day on Sunday through Friday. You perform a copy backup of the file server every Wednesday after the differential backup is complete. The copy backup is sent to an off-site facility that requires two hours for tape delivery. The logical volume fails on Friday morning.
You need to restore the data that was stored on the failed volume. You need to minimize the loss of data and the time required to perform the restoration. What should you do?

A. Restore the tapes from the copy backup that was performed on Wednesday and from the differential backup that was performed on Thursday.
B. Restore the tapes from the normal backup that was performed on Saturday and from the differential backup that was performed on Thursday.
C. Restore the tapes from the normal backup that was performed on Saturday and from the differential backups that were performed on Monday through Thursday.
D. Restore the tapes from the normal backup that was performed on Saturday, from the copy backup that was performed on Wednesday, and from the differential backup that was performed on Thursday.

Answer: B

Explanation: A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations. A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup. The logical volume fails on Friday morning. The most recent backup of all the files was Wednesday's copy backup. However, if we restored this, we would lose any new or changed data between the copy backup and Friday morning. The correct answer is to restore the normal backup that was performed on Saturday and the differential backup that was performed on Thursday. This would ensure that the restored files will be up to date as of Thursday.

Incorrect Answers:
A: This would work but the copy backup is offsite. It's quicker to use Saturday's full backup.
C: This is more than necessary. We only need the last differential backup with the full backup.
D: This is more than necessary.
We only need the last differential backup with the full backup.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, pp. 596-597

QUESTION NO: 5
You are a network administrator for TestKing. You install Windows Server 2003 on a server named TestKingA. You install a production application on TestKingA. You create a shared folder named ProdData on TestKingA to support the needs of the production application. All critical data files for the application are stored in the ProdData shared folder on TestKingA. You install Windows Server 2003 on another server named TestKingB. You create a shared folder on TestKingB named ProdDataBackup. The production application keeps many data files open. All the files in the ProdData folder must be backed up during each shift change. You are not allowed to stop and restart the production application without special approval. You need to provide a backup solution for the critical files in ProdData on TestKingA. Your solution must not affect the production application. What should you do?

A. On TestKingA, use the Backup or Restore Wizard to select the ProdData folder. Type \\TestKingB\ProdDataBackUp for the backup destination, and use the advanced backup options to select the Disable volume shadow copy check box.
B. On TestKingB, use the Backup or Restore Wizard to select the ProdData folder. Type \\TestKingA\ProdData for the backup destination, and use the advanced backup options to select the Disable volume shadow copy check box.
C. On TestKingA, use the Backup or Restore Wizard to select the ProdData folder.
Type \\TestKingB\ProdDataBackUp for the backup destination.
D. On TestKingA, use the Backup or Restore Wizard to select the ProdData folder. Type \\TestKingA\ProdData for the backup destination.

Answer: C

Explanation: To back up open files, the backup needs to be configured to use Shadow Copies. This is the default behaviour for the Windows Server 2003 backup program. Therefore, we just need to configure the backup program to back up the files to \\TestKingB\ProdDataBackUp.

Incorrect Answers:
A: We need to use Shadow Copies. This is enabled by default. We should not select the Disable volume shadow copy check box.
B: We need to use Shadow Copies. This is enabled by default. We should not select the Disable volume shadow copy check box.
D: \\TestKingA\ProdData is the wrong backup destination.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 602

QUESTION NO: 6
You are a network administrator for TestKing. The design team provides you with the following list of requirements for server disaster recovery:
1. No more than two sets of tapes can be used to restore to the previous day.
2. A full backup of each server must be stored off-site.
3. A full backup of each server that is no more than one week old must be available on-site.
4. Backups must never run during business hours.
5. Tapes may be recalled from off-site storage only if the on-site tapes are corrupted or damaged.
A full backup of all servers requires approximately 24 hours. Backing up all files that change during one week requires approximately 4 hours. Business hours for the company are Monday through Friday, from 6:00 A.M. to 10:00 P.M.
You need to provide a backup rotation plan that meets the design team's requirements. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Perform a full normal backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.
B. Perform a full normal backup for on-site storage on Friday night after business hours.
Perform another full normal backup for off-site storage on Saturday after the Friday backup is complete.
C. Perform a full copy backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.
D. Perform differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.
E. Perform incremental backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.
F. Perform incremental backups on Sunday, Tuesday, and Thursday nights after business hours. Perform differential backups on Monday and Wednesday nights after business hours.

Answer: A, D

Explanation: A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations. A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup. A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.
Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method. We do a normal backup on Friday, and the archive bit is cleared. We do a copy backup on Saturday and the archive bit is not cleared. We do a differential backup on Sunday, Monday, Tuesday, Wednesday, and Thursday. This way, we just need two tapes to restore, the full backup and the last differential backup.

Incorrect Answers:
B: With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. However, in this way as suggested by this option, two tapes might be too few and it will not comply with the requirements as set out by the company.
C: With two full copy backups the archive attribute is not cleared and you will end up using more than two tapes this way.
E: An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). This will not enable you to run a full restoration when necessary even though you would be using fewer tapes than most of the other types of backup.
F: Since a differential backup copies files that have been created or changed since the last of the company.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, pp. 596-597

B: Plan a backup strategy that uses volume shadow copy.
(3 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network contains a Windows Server 2003 computer named Testking1. You install a custom mission-critical application on Testking1 for the shipping department. You install the application on drive D of Testking1. You configure the application database on drive D, and you configure the application database log files on drive E of Testking1. After running successfully for six days, the custom application fails. You investigate and find out that drive E is almost completely filled with the application's log files. The application's backup program is not properly deleting log files. Security requirements do not allow log files to be deleted unless the database on Testking1 has been backed up. You can keep the application running by manually backing up the application database and then deleting the log files. You need an automated process to keep the application running until a long-term solution can be provided. Because of the size of the database, you need to minimize the number of backups performed.
What should you do?

A. Create a script that backs up the database and then deletes the log files. Configure an alert on Testking1 to run the script when there is less than 20 percent of free space on drive E.
B. Create a script that backs up the database and deletes the log files. Configure an event trigger on Testking1 to run the script when drive D has 20 percent free space.
C. Create a script that backs up the log files and then deletes the log files. Configure a scheduled task to run the script on Testking1 each night.
D. Create a script that backs up the database and then deletes the log files. Configure a scheduled task to run the script on Testking1 each night.
Answer: A

Explanation: Set an alert on a counter with options to send an administrative message, an application is executed, or a log is started when the configured threshold on the counter is breached.

Incorrect Answers:
B: The log files are located on drive E.
C: Security requirements state that the database has to be backed up, not the log files.
D: The question requires you to minimize the number of backups performed, and this option will not.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 602

QUESTION NO: 2
You are a network administrator for TestKing. All client computers run Windows XP Professional. You administer a Windows Server 2003 file server named TestKingSrvC. TestKingSrvC contains two volumes configured as drive G and Drive H. Shared folders for the accounting department are stored on drive G. Shared folders for the marketing department are stored on drive G and on drive H. Drive H has sufficient space to store all of the shared folders with 400 GB of free space.
The design team specifies the following requirements for the files in the marketing shared folders on TestKingSrvC:
1. The files must be backed up, even if they are open.
2. Backups can be performed during business hours, if required.
3. Users must be able to restore the files.
You need to create a plan that will allow the backup and recovery of folders and files in accordance with the requirements. You need to minimize data loss. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Customize all shared folders by using the Documents template.
B. Place all marketing shared folders on drive H. Enable Shadow Copies of Shared Folders on the volume.
C. Configure all backups by selecting the Disable volume shadow copy check box.
D. Install the Previous Versions client software on all marketing client computers.
E. Assign all users the Allow - Full Control NTFS permissions for the marketing shared folders.

Answer: B, D

Explanation: The question states that drive H has sufficient space to hold all the files, and will have enough space left over to hold shadow copies of the files. The client computers will need the previous versions client software to access the previous versions of the files. The client software for Shadow Copies of Shared Folders is installed on the server in the \\%systemroot%\system32\clients\twclient directory. before deployment. There are several tools included in the Windows Server 2003 family, such as Group Policy, that can make deploying and maintaining the clients' software easier.
If you accidentally delete a file, you can open a previous version and copy it to a safe location.
Recover from accidentally overwriting a file: If you accidentally overwrite a file, you can recover a previous version of the file.
Compare versions of file while working: You can use previous versions when you want to check what has changed between two versions of a file.

Incorrect Answers:
A: This is not necessary.
C: This option should be enabled, not disabled, in order to back up the open files.
E: It is not necessary to change the permissions on the marketing shared folders.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 602

QUESTION NO: 3
You are a network administrator for TestKing. All client computers on the network run Windows XP Professional. You administer a Windows Server 2003 file server named TestKingB. On TestKingB, you create a shared folder named SharedDocs. SharedDocs contains data files. All client computers connect to the shared folder by using a mapped drive connected to \\TestKingB\SharedDocs. TestKingB is configured to support volume shadow copies. You install the Previous Versions client software on all client computers. You perform a full normal backup of TestKingB every day, seven days per week. You need to document the recovery process to be used if a user accidentally deletes a file from SharedDocs. The process must allow you to recover the file as quickly as possible and to minimize data loss. Which process should you use?

A. On TestKingB, restore the file from the normal backup that was performed on the day before the file was deleted.
Use the advanced restore options to select the Replace existing files check box.
B. On TestKingB, restore the file from the normal backup that was performed on the day before the file was deleted. Use the advanced restore options to select the Preserve existing volume mount points check box.
C. Run the volume shadow copy command-line tool to list all shadow copies. Instruct the user to open the mapped drive and use the folder view options to expose hidden files.
D. Instruct the user to open the mapped drive and navigate to the folder from which the file was deleted. In the properties for the shared folder, select the Previous Versions tab. View the most recent version and navigate until the file is located. Restore the file by copying it to its new location.

Answer: D

Explanation: Although shadow copies are taken for an entire volume, users must use shared folders to access shadow copies. Administrators on the local server must also specify the \\servername\sharename path to access shadow copies. If you or your users want to access a previous version of a file that does not reside in a shared folder, you must first share the folder.
Note: This will only work if the deleted file was in a subfolder in the shared folder.
You can give users access to previous versions of files by enabling shadow copies, which provide point-in-time copies of files stored on file servers running Windows Server 2003. By enabling shadow copies, you can reduce the administrative burden of restoring previously backed up files for users who accidentally delete or overwrite important files. taken even when files are in use. Shadow copies work by making a block-level copy of any changes that have occurred to files since the last shadow copy. Only the changes are copied, not the entire file. As a result, previous versions of files do not usually take up as much disk space as the current file, although the amount of disk space used for changes can vary depending on the application that changed the file.
For example, some applications rewrite the entire file when a change is made, whereas other applications append changes to the existing file. If the entire file is rewritten to disk, the shadow copy contains the entire file. Therefore, consider the type of applications in your organization, as well as the frequency and number of updates, when you determine how much disk space to allocate for shadow copies.

Incorrect answers:
A: This option does not represent the quickest way to locate and restore an accidentally deleted file.
B: Restoring the file from a normal backup is not the quickest way to locate and restore the file if it was deleted. Since TestKingB is configured to support volume shadow copies, it would be quicker to locate and restore the deleted files from it.
C: Listing all the shadow copies as suggested in this option does not represent the quickest way to recover a file; it would be quicker to navigate amongst the most recent versions of shadow copies. This option also does not state anything regarding actually restoring the file. It stops after locating the file.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, pp. 599-602

C: Plan system recovery that uses Automated System Recovery (ASR). (3 questions)

QUESTION NO: 1
You are a network administrator for TestKing. You install Windows Server 2003, Enterprise Edition on two servers named Testking1 and Testking2. You configure Testking1 and Testking2 as a two-node server cluster. Testking1 and Testking2 are connected to a shared fiber-attached array. You configure the server cluster for file sharing. You configure Testking1 as the preferred owner of the file sharing resources. You perform the following backups by using the Backup or Restore Wizard.

Server | Tuesday | Wednesday
Testking1 | Normal backup including system state | Incremental backup and Automated System Recovery (ASR) backup
Testking2 | Normal backup including system state | Incremental backup and ASR backup

On Thursday morning, Testking2 experiences a hard disk failure. The failed disk contains only the operating system for Testking2. You evict Testking2 from the server cluster. You need to recover Testking2 and restore it to the cluster. You need to minimize data loss and recovery time.
What should you do?

A. Restore the quorum disk signature and data from the Tuesday backup of Testking1, and add Testking2 to the server cluster.
B. Restore Testking2 by using ASR, and add Testking2 to the server cluster.
C. Restore the Tuesday backup of Testking2, and add Testking2 to the server cluster.
D. Restore the Tuesday normal backup and the Wednesday incremental backup of Testking2, and add Testking2 to the server cluster.

Answer: B

Explanation: When an ASR restore is performed, the operating system is reinstalled using the original Windows Server 2003 media. However, instead of generating new disk signatures, security identifiers, and Registry content, these items are restored from the ASR set.

Incorrect Answers:
A: Testking1 did not fail.
C, D: These types of backup do not restore the operating system.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, pp. 614.
QUESTION NO: 2
You are the network administrator for TestKing. The network contains Windows Server 2003 servers configured in a 4 node server cluster. The cluster provides file services to 5,000 users and contains several terabytes of data files. Several thousand shared folders have been created on 16 virtual server groups by using dynamic File Share cluster resources. Many data files are updated, created, or deleted each day. You need to create a backup strategy for both user data and the cluster configuration. You need to ensure that your strategy limits the potential loss of data and the cluster configuration to one week and provides the quickest means of recovery. What should you do?
A. Perform a weekly ASR of the cluster node that owns the quorum resource. Perform a weekly backup of all data files to tape.
B. Perform a weekly ASR of every node in the cluster. Perform a weekly backup of all data files to tape.
C. Perform a weekly ASR on each cluster node that currently owns cluster groups containing data files.
D. Configure daily shadow copies of all volumes on cluster nodes.
E. Configure weekly shadow copies of all volumes on all cluster nodes.

Answer: A

Explanation: The Backup program included in Windows Server 2003 contains a disaster recovery feature called ASR. When you run the Automated System Recovery Preparation Wizard, the software walks you through the process of creating a full backup of the server, and then prompts you to insert a floppy disk, which is used to create the boot device for the system. In the event of a disaster in which the entire contents of the system drive are lost, you simply insert the backup tape into the tape drive and boot from the floppy disk to completely restore the operating system. A cluster's quorum contains the cluster's configuration data, which nodes use to update their registries during the failback process. The quorum is included as part of the System State object, as long as the Clustering service is running on the computer.

Incorrect Answers:
B, C: You only need to back up the node containing the cluster's quorum resource, because it contains the configuration data.
D, E: Shadow copies is designed to facilitate quick recovery from simple, day-to-day problems, not recovery from significant data loss.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 617

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of a single Active Directory domain and contains Windows Server 2003 computers. You install a new service on a server named TestKing3. The new service requires that you restart TestKing3. When you attempt to restart TestKing3, the logon screen does not appear. You turn off and then turn on the power for TestKing3. The logon screen does not appear. You attempt to recover the failed server by using the Last Known Good Configuration startup option. It is unsuccessful. You attempt to recover TestKing3 by using the Safe Mode Startup options. All Safe Mode options are unsuccessful. You restore TestKing3. TestKing3 restarts successfully. You discover that TestKing3 failed because the new service is not compatible with a security path. You want to configure all servers so that you can recover from this type of failure by using the minimum amount of time and by minimizing data loss. You need to ensure that in the future, other services that fail do not result in the same type of failure. What should you do?
A. Use Add or Remove Programs.
B. Install and use the Recovery Console.
C. Use Automated System Recovery (ASR).
D. Use Device Driver Roll Back.

Answer: B

Explanation:
1. We know that this service causes the failure.
2. We want minimum of time and minimum of data loss.
3. We want a solution for all servers.
4. We want to make sure other services that fail do not result in the same type of failure.
Recovery Console is a text-mode command interpreter that can be used without starting Windows Server 2003. It allows you to access the hard disk and use commands to troubleshoot and manage problems that prevent the operating system from starting properly.

Incorrect Answers:
A: This option is used to manage software, not uninstall it.
C: Automated System Recovery returns a system to operation by reinstalling the operating system and restoring System State from an ASR backup set; it does not affect services.
D: This option deals with drivers and devices, not services.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, p. 120

Topic 5, Planning and Maintaining Network Security (27 Questions)
Part 1: Configure network protocol security.
A: Configure protocol security in a heterogeneous client computer environment. (0 questions)
B: Configure protocol security by using IPSec policies. (1 question)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers and servers run Windows Server 2003. Client computers in the human resources department run Windows XP Professional. Employees in the human resources department use the human resources client computers to transmit confidential data to the file servers. The network also contains kiosk computers. The kiosk computers are used by temporary employees to transmit data to file servers. The kiosk computers run Windows XP Professional. TestKing's written security policy requires that all data transmissions from the kiosk computers must be able to be monitored by using a protocol analyzer. You need to ensure that the confidential data transmissions to and from the human resources client computers remain confidential. You also need to ensure that you can detect any alterations in the data transmissions made by any computer. You need to comply with the written security policy. What should you do?
A. Use IPSec encryption on both the human resources client computers and the kiosk computers.
B. Use IPSec encryption on the human resources client computers and IPSec integrity on the kiosk computers.
C. Use IPSec integrity on the human resources client computers and IPSec encryption on the kiosk computers.
D. Use IPSec integrity on both the human resources client computers and the kiosk computers.

Answer: B

Explanation: We want to monitor IPSec traffic. We cannot use ESP because it encrypts the IP header. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers. We need to use AH so that we can monitor network traffic and preserve the integrity of messages. If you need to provide both integrity and encryption for data confidentiality, select the Data integrity and encryption (ESP) check box. Then under Integrity algorithm, click can choose this), MD5, or SHA1. Under Encryption algorithm, choose None, DES, or 3DES. Using both AH and ESP is the only way to both protect the IP header and encrypt the data. However, this level of protection is rarely used because of the increased overhead that AH would incur for packets that are already adequately protected by ESP. ESP protects everything but the IP header, and modifying the IP header does not provide a valuable target for attackers.
Generally, the only valuable information in the header is the addresses, and these cannot be spoofed effectively because ESP guarantees data origin authentication for the packets.

Incorrect answers:
A: Making use of IPSec encryption alone is not enough to comply with company written security policy.
C: For all data transmissions from the kiosk computers to be monitored by using a protocol analyzer, you should use IPSec integrity and IPSec encryption the other way round from what is suggested in this option.
D: Making use of IPSec integrity on both the human resources client computers and the kiosk computers will not comply with company written security policy.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, p. 735

Part 2: Configure security for data transmission. (1 question)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. One of the domain controllers is configured as an enterprise root certification authority (CA). All client computers run Windows XP Professional. TestKing uses IPSec to secure communications between computers in TestKing and computers at other companies. These IPSec connections require computer certificates. Your IPSec policies require every computer to be able to make an IPSec connection when connecting to other computers. You need to configure the network so that all computers can make IPSec connections. What should you do?
A. In the computer settings section of the Default Domain Policy Group Policy object (GPO), configure the domain members to always digitally encrypt or sign secure channel data.
B. Create a new automatic certificate request in the computer settings section of the Default Domain Policy Group Policy object (GPO).
C. Obtain a new computer certificate from a public CA. Import a copy of this certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Issue a new computer certificate from your enterprise CA. Place a copy of this certificate on an internal Web page. Instruct users to install this certificate in their trusted certificate store the first time they need to make an IPSec connection.

Answer: D

Explanation: Enterprise CAs are integrated into the Active Directory directory service. They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically. Because the clients of an enterprise CA must have access to Active Directory to receive certificates, enterprise CAs are not suitable for issuing certificates to clients outside the enterprise. Enterprise CAs require and use Active Directory to issue certificates, often automatically.
An IPSec connection comprises two modes: Main Mode and Quick Mode. Main Mode is the first part of an IPSec connection. In Main Mode, each computer authenticates to the other and then IKE is used to calculate the master key. All other keys are generated from the master key. An IKE security association (SA) is created over which Quick Mode can be negotiated. Quick Mode is the second phase of IPSec. In Quick Mode, agreement is reached for the encryption, integrity algorithms, and other policy settings. Two SAs are created, one incoming and one outgoing.

Incorrect answers:
A: Always digitally encrypting or signing secure channel data does not necessarily ensure the ability to make IPSec connections.
B: An automatic certificate request in the computer settings section of the Default Domain GPO is not the solution.
C: Obtaining a new certificate from a public CA is not going to ensure that all computers will have the ability to make IPSec connections. What is needed is to have a new computer certificate issued from your enterprise CA which should be installed on users' trusted certificate store.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 88
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2004, p. 11: 15

Part 3: Plan for network protocol security.
A: Specify the required ports and protocols for specified services. (4 questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network contains a Windows Server 2003 Web server that hosts the company intranet. The human resources department uses the server to publish information relating to vacations and public holidays. This information does not need to be secure. The finance department wants to publish payroll information on the server. The payroll information will be published in a virtual directory named Payroll, which was created under the default Web site on the server. The company's written security policy states that all payroll-related information must be encrypted on the network. You need to ensure that all payroll-related information is encrypted on the network. To preserve performance, you need to ensure that other information is not encrypted unnecessarily. You obtain and install a server certificate. What else should you do?
A. Select the Require secure channel (SSL) check box for the default Web site.
B. Assign the Secure Server (Require Security) IPSec policy option for the server.
C. Select the Encrypt contents to secure data check box for the Payroll folder.
D. Select the Require secure channel (SSL) check box for the Payroll virtual directory.

Answer: D

Explanation: SSL is a protocol developed by Netscape for transmitting private documents via the Internet. It works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL and many Web sites use the protocol to obtain confidential user information such as credit card numbers. By convention, URLs that require an SSL connection start with https, instead of http.

Incorrect Answers:
A: This will encrypt all data from the web server. We only need to encrypt the payroll data.
B: This will encrypt all data from the web server. We only need to encrypt the payroll data.
C: This will encrypt the data on the hard disk using EFS. It won't encrypt the data as it is transferred over the network.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 86

QUESTION NO: 2
You are the security analyst for TestKing. TestKing's network consists of a single Active Directory domain testking.com. TestKing's network consists of an intranet and a perimeter network separated by a firewall. The perimeter network is connected to the Internet by a second firewall. The perimeter network contains three Windows Server 2003 computers. The servers on the perimeter network host a custom application that provides product inventory information to customers. The application is managed by SNMP. Each server has the SNMP service installed. Two Windows XP Professional computers running SNMP management software are located on the TestKing intranet. The internet firewall is configured to allow outbound SNMP traffic from the intranet to the perimeter network. The firewall does not allow inbound SNMP traffic to the intranet. The current read-only SNMP community name is Public. The current read-write SNMP community name is AppCommRW. TestKing management wants to ensure that the SNMP traffic on the perimeter network cannot be intercepted by outside parties and used to compromise application integrity. You need to design a method to secure the SNMP traffic as it passes from the intranet to the perimeter network. Because of budget constraints, you cannot add any new hardware or software. Your solution must not affect customer access to the application. You need to ensure that all SNMP management traffic for the application is secure and cannot be used to compromise network security. What should you do?
A. Change the read-only SNMP community name to AppCommRO. On each application server, configure the SNMP service to send only application-specific SNMP information to the management client computers, to send authentication traps for both community names, and to accept only SNMP packets from the IP addresses of the management client computers.
B. Create an IPSec filter named SNMP Messages for the default SNMP ports in the local security policy on the management client computers and on the application server. Create and assign a new IPSec policy that requires security by using the SNMP Messages filter in the local security policy on the management client computers and on the application servers. Configure the internal firewall to allow outbound IPSec traffic from the intranet.
C. Change the community rights for the Public community to Notify. Change the community rights for the AppCommRW community to Read-Create. On each application server, configure the SNMP service to log on by using a domain user account instead of the local system account and to send authentication traps for the AppCommRW community name. Configure the internal firewall to allow inbound SNMP traffic from the perimeter network.
D. Create an organization unit (OU) named SNMP Computers.
Add the management client computers and the application servers to the SNMP Computers OU. Assign the Secure Server (Require Security) IPSec policy to the SNMP Computers OU. Configure the internal firewall to allow outbound IPSec traffic from the intranet.

Answer: B

Explanation: You can use the IPSec console to manage IPSec policies and to add and remove filters applied to the IPSec policies. IPSec filtering is used to permit or block certain types of IP traffic. With IPSec filtering, you can secure workstations from outside security hazards.
Simple Network Management Protocol (SNMP) is an application layer Transmission Control Protocol/Internet Protocol (TCP/IP) protocol and query language used to transmit information about the status of network components to a central network management console. Components embedded in network hardware and software products, called SNMP agents, are responsible for collecting data about the activities of the products they service, storing the data in a management information base (MIB), and transmitting that data to the console at regular intervals using SNMP messages.
Keeping the above in mind, it is clear that this option will provide the necessary means for ensuring that all SNMP management traffic for the application is secure and cannot be used to compromise network security.

Incorrect answers:
A: This option will not ensure that all SNMP management traffic for the application is secure and cannot be used to compromise network security. You should be making use of an IPSec filter and IPSec policies instead.
C: This option will not ensure SNMP management will be secure. Furthermore, configuring the firewall to allow inbound SNMP traffic from the perimeter network should not be.
D: There is no need to create new organizational units.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 728-730

QUESTION NO: 3
You are the security analyst for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The perimeter network contains an application server, which is accessible to external users. You view the logs on your intrusion-detection system (IDS) on the router and discover that very large numbers of TCP SYN packets are being sent to the application server. The application server is responding with SYN-ACK packets to several different IP addresses, but it is not receiving ACK responses. You note that all incoming SYN packets appear to be originating from IP addresses located within the perimeter network's subnet address range. No computers in your perimeter network are configured with these IP addresses. The router logs show that these packets are originating from locations on the Internet. You need to prevent this type of attack from occurring until a patch is made available from the application vendor. Because of budget constraints, you cannot add any new hardware or software to the network. Your solution cannot adversely affect legitimate traffic to the application server. What should you do?
A. Relocate the application server to the company intranet. Configure the firewall to allow inbound and outbound traffic on the ports and protocols used by the application.
B. Configure network ingress filters on the router to drop packets that have local addresses but that appear to originate from outside the company network.
C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network access to only authorized users and to drop all other packets originating from the Internet.
D. Configure the IDS on the perimeter network with a response rule that sends a remote shutdown command to the application server in the event of a similar denial-of-service attack.

Answer: B

Explanation: In an ideal world, each router would be configured with ingress filters that would drop packets arriving from "internal" networks whose source address was not a member of the set of network addresses that this router serves. The majority of routers could be so configured. These ingress filters should be required as part of a "good neighbor policy." Ingress filters would not totally eliminate denial of service attacks but could greatly reduce such attacks. An attacker could still spoof an address within a local subnet, but that would permit back-tracking the packets to the source subnet.

Incorrect Answers:
A: There is no firewall mentioned in the question.
C: This option could also work, but it involves extra administration.
D: the application server" and this option would.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 783
http://securityresponse.symantec.com/avcenter/security/content/9011.html

QUESTION NO: 146
You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All administrative staff use portable computers. The relevant portion of the network is shown in the exhibit.
The private Web server uses non-standard ports for connections. The external firewall is configured to allow inbound connections on these non-standard ports. Company policy requires that all administrative tasks must be performed remotely. You enable Remote Desktop connections on all servers on the company intranet. Each administrative client computer has two Windows Server 2003 Administrative Tools and Remote Desktops snap-in installed. The administrators request that they be able to use Remote Desktop connections to administer the servers when they are at home. The company's written security policy requires that connections originating from the Internet are not allowed into the company intranet. Currently, only the Web servers are accessible from the Internet. The written security policy does not allow any other connections to the perimeter network from the Internet. You need to provide a solution that allows Remote Desktop connections to the company intranet and that complies with the written security policy. What should you do?
A. Install the Remote Administration Web site on the private Web server. Configure the external firewall to allow inbound connections on the IIS Remote Administration port. Configure the internal firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port.
B. Install the Remote Administration Web site on the private Web server. Configure the external firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port. Configure the internal firewall to allow inbound connections on the IIS Remote Administration port.
C. Install the Remote Desktop Web Connection Web site on the private Web server. Configure the internal firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port.
D. Install the Remote Desktop Web Connection Web site on the private Web server. Configure the internal firewall to allow inbound connections on the IIS Remote Administration port.

Answer: C

Explanation: The Remote Desktop Web Connection is a high-encryption, Remote Desktop Protocol (RDP) 5.0 client and uses RSA Security's RC4 cipher with a key strength of 40-, 56-, or 128-bit, as determined by the computer to which it is connecting. The Remote Desktop Web Connection uses the well-known RDP TCP port (3389) to communicate to the host. Unlike some other display protocols, which send data over the network using clear text or with an easily decodable "scrambling" algorithm, Remote Desktop Web Connection's built-in encryption makes it safe to use over any network, including the Internet, as the protocol cannot be easily sniffed to discover passwords and other sensitive data. This will provide the necessary security.
With this solution, we can access the private web server from the internet over a non-standard port by configuring RDP to listen on the non-standard port. Then we can open a remote desktop connection from the private web server to the intranet servers. That would be without contravening the company written security policy that states that connections originating from the Internet are not allowed into the company intranet and it also will not allow any other connections to the perimeter network from the Internet.

Incorrect answers:
A: Configuring the external firewall to allow inbound connections on the IIS Remote Administration port would be wrong in this case. It should be omitted.
B: The internal and not the external firewall should be configured to allow inbound connections on the RDP port.
D: It is not the IIS Remote Administration port that should be considered here but rather the RDP port that should be considered regarding the firewall configuration to allow inbound connections.

References:
MS Knowledge Base article 306759: How to Change the Listening Port for Remote Desktop
MS Knowledge Base article 308127: How to Manually Open Ports in Internet Connection Firewall in Windows XP
MS Knowledge Base article 304034: Configuring the Remote Desktop Client to Connect to a Specific Port
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 7, p. 530
http://msdn.microsoft.com/library/default.asp?url=/library/ens/termserv/termserv/providing_for_rdp_client_s
http://www.microsoft.com/windowsxp/pro/downloads/rdwebconn.asp

B: Plan an IPSec policy for secure network communications. (2 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The human resources department has servers that contain confidential information stored in files. The client computers in the human resources department access the confidential information over the LAN. The network design requires that any access to the human resources department servers must be encrypted to protect the confidentiality of the data transmissions. You need to automatically enforce the network design requirement at regular intervals. What should you do?
A. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using Group Policy.
B. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using local policy.
C. Apply the Hisecws.inf security template to the human resources department servers by using Group Policy.
D. Apply the Hisecws.inf security template to the human resources department servers by using the secedit command.

Answer: A

Explanation: Secure Server (Require Security) configures the computer to require IPSec security for all communications. If the computer attempts to communicate with a computer that does not support IPSec, the initiating computer terminates the connection. The Secure Server (Require Security) policy is intended for computers working with sensitive data that must be secured at all times. Before implementing this policy, you must make sure all the computers that need to access the secured server support IPSec.
When security settings are imported to a GPO in Active Directory, they affect the local security settings of any computer accounts to which that GPO is applied.

Incorrect Answers:
B: Network design dictates that any access to the human resources department servers must be encrypted, but using local policy only affects an individual computer.
C, D: The question asks for encryption, not authentication.

Reference: Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 11

QUESTION NO: 2
You are the senior systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers in the sales department run Windows NT Workstation 4.0 with the Active Directory Client Extension software installed. All other client computers run Windows XP Professional. All servers are located in an organizational unit (OU) named Servers. All client computers are located in an OU named Desktops.

Four servers contain confidential company information that is used by users in either the finance department or the research department. Users in the sales department also store files and applications in these servers. The company's written security policy states that for auditing purposes, all network connections to these resources must require authentication at the protocol level. The written security policy also states that all network connections to these resources must be encrypted.

The TestKing budget does not allow for the purchase of any new hardware or software. The applications and data located on these servers may not be moved to any other server in the network.

You define and assign the appropriate permissions to ensure that only authorized users can access the resources on the servers. You now need to ensure that all connections made to these servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. You also need to ensure that all users in the sales department can continue to access their resources.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Secure Server (Require Security) IPSec policy in the GPO.
B. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Server (Request Security) IPSec policy in the GPO.
C. Create a new Group Policy object (GPO) and link it to the Desktops OU. Enable the Client (Respond only) IPSec policy in the GPO.
D. Create a new Group Policy object (GPO). Edit the GPO to enable the Registry Policy Processing option and the IP Security Policy Processing option. Copy the GPO files to the Netlogon shared folder.
E. Use the System Policy Editor to open the System.adm file and enable the Registry Policy Processing option and the IP Security Policy Processing option. Save the system policy as NTConfig.pol.

Answer: B, C

Explanation: We need to ensure that the connections made to the servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. The computers in these departments use Windows XP Professional. We can therefore enable IPSec communication between the servers and the clients in the finance and research departments. However, the sales users use Windows NT, which cannot use IPSec. Therefore, to ensure that the NT clients can still communicate with the servers, we should enable the Server (Request Security) IPSec policy on the servers and the Client (Respond only) IPSec policy for the client computers.

Incorrect Answers:
A: This policy is intended for computers working with sensitive data that must be secured at all times.
D: Registry Policy Processing specifies how Registry policies are processed, such as whether Registry policies can be applied during periodic background processing. IP Security Policy Processing specifies how IP security policies are updated. Copying the GPO files to the Netlogon shared folder enables all authenticated users to access them.
E: In Windows Server 2003 operating systems, the Group Policy Object Editor replaces the System Policy Editor.
Reference: Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 5 and 11.

Part 4: Plan secure network administration methods.

A: Create a plan to offer Remote Assistance to client computers. (2 questions)

QUESTION NO: 1
You are the system engineer for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The servers on the network are all located in a central data center building, which is located on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of installed service processors.

All servers are located in a physically secured room. IT department personnel can access this room for the purpose of installing or maintaining hardware. All IT department personnel are members of the Domain Admins security group.

TestKing adopts a new remote administration policy, which includes the following requirements:
1. All in-bound management of servers on the network must be performed remotely.
2. All remote administration connections made to any server must be authenticated by using the Kerberos version 5 protocol and must be logged in the Security event log.
3. All remote administration connections must be encrypted.
4. The new remote administration configuration must not adversely affect normal network connectivity for users or cause any disruption in network services.

The new remote administration policy applies to all servers, including domain controllers, file and print servers, and application servers. You need to plan a remote administration strategy for all servers on the network that complies with the new policy. What should you do?

A. On each server, enable Emergency Management Services.
B. On each server, enable Remote Desktop connections.
C. On each server, enable the Telnet service with the Automatic startup parameter. Enable the Secure Server (Require Security) IPSec policy in the Default Domain Policy Group Policy object (GPO).
D. Install IIS on each server.
Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service. On each server, configure IP packet filters to accept only SSL connections.

Answer: B

Explanation: Remote Desktop Connection is the client-side software used to connect to a server in the context of either Remote Desktop or Terminal Server modes. The latest version of Remote Desktop Connection provides the most efficient, secure and stable environment possible, through improvements such as a revised user interface, 128-bit encryption and alternate port selection.

Incorrect Options:
A: Emergency Management Services (EMS) provides a means for managing a server even when network connectivity has failed.
C, D: Kerberos version 5 protocol must be used, not IPSec or SSL.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 803

QUESTION NO: 2
You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers on the network run Windows Server 2003. All client computers run either Windows XP
Professional or Windows 2000 Professional. All servers that are not domain controllers are located in an organizational unit (OU) named Servers. All client computers used by administrative personnel are located in an OU named AdminDesktops. Both the Domain Controllers OU and the Servers OU have the Server (Request Security) IPSec policy applied. The AdminDesktops OU has the Client (Respond Only) IPSec policy applied.

You implement remote administration for all servers on the network. All servers are configured to allow Remote Desktop connections for administration. The company's written security policy requires that the highest security levels possible must be enforced during remote administration of the servers. The Terminal Services encryption settings are set to High in the Default Group Policy object (GPO).

Administrators who use Windows 2000 Professional computers soon report that they cannot establish Remote Desktop connections to the servers. Administrators can successfully establish network connections to shared resources on the servers. Administrators who use Windows XP Professional computers do not experience the same problem. You verify that the servers to which the administrators are attempting to connect are online and have Remote Desktop connections enabled. You also verify that the maximum number of remote connections has not been exceeded on any server.

You need to ensure that all administrators can establish Remote Desktop connections to the servers regardless of which operating system is running on their client computers. What should you do?

A. In the properties for the Remote Desktop Protocol (RDP) connection on each server, set the encryption level to FIPS Compliant.
B. Deploy the Remote Desktop Protocol (RDP) 5.2 client software to the AdminDesktops OU.
C. On each server, use Terminal Services Manager to configure the servers to use standard Windows authentication.
D. Configure the Terminal Services permission compatibility to Relaxed Security.

Answer: B

Explanation: Computers running earlier versions of Microsoft Windows, including Windows 2000 Server, Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, cannot connect to Windows Server 2003 Terminal Services if they are using the old client. The Terminal Server client cannot connect because they are using full security, but installing the new version allows older Windows platforms to remotely connect to a computer running Windows XP Professional with Remote Desktop enabled. In Windows Server 2003 you do not need to install Terminal Server.
Instead, you can use Remote Desktop for Administration (formerly Terminal Services in Remote Administration mode), which is installed by default on computers running one of the Windows Server 2003 operating systems. After you enable remote connections, Remote Desktop for Administration allows you to remotely manage servers from any client over a LAN, WAN, or dial-up connection. Up to two remote sessions, plus the console session, can be accessed at the same time, without requiring Terminal Server Licensing.

Incorrect Answers:
A: If this setting is enabled, the security channel provider of the operating system is forced to use only the following security algorithms: TLS_RSA_WITH_3DES_EDE_CBC_SHA. This behavior forces the security channel provider to negotiate only the stronger Transport Layer Security (TLS) 1.0
C: Specifies whether the connection defaults to the standard Windows authentication when another authentication package has been installed on the server.
D: Relaxed security enables you to run programs that otherwise might not work at all in the more rigorous Full security mode. However, in Relaxed security mode (also known as Windows NT 4.0/Terminal Server Edition permissions compatibility mode), any user on the system can change files and registry settings in many places throughout the system, although other users' data files might not be visible. A malicious user could exploit this situation by replacing a known and trusted program with a program of the same name but some harmful intent. If the operating system on your terminal server was installed using the Upgrade method, the security mode might be set to Relaxed security. The question asks to provide the highest level of security.

References:
http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp
Martin Grasdal, Laura E.
Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p. 11: 30

B: Plan for remote administration. (2 questions)

QUESTION NO: 1
You are the systems engineer for Contoso, Ltd. The network consists of a single Active Directory domain named Contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The servers on the network are located in a physically secured room, which is located in a central data center building on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of their serial ports, which are connected to a terminal concentrator. The terminal concentrator is connected to the company network by means of a standard LAN connection.

It is required that all servers can be managed remotely. All IT staff in the company can establish connections to the servers by means of either a Remote Desktop connection or the Windows Server 2003 Administration Tools, which are installed locally on their client computers.

Company management now requires that several servers that have high-availability requirements must also be remotely managed in the event of system failures and when the Recovery Console is used. Company management also requires that these servers can be remotely managed when the servers are slow or are not responding to normal network requests.

You need to plan a remote management solution that complies with the new requirements. What should you do?

A. On each highly available server, enable Emergency Management Services by adding the Redirect=COM1 and /redirect parameters to the Boot.ini file on each server and the EMSPort=COM1 and EMSBaudRate=9600 parameters to the Winnt.sif file on each server.
B. On each highly available server, configure the Telnet service with a startup parameter of Automatic. Set the number of maximum Telnet connections to match the number of administrators in the company. Add the administrator's user accounts to the TelnetClients security group.
C. Install IIS on each highly available server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service. Add the administrator's user accounts to the HelpServicesGroup security group.
D. Use the netsh command to create an offline configuration script that contains the network parameters for out-of-band remote management.
Copy this script to the C:\Cmdcons folder on each highly available server.

Answer: A

Explanation: With Emergency Management Services, combined with the appropriate hardware, you can perform remote management and system recovery tasks, even when the server is not available through the standard remote administration tools and mechanisms. To enable Emergency Management Services after setting up a Windows Server 2003 operating system, you must edit the Boot.ini file to enable Windows loader console redirection and Special Administration Console (SAC). The Boot.ini file controls

Incorrect answers:
B: Telnet is used to connect to a terminal concentrator through an in-band connection, which then connects to the server through an out-of-band connection. This is not what is required.
C: IIS allows users to access information using a number of protocols that are part of the TCP/IP suite. This is not in compliance with the requirements as stated.
D: Netsh is an interactive command-line utility that allows you to manage local or remote network configurations of active machines. netsh also supports scripting, so you can create batch configurations that run against the local machine or a specified host on the network. You can also use the Netsh utility to generate a configuration script to use as a backup configuration or as an aid to configure new machines in an identical fashion. netsh works with the existing components installed with the operating system by using helper dynamic link libraries (DLLs). But this is not what is required in this case.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W.
Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 3, p. 189
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8: 13

QUESTION NO: 2
You are a system engineer for TestKing. The network consists of four Active Directory domains. All servers on the network run Windows Server 2003. The Windows Server 2003 computers are distributed among three offices. All servers support out-of-band management by means of serial connections to terminal concentrators in each office's data center. Each office maintains its own separate connection to the Internet.

The company adopts a new written security policy, which includes the following requirements:
1. Physical access to all servers is restricted to authorized personnel and only for the purpose of installing or maintaining hardware.
2. All in-band remote administration connections must be authenticated by the Kerberos version 5 protocol.
3. Administrators in each office must be able to access their servers for remote administration or troubleshooting even when the operating system is not running or experiences a Stop error.
4. Services or programs that are not essential for remote administration or server operation must not be installed on any computer.

You need to plan a remote administration strategy for the network that complies with the new policy. You are not responsible for permissions management in the domains. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Configure each server to accept Remote Desktop connections.
B. On each server, enable the Telnet service with a startup parameter of Automatic.
C. Install Terminal Services on each server.
D. On each server, enable Emergency Management Services.
E. Install IIS on each server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service.

Answer: A, D

Explanation: Emergency Management Services is a new feature in Windows Server 2003 that permits you to perform remote management and system recovery tasks when the server is not available by using the standard remote administration tools and mechanisms. Emergency Management Services provides alternative access to a server when the server is not accessible through the standard connection methods, typically a network.
With Emergency Management Services, combined with the appropriate hardware, you can perform remote management and system recovery tasks, even when the server is not available through the standard remote administration tools and mechanisms. To manage a server from a remote computer when the server is not available on the network, you must enable Emergency Management Services. Emergency Management Services is a Windows Server 2003 service that runs on the managed server. This service is not enabled by default when you install the Windows Server 2003 operating system, but you can enable it during installation or at any later time. Emergency Management Services features are available when the Windows Server 2003 loader or kernel is at least partially running. You can access all Emergency Management Services output by using terminal emulator software that supports VT100, VT100+, or VT-UTF8 protocols on the management computer, although VT-UTF8 is the preferred protocol. For more information about terminal emulator software and the supported protocols

Management Software for Out-of-Band Connections
Typically, you use terminal emulation software on the management computer to connect to and communicate with a server through an out-of-band connection. The two most common methods are the following:
1. Use Telnet - or a secure alternative such as SSH - to connect to a terminal concentrator through an in-band connection, which then connects to the server through an out-of-band connection.
2. Use HyperTerminal to connect directly to the server.

Terminal Services technology is the basis for several features that enable you to connect to remote computers and perform administrative tasks.
1. Remote Desktop for Administration (formerly known as Terminal Services in Remote Administration mode) provides remote server management capabilities for Windows Server 2003 family operating systems. Using this feature, you can administer a server from virtually any computer on your network. No license is required for up to two simultaneous remote connections in addition to the server console session. A corresponding desktop version of Remote Desktop for Administration is available on Microsoft® Windows® XP Professional, and is called Remote Desktop.
2. The Remote Desktops MMC snap-in allows you to create remote connections to the console session of multiple terminal servers, as well as computers running Windows 2000 or Windows Server 2003 family operating systems.

Remote Desktop Connection, available on Windows Server 2003 family operating systems as well as on Microsoft® Windows® XP operating systems, enables you to log on to a remote computer and perform administrative tasks, even from a client computer that is running an earlier version of Windows.

References:
MS Knowledge Base article 815273: HOW TO: Perform an Unattended Emergency Management Services Installation of Windows Server 2003
MS Windows Server 2003: Planning Server Deployments: Emergency Management Services
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8: 13

Part 5: Plan security for wireless networks. (5 questions)

QUESTION NO: 1
DRAG DROP
You are a network administrator for a consulting company. You need to create a wireless network that will be used by consultants from your company at a customer location.

The wireless network will consist of nine portable computers, three servers, and four wireless digital cameras. All computers and cameras can use either static or dynamic IP addressing. The cameras do not support data encryption. Both the portable computers and the servers must be able to initiate communication over the Internet to VPN servers in your company's main data center. Only the wireless point is connected to the customer's corporate network.

You need to plan the wireless IP
network so that it minimizes the risk of unauthorized use of the wireless network and prevents unsolicited communication from the Internet to the hosts on the network. What should you do?

Answer:

Explanation: Network Address Translation (NAT) is a service that allows multiple LAN clients to share a single public IP address and Internet connection by translating and modifying packets to reflect the correct addressing information. Thus making use of static IP addressing should minimize the risk of unauthorized use of the wireless network and prevent unsolicited communication from the Internet to the hosts on the network.

Reference: James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2004, Chapter 7, p. 456

QUESTION NO: 2
You are the network administrator for Contoso, Ltd. All servers run Windows Server 2003. All client computers run Windows XP Pro. All computers are connected to the network by using wireless access points. You configure a CA. You require certificate based IEEE 802.1X authentication on the wireless access point. You need to enable all computers to communicate on the wireless network. What are two possible ways to complete this task?

A. Enter a 128 bit WEP key on the wireless access point and on the computers
B. In the Wireless Network Connection properties on each computer, select the "The key is provided for me automatically" check box
C. Temporarily connect each computer to an available Ethernet port on the wireless access point and install a computer certificate
D. Install a computer certificate on each computer by using a floppy

Answer: C, D

Explanation: 802.1X authentication: An Institute of Electrical and Electronics Engineers (IEEE) standard for port-based network access control that provides authenticated network access to Ethernet networks and wireless 802.11 local area networks (LANs).

A PKI using computers running Windows Server 2003 can create certificates that support wireless network authentication. The increasing popularity of wireless local area networking (LAN) technologies, such as those based on the 802.11 standard, raises an important security issue. When you install a wireless LAN, you must make sure that only authorized users can connect to the network and that no one can eavesdrop on the wireless communications. You can use the Windows Server 2003 PKI to protect a wireless network by identifying and authenticating users before they are granted access to the network.

Incorrect Answers:
A: WEP depends on encryption keys that are generated by a mechanism external to WEP itself, not certificates.
B: This option depends on encryption keys as well.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 801-805

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 50 Windows Server 2003 computers and 200 Windows XP
Professional computers. TestKing does not use wireless networking. The network at TestKing is shown in the exhibit.

TestKing enters into a strategic partnership with Adventure Works. Under the strategic partnership, Adventure Works will regularly send employees to TestKing. Your design team interviews the Adventure Works administrator and discovers the following:
1. Adventure Works employees require access to the Internet to retrieve e-mail messages and to browse the Internet.
2. Adventure Works employees do not need access to the internal network at TestKing.
3. Adventure Works employees all have portable computers that run Windows XP Professional, and they use a wireless network in their home office.
4. The wireless network client computers of Adventure Works employees must be protected from Internet-based attacks.

Adventure Works sends you a wireless access point that its employees will use to access the Internet through your network. You are not allowed to change the configuration of the wireless access point because any change will require changes to all of the wireless client computers.

You need to develop a plan that will meet the requirements of Adventure Works employees and the security requirements of TestKing. Your solution must be secure and must minimize administrative effort. What should you do?

A. Install the wireless access point on a separate subnet inside the TestKing network. Configure a router to allow only HTTP, IMAP4, and SMTP traffic out of the wireless network.
B. Install the wireless access point on a separate subnet inside the TestKing network. Configure a VPN from the wireless network to the Adventure Works office network.
C. Install the wireless access point on the TestKing perimeter network. Configure Firewall1 to allow wireless network traffic to and from the Internet.
Configure Firewall2 to not allow wireless traffic into the TestKing network.
D. Install the wireless access point outside Firewall1 at TestKing. Obtain IP addresses from your ISP to support all wireless users.

Answer: C

Explanation: An infrastructure network consists of a standard cabled network with a wireless access point connected to it. Wireless-equipped computers can then interact with the cabled network by communicating with the access point. Firewall1 will now allow wireless network clients access to the Internet for browsing and E-mail retrieval, while Firewall2 will not allow wireless network clients access to TestKing's internal network. Thus, TestKing and Adventure Works are satisfied.

Incorrect Answers:
A, B: This does not satisfy TestKing's security requirements, as they do not use wireless networking.
D: If you use this option, you will not be able to even access the perimeter network.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 801-803

QUESTION NO: 4
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains two Windows Server 2003 domain controllers. All servers run Windows Server 2003, and all client computers run Windows XP Professional.

You install a wireless network. You discover that the coverage for the executive offices is very poor. You need to improve wireless coverage for the executive team in their office area. The design team specifies the following requirements for the executive team:
1. Executives must be able to access the wireless network in all locations in the building, including their offices.
2. Non executive employees may use wireless access points in the executive office area only if other access points are unavailable.

You need to develop a plan to improve the coverage in the executive offices. You need to implement your plan by using the minimum amount of administrative effort. What should you do?

A. Use the Connection Manager Administration Kit (CMAK) wizard to create new service profiles. One profile will be used for executives only.
Send an e-mail message that contains the proper profiles to the proper users.
B. Use the Windows Management Instrumentation command-line tool with the NIC and the NICCONFIG aliases.
C. Install new access points for the executive team with a new dedicated service set identifier (SSID). Use wireless network policies to control use of the SSIDs on the wireless network.
D. Install new access points for the executive team with a new dedicated service set identifier (SSID). Use wireless network policies to control access for ad hoc networks.
Answer: C
Explanation: The Network name (SSID) specifies the name for the specified wireless network. Under the IEEE 802.11 standard, the network name is also known as the Service Set Identifier (SSID). To distinguish different wireless networks from one another, the 802.11 standard defines the service set identifier (SSID). The SSID can be considered the identity element that "glues" various components of a wireless local area network (LAN) together. Traffic from wireless clients that use one SSID can be distinguished from other wireless traffic using a different SSID. Using the SSID, an AP can determine which traffic is meant for it and which is meant for other wireless networks. We will need to set up two different Network names (SSIDs), one for users and one for executives. Also, to enhance the deployment and administration of wireless networks, we can use a Group Policy to centrally create, modify, and assign wireless network policies for Active Directory clients. Thus installing new access points with a new dedicated service set identifier (SSID) for the executive team and making use of policies to control the use of the SSIDs on the wireless network involves the least amount of administrative effort to accomplish the task at hand.
Incorrect answers:
A: This option suggests far more administrative effort than is necessary.
B: There is no need to make use of the WMI command line when all that is necessary is to install new access points with new SSIDs and make use of a wireless network policy to control their use.
D: The network policies should be used to control the use of SSIDs on the wireless network and not for controlling access for ad hoc networks.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 801-802

Part 6: Plan security for data transmission.
A: Secure data transmission between client computers to meet security requirements. (3 questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of an internal network and a perimeter network. The internal network is protected by a firewall. The perimeter network is exposed to the Internet. You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be located in the perimeter network. The servers will host only publicly available Web pages. You want to reduce the possibility that users can gain unauthorized access to the servers. You are concerned that a user will probe the Web servers and find ports or services to attack. What should you do?
A. Disable File and Printer Sharing on the servers.
B. Disable the IIS Admin service on the servers.
C. Enable Server Message Block (SMB) signing on the servers.
D. Assign the Secure Server (Require Security) IPSec policy to the servers.
Answer: A
Explanation: We can secure the web servers by disabling File and Printer sharing. The File and Printer Sharing for Microsoft Networks component allows other computers on a network to access resources on your computer by using a Microsoft network. This component is installed and enabled by default for all VPN connections. However, it needs to be enabled for PPPoE and dial-up connections. It is enabled per connection and is necessary to share local folders.
The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service in Windows NT 4.0. File and Printer sharing is not required on web servers because the web pages are accessed over web protocols such as http or https, and not over a Microsoft LAN.
Incorrect Answers:
B: This is needed to administer the web servers. Whilst it could be disabled, disabling File and Printer sharing will secure the servers more.
C: SMB signing is used to verify that the data has not been changed during the transit through the network. It will not help in reducing the possibility that users can gain unauthorized access to the servers.
D: This will prevent computers on the internet accessing the web pages.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, pp. 126-127

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single active directory domain named TestKing.com. All servers run Windows Server 2003. A server named TestKing2 functions as the mail server for the company. All users use Microsoft Outlook Express as their email client. An update to the company's written security policy specifies that users must use encrypted authentication while they are retrieving email messages from TestKing2. You need to comply with the updated policy. What should you do? (Choose three)
A. Configure the POP3 service on TestKing2 to use Active Directory Integrated Authentication
B. Configure the SMTP virtual server on TestKing2 to use Integrated Windows Authentication
C. Configure Outlook Express to use the Secure Password Authentication (SPA)
D.
Configure the SMTP virtual server on TestKing2 to use Basic Authentication with Transport Layer Security (TLS) encryption
E. Configure the POP3 service on TestKing2 to require secure password authentication (SPA) for all connections
Answer: A, C, E
Explanation: You can use Active Directory Authentication to incorporate the POP3 service into your existing Active Directory domain. Active Directory integrated authentication supports both plaintext and Secure Password Authentication (SPA) e-mail client authentication. Because plaintext transmits the user's credentials in an unsecured, unencrypted format, however, the use of plaintext authentication is not recommended. SPA does require e-mail clients to transmit both the user name and authentication. We need to configure the POP3 service on TestKing2 to require secure password authentication, and we need to configure the email clients to use Secure Password Authentication (SPA).
Incorrect Answers:
B: We need to configure the POP3 service, not the SMTP virtual server.
D: We need to configure the POP3 service, not the SMTP virtual server.
Reference: a Microsoft Windows Server 2003 Network Infrastructure. Mastering Windows Server 2003.

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The users in the accounting department use their client computers to access confidential files over the network. The files must not be altered by unauthorized users as the files traverse the network. You need to secure the data transmissions to and from client computers in the accounting department. You also need to be able to monitor the traffic on the network and report to IT management the percentage of bandwidth used for each protocol. What should you do?
A. Use IPSec encryption.
B. Use Server Message Block (SMB) signing.
C. Use NTLMv2 authentication.
D. Use the Kerberos version 5 authentication protocol.
Answer: B
Explanation: Server Message Block (SMB) signing determines whether the computer always digitally signs client communications. The Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional authentication protocol Server Message Block (SMB) supports mutual authentication, which closes a "man-in-the-middle" attack and supports message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. We can't use IPSec "encryption" because this uses ESP to encrypt the IP header. If we use IPSec encryption, we won't be able to monitor the traffic. We could use IPSec "integrity" but that isn't listed as an option. Instead, we should use Server Message Block (SMB) signing.
Incorrect answers:
A: IPSec makes use of ESP and AH. ESP is to encrypt the IP header; we cannot make use of IPSec, for then monitoring would not be possible.
C, D: Highly secure templates shut down NTLM communication as well as Kerberos communication. There would thus not be anything to monitor.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13: 59

B: Secure data transmission by using IPSec. (7 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. TestKing has a main office and five branch offices. The branch offices are connected to the main office by a WAN connection. All servers run Windows Server 2003. All client computers run Windows XP
Professional. The audit department has users in the main office and in all branch offices. The audit department users share files on an audit department secured server at the main office. The files must be kept confidential. The audit department is concerned that files will be captured while they are transmitted between the audit department server and the client computers. The audit department server is configured to protect the confidentiality of network transmissions. You need to configure the audit department client computers to further ensure the confidentiality of network transmissions. You need to ensure that the configuration of the client computers is periodically enforced. What should you do?
A. Use a Group Policy object (GPO) to assign the Client (Respond Only) IPSec policy to the client computers.
B. Run the secedit command with the Hisecws.inf predefined security template on the client computers.
C. Use a Group Policy object (GPO) to configure Server Message Block (SMB) signing on the client computers.
D. Run the secedit command with the Rootsec.inf predefined security template on the client computers.
Answer: C
Explanation: Server Message Block (SMB) is an application-layer protocol that allows a client to access files and printers on remote servers. Clients and servers that are configured to support SMB can communicate using SMB over transport- and network-layer protocols, including Transmission Control Protocol (TCP/IP). By using a GPO, you are ensuring that the server message block signing of the client computers is periodically enforced.
Incorrect Answers:
A: This configures the computer to use IPSec only when another computer requests IPSec. requests from other computers for secured communications.
B, D: This does not ensure that the configuration of the client computers is periodically enforced.
Reference: Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, Glossary.
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3

QUESTION NO: 2 HOTSPOT
You are the network administrator for TestKing. The network contains Windows 98, Windows NT Workstation 4.0, and Windows XP Professional client computers. All computers run the latest service pack. The network contains a Windows Server 2003 file server named Testking1. TestKing's written security policy requires that data communications must be encrypted by using IPSec whenever possible. Other than the default GPOs, there are no additional Group Policy objects (GPOs) within Active Directory or any local GPOs applied to the computers in the domain. You need to configure Testking1 so that it meets the written security policy requirements without disabling access for any client computer. You also want to minimize session key negotiation times. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Select the "Allow unsecured communication with non-IPSec aware computers" checkbox. The Allow Unsecured Communication With Non-IPSec-Aware Computers checkbox configures the action to allow any computer, IPSec capable or not, to communicate. Any machine that can't handle IPSec will get a normal, insecure connection. By default, this properly. If they're not, some computers that you think are using IPSec may connect without security.
Reference: James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2004, Chapter 4, pp. 195.

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 computer named Testking1 that is located in an organizational unit (OU) named Servers. Testking1 contains confidential data, and all network communications with Testking1 must be encrypted by using IPSec. The default Client (Respond Only) IPSec policy is enabled in the Default Domain Policy Group Policy object (GPO). You create a new GPO and link it to the Servers OU. You configure the new GPO by creating and enabling a custom IPSec policy. You monitor and discover that network communications with Testking1 are not being encrypted. You need to view all IPSec policies that are being applied to Testking1. What should you do?
A. Use Local Security Policy to view the IP Security Policies on Local Computer for Testking1.
B. Use Local Security Policy to view the Security Options for Testking1.
C. Use Resultant Set of Policy (RSoP) to run an RSoP logging mode query to view the IP Security Policies on Local Computer for Testking1.
D. Use Resultant Set of Policy (RSoP) to run an RSoP planning mode query to view the Security Options for Testking1.
E. Use IP Security Monitor to view the Active Policy for Testking1.
F. Use IP Security Monitor to view the IKE Policies for Testking1.
Answer: C
Explanation: You can use RSoP to view all the effective group policy settings for a computer or user, including the IPSec policies. To use RSoP, you must first load the snap-in into an MMC console, and then perform a query on a specific computer (select Generate RSoP Data from the Action menu), specifying the information you want to gather. The result is a display of the group policy settings that the selected computer is using. You can run an RSoP logging mode query to view all of the IPSec policies that are assigned to an IPSec client.
The query results display the precedence of each IPSec policy assignment, so that you can quickly determine which IPSec policies are assigned but are not being applied and which IPSec policy is being applied. When you run a logging mode query, RSoP retrieves policy information from the WMI repository on the target computer, and then displays this information in the RSoP console. In this way, RSoP provides a view of the policy settings that are being applied to a computer at a given time.
Incorrect Answers:
A, B: Local Security Policy is used for configuring purposes.
D: You can run an RSoP planning mode query only on a domain controller.
E, F: You need to view all IPSec policies that are being applied to Testking1, not selected ones.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 12
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 768

QUESTION NO: 4
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP
Professional. The audit department has servers that contain highly confidential files. The files are accessed over the LAN by the audit department client computers. The audit department client computers have slow processors. The network design requires that the network transmissions between the audit department servers and client computers be confidential and that any changes to the data in transit must be detectable. You create a custom IPSec filter action. You need to select the security method settings. You need to ensure that you minimize the performance impact on the audit department client computers. What should you do?
A. Select MD5 as the integrity algorithm and DES as the encryption algorithm.
B. Select SHA1 as the integrity algorithm and DES as the encryption algorithm.
C. Select SHA1 as the integrity algorithm and 3DES as the encryption algorithm.
D. Select MD5 as the integrity algorithm and 3DES as the encryption algorithm.
Answer: A
Explanation: MD5 is an industry-standard one-way, 128-bit hashing scheme, developed by RSA Data Security, Inc., and used by various Point-to-Point Protocol (PPP) vendors for encrypted authentication. A hashing scheme is a method for transforming data (for example, a password) in such a way that the result is unique and cannot be changed back to its original form. The Challenge Handshake Authentication Protocol (CHAP) uses challenge response with one-way MD5 hashing on the response. In this way, you can prove to the server that you know your password without actually sending the password over the network. DES (Data Encryption Standard) is an algorithm used for strong (56-bit) encryption of L2TP/IPSec connections.
Incorrect Answers:
B, C, D: These options would require more processor time.
Reference: J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, 2004, Glossary

QUESTION NO: 5 DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. All application servers run Windows Server 2003. Client computers in the accounting department run Windows XP
Professional. Client computers in the engineering department run Windows 2000 Professional. Client computers in the sales department run either Windows NT Workstation 4.0 or Windows 98. All client computers access data files on the application servers. You need to plan the method of securing the data transmissions for the client computers. You want to ensure that the data is not modified while it is transmitted between the application servers and the client computers. You also want to protect the confidentiality of the data, if possible. What should you do? To answer, drag the appropriate method or methods to the correct department's client computers.
Answer:
Explanation: We can use IPSEC on Windows 2000 and Windows XP but we cannot use IPSEC for Legacy clients except for VPNs. On Windows 2000 and Windows XP both methods are supported; in this case, for security reasons, we will use IPSEC rules. SMB signing is supported by Windows 2000 and XP, enforced by local policies or domain policies. To be supported on legacy clients, you must modify the registry in Windows 98 and Windows NT. Windows 98 includes an updated version of the SMB authentication protocol. However, using SMB signing slows down performance when it is enabled. This setting should be used only when network security is a concern. The performance decrease usually averages between 10-15 percent. SMB signing requires that every packet is signed for and every packet must be verified. Windows NT 4.0
Service Pack 3 provides an updated version of the Server Message Block (SMB) authentication protocol, also known as the Common Internet File System (CIFS) file sharing protocol.
IPSEC
The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used. IPSEC is not supported on legacy clients; it is supported only for VPN.
Reference: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 9, p. 646
Knowledge Base Articles:
SMB on Windows NT: KB article 161372
SMB on Windows 98: KB article 230545

QUESTION NO: 6
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers run Windows 2000 Professional, Windows XP Professional, or Windows NT Workstation 4.0. TestKing wants to increase the security of the communication on the network by using IPSec as much as possible. The company does not want to upgrade the Windows NT Workstation 4.0 client computers to another operating system. The servers use a custom IPSec policy named Domain Servers. The rules of the Domain Servers IPSec policy are shown in the exhibit. You create a new Group Policy object (GPO) and link it to the domain. You configure the GPO to assign the predefined IPSec policy named Client (Respond Only). After these configuration changes, users of the Windows NT Workstation 4.0 computers report that they cannot connect to the servers in the domain. You want to ensure that Windows NT Workstation 4.0 client computers can connect to servers in the domain. What should you do?
A. Change the All IP Traffic rule in the Domain Servers IPSec policy to use a preshared key for authentication.
B. Change the All IP Traffic rule in the Domain Servers IPSec policy to use the Request Security (Optional) filter action.
C. Activate the default response rule for the Domain Servers IPSec policy.
D. Install the Microsoft L2TP/IPSec VPN Client software on the Windows NT Workstation 4.0 computers.
E. Install the Active Directory Client Extensions software on the Windows NT Workstation 4.0 computers.
Answer: B
Explanation: The exhibit shows that the server has the "Require Security" IPSec policy. The Windows NT Workstation clients are unable to use IPSec, and so cannot communicate with the server. We can fix this by changing the IPSec policy to Request Security (Optional). This will configure the server to use IPSec whenever possible, but to allow unsecured communications if required.
Incorrect Answers:
A: If you select to use a preshared key, you must enter a string of characters that is also known to the party with which you are communicating.
C: Activating the default response rule for the Domain Servers IPSec policy is not going to ensure that Windows NT Workstation 4.0 client computers will be able to connect to the servers in the domain.
D, E: This will not work. Windows NT Workstation client computers cannot function as an Active Directory client.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 728-739

QUESTION NO: 7 DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains four organizational units (OUs), as shown in the work area. The HR_Servers OU contains 10 Windows Server 2003 computers that contain confidential human resources information. The Workstation OU contains all of the Windows XP Professional computers in the domain. All client computers need to communicate with the human resources servers. The company's written security policy requires that all network communications with the servers that contain human resources data must be encrypted by using IPSec. Client computers must also be able to communicate with other computers that do not support IPSec. You create three Group Policy objects (GPOs), one for each of the three default IPSec policies. You need to link the GPOs to the appropriate Active Directory container or containers to satisfy the security and access requirements. You want to minimize the number of GPOs that are processed by any computer. What should you do? To answer, drag the appropriate GPO or GPOs to the correct Active Directory container or containers in the work area.
Answer:
Explanation: The servers in the HR_Servers OU require secure communications, so we must enable the Secure Server (Require Security) IPSec policy. The clients should have the Client (Respond Only) IPSec policy assigned. This means that when the clients communicate with an HR server, the server will demand the use of IPSec, and the client will be able to use IPSec. The clients will still be able to communicate with other computers without using IPSec.
IPSec for High security - Computers that contain highly sensitive data are at risk for data theft, accidental or malicious disruption of the system (especially in remote dial-up scenarios), or any public network communications.
1. Client (Respond Only)
This default policy contains one rule, the default response rule.
This rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.
2. Secure Server (Require Security)
This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, 728

Part 7: Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in. (0 questions)

Topic 6, Planning, Implementing, and Maintaining Security Infrastructure (34 Questions)
Part 1: Configure Active Directory directory service for certificate publication. (3 questions)

QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory forest. The forest contains Windows Server 2003 servers and Windows XP
Professional computers. The forest consists of a forest root domain named testking.com and two child domains named asia.testking.com and europe.testking.com. The asia.testking.com domain contains a member server named TestKing2. You configure TestKing2 to be an enterprise certification authority (CA), and you configure a user certificate template. You enable the Publish certificate in Active Directory setting in the certificate template. You instruct users in both the asia.testking.com and the europe.testking.com domains to enroll for user certificates. You discover that the certificates for user accounts in the asia.testking.com domain are being published to Active Directory, but the certificates for user accounts in the europe.testking.com domain are not. You want certificates issued by TestKing2 to europe.testking.com domain user accounts to be published in Active Directory. What should you do?
A. Configure user certificate autoenrollment for all domain user accounts in the testking.com domain.
B. Configure user certificate autoenrollment for all domain user accounts in the europe.testking.com domain.
C. Add TestKing2 to the Cert Publishers group in the testking.com domain.
D. Add TestKing2 to the Cert Publishers group in the europe.testking.com domain.
Answer: D
Explanation: The problem here is that TestKingSrvC does not have the necessary permission to publish certificates for users in child2.testking.com. We can solve this problem by adding TestKingSrvC to the Cert Publisher group in the child2.testking.com domain.
Incorrect Answers:
A, B: The problem is not enrolment, it is that the certificates are not being published, which points to permissions.
C: It is the europe.testking.com domain that has a problem, not the testking.com domain.
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3

QUESTION NO: 2
You are a network administrator for TestKing. The network consists of a single Windows 2000 Active Directory forest that has four domains. All client computers run Windows XP
.ro$essional ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2;= 2 The com#anyJs "ritten security #olicy states that all e>mail messages must be electronically signed "hen sent to other em#loyees You decide to de#loy 'erti$icate Ser/ices and automatically enroll users $or e>mail authentication certi$icates You install !indo"s Ser/er 2==, on t"o member ser/ers and install 'erti$icate Ser/ices You con$igure one !indo"s Ser/er 2==, com#uter as a root certi$ication authority &')( You con$igure the other !indo"s Ser/er 2==, ser/er as an enter#rise subordinate ') You o#en 'erti$icate Tem#lates on the enter#rise subordinate ')* but you are unable to con$igure certi$icates tem#lates $or autoenrollment The 'erti$icate Tem#lates administration tool is sho"n in the e3hibit You need to con$igure )cti/e Directory to su##ort autoenrollment o$ certi$icates !hat should you do% ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2G" 2 A. Run the adprep Hforestprep command on the schema operations master. 1. 5lace the enterprise subordinate .AKs computer account in the .ert 5ublisher Domain 4ocal group. .. Run the adprep Hdomainprep command on a !indows 2""" $er%er domain controller that is in the same domain as the enterprise subordinate .A. D. &nstall Acti%e Director on the !indows $er%er 2""3 member ser%er that is functioning as the enterprise subordinate .A. .onfigure this ser%er as an additional domain controller in the !indows 2""" Acti%e Director domain. 
Answer: A

Explanation: The autoenrollment feature has several infrastructure requirements. These include:
- Windows Server 2003 schema and Group Policy updates
- Windows 2000 or Windows Server 2003 domain controllers
- Windows XP Client
- Windows Server 2003, Enterprise Edition running as an Enterprise certificate authority (CA) domain controllers.
The Enterprise CA is running on a Windows Server 2003 member server which will work fine only if the forest schema is a Windows Server 2003 schema. We can update the forest schema with the adprep /forestprep command.

Incorrect Answers:
B: This will happen in the domain in which the CA is installed.

C: The adprep /domainprep command prepares a Windows 2000 domain for an upgrade to a Windows Server 2003 domain. We are not upgrading the domain, so this isn't necessary.
D: The CA does not have to be installed on a domain controller. You can't install AD on a Windows 2003 server until you run the adprep commands.

Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/certenrl
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3

QUESTION NO: 3

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named TestKing5. You are planning a public key infrastructure (PKI) for the company. You want to deploy a certification authority (CA) on TestKing5. You create a new global security group named Cert Administrators. You need to delegate the tasks to issue, approve, and revoke certificates to members of the Cert Administrators group. What should you do?

A. Add the c group in the domain.
B. Configure the Certificates Templates container in the Active Directory configuration naming context to assign the Cert Administrators group the Allow - Write permission.
C. Configure the CertSrv virtual directory on TestKing5 to assign the Cert Administrators group the Allow - Modify permission.
D. Assign the Certificate Managers role to the Cert Administrators group.
Answer: D

Explanation: To be able to issue, approve and revoke certificates, the Cert Administrators group needs to be assigned the role of Certificate Manager. The Certificate Manager approves certificate enrollment and revocation requests. This is a CA role, and is sometimes referred to as CA Officer.

Incorrect Answers:
A, B, C: Only the Certificate Manager can perform the required tasks.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-4 to 11-8.
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 890

Part 2: Plan a public key infrastructure (PKI) that uses Certificate Services.

A: Identify the appropriate type of certificate authority to support certificate issuance requirements. (4 questions)

QUESTION NO: 1 DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains three Windows Server 2003 computers: Testking1, Testking2, and Testking3. You intend to use the three servers as certification authorities (CAs) for the following roles:

Server name    Role
Testking1      root CA
Testking2      subordinate CA
Testking3      subordinate CA

Testking2 will be used exclusively to issue enrolment agent certificates. Testking3 will be used to issue all other certificate types needed in the domain. You plan to take Testking1 offline after the CA hierarchy is established. You want to minimize the possibility that unauthorized certificates might get issued. You also want to be able to revoke certificates that are issued by a subordinate CA if that server is compromised, without affecting the certificates that are issued by the other subordinate CA. You need to design a CA hierarchy that meets the requirements. What should you do?

To answer, drag the appropriate CAs to the correct locations in the work area.

Answer:

Explanation:
If you shift the responsibility of issuing certificates to subordinate CAs, you can take the root CA offline, meaning that you detach it from the network entirely. This provides a very high level of security, because attackers have no way of getting to the machine. When a subordinate CA requires a certificate from the root, you can either briefly connect the root CA to the network and then remove it again, or you can literally use a floppy disk.

References: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 881.

QUESTION NO: 2 DRAG DROP
You are a network administrator for TestKing. The network consists of two Active Directory forests. No trust relationships exist between the two forests. All computers in both forests are configured to use a common root certification authority (CA). Each forest contains a single domain. The domain named hr.testking.com contains five Windows Server 2003 computers that are used exclusively to host confidential human resources applications and data. The domain named testking.com contains all other servers and client computers. A firewall separates the human resources servers from the other computers on the network. Only VPN traffic from testking.com to a remote access server in hr.testking.com is allowed through the firewall. Managers need to access data on the servers in hr.testking.com from their Windows XP Professional computers. The company's written security policy requires that all communication containing human resources data must be secured by using the strongest IPSec encryption available. You need to configure an IPSec policy for the servers that host the human resources data that complies with the written security policy and gives the managers in testking.com access to the data they need. What should you do?

To answer, drag the appropriate configuration settings to the IPSec Policy Configuration.

Answer:

Explanation:
certificates, we must affect all traffic, and the server must require security. The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections.
For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, p. 733

QUESTION NO: 3

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The network contains 100 Windows XP Professional computers. You configure a wireless network that requires IEEE 802.1x certificate-based authentication. Only 10 of the client computers are approved for wireless network access. You need to enable the approved computers to access the wireless network while restricting access for all other computers. What should you do?

A. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the user accounts for the employees who will use the approved computers. Create a certificate template for IEEE 802.1x authentication. For the global group, configure autoenrollment for certificates based on the certificate template.
B. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the approved computer accounts. Create a certificate template for IEEE 802.1x authentication. For the global group, configure the autoenrollment for certificates based on the certificate template.
C. Create a global group that contains the user accounts for the employees who will use the approved computers. Configure the security permissions for the Default Domain Policy Group Policy object (GPO) so that only the new global group can apply to the GPO settings. Establish an enterprise certification authority (CA) for the domain.
D. Create a global group that contains the approved computer accounts. Configure the security permissions for the Default Domain Controllers Policy Group Policy object (GPO) so that only the new global group can apply the GPO settings. Establish an enterprise certification authority (CA) for the domain.
Answer: B

Explanation: The question states that only 10 of the client computers are approved for wireless network access. Therefore we need to authenticate the computers to allow wireless access. To plan for the configuration of Active Directory for your wireless clients, identify the user and computer accounts for wireless users, and add them to a group that will be used in conjunction with a remote access policy to manage wireless access. You must also determine how to set the remote access permission on the user and computer accounts. Provides options that allow you to specify how computer authentication works with user authentication.
1. If you select Computer only, authentication is always performed using the computer credentials. User authentication is never performed.
2. If you select With user re-authentication (recommended), when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials.
3. If you select With user authentication, when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.
A global group is a security or distribution group that can contain users, groups, and computers from its own domain as members. Global security groups can be granted rights and permissions for resources in any domain in the forest. Thus you should establish an enterprise CA for the domain and create a global group that contains all approved computer accounts and then configure auto enrollment of the certificate template for IEEE 802.1x authentication.
Incorrect answers:
A, C: The newly created global group must contain the approved computer accounts and not the user accounts for the employees who will use the approved computers.
D: Creating a global group that contains all the approved computer accounts is correct, but then you also need to configure auto enrollment of the certificate template for IEEE 802.1x authentication.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 803-805

QUESTION NO: 4

You are the network administrator for TestKing. The network includes a perimeter network. The perimeter network consists of a single Active Directory domain named testking.com. The domain contains four Windows Server 2003 Web servers configured as a Network Load Balancing cluster. The cluster hosts an Internet e-commerce Web site. You upgrade the Web site to require users to log on in order to gain full access to the site. You will use Active Directory to store the user accounts. Web site users may access the site by using various Web browsers. You need to enable and require SSL when users log on to the Web site. You need to minimize the administrative impact for users of the Web site. What should you do?

A. Obtain a Web server certificate from an external certification authority (CA) that is widely trusted on the Internet. Install the certificate on each Web server in the cluster.
B. Configure a stand-alone certification authority (CA) in the perimeter network. Obtain a Web certificate from the CA. Install the certificate on each Web server in the cluster.
C. Install Certificate Services on each Web server in the cluster, and configure each Web server as an enterprise certification authority (CA). Configure certificate autoenrollment for all users.
D. Install Certificate Services on each Web server in the cluster, and configure each Web server as a stand-alone certification authority (CA). Configure Web-based certificates enrollment for users.
Answer: A

Explanation: To enable SSL on the web cluster we need a Web server certificate. The web site is a publicly accessible site, so the Web server certificate needs to be trusted by the public computers. We should use a Web server certificate from an external certification authority (CA) that is widely trusted on the Internet such as Verisign.

Incorrect Answers:
B: The public client computers will display a message saying that the server certificate is not trusted.
C: The web server needs a Web server certificate from an external certification authority. It does not need to be a CA.
D: The web server needs a Web server certificate from an external certification authority. It does not need to be a CA.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 882-88

Knowledge base Articles:
How to Configure Certificate Server for Use with SSL on IIS KB 218445
HOW TO: Configure IIS Web Site Authentication in Windows Server 2003 KB 32427
HOW TO: Load Balance a Web Server Farm Using One SSL Certificate in IIS KB 313299

B: Plan the enrollment and distribution of certificates. (12 questions)

QUESTION NO: 1

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a Windows Server 2003 computer named Testking1 that is not a member of the domain and a Windows Server 2003 member server named Testking2. You need to implement a public key infrastructure (PKI) for the network. You configure Testking1 as a root certification authority (CA). You intend to disconnect Testking1 from the network. You configure Testking2 as a subordinate CA, and you leave Testking2 connected to the network. You need to configure Testking1 to support updates to the certificate revocation list (CRL) and to support certificate chain verification on the network while it is offline. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. On Testking1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP) setting to point to a shared folder. Regularly copy the CRL from Testking1 to the shared folder.
B. On Testking1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.
C. On Testking1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to a shared folder. Regularly copy the AIA from Testking1 to the shared folder.
D. On Testking1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.
E. Configure the Default Domain Policy Group Policy object (GPO) to enable the Enroll certificates automatically setting and then select the Remove expired certificates, update pending certificates and remove revoked certificates option.
F. Configure all certificate templates on Testking2 to be published in Active Directory.

Answer: B, D

Explanation: Most CA configuration after installation is done through the Certification Authority snap-in; this snap-in can be used to install and manage certification services. CRL Distribution Points or CDPs are locations on the network to which a CA publishes the CRL. In the case of an enterprise CA under Windows Server 2003, Active Directory holds the CRL and for a standalone, the CRL is located in the certsrv\certenroll directory. Each certificate has a location to go for the latest CRL. For TestKing1 to support CRL and certificate verification on the network while it is offline, you need to use the Certification authority snap-in to configure a CDP as well as an AIA setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.

Incorrect answers:
A, C: Setting the CDP setting as well as the AIA setting on TestKing1 to point to a shared folder will need the network to be online to work.
E: This is not a matter of enrollment and selecting the Remove expired certificates, etc. that is the function of CRLs.
F: Subordinate CAs are child CAs in the hierarchy. They are certified by the root authority and bind its public key to its identity. Just as the root CA can issue and manage certificates and certify child CAs, a subordinate CA can also perform these actions and certify CAs that are subordinate to it in the hierarchy. TestKing2 is a subordinate CA. But this is not what is required.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 886, 907

QUESTION NO: 2

You are a network administrator for TestKing.com. The network consists of two Active Directory domains. You are responsible for administering one domain, which contains users who work in the sales department. User objects for the users in the sales department are stored in an organizational unit (OU) named Sales in your domain. Users in the sales department use a Public Key Infrastructure (PKI) enabled application that requires users to present client authentication certificates before they are granted access. You install Certificate Services on two member servers running Windows Server 2003. You configure one server as an enterprise subordinate certification authority (CA) and the other server as a stand-alone root CA. You need to issue certificates that support client authentication to sales users only. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll users for certificates.
B. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll computers for certificates.
C. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales users for certificates.
D. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales client computers for certificates.

Answer: C

Explanation: The first step in the creation process is to duplicate an existing template. For a user to request a certificate, the user must have the Enroll permission assigned to him or her for manual requests and the Autoenroll permission for automatic requests. Autoenrollment enables the request and issuance of certificates to proceed without user intervention. Creating a new GPO will minimize the amount of administrative effort, while linking it to the Sales OU will ensure that certificates will be issued to the sales users only.

Incorrect Answers:
A, B: This GPO is linked to the Domain Controllers OU, and it generally affects only domain controllers, because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU.
D: Certificates need to be issued to sales users, not sales computers.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 912

QUESTION NO: 3

You are the network administrator for TestKing. There is a single active directory domain named TestKing.com. All computers on the network are members of the domain. All domain controllers run Windows Server 2003. You are planning a Public Key Infrastructure (PKI). The PKI design documents for TestKing specify that certificates that users request to encrypt files must have a validity period of two years. The validity period of the Basic EFS certificate is one year. In the Certificates Templates console, you attempt to change the validity period for the Basic EFS certificate template. However, the console does not allow you to change the value. You need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files. What should you do?

A. Install an enterprise CA in each domain.
B. Assign the Domain Admins group the Allow Full control permission for the Basic EFS certificate Template
C. Create a duplicate of the basic EFS certificate template. Enable the new template for issuing certificate authorities
D. Instruct users to connect to the CA Web Enrolment pages to request a Basic EFS certificate.

Answer: C

Explanation: The question states that the validity period of the Basic EFS certificate is one year. This suggests that we are using a standalone CA (the default validity period for an enterprise CA is two years). We cannot change the validity period of the Basic EFS template, but we can however, make a copy of the Basic EFS template. This would enable us to make changes to the copy of the template.

Incorrect Answers:
A: The default validity period for an enterprise CA is two years. This would satisfy the requirement that the certificates have a validity period of two years.
However, it does not satisfy the requirement that "you need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files". Therefore, answer C is a better solution.
B: This is not a permissions issue. We cannot change the values in the template because they are hardcoded into the templates.
D: We need to edit the template before the users receive the certificates.

Reference: http://support.microsoft.com/?id=254632
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 872-875

QUESTION NO: 4

You are a network administrator for TestKing.com. TestKing participates in a joint venture with Alpine Ski House. Each company's network consists of a single Active Directory forest. The functional level of each forest is Windows 2003. A two-way forest trust relationship exists between both companies. Each company maintains its own certification authority (CA). Users are required to encrypt and digitally sign all e-mail messages relating to the joint venture that are sent between the companies. Users in the testking.com domain report that when they open e-mail messages sent by users in the alpineskihouse.com domain, they receive a security warning. The warning indicates an error in the certificate used to sign the e-mail message. You examine several e-mail messages and discover the error shown in the exhibit. You need to ensure that users in the testking.com domain receive e-mail messages without receiving any error messages. You need to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Add the computer account for the enterprise root CA in the alpineskihouse.com domain to the Cert Publisher domain local group in the testking.com domain.
B. In the alpineskihouse.com domain, delegate the Allow - Read userCertificate permission for contact objects to the Domain Users global group in the testking.com domain.
C. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, import the enterprise root certificate from the alpineskihouse.com domain.
D. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, run the certutil command to publish the root certificate to Active Directory.

Answer: C

Explanation: An enterprise CA is tied into Active Directory (AD) and is required to use it. In fact, a copy of its own CA certificate itself is stored in Active Directory. Users can import certificates into any one of the certificate categories found in the certificate store. In the Certificates snap-in, right-click the certificate category to which you want to import the certificate, point to All Tasks, and choose Import. Type the certificate filename, which should have a standard certificate format extension (.PFX, .P12, .CER, .CRT, .P7B, .STL, .SPC, .CRL, or .SST). For PKCS #12 files, which contain private keys as well as certificates, type the password used to protect the file.

Exporting Certificates and Private Keys
The Export command in the Certificates snap-in provides two distinct functions. First, it allows a certificate or certificate chain to be exported for the purpose of sharing it with users or computers that are not privy to a certificate directory. Second, it allows the export of a certificate or certificate chain along with the associated private key for cryptographic use on another machine. You can export any type of certificate, including those in root CAs.
Naturally, only certificates with available private keys (that is, personal certificates) that are marked as exported can be exported together.

Incorrect options:
A: This option results in unnecessary administrative effort that can be avoided by simply exporting and importing the enterprise root certificate to the appropriate domains.
B: This is not a matter of delegating certain permissions for contact object in the testking.com domain.
D: The certutil command is mainly used when certificate services are installed before IIS and it will enable an IIS client to connect by supplying the necessary enrolment. This is not what is required.

Reference:
Charlie Russel, Sharon Crawford & Jason Gerend, Microsoft Windows Server 2003 Administrator's Companion, Microsoft Press, Redmond, Washington, 2004, Chapter 21

QUESTION NO: 5
You are the network admin for TestKing. The network contains Windows Server 2003 and Windows XP Professional clients. All computers are members of the same Active Directory forest. The company uses a Public Key Infrastructure (PKI) enabled application to manage marketing data. Certificates used with this application are managed by the application administrators. You install certificate services to create an offline stand alone root CA on one Windows Server 2003 server. You configure a 2nd Windows Server 2003 server as a stand alone sub CA. You instruct users in the marketing department to enroll for certificates by using the web enrollment tool on the stand alone Sub CA. Some users report that when they attempt to complete the enrollment process, they receive an error message on their certificate stating:

You need to ensure that users in the marketing department do not continue to receive this error. You also need to ensure that users in the marketing department trust certificates issued by this CA. You create a new OU named Marketing. What else should you do?
A. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. Publish the root CA's root certificate in the Trusted Root Certification Authorities section of the GPO
B. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the marketing OU.
In the user configuration section of the GPO, configure a certificate trust list (CTL) that contains the sub's CA certificate
C. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. In the computer configuration section of the GPO, configure a certificate trust list (CTL) that contains the sub's CA certificate
D. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the marketing OU. In the user configuration section of the GPO, configure a certificate trust list (CTL) that contains the root's CA certificate

Answer: D

Explanation: We need to configure the Marketing department users to trust the root CA. We can do this using a group policy object (GPO). We should place the marketing department user objects in the Marketing OU and apply the GPO to the OU. A certificate trust list (CTL) is a signed list of root certification authority certificates that an administrator considers reputable for designated purposes. For the client to trust the certificate, it needs to install a copy of the certificate as a trusted root certificate in its own certificate store.

Incorrect Answers:
A: This setting is available for the Computer Configuration node only.
B, C: For the client to trust the certificate, it needs to install a copy of the certificate as a trusted root certificate in its own certificate store. Thus these options are incorrect.

Reference:
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, pp. G-10.

QUESTION NO: 6
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The network contains a Windows Server 2003 computer named TestKingCA. The company uses an enterprise certification authority (CA) on TestKingCA to issue certificates. A certificate to encrypt files is autoenrolled to all users. The certificate is based on a custom Encrypting File System (EFS) certificate template. The validity period of the certificate is set to two years. Currently, the network is configured to use data recovery agents. You are planning to implement key archival for the keys that users use to decrypt files. You configure the CA and the custom EFS certificate template to enable key archival of the encryption private keys. You need to ensure that the private EFS key of each user who logs on to the domain is archived. What should you do?
A. Configure a new issuance policy for the custom EFS certificate template.
B. Configure the custom EFS certificate template to reenroll all certificate holders.
C. Select the Automatically Enroll Certificates command in the Certificates console.
D. Configure a logon script that runs the gpupdate.exe /force command for the users.

Answer: B

Explanation: The question states: "A certificate to encrypt files is autoenrolled to all users." We have now modified the custom EFS certificate template to enable key archival of the encryption private keys. Therefore, we now need to reenroll all certificate holders so that they get new certificates based on the new template, and their keys are archived. EFS always attempts to enroll for the Basic EFS template. The EFS driver generates an autoenrollment request that Autoenrollment tries to fulfill. For customers that want to ensure that a specific template is used for EFS (such as to include key archival), the new template should supersede the Basic EFS template. This will ensure that Autoenrollment will not attempt enrollment for Basic EFS any more.

Key Archival - The private key database is the same as the database used to store the certificate requests. The Windows Server 2003 Certification Authority database has been extended to support storing the encrypted private key along with the associated encrypted symmetric key and issued certificate. The recovery blob will be stored in the same row as the signed certificate request and any other information the CA persists in its database for each request transaction. The actual encrypted blob is stored as an encrypted PKCS #7 blob. The Microsoft Certification Authority uses the JET database engine upon which various JET utilities may be used for maintenance purposes.

Incorrect Answers:
A: This would use up too much time.
C: The question states: "A certificate to encrypt files is autoenrolled to all users."
D: This option reapplies all settings without optimization.

Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/mainta
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 868

QUESTION NO: 7
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for the company. You want to ensure that users who log on to the domain receive a certificate that can be used to authenticate to Web sites. You create a new certificate template named User Authentication. You configure a Group Policy object (GPO) that applies to all users. The GPO specifies that user certificates must be enrolled when the policy is applied. You install an enterprise certification authority (CA) on a computer that runs Windows Server 2003. Users report that when they log on, they do not have certificates to authenticate to Web sites that require certificate authentication. You want to ensure that users receive certificates that can be used to authenticate to Web sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. On the User Authentication certificate template, select the Reenroll All Certificate Holders command.
B. Assign the Domain Users group the Allow - Autoenroll permission for the User Authentication certificate template.
C. Configure the CA to enable the User Authentication certificate template.
D. Assign the Domain Users group the Allow - Issue and Manage Certificates permission for the CA.

Answer: B, C

Explanation: For users to request certificates from an enterprise CA, they must have permission to use the templates corresponding to the certificates they need.

Incorrect Answers:
A: Only used when critical changes have been made to a certificate template, and you want it to apply to all users immediately.
D: This would be a security risk, since users should not be allowed management permissions.

Reference:
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, pp. 25-14.

QUESTION NO: 8
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for TestKing. You want to deploy smart cards for all users in the domain. You want the members of a new group named Smartcard Agents to be able to issue smart cards for all users. You create a new global group named Smartcard Agents. You install an enterprise certification authority (CA) on a Windows Server 2003 computer named Testking1. You create a duplicate of the Enrollment Agent certificate template and change the validity period of the new certificate template to three years. The name of the new certificate template is SmartCard Enrollment. The configuration of permissions for the Smartcard Enrollment certificate template is shown in the exhibit.

However, members of the Smartcard Agents group report that when they start the Certificate Request Wizard, they do not see Smartcard Enrollment in the list of certificate types that they can request. You want to ensure that members of the Smartcard Agents group request SmartCard Enrollment certificates. What should you do?
A. Assign the Smartcard Agents group the Allow - Autoenroll permission for the Smartcard Enrollment certificate template.
B. Add the Enrollment Agent certificate template to the list of superseded templates on the Smartcard certificate template.
C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template.
D. Configure the enterprise CA to assign the Certificate Managers role to the Smartcard Agents group.
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web enrolment pages to request certificates.

Answer: A

Explanation: A client has three ways to request a certificate from a CA. The most common is autoenrollment. There is a group policy entitled Automatic Certificate Request Settings. The property sheet for this policy enables you to choose to either Enroll certificates automatically or not. Also, you will need to ensure that Enroll subject without requiring any user input option is selected on the Request Handling tab of the certificate template property sheet. Autoenrollment of certificates can be done through Group Policy for users and computers. When using autoenrollment, users do not need to be aware of the certificates that are enrolled, retrieved, or renewed. When you select autoenrollment behavior, you can establish a silent autoenrollment that requires zero user input. You can also require a user to provide input such as when users have smart cards and personal identification numbers (PINs). You set autoenrollment of computer and user certificates in the Autoenrollment Settings Properties dialog box, which you can access by opening Autoenrollment Settings in Computer Configuration or User Configuration/Windows Settings/Security Settings/Public Key Policies in a GPO for a site, domain, or OU.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 892, 895-897

QUESTION NO: 9

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named TestKingA. You are planning a public key infrastructure (PKI) for the company. You want to deploy an enterprise certification authority (CA) on TestKingA. You create a new global security group named Cert Approvers. You install an enterprise CA and configure the CA to issue Key Recovery Agent certificates. The company's written security policy states that issuance of a Key Recovery Agent certificate requires approval from a member of the Cert Approvers group. All other certificates must be issued automatically. You need to ensure that members of the Cert Approvers group can approve pending enrolment requests for a Key Recovery Agent certificate. What should you do?
A. Assign the Cert Approvers group the Allow - Enroll permissions for the Key Recovery Agent.
B. Assign the Cert Approvers group the Allow - Issue and Manage Certificates permission for the CA.
C. For all certificate managers, add the Cert Approvers group to the list of managed subjects.
D. Add the Cert Approvers group to the existing Cert Publisher group in the domain.
E. Assign the Cert Approvers group the Allow - Full Control permission for the Certificate Templates container in the Active Directory configuration naming context.

Answer: B

Explanation: In order to approve certificates you need certificate manager rights. In order to get those rights you need Issue and Manage Certificates rights. The option to enable auto enroll or wait for approval is made at the certificate template (in this case, the key recovery template).

Incorrect Answers:
A: Will allow enroll only.
C: Will allow all certificate managers.
D: Cert publisher group is meant to include the CA servers only.
E: No need to give them full control on the certificate template when we have role separation in Windows 2003 PKI.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 887

QUESTION NO: 10
You are the network administrator for TestKing. All servers run Windows Server 2003. TestKing has 1,000 users that need to use certificates for secure e-mail. TestKing also uses certificates for Encrypting File Systems (EFS) and for authentication to Web-based applications that are located in the perimeter network. TestKing is legally required to maintain access to files and e-mail messages even after employees leave TestKing. TestKing also has internal requirements stating that administrators must be able to restore lost certificate keys for network users. You need to provide a backup and recovery plan to be used in the event that users accidentally delete or lose their certificates and the associated private keys. You need to plan the steps for configuring the certification authority (CA) to issue user certificates for EFS, secure e-mail, and client authentication. Your plan must also provide all requirements for recovering private keys for user certificates. Your plan must minimize administrative effort. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)
A. Create a key recovery agent and acquire the Key Recovery Agent certificate for the account.
B. Configure the CA with a policy module that requires the administrator to explicitly issue certificates.
C. Configure the CA to allow key archival.
D. Create a new certificate template that has the proper application policies and allows key archiving. Add the certificate template to the CA. Allow authenticated users to enroll for certificates by using the new certificate template.
E. Configure the certificate template to supersede the Domain Controller Authentication certification template.

Answer: A, C, D

Explanation: Windows Server 2003 provides a locksmith of sorts (called a Registration Authority, or RA) that earlier versions of Windows did not have. A key recovery solution, however, is not easy to implement and requires several steps. The basic method is as follows:
1. Create an account to be used for key recovery.
2. Create a new template to issue to that account.
3. Request a key recovery certificate from the CA.
4. Have the CA issue the certificate.
5. Configure the CA to archive certificates by using the Recovery Agents tab of the CA property sheet
6. Create an archive template for the CA.
Key archival and recovery rely on a version 2 template, which is only available in Windows Server 2003 Enterprise or Datacenter Editions.

Incorrect answers:
B: The CA should be configured to allow key archival not a policy module that requires the administrator to explicitly issue certificates.
E: This option will not minimize administrative effort under the given circumstances.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 88
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/mainta

QUESTION NO: 11 DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for TestKing. TestKing's written security policy states that the private keys that are used to encrypt files must be archived for later recovery. You install an enterprise certification authority (CA) on a server that runs Windows Server 2003. You create a new certificate template for file encryption. You configure the certificate template so that the private key is archived. All users on the domain are issued certificates from this template. You separate the roles of key recovery agent and certificate manager. As part of the planning of the CA deployment, you want to document the procedure for how to recover a private key for a user. Which three actions should you include in your procedure?

Answer:

Explanation: The Certutil.exe program is a command-line alternative to the Certification Authority console that administrators use to manage a CA. The Certutil.exe program is a command-line utility that can perform the same tasks as the Certification Authority console.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 88
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddo

QUESTION NO: 12
You are a network administrator for TestKing. All servers run Windows Server 2003. The company uses a public key infrastructure (PKI) enabled sales application that enforces strong certificate revocation list (CRL) checking. On average, 100,000 users require access to this application. A stand-alone root certification authority (CA) is configured to issue certificates to users. Certificate Services is configured as shown in the exhibit.

Certificates you issue are valid for three years. You issue and revoke approximately 10,000 certificates per month for 12 months. After 12 months, users begin to report delays when they open the sales application. You discover that the delays occur periodically. You need to improve the performance when users open the sales application. What should you do?
A. Configure Certificate Services to publish the delta CRL daily and the base CRL monthly.
B. Configure Certificate Services to publish the base CRL to a Web server on the network. Include this location in the CRL distribution point of certificates.
C. Configure a subordinate CA. Instruct new users to enroll for certificates by using this CA.
D. Configure Certificate Services to publish the base CRL daily and the delta CRL monthly.

Answer: A

Explanation: The CRL is a list of certificates that are expired or invalid, and it is made available so that network users can identify whether certificates they receive are valid. CRLs can become very long on large CAs that have experienced significant amounts of certificate revocation. This can become a burden for clients to download frequently. To help minimize frequent downloads of lengthy CRLs, delta CRLs can be published. This allows the client to download the most current delta CRL and combine that with the most current base CRL to have a complete list of revoked certificates.
Because the client will normally have the CRL cached locally, the use of delta CRLs can potentially improve performance. Delta CRL is a list containing only the certificates that have been revoked since the last certificate revocation list was published. Delta lists enable new additions to a CRL to be published without the need to publish the entire CRL again. Much like an incremental backup in theory, this advancement helps optimize network speed and simplifies the distribution of CRLs.

Incorrect answers:
B: Configuring Certificate Services to publish the base CRL to a Web server on the network will not ensure that you have a current up to date revocation list and network performance will thus not be improved.
C: Any certification authority that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher-level subordinate CA. They are certified by the root authority and bind its public key to its identity. Just as the root CA can issue and manage certificates and certify child CAs, a subordinate CA can also perform these actions and certify CAs that are subordinate to it in the hierarchy. However, since many certificates are revoked on a monthly basis, it will not improve performance if new users enroll for certificates using subordinate CAs. This will only result in even more revocations.
D: Publishing the base CRL on a daily basis and the delta CRL on a monthly basis will not improve performance. You should rather have it done vice versa.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp. 71-72, 872
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 3

- C: Plan for the use of smart cards for authentication. (6 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. You configure a certification authority (CA) to issue smart card authentication certificates. Users who have administrative responsibilities are required to have two accounts. One account is for general computer use. The other account is an administrative account that has administrative privileges and is used only when performing administrative tasks. You decide to deploy smart cards to all users in your company. You issue one smart card to each user for general computer use. You enroll each user for a smart card authentication certificate. You need to plan smart card access for users who have administrative responsibilities. What should you do?
A. Issue an additional smart card to users who have administrative responsibilities. Enroll each user's administrative account for a smart card authentication certificate. Instruct users to use this card when logging on to perform administrative tasks.
B. Enroll each user's administrative account for a smart card authentication certificate. When prompted, store the certificate on the existing smart card. Instruct users to use this card when logging on to perform all tasks.
C. Configure Group Policy to autoenroll administrative users for certificates. Instruct these users to log on by using their nonadministrative accounts.
D. Issue a master card to users who have administrative responsibilities. Instruct users to use this card when logging on to perform administrative tasks.

Answer: B

Explanation: Smart card enrollment is the process by which a CA grants a certificate to the card. After enrollment, the user can insert the card at any workstation on the network, including terminal services clients and remote access clients, as long as a smart card reader is present.

Smart card logon
A smart card is a credit card-size device that contains memory and possibly an integrated circuit. Windows Server 2003 can use a smart card as an authentication device that verifies the identity of a user during logon.
The smart card contains the user's certificate and private key, enabling the user to log on to any workstation in the enterprise with full security.

Incorrect Answers:
A: The question does not state that users with administrative responsibilities should have two smart cards.
C: The question states that: "You need to plan smart card access for users who have administrative responsibilities". This option talks about nonadministrative accounts.
D: This is an invalid option.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370 Chapter 12, pp. 898
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 11

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for TestKing. You want to deploy smart cards for all users in the domain. You want the members of a new group named Smartcard Agents to be able to issue smart cards for all users. You create a new global group named Smartcard Agents. You install an enterprise certification authority (CA) on a Windows Server 2003 computer named Testking1. You create a duplicate of the Enrollment Agent certificate template and change the validity period of the new certificate template to three years. The name of the new certificate template is SmartCard Enrollment. The configuration of permissions for the Smartcard Enrollment certificate template is shown in the exhibit.

However, members of the Smartcard Agents group report that when they start the Certificate Request Wizard, they do not see Smartcard Enrollment in the list of certificate types that they can request. You want to ensure that members of the Smartcard Agents group request SmartCard Enrollment certificates.

What should you do?
A. Assign the Smartcard Agents group the Allow - Autoenroll permission for the Smartcard Enrollment certificate template.
B. Add the Enrollment Agent certificate template to the list of superseded templates on the Smartcard certificate template.
C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template.
D. Configure the enterprise CA to assign the Certificate Managers role to the Smartcard Agents group.
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web enrolment pages to request certificates.

Answer: A

Explanation: A client has three ways to request a certificate from a CA. The most common is autoenrollment. There is a group policy entitled Automatic Certificate Request Settings. The property sheet for this policy enables you to choose to either Enroll certificates automatically or not. Also, you will need to ensure that Enroll subject without requiring any user input option is selected on the Request Handling tab of the certificate template property sheet. Autoenrollment of certificates can be done through Group Policy for users and computers. When using autoenrollment, users do not need to be aware of the certificates that are enrolled, retrieved, or renewed. When you select autoenrollment behavior, you can establish a silent autoenrollment that requires zero user input. You can also require a user to provide input such as when users have smart cards and personal identification numbers (PINs). You set autoenrollment of computer and user certificates in the Autoenrollment Settings Properties dialog box, which you can access by opening Autoenrollment Settings in Computer Configuration or User Configuration/Windows Settings/Security Settings/Public Key Policies in a GPO for a site, domain, or OU.

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs either Windows XP Professional or Windows 2000 Professional. The company requires that all users log on by using smart cards. You deploy Certificate Services and smart card readers. You configure auto-enrollment to issue certificates to users. Users report that they cannot log on by using a smart card. You need to ensure that all users can log on by using a smart card. What should you do?
A. In Active Directory Users and Computers, configure all user accounts to require a smart card for interactive logon.
B. Configure the domain security policy to require smart cards for interactive logon.
C. Use the Certificate Services Web site to enroll each user for a smart card certificate.
D. Add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer.
Answer: C
Explanation: Although the question says "you configure auto-enrollment to issue certificates to users", it doesn't say what types of certificates were auto-enrolled. You can use the Certificate Services Web site to enroll each user for a smart card certificate. The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment station that is integrated with Certificate Services in Windows 2000 Server and Windows 2000 Advanced Server.
Incorrect answers:
A: This is not necessary. With this setting disabled, the users can log on using any method.
B: This is not necessary. With this setting disabled, the users can log on using any method.
D: In a single domain, the Certificate Authority would be trusted by the client computers in the domain. Therefore, it is not necessary to add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 887

QUESTION NO: 4 DRAG DROP

You are the network admin for TestKing. The network consists of a single Active Directory domain named TestKing.com. All servers run Windows Server 2003 and clients run XP Pro. You need to implement the capabilities and requirements in the following table for the users and computers:

Type of user or computer | Capability or requirement
Domain users | Smart card logon required for all users
Security global group | Ability to issue smart cards to all domain users
Human resources servers | Certificate based IPSec encryption required for all data transmissions
VPN Server | L2TP Required

All client computers are portable computers and need to connect to the VPN servers and to the HR resource servers. You configure a PKI to support the domain users and computers. You need to specify which type of certificate, if any, each type of user or computer requires. What should you do?
Answer:
Explanation: IPSec should be enabled on the HR servers, VPN servers and the client computers. The Smart Card certificates are issued to the users, not the computers. The Security group needs Enrollment Agents certificates. Smart card logon is integrated with the Kerberos version 5 authentication protocol implemented in Windows Server 2003. When smart card logon is enabled, the system recognizes a smart-card insertion event as an alternative to the standard Ctrl + Alt + Del secure attention sequence to initiate a logon. The user is then prompted for the smart card PIN code, which controls access to operations performed by using the private key stored on the smart card. In this system, the smart card also contains a copy of the certificate of the user (issued by an enterprise CA).
This allows the user to roam within the domain. Smart cards enhance the security of your organization by allowing you to store extremely strong credentials in an easy-to-use form. Requiring a physical smart card for authentication virtually eliminates the potential for spoofing the identities of your users across a network. In addition, you can also use smart card applications in conjunction with virtual private networks and certificate mapping, and in e-commerce. For many organizations, the potential to use smart cards for logon is one of the most compelling reasons for implementing a public key infrastructure.
Enroll clients - To participate in a PKI, users, services, and computers must request and receive certificates from an issuing CA. Typically, enrollment is initiated when a requester provides unique identifying information and a newly generated public key. The CA administrator or enrollment agent uses this unique identifying information to authenticate the identity of the requester before issuing a certificate.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 892

QUESTION NO: 5
You are a network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The company has users who work in the main office and users who work remotely by connecting to a server running Routing and Remote Access. The company's written security policy requires that administrators in the main office log on by using smart cards. The written security policy also requires that remote users use smart cards to access network resources. No other users are required to use smart cards. You issue portable computers that contain smart card readers to administrators and remote users. You issue smart cards to administrators and remote users. Administrators and remote users report that they can log on without using a smart card. You need to ensure that only administrators are required to use smart cards when working in the main office. You must also ensure that remote users are required to use smart cards when accessing network resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. In the computer configuration settings of the Default Domain Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.
B. On the server running Routing and Remote Access, select the Extensible authentication protocol (EAP) check box and require smart card authentication.
C. In the properties of each administrator account, select the Smart Card Required for Interactive Logon check box.
D. In the computer configuration settings of the Default Domain Controllers Policy Group Policy object (GPO), enable the Interactive logon: Requires smart card setting.
E. In the properties of each user account that requires remote access, select the Smart Card Required for Interactive Logon check box.
Answer: B, C
Explanation: We can require remote users to log on using smart cards only by configuring the RRAS server that the remote users connect to, to require smart card authentication. We can configure the administrators' user accounts to require smart cards for interactive logons. This setting is defined in the user properties in Active Directory Users and Computers.
Incorrect Answers:
A: This would require that all users log on using a smart card.
D: This would require that users use a smart card to log on to only the domain controllers. The administrators must use smart cards to log on to any machine in the domain.
E: This would require that the remote users log on using a smart card to any machine. They don't need a smart card logon if they are using a machine in the office.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7-9 to 7-10. Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 655

QUESTION NO: 6
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Most of the client computers are located in the offices of individual users. Some client computers are located in publicly accessible locations. The company's written security policy includes the following requirements:
1. All users must use smart cards to log on to a client computer.
2. Users using the publicly accessible client computers must be logged off if the smart card is removed from the smart card reader.
You configure all user accounts to require smart cards for interactive logon. You create an organizational unit (OU) named Public. You need to ensure that the appropriate result occurs on each client computer when a smart card is removed. You must achieve this goal without affecting other computers. What should you do?
A. Place all computer accounts for the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.
B. Place the user accounts of all users who use the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive logon: Smart card removal behavior setting to Force logoff.
C. On the Default Domain Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force logoff.
D. On the Default Domain Controllers Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force Logoff.
Answer: A
Explanation:

us to apply a group policy to the public computers. The question states that users must be logged off if the smart card is removed from the smart card reader. There is a specific setting in group policy for this. We can configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.
Incorrect Answers:
B: This is a computer setting, not a user setting.
C: This will force logoff all users in the domain. Only users of the public computers should be logged off when they remove their smart cards.
D: This will force logoff all users who log on to a domain controller. Only users of the public computers should be logged off when they remove their smart cards.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-2 to 10-12, 10-15 to 10-19, 10-24 to 10-28.

Part 3: Plan a framework for planning and implementing security.
A: Plan for security monitoring. (5 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network contains 20 Windows Server 2003 database servers. The written security policy for TestKing requires that the following services must be disabled on all database server computers:
1. Computer Browser
2. File Replication
3. Indexing Service
4. Remote Registry
5. Server
6. Task Scheduler
The written security policy also requires that the database servers must be prohibited from having access to the Internet. You use a Windows XP Professional client computer named Testking1 that has access to the Internet. You need to perform a weekly analysis of the hotfix level of the database servers compared with the latest available updates. You need to minimize the amount of administrative effort. What should you do?
A. Schedule the mbsacli.exe command to run weekly on Testking1. Configure the mbsacli.exe parameters to use a file that contains the names of all database servers.
B. Each week, copy the Mssecure.cab file from the Microsoft Web site to Testking1 and initiate a Remote Desktop connection to each database server. Run the mbsacli.exe command on each database server. Configure the mbsacli.exe parameters to reference Testking1 as a data source for the hotfix information.
C. Each week, initiate a Remote Desktop connection to each database server. Run the wmic.exe qfe command on each database server.
D. Each week, initiate a Remote Desktop connection to each database server. Run the hotfix.exe command on each database server.
Answer: B
Explanation: The command-line program for running MBSA is mbsacli.exe. MBSA scans for security vulnerabilities in the operating system and other Microsoft components. MBSA gives administrators a report after a scan has been completed. This report explains what security issues were discovered and how to correct them. The mbsacli.exe parameter /c domainname\computername performs a scan on the selected computer. The mbsacli.exe parameter -i ipaddress specifies the IP address of the computer to be scanned. If not specified, the default is the local computer.
Incorrect Answers:
A: mbsacli.exe should be run on each database server and not just on Testking1 as suggested in this option. Furthermore, the parameters should be configured to reference Testking1 as data source for the hotfix information.
C: The Windows Management Instrumentation Command (WMIC) utility is a command-line interface to the WMI infrastructure.
D: Hotfixes basically are single-issue related, something like an individual update only. This will definitely not be minimizing administrative effort.

Reference: Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, Chapter 8, pp. 480, 481 and 489. Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 828.

QUESTION NO: 2
Your network consists of a single Active Directory domain testking.com. TestKing has a main office in Denver and branch offices in Paris and Bogota. Each branch office contains a Windows Server 2003 DC. All client computers run Windows XP Professional. Users in the Bogota office report intermittent problems authenticating to the domain. You suspect that a specific client computer is causing the problem. You need to capture the authentication event details on the domain controller in the Bogota office so that you can find out the IP address of the client computer that is the source of the problem. What should you do?
A. Configure System Monitor to monitor authentication events.
B. Configure Performance Logs and Alerts with a counter log to record the authentication events.
C. Configure Network Monitor to record the authentication events.
D. Configure Performance Logs and Alerts with an alert to trigger on authentication events.
Answer: C
Explanation: The question states that you need to find out the IP address of the client computer that is the source of the problem. Using Network Monitor to capture traffic is the only way to do this.
Incorrect Answers:
A: This will not display the IP address of the client computer that is the source of the problem.
B: This will not display the IP address of the client computer that is the source of the problem.
D: This will not display the IP address of the client computer that is the source of the problem.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 826

QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional. You are planning a security update infrastructure. You need to find out which computers are exposed to known vulnerabilities. You need to collect the information on existing vulnerabilities for each computer every night. You want this process to occur automatically. What should you do?
A. Schedule the secedit command to run every night.
B. Schedule the mbsacli.exe command to run every night.
C. Install Microsoft Baseline Security Analyzer (MBSA) on one of the servers. Configure Automatic Updates on all other computers to use that server.
D. Install Software Update Services (SUS) on one of the servers. Configure the SUS server to update every night.
Answer: B
Explanation: We can schedule the mbsacli.exe command to periodically scan for security vulnerabilities.
Incorrect Answers:
A, C, D: The question says that you have to gather information to plan a security update infrastructure, not fix it immediately.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 830

QUESTION NO: 4
You are the network administrator for TestKing. The company is deploying a network that consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. You are planning the data transmission security for the sales department. You need to monitor the data transmissions to and from the client computers in the sales department at all times. You need to ensure the integrity of the data transmissions to and from the client computers. You also need to be able to implement intrusion detection on the sales department traffic. What should you do?
A. Assign a custom IPSec policy with the Integrity and Encryption security method to the sales department client computers.
B. Assign a custom IPSec policy with the Integrity only security method to the sales department client computers.
C. Assign a custom IPSec policy with a custom security method and the 3DES encryption algorithm to the sales department client computers.
D. Assign the Client (Respond Only) IPSec policy to the sales department client computers.
Answer: B
Explanation: The two primary protocols used by IPSec are AH and ESP. AH provides for data authentication and integrity, and ESP also provides those services, and also adds data confidentiality. AH and ESP can be used separately or together. Select the Data and address integrity without encryption (AH) check box if you need to provide data integrity for the packet's IP header and the data.
Then for Integrity algorithm, select either MD5 (which uses a 128-bit key) or SHA1 (which uses a 160-bit key). If you need to provide both integrity and encryption for data confidentiality, to monitor the IPSEC traffic because it is encrypted. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers. messages.
Incorrect Answer:
A: Using both AH and ESP is the only way to both protect the IP header and encrypt the data. However, this level of protection is rarely used because of the increased overhead that AH would incur for packets that are already adequately protected by ESP. ESP protects everything but the IP header, and modifying the IP header does not provide a valuable target for attackers. Generally, the only valuable information in the header is the addresses, and these cannot be spoofed effectively because ESP guarantees data origin authentication for the packets.
C: This option will work if you want both integrity and encryption for data confidentiality then select the Data integrity and encryption (ESP) checkbox. Then under increased performance, you can choose this), MD5, or SHA1. Under Encryption algorithm, choose None, DES, or 3DES. However, this is not what is needed.
D: Client (Respond Only) is the least secure default policy. You might want to implement this policy for intranet computers that need to respond to IPSec requests but do not require secure communications. If you implement this policy, the computer will use secured data communications when requested to do so by another computer. This policy uses the default response rule, which creates dynamic IPSec filters for inbound/outbound traffic based on the port/protocol requested.
This will not enable you to implement intrusion detection of the Sales department traffic.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 732-735

QUESTION NO: 5
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. You install a wireless network. You configure the network to use Wired Equivalent Privacy (WEP). You install Windows Server 2003 on a server named TestKingSrv3.

You install a wireless network adapter in TestKingSrv3. The company's written security policy for implementing wireless devices includes the following requirements:
1. Administrators must be able to identify unauthorized wireless devices that attempt to connect to the wireless network.
2. Administrators must be able to monitor wireless network device status, including radio channels information and signal strength, for wireless devices.
You need to comply with the security monitoring requirements. What should you do?
A. Add the Wireless Monitor snap-in to enable logging and to view Wireless Client Information.
B. Configure preferred networks in the wireless network policy for the Default Domain Policy Group Policy object (GPO).
C. Install and configure Network Monitor on TestKingSrv3 to capture and analyze network traffic.
D. In the wireless network policy for the Default Domain Policy Group Policy object (GPO), in the Networks to access list, select Any available network (access point preferred).
Answer: A
Explanation: Wireless Monitor allows you to view details about access points and wireless clients. You can use this information to troubleshoot your wireless service. The Wireless Configuration service logs information in Wireless Monitor that allows you to:
1. Identify service configuration changes.
2. Check the events logged in the Wireless Configuration service log that are generated from outside of your network, such as media event notifications, 802.1X events, and timer expiration events.
3. Check how the Wireless Configuration service reacts to external events by following transitions, as they are reflected in the log.
If you want to enable or disable logging of client information then right-click the Wireless Client Information node and make the appropriate selection.
This should comply with the company security monitoring requirements.
Incorrect answers:
B: This tab is used mainly to add a new wireless network to the existing one. This is not the same as monitoring.
C: Network Monitor allows you to capture data, identify the source, and analyze the content and format of the message. However, the version of Network Monitor that ships with Windows Server 2003 can analyze only traffic addressed to the network interface card (NIC) on the server itself or that is sent by the server on which it is running. This will not comply with the company's monitoring requirements.
D: When you configure new or existing wireless network connections or connect to an available wireless network, you can choose the wireless network types of which Any available network (access point preferred) is one. In access point preferred wireless there are any available. If an access point network is not available, a connection to a computer-to-computer wireless network is attempted. E.g., if you use your laptop at work in an access point wireless network, and then you take your laptop home to use in your computer-to-computer home network, the Windows Configuration service will change your wireless network settings as needed so that you can connect to your home network. This poses a security risk and does not comply with the company's security monitoring requirements.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 817

B: Plan a change and configuration management framework for security. (1 question)

QUESTION NO: 1
You are the Network administrator for TestKing. The network consists of a single domain Active Directory forest and a single Windows NT 4.0 domain. The functional level of the forest is Windows 2000. The Active Directory domain contains computer accounts and two Windows Server 2003 domain controllers. The Active Directory domain also uses Group Policy objects (GPOs). The Windows NT 4.0 domain contains user accounts. The Windows NT 4.0 domain also uses System Policy to configure users' computers.

You no longer want the settings that were configured by using the system policies applied to computers. What should you do?
A. Create a new system policy that contains user configuration settings that reverse the previous system policies. Replace the old system policies with the new system policies.
B. Create a new GPO that contains user configuration settings that reverse the previous system policies. Apply the new GPO to the Active Directory domain.
C. Raise the functional level of the Active Directory domain to Windows Server 2003 interim.
D. Raise the functional level of the forest to Windows Server 2003 interim.
Answer: A
Explanation: Unlike Windows 2000 (or later) GPOs, Windows NT system policy settings stay in place even after the system policy is removed. To remove the system policy settings, we must create another system policy that reverses the settings from the previous system policies.
Incorrect Answers:
B: Group Policy Objects (GPOs) have no effect on Windows NT computers.
C: The functional level of the forest or domain will have no effect on the computers in the Windows NT domain.
D: The functional level of the forest or domain will have no effect on the computers in the Windows NT domain.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 830

Part 4: Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. (3 questions)

QUESTION NO: 1
You are the network administrator for Contoso Ltd. The network contains a single Active Directory domain named Contoso.com. All computers on the network are members of the domain. Contoso, Ltd has a main office and 20 branch offices. Each branch office has a connection to the main office. Only the main office has a connection to the Internet. You are planning a security update infrastructure for your network. You deploy a central Software Update Services (SUS) server at the main office and an SUS server at each branch office. The SUS server at the main office uses Windows Update to obtain security patches. You want to minimize the amount of bandwidth used on the connection to the Internet and on the connection between the offices to download security patches. Which two actions should you take?
A. Configure the SUS servers at the branch office to use Windows Update to obtain security patches.
B. Configure the SUS servers at the branch offices to use the central SUS server for updates.
C. Configure Automatic Updates on the SUS servers at the branch offices to use the central SUS server for updates.
D. Configure Automatic Updates on all computers to use the SUS server on the local network.
E. Configure Automatic Updates on all computers to use the default update service location.
Answer: B, D
Explanation: We must set up the SUS branch offices server to pick up the updates from the server in the main office. By configuring a SUS server in the main office you save network bandwidth, because the branch office servers will not need to use the internet connection. With this solution, the main office SUS server downloads from the main office SUS server and the client computers download the updates from the local SUS server.
Incorrect Answers:
A: This is an unnecessary use of the internet connection.
C: You need to configure the SUS server software to download the updates, not automatic updates.
E: The default update service location is Microsoft. This is an unnecessary use of the internet connection.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13: 8

QUESTION NO: 2
You are the network administrator for TestKing. The company has a main office and 20 branch offices. You recently completed the design of the company network. The network design consists of a single Active Directory domain named testking.com. All domain controllers will run Windows Server 2003. The main office will contain four domain controllers, and each branch office will contain one domain controller. The branch office domain controllers will be administered from the main office. You need to ensure that the domain controllers are kept up-to-date with software updates for Windows Server 2003 after their initial deployment. You want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention. You also want to configure the settings by using the minimum amount of administrative effort. What should you do?
A. In System Properties, on the Automatic Update tab, enable Keep my computer up to date, and then select Download the updates automatically and notify me when they are ready to be installed.
B. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 3 - Auto download and notify for install.
C. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 4 - Auto download and schedule the install.
D. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date, and then select Automatically download the updates, and install them on the schedule that I specify.
Answer: C

Explanation:
The question states that "You want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention". The way to do this is to configure the automatic updates with the option to Auto download and schedule the install. The easiest way to configure the domain controllers with this setting is to configure a group policy object for the domain controllers. The problem with this solution is that the domain controllers may automatically restart after the updates are installed. Scheduling the updates to install out of business hours will minimize any disruption.

Incorrect Answers:
A: It is easier to configure the domain controllers using group policy.
B: This solution will download the updates, but it will not install them until an administrator manually clicks the install button in the notification dialog box. Answer C automates the procedure more by scheduling the installation to occur at a set time without any further administrative intervention.
D: It is easier to configure the domain controllers using group policy.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:8

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All production servers are located in an organizational unit (OU) named Servers. You maintain a lab that contains test servers. All test servers are located in an OU named Test Servers. You are planning to deploy critical Windows updates to all servers in the Servers OU by using Software Update Services (SUS), which is hosted on two dedicated SUS servers named Testking1 and Testking2. Testking1 and Testking2 are located in an OU named SUS servers. You synchronize Testking1 to download from the Microsoft Windows Update servers. You approve the relevant updates for your servers on Testking1. You need to minimize the impact of applying the critical updates to the production servers. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Create a Group Policy Object (GPO) to configure computers to download and install critical updates from Testking1, and link it to the Test Servers OU. Create a second GPO to configure computers to download and install critical updates from Testking2, and link it to the Servers OU.
B. Configure Testking2 to automatically download approved and tested updates from Testking1.
C. Configure Testking2 to manually download approved and tested updates from Testking1.
D. Create a Group Policy Object (GPO) to configure computers to download and install critical updates from Testking1, and link it to the Servers OU. Create a second GPO to configure computers to download and install critical updates from Testking2, and link it to the Test Servers OU.
Answer: A, C

Explanation:
SUS works by retrieving updates from Microsoft and storing these updates on a server that has the SUS tool installed. Clients then can be configured to connect to SUS and retrieve approved hotfixes and patches from the SUS server. Since the question mentions that Testking1 is synchronized to download from the Microsoft Windows Update servers and then you approve the relevant updates for your servers on Testking1, you should create a GPO to configure computers to download and install critical updates from Testking1, and link this GPO to the Test Servers OU since all test servers are located in said OU. After that you should create another GPO to configure computers to download approved critical updates from Testking2 (which will then have the approved, tested updates) and link this GPO to the Servers OU. To minimize the application impact these critical updates may have, Testking2 should be configured to manually download approved and tested updates.

Incorrect Answers:
B: When automatically downloading approved and tested updates from Testking1, you risk the chance of the computer perhaps having to be restarted to make the updates take effect. This is hardly minimizing the impact of applying critical updates to the production servers.
D: The updates must first be linked to the Test Servers OU so that they can be tested in the lab containing the test servers.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 830, 837-839
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 13

Topic 7, Simulations (19 Questions)

QUESTION NO: 1
SIMULATION
You are the network administrator for TestKing.com. You have recently deployed a new Active Directory domain. All domain controllers run Windows Server 2003. The network contains Windows NT Workstation, Windows 98 client computers, and Windows XP client computers. You discover that the Windows NT Workstation client computers and Windows 98 client computers cannot communicate with the domain controllers. You do not experience this problem with the Windows XP client computers. You have verified that there are no network connectivity issues. You need to configure Group Policy objects (GPOs) to ensure that all client computers can communicate with the domain controllers. You want to ensure that the domain controllers support IP packet encryption where possible. You need to accomplish these configurations by configuring as few settings as possible. You cannot create new GPOs or GPO links. What should you do?

Answer: We need to un-assign the "Secure Server" IPsec policy from the Default Domain Controllers OU.

Step 1: In Group Policy Management, expand the tree and select the Group Policy Objects folder.
Step 2: Right click the Default Domain Controllers Policy and select Edit.
Step 3: Expand the Computer Configuration section to show IP Security Policies.
Step 4: Right click on the "Secure Server (Require Security)" policy and select Un-assign.

QUESTION NO: 2
SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003 or Windows 2000 Server. All client computers run Windows XP Professional or Windows NT 4.0 SP6a. You need to configure a Group Policy Object (GPO) named GPO2. You need to ensure that client computers and member servers are forced to use the most secure authentication protocols without disrupting the availability of network resources. What should you do?

Answer: Pending

QUESTION NO: 3
SIMULATION
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named TestKingA, which is located in a branch office. TestKingA is used as a file and print server. TestKingA contains a shared printer named TestKingPrinter. You perform a security audit of your network. Based on this audit, you disable several services on TestKingA. Users in the branch office report a number of problems. These include the following problems:
1. Users cannot see servers in the network office by using My Network Places.
2. Users cannot print documents on TestKingPrinter.
You need to enable the appropriate services to resolve these issues without unnecessarily compromising the secure configuration of TestKingA. You need to ensure that in the event of a server reboot, these services remain enabled. What should you do?

Answer: We need to restart the Computer Browser service and the Print Spooler service. We need to change the start-up type of the two services to "Automatic".

Step 1: Click Start > Programs > Administrative Tools > Services to open the Services console.
Step 2: Right click on the Computer Browser service and select Properties.
Step 3: Change the start-up type to Automatic and click OK.

Step 4: Right click on the Computer Browser service and select Start to start the service.
Step 5: Repeat steps 2-4 for the Print Spooler service.

QUESTION NO: 4
SIMULATION
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named TestKing1. TestKing1 is used as a domain controller, file server and print server. In the past, TestKing1 was also used to host intranet content, including streaming media. However, TestKing1 is no longer used to host intranet content. You need to configure TestKing1 to remove unnecessary components and services. Your solution must not prevent TestKing1 from functioning in its assigned server roles or increase the vulnerability of TestKing1 to security threats. What should you do?

Answer: We need to uninstall IIS.

Step 1: Open the Add or Remove Programs applet in Control Panel then click "Add/Remove Windows Components".
Step 2: Clear the Application Server checkbox and click Next.
Step 3: Click Finish when Windows Components Wizard finishes.

QUESTION NO: 5
SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. You configure a Group Policy object (GPO) named GPO1 to require target computers to use SMB signing when requested. You configure a GPO named GPO2 to require target computers to use SMB signing for all communications. The company's written security policy states that all SMB data sent to member servers in the human resources (HR) and sales departments must be digitally signed. All other computers should use SMB signing only when they are communicating with member servers. All client computer accounts are located in an organizational unit (OU) named ClientComputers. All member server accounts in the sales department are located in an OU named SalesServers. All member server accounts in the HR department are located in an OU named HRServers. You need to modify the GPO links to ensure that SMB signing functions as required. The number of GPO links needs to be kept as low as possible. What should you do?

Answer: Link GPO2 (require SMB signing) to HRServers OU and SalesServers OU. Link GPO1 (SMB signing if requested) to ClientComputers OU.

Step 1: In Group Policy Management, expand the testking.com tree until you can see the organisational units.
Step 2: Right click on the HRServers OU and select "Link an Existing GPO...".
Step 3: Select GPO2 and click OK.
Step 4: Right click on the SalesServers OU and select "Link an Existing GPO...".
Step 5: Select GPO2 and click OK.
Step 6: Right click on the ClientComputers OU and select "Link an Existing GPO...".
Step 7: Select GPO1 and click OK.

QUESTION NO: 6
SIMULATION
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named Server1. Server1 runs IIS 6.0. Server1 is issued an SSL certificate. The certificate is located at C:\Certnew.cer. You need to install this certificate for the Default Web Site and ensure that users can access the Default Web Site by using the URL https://server1. Your solution must not require users to specify a TCP port number in the server's URL. What should you do?

Answer: Configure web site to use SSL and install cert.

Step 1: Click Start > Programs > Administrative Tools > Internet Services Manager. Expand the tree to show the Default Web Site.
Step 2: Right click on the Default Web Site and select Properties.
Step 3: On the Directory Security tab, click the Server Certificate button.
Step 4: Follow the Certificate Wizard to import the certificate located at C:\Certnew.cer.

Step 5: On the Web Site tab, enter 443 as the SSL port. 443 is the default port for SSL communications so the users will not have to enter a port number when accessing https://server1.

QUESTION NO: 7
SIMULATION
You are the network administrator for TestKing.com's Active Directory domain. You are configuring a security template to ensure that all network file servers meet the following requirements:
1. All successful authentication attempts from both domain and local user accounts must be audited.
2. The maximum security log size must be 20,480 KB.
3. The security log must overwrite events as needed.
4. The HelpDesk and Administrators security groups must be able to log on locally.
You need to configure the File Servers security template located in the MMC file console1.msc on the desktop to accomplish this goal. What should you do?

Answer:
Step 1: Open Console1.msc on the desktop.
Step 2: The first requirement of the question states: All successful authentication attempts from both domain and local user accounts must be audited. Expand Local Policies and click on Audit Policy.
Step 3: Double click "Audit account logon events".
Step 4: Check the "Define these policy settings in the template" checkbox and ensure the "Success" checkbox is checked.
Step 5: Repeat step 4 for the "Audit logon events" policy.
Step 6: The second requirement of the question states: The maximum security log size must be 20,480 KB. In the Security Templates console, click "Event Log" in the left pane then double click "Maximum security log size" in the right pane.
Step 7: Check the checkbox and enter 20480 for the log size then click OK.
Step 8: The third requirement of the question states: the security log must overwrite events as needed. Double click "Retention method for security log".

Step 9: Check the checkbox and ensure "Overwrite events as needed" is selected then click OK.
Step 10: The fourth requirement of the question states: The HelpDesk and Administrators security groups must be able to log on locally. Click on User Rights Assignment in the left pane then double click "Allow log on locally" in the right pane.
Step 11: Check the checkbox and click the "Add User or Group" button.
Step 12: Type Administrators and click OK.
Step 13: Repeat steps 11 and 12 for the HelpDesk group.
Step 14: Click OK.

QUESTION NO: 8
SIMULATION
You are the network administrator for TestKing.com. All client computers run Windows XP Professional. The network uses DHCP to configure client computers. A user named Tom reports that his portable computer can no longer connect to company resources when it is connected to the company network. You discover that Tom modified the computer's TCP/IP configuration to function with his home network. You need to configure the computer so that it connects to company resources when it is on the company network and connects to home resources when it is on Tom's home network. What should you do?

Answer: We need to configure the LAN connection to use DHCP and configure a static IP address for use at home.

Step 1: Open Network Connections either by clicking Start > Settings > Network Connections or right clicking on My Network Places and selecting Properties.
Step 2: Right click on Local Area Connection and select Properties.
Step 3: Select Internet Protocol (TCP/IP) and click the Properties button.
Step 4: Take a note of the IP settings.
Step 5: Select "Obtain an IP address automatically" then select "Obtain DNS server address automatically".
Step 6: On the "Alternate Configuration" tab, enter the IP configuration you noted in step 4, then click OK.

QUESTION NO: 9
SIMULATION
You are the network administrator for Contoso, Ltd. The network contains a Windows Server 2003 computer that runs Certificate Services and serves as an enterprise certification authority (CA). You need to achieve the following goals:
1. Configure Certificate Services to issue code-signing certificates.
2. Use the Certificate Services Web interface to request a code-signing certificate for yourself.
3. Ensure that only a user named Bruno has the authority to add certificates to Active Directory.
What should you do?

Answer: Pending

QUESTION NO: 10
SIMULATION
You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer that runs Certificate Services and serves as a certification authority (CA). All company computers are configured to download a Certificate Revocation List (CRL) from the CA. A user named Tess King retires from the company. You need to ensure that Tess's certificate cannot be used on the CA. You also need to immediately update the CRL. What should you do on the server?

Answer: Pending

QUESTION NO: 11
SIMULATION
You are the network administrator for TestKing.com. You are configuring security on the Windows Server 2003 computers in the human resources (HR) department. All servers for the HR department are located in the HR Servers organizational unit (OU). You need to configure security for these servers by using existing Group Policy objects (GPOs). Company policy dictates that you should not create additional GPOs. You have been instructed to use GPO1 to configure these settings. In addition, you must ensure the following requirements are met.
1. Web hosting services should not be installed on these servers.
2. Web hosting components should not be installed on these servers in the future.
3. Other services on these servers should not be affected.
You need to configure settings by using the minimal amount of configurations on the GPO. What should you do?

Answer:
Step 1: In Group Policy Management, expand the tree until you can see the Organizational Units.
Step 2: Right click on the HRServers OU and select "Link an Existing GPO...".

$tep b3. Select -.O< and clic0 OB ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3>G 2 $tep b-. Dight clic0 on -.O< and select Edit ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3>> 2 $tep bF. E3#and 'om#uter 'on$iguration U )dministrati/e Tem#lates and select Internet In$ormation Ser/ices In the right #ane* double clic0 L.re/ent IIS installationL ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3>= 2 $tep b;. Select LEnabledL and clic0 OB ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=" 2 QUESTION NO: <2 SI?UA)TION You are the net"or0 administrator $or TestBing com The net"or0 includes t"o user #o#ulated net"or0 segments and contains a !indo"s Ser/er 2==, com#uter that $unctions as a D:'. ser/er )ll client com#uters use the D:'. ser/er Decently* the $ollo"ing changes "ere made to the net"or0 ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=1 2 1. The DNS ser/er at <= <= 2= <7 "as re#laced by a DNS ser/er at <= <= 2= <6 2. The host addresses o$ the router inter$aces on each segment "ere changed $rom < to 2 You need to recon$igure the D:'. ser/er to re$lect these net"or0 changes !hat should you do% )ns"er: Ste# G< 'lic0 Start U .rograms U )dministrati/e Tools U D:'. to o#en the D:'. management console ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=2 2 $tep b2. 
!e need to change the DNS ser/er address Select Ser/er O#tions and double clic0 L==5 Name Ser/ersL in the right #ane ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=3 2 $tep b3. Enter the I. address <= <= 2= <6 and clic0 )dd ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=- 2 $tep b-. Select the <= <= 2= <7 address and clic0 Demo/e ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=F 2 $tep bF. !e need to change the router address $or each o$ the t"o sco#es Select Sco#e O#tions in the le$t #ane $or the $irst sco#e* then double clic0 L==, DouterL in the right #ane ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=; 2 $tep b;. Enter the I. address <= <= 2= 2 and clic0 )dd ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=G 2 $tep bG.

Select <= <= 2= < and clic0 Demo/e ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3=> 2 De#eat ste#s 5>7 to change the router address $or the second sco#e QUESTION NO: <, SI?UA)TION You are the net"or0 administrator $or 'ontoso* Atd The net"or0 contains a !indo"s Ser/er 2==, com#uter named Ser/er< Ser/er< runs the Douting and Demote )ccess ser/ice* and is used to create a 8.N connection bet"een o$$ices in Ne" Yor0 and +oston The 8.N connection is a demand>dial inter$ace ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 3== 2 The +oston 8.N ser/er has been renamed to router contoso com You need to con$igure the Ne" Yor0 8.N ser/er to re$lect this change You disco/er that the Ne" Yor0 8.N ser/er maintains a constant connection to the +oston o$$ice at all times You "ant the connection to be terminated "hene/er there is no intero$$ice tra$$ic $or <= minutes or more In the e/ent that the 8.N connection is needed but not connected* you "ant the Ne" Yor0 8.N ser/er to automatically reattem#t the connection e/ery <= seconds until a connection is achie/ed You need to recon$igure the Ne" Yor0 8.N ser/er to accom#lish these goals !hat should you do% )ns"er: Ste# G< ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -"" 2 'lic0 Start U .rograms U )dministrati/e Tools U Douting and Demote )ccess 'lic0 the Net"or0 Inter$aces icon to dis#lay the net"or0 inter$aces in the right #ane Double clic0 on the 8.N inter$ace $tep b2. 'hange the host name to router contoso com ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -"1 2 $tep 3. 
Select the Options tab.

Step #4. Change the connection type to "Demand dial". Set the idle time before hanging up to 10 minutes. Set the redial attempts to the maximum 99 and the redial interval to 10 seconds. Click OK.

QUESTION NO: 14 SIMULATION

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. The network contains an organizational unit (OU) named Servers. All servers within the Servers OU run Windows Server 2003. You are responsible for managing the security settings in four Group Policy objects (GPOs) named GP01, GP02, GP03 and GP04. All data that is sent to and from the servers in the Servers OU must be encrypted.

You need to ensure that no other computers on the network will encrypt data unless they are communicating with the servers in the Servers OU. Company policy states that you must use only existing GPO links. What should you do?

Answer: Configure the IPSec policy for the Servers OU GPO to "Secure Server (Require Security)". Configure the IPSec policy for whichever GPO applies to the client computers to "Client (Respond Only)".

QUESTION NO: 15 SIMULATION

You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer that runs Certificate Services in a stand-alone configuration and serves as a certification authority (CA). Users use the Web-based Certificate Services interface to request digital certificates.

You need to ensure that only authenticated domain users can access the Web-based interface. You must not change the way users access other Web-based content on the same server. You must ensure that user credentials cannot be passed in clear text across the network. What should you do?

Answer: Pending

QUESTION NO: 16 SIMULATION

You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named TestKing1. TestKing1 runs the Routing and Remote Access service, and is used to establish VPN connections to a remote company office. You need to configure the VPN connection to automatically select either the PPTP or the L2TP protocol. You also need to configure the Local Area Connection interface to drop all incoming TCP traffic on ports 80 and 443. Your solution must not change the ability of TestKing1 to send and receive other traffic.

What should you do?

Answer:

Step #1. Click Start > Programs > Administrative Tools > Routing and Remote Access. Click the Network Interfaces icon to display the network interfaces in the right pane. Double click on the VPN interface.

Step #2.
Click the Networking tab.

Step #3. Select "Automatic" from the drop down list then click OK.

Step #4. The second requirement of the question is to configure the Local Area Connection interface to drop all incoming TCP traffic on ports 80 and 443. Under IP Routing, select General then double click Local Area Connection.

Step #5. Click the Inbound Filters button.

Step #6. Click New.

Step #7. Enter the network address, select TCP from the drop down list and enter port 80 then click OK.

Step #8. Repeat for port 443.

Step #9. Click OK twice to close the dialog boxes.

QUESTION NO: 17 SIMULATION

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. The network contains an organizational unit (OU) named HR Servers. All servers within the HR Servers OU run Windows Server 2003. You configure the Group Policy objects (GPOs) and settings shown in the following table:

GPO     Setting
GPO1    IP Security Policy: Secure Server (Require Security)
GPO2    IP Security Policy: Client (Respond Only)
GPO3    Microsoft Network Server: Digitally sign communications (always)
GPO4    Microsoft Network Client: Digitally sign communications (if server agrees)

You link some of the GPOs to some of the Active Directory nodes. However, all data sent to and from the servers in the HR Servers OU is not encrypted. You need to ensure that only data sent to and from the servers in the HR Servers OU is encrypted. You also need to ensure that SMB signing is not configured on any computers in your environment. The number of GPO links needs to be kept as low as possible. You cannot create any additional GPOs, and you cannot reconfigure the existing GPOs. What should you do?

Answer:
QUESTION NO: 18 SIMULATION

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain and uses several domain controllers. TestKing.com does not currently have a public key infrastructure (PKI). You need to install Certificate Services on a Windows Server 2003 computer. You must ensure that the certificate store is automatically published to Active Directory. Certificate Services should use a self-signed root certificate, which uses a distinguished name of rootca.testking.com. You want the self-signed root certificate to be valid for three years. What should you do?

Answer:

QUESTION NO: 19 SIMULATION

You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer that runs Certificate Services and serves as a certification authority (CA).

A user named Mary Baker has a certificate issued by the server. This certificate is used only for client authentication. Mary changes her surname to "Gibson" and needs to have her certificate reflect this change. Mary already has used the Certificate Services Web-based interface to request the necessary certificate. You need to ensure that Mary is only able to use her new certificate to authenticate to the network. What should you do?

Answer:

Topic 8, Miscellaneous (44 Questions)

QUESTION NO: 1

You are a network administrator for TestKing.com. The network consists of a single

Active Directory domain named testking.com. All servers run Windows Server 2003. You install Certificate Services and configure an offline root certification authority (CA). You also configure an enterprise subordinate CA in the domain. Employees in the marketing department use a public key infrastructure (PKI) enabled application to store secure marketing data. Employees require a certificate that supports client authentication to gain access to this application. User objects for employees in the marketing department are stored in an organizational unit (OU) named Marketing. You create a Group Policy object (GPO) that configures users for autoenrollment, and you link the GPO to the Marketing OU. You create a duplicate of the User certificate template named Employee and assign permission to allow autoenrollment for users in the marketing department. You configure the Employee template to prompt the user during enrolment. An employee in the marketing department named David Lindberg reports that when he attempts to use the marketing application, he receives a message stating that he does not have a client authentication certificate. David is unable to use the marketing application. You examine David Lindberg's user object, shown in the exhibit.

**MISSING**

You need to ensure that David can use the marketing application. What should you do?

A. Edit David Lindberg's user object to include an e-mail address.
B. Add David Lindberg's user object to the Cert Publishers domain local group.
C. On David Lindberg's computer, use the Web enrolment tool to connect to the subordinate CA and download a copy of the subordinate CA's certificate.
D. On David Lindberg's computer, use the Web enrolment tool to connect to the subordinate CA and download the most recent certificate revocation list (CRL).
Answer: D

Explanation: CAs can revoke as well as issue certificates. After a certificate is revoked, it needs to be published to a CRL distribution point. Clients check the CRL periodically before they can trust a certificate. Following this reasoning it could be that his certificate could have been revoked. To make sure that he can use the marketing application he should make use of the Web enrolment tool to connect to the subordinate CA and download the latest CRL.

Incorrect answers:
A: This is probably a case of a revoked CA and editing Lindberg's user object to include an e-mail address will not address the issue at hand.
B: This will not ensure that David will be able to make use of the marketing application.
C: matter of downloading the latest CRL from the subordinate CA.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p.
909

QUESTION NO: 2

You are the network administrator for TestKing. All Web servers on the network run Windows Server 2003. The network also contains a Windows Server 2003 computer named Testking1. Software Update Services (SUS) is installed on Testking1. You are testing the security configuration of a Web server named Testking2. Testking2 is used on TestKing's intranet. TestKing's written security policy prohibits the intranet servers from communicating with Internet resources. You run the Microsoft Baseline Security Analyzer (MBSA) on Testking2 and receive the results shown in the exhibit.

You need to run MBSA successfully. What should you do?

A. Temporarily enable Testking2 to access the Internet, and run MBSA again.
B. Run the mbsacli.exe command, and run MBSA again.
C. Run MBSA again. Configure MBSA to use the SUS server.
D. Ensure that Windows Update is correctly configured on Testking2, and run MBSA again.

Answer: A

Explanation: The exhibit shows that many of the scans could not be run. This is due to those issues not being available on Testking2 which is used on the intranet. For MBSA to run successfully, you will need to access the Internet. Thus you should temporarily connect to the internet while the scan is running so that you do not violate the written security policy of the company.

Incorrect answers:
B: Running mbsacli.exe is the same as running MBSA, but from a command prompt. This will not ensure that the scans will be successful.
C: Running MBSA using the SUS server means that Testking2 will have to access the Internet on a permanent basis and this is against the company security policy.
D: It is not a matter of ensuring that Windows Update is correctly configured. TestKing2 should connect to the Internet temporarily, which will allow scans to be run successfully without violating the company security policy.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 833

QUESTION NO: 3

You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. One of the domain controllers is configured as a subordinate enterprise certification authority (CA). TestKing also has an offline root CA. All client computers run Windows XP
Professional. TestKing does business with a distributor named Coho Vineyard. Users at TestKing frequently access secured Web sites at Coho Vineyard. These sites are secured by using certificates issued by an enterprise CA at Coho Vineyard. Users at TestKing report that they receive security alerts from the Web browser whenever they try to access secured Web sites at Coho Vineyard. Users can access the sites after they acknowledge the warnings, but many choose to cancel the operation in order to be sure that the network is secure. You need to configure the TestKing network to prevent these security alerts from appearing when accessing the secured Web sites at Coho Vineyard. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Obtain a copy of the Coho Vineyard root certificate from Coho Vineyard.
B. Issue a certificate to the Coho Vineyard Web server from the TestKing enterprise CA.
C. Import the certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Place the Coho Vineyard secured Web sites in the list of trusted sites in the Internet Explorer Maintenance section of the Default Domain Policy Group Policy object (GPO).
Answer: A, C

Explanation: Cross-Trust Hierarchies - For a PKI entity to use a certificate provided by a CA, the entity must trust that CA. This trust is established when the entity has a copy of the CA's certificate located in its local certificate store. Using the public key contained in the certificate, the entity can verify the CA's digital signature. How, then, does the certificate get from the CA to the entity's local store? Unfortunately, there is not just one answer. Group policies under Active Directory, preloaded certificates in Windows Server 2003, and downloads from the Windows Update Web site are the most common ways. If your organization must exchange data with external parties, there needs to be a way to recognize and trust a third-party CA as if it were a part of your local chain of trust. To do this you can either use a certificate trust list (CTL), or you can create a cross-trust hierarchy, which enables an external CA to be viewed as a subordinate CA in your local trust chain.

Incorrect Answers:
B, D: Coho Vineyard must be part of Testking's organization for this to be possible.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 883.

QUESTION NO: 4

You are the network admin for litware inc. The company's written security policy requires that you maintain a copy of all private keys issued by TestKing's enterprise root CA. You create a duplicate of the user template named Employee and configure the template as shown in the Employee Properties exhibit:

You configure the CA to archive private keys by using a Key Recovery Agent Certificate. You create a test user account named Peter and request a new employee certificate. You issue the certificate to Peter. You reinstall the OS on your test computer and attempt to recover Peter's private key. Your attempt fails and generates the following error message:

C:\ certutil -Getkey
CertUtil: -GetKey command failed
CertUtil: Cannot find object or property

You need to ensure that future attempts to recover private keys associated with Employee certificates succeed.

What should you do?

A. Using Group Policy, deploy a copy of the key recovery agent certificate to all client computers.
B. In the Employee template, select the Archive subject's encryption private key check box.
C. In the employee template, select the Allow private key to be exported check box.
D. Run the certutil -dspublish command to publish the Key Recovery Agent certificate to Active Directory.
Answer: C

Explanation: The Request Handling tab has options including minimum key size and certificate purpose. The certificate purpose can be encryption, signature, or signature and encryption. There is also an option to allow the export of the private key.

Incorrect Answers:
A: Key recovery is deployed via the Certificate Services.
B: You are attempting to recover the key, not archive it.
D: This option will not work since the certutil command is not responding positively.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, 2004, Chapter 12

QUESTION NO: 5

You are a network administrator for TestKing. The company consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. The company's main office is located in Dallas. You are a network administrator at the company's branch office in Boston. You create a Group Policy object (GPO) that redirects the Start menu for users in the Boston branch office to a shared folder on a file server.

Several users in Boston report that many of the programs that they normally use are missing from their Start menus. The programs were available on the Start menu the previous day, but did not appear when the users logged on today. You log on to one of the client computers. All of the required programs appear on the Start menu. You verify that users can access the shared folder on the server. You need to find out why the Start menu changed for these users. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A.
In the Group Policy Management Console (GPMC), select the file server that hosts the shared folder and a user account that is in the Domain Admins global group and run Resultant Set Of Policy (RSoP) in planning mode.
B. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run Resultant Set of Policy (RSoP) in logging mode.
C. On one of the affected client computers, run the gpresult command.

D. On one of the affected client computers, run the gpupdate command.
E. On one of the affected client computers, run the secedit command.

Answer: B, C

Explanation: We need to view the effective group policy settings for the users or the computers that the users are using. We can use gpresult or RSoP.

Gpresult displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.

RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. It consists of two modes, planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and user that is currently logged on.

Incorrect Answers:
A: We need to test the effective policy from a user's computer, not the file server.
D: Gpupdate is the tool used to refresh the policy settings in Windows XP and Windows Server 2003.
E: Secedit is the tool used to refresh the policy in Windows 2000 professional and server editions.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 35

QUESTION NO: 6

You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 20 servers running Windows Server 2003 and 300 client computers running either Windows XP
Professional or Windows 2000 Professional. You install a new member server named TestKing3, for use by the Finance department. TestKing3 runs Windows Server 2003. You install a Finance application that runs as a service on TestKing3. When you restart TestKing3, the logon screen does not appear. You attempt to restart TestKing3 using safe mode, and then again using the Last Known Good Configuration. Both of which are unsuccessful. All Safe Mode options are unsuccessful. You reinstall TestKing3 using a clean installation of Windows Server 2003. You discover that the Finance application is not compatible with a security update. You install a patch provided by the Finance software manufacturer. TestKing3 reboots successfully and the Finance software now successfully runs as a service. You want to prevent this type of problem happening again. You want to configure the existing servers so that you can quickly recover from this type of failure. What should you do?

A. Always install services using Add or Remove Programs.
B. On each server, install and use the Recovery Console.
C. On each server, create an Automated System Recovery (ASR) disk.
D. Next time the problem occurs, use Device Driver Roll Back.

Answer: B

Explanation:
1. We know that this service causes the failure.
2. We want minimum of time and minimum of data loss.
3. We want a solution for all servers.
4. We want to make sure other services that fail do not result in the same type of failure.

Using the Recovery Console, you can enable and disable services. This method is recommended only if you are an advanced user who can use basic commands to identify and locate problem drivers and files. To use the Recovery Console, restart the computer with the installation CD for the operating system in the CD drive.
When prompted during text-mode setup, press R to start the Recovery Console.

What it does:
1. From the Recovery Console, you can access the drives on your computer. You can then make any of the following changes so that you can start your computer:
1. Enable or disable device drivers or services.
2. Copy files from the installation CD for the operating system, or copy files from other removable media. For example, you can copy an essential file that had been deleted.
3. Create a new boot sector and new master boot record (MBR)

Incorrect Answers:

A: Located in Control Panel on the client machine, this option is used by users to manage software on their own computers.
C: using Backup or other means.
D: Driver Roll Back is done through Device Manager, and allows for use of a driver that was previously configured for a device.

Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 10

QUESTION NO: 7

You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains Web servers that run Windows Server 2003. You use Sysprep to create a baseline image for Web servers. You instruct a technician to install Windows Server 2003 on 20 new Web servers by using the baseline image. A new service pack is subsequently released. You need to install the new service pack on all Web servers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Copy the service pack installation files to a shared folder. Install the service pack on each Web server from the shared folder.
B. Create an organizational unit (OU) named Web servers. Create a Group Policy object (GPO) to assign the service pack package to users. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.
C. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO) to assign the service pack package to computers. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.
D. Create a Cmdlines.txt file for use with the baseline Sysprep image in order to run the service pack package.
Answer: C

Explanation: A service pack is a software update package provided by Microsoft for one of its products. A service pack contains a collection of fixes and enhancements packaged into a single self-installing archive file.

To distribute a service pack, create a shared folder and either extract the service pack to that folder or copy the contents of the service pack CD to the folder. Then, using the Active Directory Users And Computers snap-in, create or select an existing GPO. Click Edit and the Group Policy Object Editor console appears, focused on the selected GPO. Expand the Computer Configuration\Software Settings node. Right-click Software Installation and choose New, then Package. Enter the path to the service pack's Update.msi file. Be certain to use a UNC format (for example, \\Server\Share) and not a local volume path, such as Drive:\Path. In the Deploy Software dialog box, select Assigned. Close the Group Policy Object Editor console. Computers within the scope of the GPO - in the site, domain, or OU branch to which the policy is linked - automatically deploy the service pack at the next startup.

You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers' computer objects exist.

Incorrect Answers:
A: Installing the service pack on each server would require a lot of administrative effort.
B: Service packs must be applied to the computers not the users.
D: Service packs can be applied without running the Sysprep image.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Glossary.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, Chapter 9.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and

70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 9.

QUESTION NO: 8

You are the network administrator for TestKing. All servers run Windows Server 2003. You configure a baseline security template Baseline.inf. Several operations groups are responsible for creating templates containing settings that satisfy operational requirements. You receive the templates shown in the following table.

Operations group    Template name       Applies to
File and Print      TestKingFile.inf    File servers
Database            TestKingDB.inf      Database servers
Security            TestKingSec.inf     All resource servers

The operations groups agree that in the case of conflicting settings, the priority order listed in the following table establishes the resultant setting.

Template                         Priority
TestKingSec.inf                  1
Baseline.inf                     2
Specific server role template    3

You need to create one or more Group Policy objects (GPOs) to implement the security settings. You want to minimize the amount of administrative effort required when changes are requested by the various operations groups. What should you do?

A. Create a GPO and import the following templates in the following order: Baseline.inf, TestKingSec.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.
B. Create a GPO and import the following templates in the following order: TestKingSec.inf, Baseline.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.
C. Create a GPO for each server role and import the following templates in the following order: Baseline.inf, specific server role template, TestKingSec.inf.
D. Create a GPO and import the following templates in the following order: TestKingSec.inf, TestKingDB.inf, TestKingFile.inf, Baseline.inf.
Answer: A

Explanation: Windows Server 2003 processes GPOs from the bottom of the list to the top of the list, with the topmost GPO having the final authority. Because policies contained in GPOs will, by default, overwrite policies of previously applied GPOs, we would need to import the Baseline.inf before the TestKingSec.inf template.

Incorrect Answers:
B: Because policies contained in GPOs will, by default, overwrite policies of previously
C, D: Because we need to import templates specific to each of two server roles, we need a separate GPO for each server role.

Reference: Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 5

QUESTION NO: 9
DRAG DROP
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains 30 domains. TestKing has 400 offices. The network contains 150,000 user objects. All servers run Windows Server 2003.

You are responsible for administering the marketing department, which has offices in North America and Europe, as shown in the work area. Offices in Toronto, Chicago, and New York are part of the america.testking.com domain. Offices in Paris, Bonn, and Rome are part of the europe.testking.com domain. The number of users in each office is shown in the following table.

Office      Number of users
Toronto     750
Chicago     20
New York    650
Paris       650
Bonn        10
Rome        15

Users in the Bonn, New York, and Toronto offices require access to a directory-enabled application that stores configuration information in the global catalog. You need to plan the placement of domain controllers for the network. You need to ensure that each user can log on without using cached credentials and that users have access to the application if a WAN connection fails. You need to achieve this goal while minimizing the increase in WAN traffic. What should you do?

To answer, drag the appropriate domain controller configuration or configurations to the correct location or locations in the work area.

Answer:

Explanation: Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC helps in keeping a list of every object without holding all accessibility.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 540.

QUESTION NO: 10
You are a network administrator for TestKing. The network consists of two Active Directory domains. All servers run Windows Server 2003. TestKing has offices in New York and Rome. The two offices are connected by a 128-Kbps WAN connection. Each office is configured as a single domain. Each office is also configured as an Active Directory site. TestKing stores printer location information in Active Directory. Users frequently perform searches of Active Directory to find information on printers by selecting the Entire Directory option. Users in the New York office report that response time is unacceptably slow when searching for printers. You need to improve the response time for users in the New York office. What should you do?

A. Place a domain controller for the Rome domain in the New York office.
B. Place a domain controller for the New York domain in the Rome office.
C. Enable universal group membership caching in the New York office.
D. Configure a global catalog server in the New York office.

Answer: D

Explanation: Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC helps in keeping a list of traffic while still providing maximum accessibility.

Incorrect Answers:
A, B: These options require users to search via the WAN connection, which will not improve the response time.
C: Universal group membership caching allows a domain controller to cache universal group membership information, thus reducing the need for a global catalog server to be contacted during the user authentication process.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W.
Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 540.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 1

QUESTION NO: 11
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains three Windows Server 2003 domain controllers named ServerTK1, ServerTK2 and ServerTK3. ServerTK1 holds the schema master role and the domain naming master role. ServerTK2 holds the relative ID (RID) master role. ServerTK3 holds the PDC emulator master role and the infrastructure master role. ServerTK2 fails and cannot be restarted. You log on to ServerTK3 as the administrator and seize the RID master role. Later, ServerTK2 is repaired and can be brought back online. You want ServerTK2 to hold the RID master role again. What should you do?

A. Restart ServerTK2 while it is connected to the network. Use the Ntdsutil utility and seize the RID master role. Reconnect ServerTK2 to the network.
B. Restart ServerTK2 while it is disconnected from the network. Use the Ntdsutil and seize the RID master role. Reconnect ServerTK2 to the network.
C. Reinstall Windows Server 2003 on ServerTK2. Restore the system state from the most recent backup to ServerTK2. Reconnect ServerTK2 to the network.
D. Reinstall Windows Server 2003 on ServerTK2. Promote ServerTK2 to become a domain controller. Transfer the RID master role to ServerTK2.

Answer: D

Explanation: A domain controller whose RID master role has been seized can only be brought back online by reinstalling Windows Server 2003.

Incorrect Answers:
A: ServerTK2 was the RID master before it failed. That role was seized to ServerTK3. If we restart ServerTK2, there will be two RID masters. Furthermore, we can only seize a role if the domain controller that holds that role fails.
B: We cannot seize the RID master role if ServerTK2 is not connected to the network. Furthermore, we can only seize a role if the domain controller that holds that role fails.
C: ServerTK2 was the RID master before it failed.
That role was seized to ServerTK3. However, if we bring ServerTK2 back online, there will be two RID masters.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 4.

QUESTION NO: 12
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain includes a Windows Server 2003 computer that runs Terminal Services. The terminal server has a computer account in an organizational unit (OU) named Terminal Servers. A Group Policy object (GPO) named TS Settings is linked to the Terminal Servers OU. This GPO is configured with settings that must apply when users are logged on to the terminal server. The company wants users to have their normal settings when connected to the terminal server, except settings that conflict with the settings in the TS Settings GPO. You discover that when users are logged on to the terminal server, they receive only the settings from the TS Settings GPO, without any of their own settings. You use the Group Policy Management Console (GPMC) to examine the configuration of the TS Settings GPO. The relevant portion of the configuration is shown in the exhibit.

You need to ensure that policy settings apply properly to users logging on to the terminal server. What should you do?

A. Enable the Block Policy inheritance setting for the Terminal Servers OU.
B. Disable the No Override setting for the TS Settings GPO.
C. Modify the TS Settings GPO to use loopback processing in Merge mode.
D. Disable the Only allow local profiles setting in the TS settings GPO.
Answer: B

Explanation: When Group Policy is not affecting users and computers in a site, domain, or OU, make sure that the intended policy is not being blocked. Make sure no policy set at a higher level of Active Directory has been set to No Override. If Block Policy Inheritance and No Override are both used, keep in mind that No Override takes precedence.

Incorrect Answers:
A: Enabling the Block Policy inheritance setting for the Terminal Servers OU will prevent the application of GPOs higher in the hierarchy from being inherited by the Terminal Servers OU. Thus, only the TS Settings GPO will be applied.
C: Loopback is a new Group Policy setting that provides alternatives to the default method of obtaining the ordered list of GPOs whose user configuration settings affect a user. By default, a user's settings come from a GPO list that depends on the user's location in Active Directory. Loopback operates in replace mode or merge mode. In merge mode, user settings that do not conflict with computer settings are applied. If there is a conflict between the two, the computer settings override the user settings.
D: The Only allow local profiles is a new Group Policy option that permits a computer to ignore user settings in roaming profiles. By default, when roaming profile users log on to a computer, their roaming profile is copied to the local computer. If they have previously logged on to this computer, the roaming profile is merged with the local profile. When the users log off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. If the Only allow local profiles setting is enabled, the user receives a local profile, rather than the roaming profile.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-17, 10-19 to 10-20.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?u
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, pp. 110.

QUESTION NO: 13
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 50 servers running Windows Server 2003 and 1000 client computers running Windows XP Professional. All client computers are in an organisational unit (OU) named Clients. All server computers are in an organisational unit (OU) named Servers. You discover that most of the servers are running the SMTP service and the Telnet service. These services are not required and should be disabled. What is the easiest way to ensure that the services are always disabled on the servers?

A. Use gpedit.msc to create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Servers OU.
B. Use gpedit.msc to create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Servers OU.
C. Use gpedit.msc to create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Servers OU.
D. Use gpedit.msc to create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Servers OU.
Answer: C

Explanation: The servers have been moved to an OU. This makes it easy for us to configure the servers using a group policy. We can simply assign a group policy to the Servers OU to disable the services.

Incorrect Answers:
A: The logon script would only run when someone logs on to the servers. It's likely that the servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be refreshed at regular intervals.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 55

QUESTION NO: 14
You are the network administrator for TestKing. You need to test a new application. The application requires 2 processors and 2 GB of RAM. The application also requires shared folders and installation of software on client computers. You install the application on a Windows Server 2003 Web Edition computer and install the application on 20 test client computers. You then discover that only some of the client computers can connect and run the application. You turn off some computers and discover that the computer that failed to open the application can now run the application. You need to identify the cause of the failure and update your test plan. What should you do?

A. Increase the maximum number of worker processes to 20 for the default application pool
B. Use add/remove programs to add the application server windows component
C. Change the application pool to identify the local service for the default application pool
D. Change the test server OS to Windows Server 2003 Standard Edition or Enterprise

Answer: D

Explanation: Although Windows Server 2003 Web Edition supports up to 2GB of for the application. Therefore, we need to install Windows Server 2003 Standard Edition or Enterprise Edition to support enough RAM.

Incorrect Answers:
A, C: Edition reserves 1GB for the operating system so only 1GB of RAM is available for the application. So, changing the application pool will not resolve this problem.
B: The application server component includes IIS and ASP. These would be part of the default installation on a Web Server.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 28

QUESTION NO: 15
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain consists of the containers shown in the exhibit.

All production server computer accounts are located in an organizational unit (OU) named Servers. All production client computer accounts are located in an OU named Desktops. There are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktops OU.

The company recently added new requirements to its written security policy. Some of the new requirements apply to all of the computers in the domain, some requirements apply to only servers, and some requirements apply to only client computers. You intend to implement the new requirements by making modifications to the existing GPOs.

You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003 computers in order to test the deployment of settings that comply with the new security requirements by using GPOs. You use the Group Policy Management Console (GPMC) to duplicate the existing GPOs for use in testing.

You need to decide where to place the test computer accounts in the domain. You want to minimize the amount of administrative effort required to conduct the test while minimizing the impact of the test on production computers. You also want to avoid linking GPOs to multiple containers. What should you do?

A. Place all test computer accounts in the testking.com container.
B. Place all test computer accounts in the Computers container.
C. Place the test client computer accounts in the Desktops OU and the test server computer accounts in the Servers OU.
D. Create a child OU under the Desktops OU for the test client computer accounts. Create a child OU under the Servers OU for the test server computer accounts.
E. Create a new OU named Test under the testking.com container. Create a child OU under the Test OU to test client computer accounts. Create a second child OU under the Test OU to test server computer accounts.

Answer: E

Explanation: To minimize the impact of the test on production computers, we can create a test OU with child OUs for the servers and the client computer accounts. Settings that should apply to the servers and client computers can be applied to the Test OU, and settings that should apply to the servers or the client computers can be applied to the appropriate child OUs.

Incorrect Answers:
A: You cannot place computer accounts directly under the domain container. They must be in an OU or in a built in container such as the Computers container.
B: We need to separate the servers and the client computers into different OUs.
C: This solution would apply the new settings to existing production computers.
D: This could work but you would have more group policy links. For example, the GPO settings that need to apply to the servers and the client computers would need to be linked to both OUs. It would be easier to link the GPO to a single parent OU.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 29-30

QUESTION NO: 16
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All member servers run Windows Server 2003. All client computers run Windows XP
Professional. All client computer accounts in the domain are located in an organizational unit (OU) named Workstations. You need to distribute a new application to all client computers on the network. You create a Group Policy object (GPO) that includes the application package in the software installation settings of the Computer Configuration section of the GPO. You assign the GPO to the Workstations OU. Several days later, users report that the new application is still not installed on their client computers. You need to ensure that the application is installed on all client computers. What should you do?

A. Instruct users to restart their client computers.
B. Instruct users to run Windows Update on their client computers.
C. Instruct users to force a refresh of the computer policy settings on their client computers.
D. Instruct users to force a refresh of the user policy settings on their client computers.

Answer: A

Explanation: When an application is assigned to a computer, the software is deployed when it is safe to do so (that is, when the operating system files are closed). This generally means that the software will be installed when the computer starts up, which ensures that the applications are deployed prior to any user logging on. For this scenario, we need to tell the users to restart their client computers.

Incorrect Answers:
B: Windows Update is used to update the operating system with the latest security patches etc.
C: You applied the policy several days ago. The client computers should have the GPO by now.
D: The setting isn't in the user section of the group policy.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
1: 29-30

QUESTION NO: 17
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. TestKing merges with a company named Acme. You need to create new user accounts for all of the Acme employees. The e-mail address format for all users at Acme is alias@acme.com. The users need to continue to use their e-mail addresses after the merger. To decrease confusion, these users also need to be able to use their e-mail addresses as their user logon names when logging on to the company network. You need to ensure that new users can log on by using their e-mail addresses as their logon names. You want to achieve this goal by incurring the minimum cost and by using the minimum amount of administrative effort. What should you do?

A. Create a new domain tree named acme.com in the testking.com forest. Create user accounts for all of the users in the acme.com domain.
B. Create a new forest named acme.com. Create user accounts for all of the users in the acme.com domain. Configure a forest trust relationship between the two forests.
C. Create user accounts for all of the new users in the testking.com domain. Configure the e-mail addresses for all of the Acme users as alias@acme.com.
D. Configure acme.com as an additional user principal name (UPN) suffix for the testking.com forest. Configure each user account to use the acme.com UPN suffix.

Answer: D

Explanation: You can simplify the logon process for users by enabling UPN logon. When UPN logon is enabled, all users use the same UPN suffix to log on to their domains. UPN names are comprised of the user's logon name and the DNS name of the domain. When you enable UPN logon, users' logon names remain the same even when their domains change. You might choose to enable UPN logon if:
1. Domain names in your enterprise are complex and difficult to remember.
2. Users in your organization might change domains as a result of domain consolidation or other organizational changes.
3. All domains in the forest are in native mode.
4. User logon names are unique within the forest.
5. A global catalog server is available to match the UPN to the correct domain account.
You can use one UPN suffix for all users in the forest.

Incorrect Answers:
A, B: Creating a new domain tree or forest and recreating the user accounts for all of the users in the acme.com domain would require excessive administrative effort.
C: Creating new user accounts for all of the users in the acme.com domain would require excessive administrative effort. Using the UPN logon feature would require less administrative effort.

Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 95-6.

QUESTION NO: 18
You are the network administrator for TestKing. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.com and cpand1.com. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests. You need to achieve the following goals:
1. Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
2. Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com.
You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)

A. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control list (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to This Organization security group.

Answer: A, D, E

Explanation: When all the domains in two forests trust each other, and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.

Selective authentication between forests - Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions.

If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions).

If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access.
To do this, set a control access right Allowed to authenticate on an object for that particular user or group from the second forest.

When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, then the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.

Taking the above mentioned into account then options A, D and E will make sure that users in the contoso.com forest have forest-wide access.

Incorrect Answers:
B: If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. However, users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com. We should therefore use selective authentication for the cpand1.com forest to access the contoso.com.
C: Users in the contoso.com forest must be able to access all resources in the cpand1.com forest, in other words, they need forest-wide access.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-48 to 4-49.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 254.

QUESTION NO: 19
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The Active Directory database contains 500 MB of information.

TestKing has its main office in Moscow and a branch office in Minsk. The two offices are connected by a 56-Kbps WAN connection that is used only for Active Directory replication. The Moscow office has 450 users, and the Minsk office has 15 users. The Minsk office has a single Windows Server 2003 domain controller and two Windows Server 2003 file and print servers. The hard disk containing the operating system on the domain controller in Minsk fails and cannot be recovered. You need to re-establish a domain controller that contains a current copy of Active Directory in the Minsk office. You need to achieve this goal as quickly as possible.

What should you do?

A. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Install Active Directory from restored backup files.
B. Install Active Directory on a file and print server. Force replication.
C. Install Active Directory on a file and print server from restored backup files.
D. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Force replication.

Answer: C

Explanation: We need to re-establish a domain controller in the Minsk office as quickly as possible. Therefore, we should install Active Directory from restored backup files. Answer A is the recommended answer, but answer C is quicker. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller. The /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network.

For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link.

Incorrect Answers:
A: This would work but answer C is quicker.
B: We do not want to replicate a 500MB Active Directory database over a 56Kbps WAN link.
D: We do not want to replicate a 500MB Active Directory database over a 56Kbps WAN link.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27

QUESTION NO: 20
You are the network administrator for TestKing. The network consists of a single Active Directory domain that contains only one domain controller. The domain controller is named TestKingSrvA. The domain contains only one site named Valencia. You are adding a new site named Barcelona.
You need to promote an existing Windows Server 2003 member server named TestKingSrvB to be an additional domain controller of the domain. A 56Kbps WAN connection connects the Valencia and Barcelona sites. You need to install TestKingSrvB as a new domain controller on the Barcelona site. You need to minimize the use of the WAN connection during this process.
What should you do?
A. Set the site link cost between the Valencia and Barcelona sites to 50. Promote TestKingSrvB to be an additional domain controller in the Barcelona site.
B. Restore the backup files from the system state data on TestKingSrvA to a folder on TestKingSrvB and install Active Directory by running the dcpromo /adv command.
C. Promote TestKingSrvB to be an additional domain controller by running the dcpromo command over the network.
D. Promote TestKingSrvB to be an additional domain controller by using an unattended installation file.
Answer: B
Explanation: We want to minimize the use of the WAN link. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller.
Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network.
Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, then restore it to the new domain controller by using the Restore to: Alternate location option.
In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote a member server to a domain controller.
Incorrect Answers:
A: Site link costs are a mechanism for controlling replication traffic. In this scenario we need to install Active Directory, not control Active Directory replication.
C: Running the dcpromo command over the network will result in large amounts of traffic across the WAN link. We want to reduce this.
D: We could promote TestKingSrvB to a domain controller by using unattended installation, however, Active Directory would need to be synchronized with the Active Directory on TestKingSrvA. This synchronization would result in WAN traffic that could be reduced by installing Active Directory from a backup.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2: 26-28.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 294-6, 298-300.

QUESTION NO: 21
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.
User accounts are configured as local administrators so that users can install software. A desktop support team supports end users. The desktop support team's user accounts are all members of a group named Support.
You create a software restriction policy that only prevents users from running registry editing tools by file hash rule. You apply the policy to all user accounts in the domains.
The desktop support team reports that when they attempt to run registry editing tools, they receive the following error message: "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator."
You need to ensure that only the desktop support team can run registry editing tools.
What should you do?
A. Configure the software restriction policies to be enforced for all users except local administrators.
B. Make users members of the Power Users group instead of the Administrators group.
C. Use a logon script to copy the registry editing tools to the root of drive C. Assign the Domain Admins group the Allow - Read permission for the registry editing tools in the new location.
D. Filter the software restriction policy to prevent the Support group from applying the policy.
Answer: D
Explanation: We can prevent the software restriction policy from applying to the support group by simply assigning the support group the Deny - Read and/or the Deny - Apply group policy permission.
Incorrect answers:
A: The users are local administrators. The policy must apply to the local administrators.
B: The policy applies to all users. It will still apply to the support group. Changing the local users group membership will have no effect on the policy.
C: The software restriction policy is using a hash rule to prevent the use of the registry editing tools. It does not matter where the tools are located, they still will not run.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: 16

QUESTION NO: 22
You are the network administrator for TestKing. Your user account is a member of the Schema Admins group. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named TestKingA holds the schema master role.
An application named Application1 creates additional schema classes. You notice that this application created some classes that have incorrect class names. You need to correct the class names as quickly as possible.
What should you do?
A. Deactivate the Application1 classes that have the incorrect class names. Set the default security permission for the Everyone group for those schema classes to Deny.
B. Deactivate the Application1 classes that have the incorrect class names. Create the Application1 classes with the correct class names.
C. Rename the description of the Application1 classes to the correct class name. Instruct the developers of Application1 to change the code of the application so that the renamed schema classes can be used.
D. Instruct the developers of Application1 to change the code of the application so that the application creates the new schema classes with the correct class names. Reinstall Application1 and select Reload the schema in the Active Directory Schema console.
Answer: B
Explanation: We need to deactivate the Application1 classes that have the incorrect class names. This is because you cannot delete or rename a class. We can only deactivate the incorrect classes and recreate the classes with the correct class names.
Extending the schema - When the set of classes and attributes in the base Active Directory schema do not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.
Schema extensions are not reversible - Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.
Deactivating a class or attribute - Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or however, it is easily reactivated.
If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception to this is that an attribute used as a rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (for example, those values cannot be reused).
If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it.
Incorrect Answers:
A: It is not necessary to deny access to the classes after deactivating them. We need to recreate the classes with the correct names.
C: Changing the description of a class does not rename the class. It is not possible to rename a class.
D: We need to deactivate the classes that have the incorrect class names.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 11

QUESTION NO: 23
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains two domains and four sites. All servers run Windows Server 2003.
You are responsible for administering domain controllers in one site. Your site contains four domain controllers. The hard disk that contains the Active Directory database fails on a domain controller named TESTKING2. You replace the failed disk.
You need to recover TESTKING2. You need to achieve this goal without affecting existing Active Directory data.
What should you do?

A. Perform a nonauthoritative restoration of the Active Directory database.
B. Perform an authoritative restoration of the Active Directory database.
C. Use the Ntdsutil utility to run the semantic database analysis command.
D. Use the Ntdsutil utility to run the restore subtree command.
Answer: A
Explanation: You have four domain controllers in your site. You can simply perform a non-authoritative restore of the Active Directory database. Any changes to the Active Directory database since the data was backed up will be replicated from another domain controller.
Incorrect Answers:
B: This is not necessary. This will overwrite the Active Directory database on the other domain controllers. The other domain controllers will have the most recent copies of the Active Directory database. These changes can be replicated to the failed machine.
C: You can use this process to generate reports on the number of records present in the Active Directory database, including deleted and phantom records. It is not used to restore the Active Directory database.
D: We need to restore the entire Active Directory database, not just a subtree of it.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 3: 44-48

QUESTION NO: 24
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain named testking.com. Organizational units (OUs) in the domain are configured as shown in the Domain Structure exhibit.
All client computers run Windows XP Professional. All client computer accounts are located in the TestKing Computers OU.
Your user account is a member of the Domain Admins security group. All user accounts that are members of the Domain Admins security group are located in the Domain Admins OU.
All service desk users have user accounts that are members of the SrvDeskGrp security group. All accounts that are members of this group are located in the Service Desk Staff OU.
You use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO) named Install Admin Tools. You configure the GPO as follows:
1. In the GPO, create a software installation package that assigns the Windows Server 2003 Administration Tools Pack (adminpak.msi) to users.
2. Link the GPO to the IT Users OU.
3. Remove the Authenticated Users built-in group from the list of users and groups that were delegated permissions for the GPO.
4. Assign the SrvDeskGrp security group the Allow - Read permission for the GPO.
Service desk users report that the administrative tools needed for their job are not installed. You use the GPMC to examine the history of Group Policy application for one of the affected users. The relevant results are shown in the GPMC exhibit.
You also discover that when you log on to a computer normally used by a service desk user, the administrative tools are automatically available for you.
You need to ensure that administrative tools can also be installed by Group Policy for all users with accounts in the IT Users OU, without increasing the administrative privileges of any users.
What should you do?
A. Link the Install Admin Tools GPO to the Service Desk Staff OU. Move the computer accounts for computers used by service desk users to the Service Desk Staff OU.
B. Change the security filtering on the Install Admin Tools GPO to grant the SrvDeskGrp security group the ability to apply the GPO.
C. Move the SrvDeskGrp security group to the Domain Admins OU.
D. Modify the GPO to assign the Administration Tools Pack to computers instead of to users.
Answer: B
Explanation: You need to assign the Allow - Apply Group Policy permission, not just the Allow - Read permission, to the SrvDeskGrp group.
Incorrect Answers:
A: Linking the Install Admin Tools GPO to the Service Desk Staff OU on its own won't help. The SrvDeskGrp would still only have Allow - Read permissions.
C: Making the SrvDeskGrp a member of the Domain Admins OU would give them too many permissions.
D: The GPO should apply to users not computers because we are controlling application based on user groups.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41.

QUESTION NO: 25
You are the network administrator for TestKing. You are implementing a new Windows Server 2003 network environment. You install one Active Directory forest root domain named cpandl.com.
You install the first domain controller named DC1. You configure DC1 as a DHCP server and as an Active Directory-integrated DNS server with dynamic updates enabled. Later you install an additional domain controller named DC2.
You cannot raise the functional level of the domain to Windows Server 2003. You discover that the service locator (SRV) resource records of DC1 are not created in the cpandl.com zone on the DNS server. You run the Dcdiag tool on DC1 and receive the output shown in the exhibit.
You need to make it possible to raise the functional level of the domain to Windows Server 2003.
What should you do?
A. Upgrade DC2 to a global catalog server.
B. Use the DHCP server locator utility to find out which DHCP servers are available in the cpandl.com zone.
C. Start the Net Logon service on DC1.
D. Restart the DNS Server service on DC1 to enable DNS clients to resolve host names by answering queries and update requests.
Answer: C
Explanation: SRV records are required for clients to locate hosts that provide required services. The Netlogon service registers a set of default SRV resource records on the DNS server. However, the exhibit indicates that the NetLogon service is stopped on DC1. We should restart this service.
Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not affect the forest level.
B: DHCP is used to assign IP configurations to DHCP clients. However, the SRV records are missing. We will thus not be able to locate the DHCP server.
D: The DNS server does not have the SRV records. Restarting the DNS service will not generate these records. We should start the NetLogon service.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2: 48-52

QUESTION NO: 26
HOTSPOT
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003.
The forest contains several Active Directory sites that represent branch offices and a site named MainOffice that represents the central data center. A site named Branch1 contains one domain controller named Server1 that is not a global catalog server. The MainOffice site contains one domain controller named Server2 that is a global catalog server.

You need to use universal group membership caching in the Branch1 site. Which component or components should you configure? To answer, select the appropriate component or components in the work area.
Answer:
Explanation: Select the "NTDS Site Settings" for the Branch1 office in the right hand pane.
Universal group membership caching is enabled or disabled in the NTDS Settings Properties dialog box of the Active Directory Sites and Services console. This must be performed in the site where you want to enable universal group membership caching, i.e., in the Branch1 site.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-41 to 5-45, 5-48 to 5-50.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 27
You are a network administrator for TestKing, which has five regional offices and 3,000 branch offices. Each branch office contains 10 users. Branch offices are connected to the nearest regional office by a 56-Kbps WAN connection.
The network consists of a single Active Directory forest that contains one domain for each regional office. All servers run Windows Server 2003. Each branch office contains one domain controller that is configured as an additional domain controller in the regional domain for the branch office. The site link between each branch office and the corresponding regional domain is configured to replicate every 30 minutes.
Users in the branch office report that applications respond slowly when they access resources in the corresponding regional office. You monitor the WAN connection that connects several of the branch offices and discover that utilization increases from 30 percent to more than 90 percent on a regular basis.
You need to improve the response time of applications when they access resources in the regional office. You need to ensure that users can log on without using cached credentials if the WAN connection fails.
What should you do?
A. Remove Active Directory from the file and print server in each branch office. On the site link between each branch office and the corresponding regional office, increase the replication interval.
B. Enable universal group membership caching in each branch office. Configure the site link between each branch office and the corresponding regional office to be available only during off-peak hours.
C. Configure the domain controller in each branch office as a global catalog server.
D. On the site link between each branch office and the corresponding regional office, decrease the replication interval.
Answer: D
Explanation: Response times for that application are slow because replication traffic is too much. Decreasing the replication schedule will reduce the amount of replication traffic by allowing amounts of changes to be replicated.
Incorrect Answers:
A: Increasing the replication interval will increase the amount of changes that must be replicated at a time. This might increase replication traffic.
B: We don't want to use cached credentials.
C: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not control replication.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to 5-8.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 449-452, 458, 458-459.

QUESTION NO: 28
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003.
TestKing's written security policy requires that all administrative passwords be changed every 30 days. You configure the domain security policy to enforce the written security policy.
A security audit reveals that the password used to log on to domain controllers in Directory Services Restore mode is 10 months old.
You need to ensure that all passwords are changed in accordance with the written security policy. You must accomplish this task without causing disruption to user access.
What should you do?
A. Restart each domain controller in Directory Services Restore Mode. Use Computer Management to reset the password for the Administrator account.
B. Use the Ntdsutil utility to reset the password on each domain controller for Directory Services Restore Mode.
C. Configure the Domain Controller Security Policy to enforce the written security policy.
D. Reset the Administrator password by using Active Directory Users and Computers.
Answer: B
Explanation: In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password.
Incorrect Answers:
A: Restarting the domain controllers will cause a disruption in user access.
C: The Domain Controller Security Policy is enforced when the domain controller is booted and can be refreshed at set intervals. However, the Directory Service Restore Mode Administrator password is a user account setting, not a computer account setting and should be enforced when the user logs on.
D: Directory Service Restore Mode Administrator password cannot be set in Active Directory Users and Computers.
References: MS Knowledgebase Article 322672: How to reset the Directory Service Restore Mode Administrator Account Password in Windows Server 2003.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53.

QUESTION NO: 29
HOTSPOT
You are the Network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003.
The user accounts for the processing department are located in an Organizational Unit (OU) named processing. You need to deploy an application to all users in the processing department. You create a Group Policy Object (GPO) and link it to the processing OU. You place the msi file for the application in a shared folder on the network.
You configure the User Configuration section of the GPO to deploy the application. You need to ensure that the application is immediately ready for use when a user logs on to a client computer. You also need to prevent any user from continuing to use the application if the user's user account is moved to another OU.
What should you do?
Answer:
Explanation: Select the following check boxes:
1. Assigned.
2. Uninstall this application when it falls out of the scope of management.
3. Install this application at logon.
4. Basic
We need to assign the application to the users and select the "Install this application at logon" option to ensure that the application is immediately ready for use when a user logs on to a client computer. To prevent any user from continuing to use the application if the user's user account is moved to another OU, we need to select the "Uninstall this application when it falls out of the scope of management" option. The "Basic" option ensures that the application installs with minimal (or no) user intervention.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 2

QUESTION NO: 30
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one forest root domain named testking.com and two child domains named europe.testking.com and usa.testking.com. The functional level of the forest is Windows 2000 native.
The testking.com domain contains a Windows 2000 Server domain controller named TestKing3 that is running Service Pack 4 or later. You take TestKing3 offline. You also remove all references to TestKing3 from the Configuration container in Active Directory.
Five days later, you upgrade all remaining domain controllers to Windows Server 2003. You then raise the functional level of the forest to Windows Server 2003.
You need to integrate TestKing3 into the new Active Directory infrastructure. You want TestKing3 to be an additional domain controller of the europe.testking.com domain.
What should you do?
A. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Computers container of the europe.testking.com domain.
B. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Upgrade TestKing3 to a Windows Server 2003 member server. Run the dcpromo command to promote TestKing3 to be an additional domain controller of the europe.testking.com domain.
C. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.
D. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.
Answer: B
Explanation: Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 domain controller to the forest. We would need to upgrade the Windows 2000 domain controller to Windows Server 2003. However, we must first demote the Windows 2000 domain controller and then upgrade it to Windows Server 2003. Add it to the network and then promote it.
Incorrect Answers:
A, D: If we upgrade the Windows 2000 domain controller to Windows Server 2003 while it is disconnected from the network, the upgraded computer will assume that it is the first domain controller for the domain. It will then hold the RID, Global Catalog and Schema Master roles. This will cause a conflict when we eventually add the domain controller to the network.
C: Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 server to the forest.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-2 to 4-37.
QUESTION NO: ,< You are a net"or0 administrator $or TestBing com The net"or0 consists o$ t"o )cti/e Directory domains "ith three sites )ll ser/ers run !indo"s Ser/er 2==, TestBing has o$$ices in three cities and each o$$ice is con$igured as a se#arate site The net"or0 con$iguration is sho"n in the e3hibit ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com

2 -G2 2 The com#any has <*75= users in the .aris o$$ice* <*75= users in the Dome o$$ice* and 25 users in the +onn o$$ice -lobal catalog ser/ers are con$igured in each site )utomatic site lin0 bridging is disabled ) "ritten com#any #olicy requires that no !)N connection e3ceed 7= #ercent #ea0 utili1ation You e3amine the !)N connection bet"een the Dome and .aris o$$ices and disco/er that the utili1ation reaches ;5 #ercent during )cti/e Directory re#lication ?isit our reseller at www.5rometric?U3.com for lastest %ersion and special priceV 4eading the wa in &T testing and certification tools, www.test/ing.com 2 -G3 2 You need to reduce the !)N tra$$ic associated "ith the )cti/e Directory re#lication on the connection bet"een the Dome and .aris o$$ices You need to ensure that users in the Dome o$$ice can log on to the domain i$ a !)N connection $ails !hat should you do% A. Decrease the replication inter%al on the site lin/ connecting the 5aris and Rome sites. 1. Remo%e the global catalog ser%er from the Rome office. 3nable uni%ersal group membership caching in the Rome site. .. 3nable slow lin/ detection in the Default Domain 5olic Croup 5olic ob)ect *C5'+ in the rome.test/ing.com domain. D. .onfigure a site lin/ bridge between the site lin/ that connects the Rome and 5aris sites and the site lin/ that connects the 5aris and 1onn sites. )ns"er: + E3#lanation9 The Clobal .atalog *C.+ contains a full replica of all Acti%e Director ob)ects in its host domain plus a partial replica of all director ob)ects in e%er domain in the forest. A C. contains information about all ob)ects in all domains in the forest, so finding information in the director does not re6uire unnecessar 6ueries across domains. A single 6uer to the C. produces the information about where the ob)ect can be found. &t pro%ides information about ob)ects that are located in other domains in the forest. 
Universal group membership caching allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. This ability allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable. The cache is refreshed periodically as determined in the replication schedule.

Incorrect answers:
A: Reducing the replication interval will reduce the amount of data that must be replicated at a time. However, this is not what will ensure that the Rome office can log on to the domain in case of WAN connection failure.
C, D: Enabling slow link detection or configuring a site link bridge will not reduce the amount of data that must be replicated at a time.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-25 to 5-35, 5-59 to 5-68.
QUESTION NO: 32
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest and of all three domains is Windows Server 2003. TestKing has a main office and 30 branch offices. Each branch office is connected to the main office by a 56-Kbps WAN connection. You configure the main office and each branch office as a separate Active Directory site. You deploy a Windows Server 2003 domain controller at the main office and at each branch office. Each domain controller is configured as a DNS server. You can log on to the network from client computers in the branch offices at any time. However, users in the branch offices report that they cannot log on to the network during peak hours. You need to allow users to log on to the network from branch office computers. You do not want to affect the performance of the branch office domain controllers. You need to minimize Active Directory replication traffic across the WAN connections. What should you do?

A. Use Active Directory Sites and Services to enable universal group membership caching for each branch office site.
B. Use the DNS console to configure the branch office DNS servers to forward requests to a DNS server in the main office.
C. Use Active Directory Sites and Services to configure each branch office domain controller as a global catalog server.

D. Use the DNS console to configure the branch office DNS servers to use an Active Directory-integrated zone.

Answer: A

Explanation: When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon information. If a global catalog is not available when a user initiates a network logon process, the user is able to log on only to the local computer unless the site has been specifically configured to cache universal group membership lookups when processing user logon attempts. In this scenario the domain controller must contact the global catalog server across a WAN link that is saturated. Enabling universal group membership caching will overcome this problem.

Incorrect Answers:
B: When users log on, the requests are sent to the global catalog, not the DNS server.
C: Configuring each branch office domain controller as a global catalog server would result in increased replication traffic. We want to avoid this.
D: An Active Directory-integrated zone is a DNS zone that is part of Active Directory and is part of Active Directory replication. Making the DNS zone a part of Active Directory will not overcome logon latency and will lead to an increase in replication traffic.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-43.
QUESTION NO: 33
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains three Windows Server 2003 domain controllers. You are creating the recovery plan for TestKing. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller. Your recovery plan must incorporate the following organizational requirements:
1. Active Directory objects that are accidentally or maliciously deleted must be recoverable.
2. Active Directory must be restored to its most recent state as quickly as possible.
3. Active Directory database replication must be minimized.
You need to create a plan to restore a deleted organizational unit (OU). Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two.)

A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use the Ntdsutil utility in Safe Mode.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use the Ntdsutil to perform an authoritative restore operation of the appropriate subtree.

Answer: A, E

Explanation: If an OU gets deleted from the Active Directory, we can restore it from a backup of the system state data. Directory Services Restore Mode is a sort of safe mode in which we can boot a domain controller without loading the Active Directory. This will enable us to restore all or part of the Active Directory database. To ensure that the deleted OU isn't deleted again by replication from another domain controller, we must use the Ntdsutil utility to mark the restored subtree as authoritative.
Incorrect Answers:
B: To restore part of the Active Directory, we must start a domain controller in Directory Services Restore Mode, not safe mode.
C: part of it.
D: This will overwrite the existing Active Directory database.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53.

QUESTION NO: 34

Network Diagram

You notice that after the forest trust relationship is deleted, the membership lists for some of the domain local groups are no longer accurate. When you view a membership list, it contains entries without user-friendly names. A sample is shown in the Membership List exhibit.

**MISSING**

You need to delete all the unknown groups from the membership list for the domain local groups. You want to achieve this goal by using the minimum amount of administrative effort, and without modifying the access to resources for users in the testking.com forest. What should you do?

A. Create new domain local groups. Add the required global groups from the testking.com forest to the domain local groups. Grant appropriate permissions to the domain local groups. Delete the original domain local groups.
B. Re-create the trust relationship between testking.com forest and the fabrikam.com forest. Delete all fabrikam.com global accounts from the domain local group membership lists. Delete the trust relationship between the two forests.
C. Verify all remaining trust relationships. Then delete the unknown accounts from the domain local groups.
D. Delete all the affected domain local groups. Re-create the groups. Add the appropriate global groups from the testking.com forest to the groups. Grant appropriate permissions to the domain local groups.

Answer: C

Explanation: A method of seek and destroy will represent the least administrative effort.
To keep administrative effort to a minimum while deleting all the unknown groups from the membership list without modifying access to resources for the testking.com forest users, you should verify all remaining trust relationships and then delete the unknown accounts from the domain local groups.

Incorrect answers:
A: Creating new domain local groups and adding only the required testking.com forest global group to the domain local group will not reveal where unknown accounts are located. It could well be that amongst the required global testking.com forest group there are unknown accounts.
B: This option suggests too much administrative effort to complete the task. And it will also result in modifying access to resources for the testking.com forest users.
D: How would you know which are all the affected groups without verifying the trust relationships first?

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 70

QUESTION NO: 35
You are a network administrator for TestKing. The network contains a Windows Server 2003, Enterprise Edition file server named TestKing3 that contains two volumes configured as drive H and drive J. Drive H contains 40 GB of unused space and drive J contains 12 GB of unused space. TestKing3 contains the shared folders shown in the following table.

File system path      Share name      Disk space used by shared folders
H:\HomeFolders        HomeFolders     20 GB
H:\GroupFolders       GroupFolders    20 GB
J:\TestKingData       TKData          16 GB

Each file in the TestKingData folder is modified or deleted every seven days on average, and new files are added frequently. Users often request that prior versions of files be restored from backup tapes. All users have Windows XP Professional computers. You want to enable users to restore prior versions of modified or deleted files in the TestKingData folder.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Enable Shadow Copies of Shared Folders on drive J and configure an 8-GB storage area on drive J.
B. Enable Shadow Copies of Shared Folders on drive J and configure a 20-GB storage area on drive H.
C. Enable automatic caching of documents for TKData.
D. Enable manual caching of documents for TKData.
E. Install Twcli32.msi on each user's client computer.
F. Install Adminpak.msi on each user's client computer.

Answer: B, E

Explanation: To store the shadow copies of another volume on the same file server, a volume can be dedicated on separate disks. For example, if user files are stored on H:\, another volume such as S:\ can be used to store the shadow copies. Using a separate volume on separate disks provides better performance and is recommended for heavily used file servers.

Note: If shadow copies are stored on the same volume as the user files, note that a burst of disk input/output (I/O) can cause all shadow copies to be deleted. If the sudden deletion of shadow copies is unacceptable to administrators or end users, it is best to use a separate volume on separate disks to store shadow copies.

Windows Server 2003 includes the client software for volume shadow copy in its %Systemroot%\System32\Clients\Twclient folder. The client software to access previous versions of files is Twcli32.msi. This needs to be installed on every client computer.

This is a difficult question because answer A or B will work. We need to decide which disk to store the shadow copies on. Drive H has enough spare space. With more space, we can store more shadow copies. Also, placing the shadow copies on a separate disk or volume provides better performance.
Incorrect answers:
C, D: This is not a caching concern that will address the issue. You should rather enable shadow copies so that you can enable users to restore prior versions of modified and deleted files.
F: The Adminpak.msi can be used to repair console issues related to file corruption and software deployment, but in this case you would need the Twcli32.msi.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 6: 41
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 3: 10

QUESTION NO: 36
You are the network administrator for TestKing. The network consists of a single Active Directory domain named TestKing.com. The company has an office in San Diego, which is configured as a single Active Directory site. The company has 500 users. The company opens a new office in Los Angeles, which employs 50 users. A T1 line connects both offices. You configure the Los Angeles office as a single site. You create a subnet object for the Los Angeles office. In the Los Angeles office, you install and configure a server named TestkingDC1 as a domain controller and global catalog server. You configure the Los Angeles site to use TestkingDC1 and the Los Angeles subnet object. You configure a site link that connects the site in San Diego and the site in Los Angeles. You need to ensure that client computers in Los Angeles connect to TestkingDC1 for authentication. You also need to ensure that changes to the domain are replicated as soon as possible. What should you do?

A. Configure the interval for the site link to its minimum value.
B. Remove the Los Angeles site and move TestkingDC1 and the Los Angeles subnet object to the San Diego site.
C. Create an RPC-based connection object at each of the two sites.
D. Create a site link bridge between the two sites.

Answer: A

QUESTION NO: 37
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains one domain. The functional level of the forest is Windows 2000, and the functional level of the domain is Windows 2000 mixed.

The domain contains four domain controllers named TestkingDC1, TestkingDC2, TestkingDC3, and TestkingDC4. There are two sites in the forest. TestkingDC1 and TestkingDC2 are in one site. TestkingDC3 and TestkingDC4 are in the other site. TestkingDC1 fails. You need to wait until the following week to restore TestkingDC1. While connected to TestkingDC3, you perform a bulk import of user accounts and receive an error message stating that a number of user accounts could not be created. What should you do?

A. Seize the PDC emulator role to TestkingDC3.
B. Seize the relative ID (RID) master role to TestkingDC3.
C. Create a replication object to connect TestkingDC3 to TestkingDC2.
D. Raise the functional level of the domain and the functional level of the forest to Windows Server 2003.

Answer: B

QUESTION NO: 38
Exhibit: *** MISSING ***
You are the network administrator for TestKing. The company has a main office and one branch office. All client computers run Windows XP Professional. The network consists of a single Active Directory forest that contains a single domain named testking.com. The forest has two sites named MainOffice and BranchOffice. The organizational unit (OU) structure is shown in the exhibit. A written company policy requires different Group Policy objects (GPOs) to be linked to the various OUs. All of the users in the BranchOffice site require a specific application. You create a new GPO named BranchApps and configure it to assign the required application to all users in the BranchUsers OU. A special project suddenly requires two users who normally work in the MainOffice site to take their portable computers to work in the BranchOffice site. When these users log on to the network at the branch office, the required application is not automatically installed on their portable computers. You verify that all other GPOs are being applied properly. You need to ensure that the application is automatically installed on these two portable computers. The application must not be installed on any of the other computers in the main office. You must also ensure that settings that are currently applied to the two users remain in effect. What should you do?

A. Move the two user accounts from the MainOfficeUsers OU to the BranchUsers OU.
B. Move computer accounts for the two users from the MainOfficeClients to the BranchClients OU.
C. Link the BranchApps GPO to the MainOffice site.
D. Link the BranchApps GPO to the BranchOffice site.
Answer: A

Explanation: Or B. Exhibit is needed to decide whether A) or B) is the preferred answer.

QUESTION NO: 39
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for the company. You want to ensure that users who log on to the domain receive a certificate that can be used to authenticate to Web sites. You create a new certificate template named User Authentication. You configure a Group Policy object (GPO) that applies to all users. The GPO specifies that user certificates must be enrolled when the policy is applied. You install an enterprise certification authority (CA) on a computer that runs Windows Server 2003. Users report that when they log on, they do not have certificates to authenticate to Web sites that require certificate authentication. You want to ensure that users receive certificates that can be used to authenticate to Web sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On the User Authenticate certificate template, select the Reenroll All Certificate Holders command.

B. Assign the Domain Users group the Allow - Autoenroll permission for the User Authentication certificate template.
C. Configure the CA to enable the User Authentication certificate template.
D. Assign the Domain Users group the Allow - Issue and Manage Certificates permission for the CA.

Answer: B, C

QUESTION NO: 40
You are the network administrator for TestKing. All Web servers on the network run Windows 2000 Server. The Web servers run several applications, including a collaborative Web-based application that uses ASP.NET and Web Distributed Authoring and Versioning (WebDAV). You plan to migrate the Web servers to Windows Server 2003. You use the Configure Your Server Wizard to configure a Windows Server 2003 computer as an application server, and you enable ASP.NET in the process. You install the Web-based application on the server. Users now report that when they attempt to access the collaborative Web-based application, they receive the error message shown in the exhibit.

You need to enable the collaborative Web-based application to function on Windows Server 2003 while maintaining Web server security. What should you do?

A. Use IIS Manager to disable anonymous access.
B. Use IIS Manager to allow the WebDAV Web service extension and to allow Httpext.dll.
C. Use IIS Manager to grant the users of the Web-based application permissions for the default Web site.
D. Use IIS Manager to allow the Active Server Pages Web service extension and to allow Asp.dll.
Answer: D

QUESTION NO: 41
You are the network administrator for TestKing. The company currently has the DNS domain name testking.com registered for use for the company Web site and e-mail addresses. The testking.com domain namespace is currently hosted on DNS servers that are owned by the company's ISP. A firewall separates the publicly accessible network from the internal company network. DNS is not used on the internal company network. Company IT policy for the new directory services infrastructure includes the following requirements:
1. All Active Directory data must be isolated from external users.
2. All internal DNS namespace must be isolated from external users.
You install a Windows 2003 Server computer on the internal network, and you install the DNS Server service on the server. You need to plan the new namespace design for your company. Your plan must comply with the company IT policy. What should you do?

A. Create a primary zone named ad.testking.com on the internal DNS server.
B. Create a secondary zone named testking.com on the internal DNS server.
C. Create a stub zone named ad.testking.com on the internal DNS server.
D. Create a delegation record on the ISP's DNS server for the internal DNS server.
E. Configure zone transfers between the ISP's DNS server and the internal DNS server.
Answer: A

QUESTION NO: 42
You are the network administrator for TestKing.com. TestKing has offices in Chicago, New York and Toronto. Each office employs 500 people. The network consists of a single Active Directory forest with one domain in each office. Each domain contains two domain controllers named Testking1 and Testking2. All domain controllers run Windows Server 2003. Each office is configured as an Active Directory site. The domain structure is shown in the exhibit.

[Exhibit labels: New York, Toronto]

The Windows Server 2003 computer named Testking1.testking.com holds all operations master roles for its domain, and it holds both forest-level operations master roles. The Windows Server 2003 computers named Testking1.sales.testking.com and Testking1.prod.testking.com hold all operations master roles for their respective domains. WAN connectivity between the offices is unreliable. You need to plan the placement of global catalog servers for the network. You need to ensure that each user can log on in the event of the failure of a single domain controller and WAN connection. You need to ensure that the consistency of universal group membership information remains intact. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Configure both domain controllers in testking.com as global catalog servers.
B. Configure only Testking1 in each domain as a global catalog server.
C. Configure only Testking2 in each domain as a global catalog server.
D. Enable universal group membership caching for each site.
E. Enable universal group membership caching for the Chicago office.
F. Enable universal group membership caching for the Toronto office and the New York office.
Answer: A, E

QUESTION NO: 43
HOTSPOT
You are the network administrator for Testking, Inc. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a root domain named testking.com and two child domains named Europe.testking.com and usa.testking.com. All domain controllers run Windows Server 2003. Each domain contains one DNS server. The DNS server in testking.com is named TKDNS1, the DNS server in europe.testking.com is named TKDNS2, and the DNS server in usa.testking.com is named TKDNS3. Each DNS server in a child domain is responsible for name resolution in only its domain. The TCP/IP properties of all client computers in the child domains are configured to use only the DNS server in their domain. All records of all DNS servers are stored in Active Directory.

You create a new application directory partition named DNSdata.testking.com. You enlist TKDNS1 and TKDNS2 in this application directory partition. You need to enable all users in the testking.com domain to access resources in the europe.testking.com domain by using host names. Users in the testking.com domain do not need to access resources in the usa.testking.com domain. You need to configure the zone replication scope of the europe.testking.com domain at TKDNS2. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer:
Explanation:

QUESTION NO: 44
You are a network administrator for TestKing. The network consists of 20 Active Directory domains. All servers run Windows Server 2003. TestKing has 240 offices. Each office is configured as an Active Directory site. TestKing has a branch office that contains four users. User objects for these users are stored in the australia.testking.com domain. The branch office is connected to the corporate network by a 56-Kbps WAN connection. The branch office contains a domain controller named TestKing17 that is configured as an additional domain controller for the australia.testking.com domain. An Active Directory site is configured for the branch office. TestKing17 is a member of this site. An IP site link exists between the branch office and the main office. The WAN connection is available only during business hours. Users in the branch office report slow response times on the WAN connection. You examine the WAN connection and discover that the problem is caused by Active Directory replication. You need to improve the performance of the WAN connection. What should you do?

A. Configure TestKing17 as a global catalog server.
B. Enable universal group membership caching in the branch office.
C. Remove Active Directory from TestKing17 and configure TestKing17 as a member server.
D. On the site link that connects the branch office to the corporate network, increase the replication interval.

Answer: D

Microsoft 70-297 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Q&A with explanations
Version 3!"0

Table of Contents

Topic 1, Planning and Implementing an Active Directory Infrastructure (74 Questions)
  Part 1: Plan a strategy for placing global catalog servers.
    A: Evaluate network traffic considerations when placing global catalog servers. (9 questions)
    B: Evaluate the need to enable universal group caching. (6 questions)
  Part 2: Plan a flexible operations master role placement.
    A: Plan for business continuity of operations master roles. (3 questions)
    B: Identify operations master role dependencies. (5 questions)
  Part 3: Implement an Active Directory directory service forest and domain structure.
    A: Create the forest root domain. (0 questions)
    B: Create a child domain. (1 question)
    C: Create and configure Application Data Partitions. (0 questions)
    D: Install and configure an Active Directory domain controller. (5 questions)
    E: Set an Active Directory forest and domain functional level. (9 questions)
    F: Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts. (8 questions)
  Part 4: Implement an Active Directory site topology.
    A: Configure site links. (6 questions)
    B: Configure preferred bridgehead servers. (8 questions)
    C: Configure Intersite Replication (4 questions)
  Part 5: Plan an administrative delegation strategy.
    A: Plan an organizational unit (OU) structure based on delegation requirements. (8 questions)
    B: Plan a security group hierarchy based on delegation requirements. (2 questions)

Topic 2, Managing and Maintaining an Active Directory Infrastructure (32 Questions)
  Part 1: Manage an Active Directory forest and domain structure.
    A: Manage trust relationships. (3 questions)
    B: Manage schema modifications. (2 questions)
    C: Add or remove a UPN suffix. (2 questions)
  Part 2: Monitor Active Directory replication failures. Tools might include Replication Monitor, Event Viewer, and support tools.
    A: Monitor Active Directory replication. (1 question)
    B: Monitor File Replication service (FRS) replication. (0 questions)
  Part 3: Restore Active Directory directory services.
    A: Perform an authoritative restore operation. (6 questions)
    B: Perform a nonauthoritative restore operation. (7 questions)
  Part 4: Troubleshoot Active Directory.
    A: Diagnose and resolve issues related to Active Directory replication. (7 questions)
    B: Diagnose and resolve issues related to operations master role failure. (1 question)
    C: Diagnose and resolve issues related to the Active Directory database. (3 questions)

Topic 3, Planning and Implementing User, Computer, and Group Strategies (23 Questions)
  Part 1: Plan a distribution group strategy. (1 question)
  Part 2: Plan a security group strategy. (6 questions)
  Part 3: Plan a user authentication strategy.
    A: Plan a smart card authentication strategy. (3 questions)
    B: Create a password policy for domain users. (2 questions)
  Part 4: Plan an OU structure.
    A: Analyze the administrative requirements for an OU. (0 questions)
    B: Analyze the Group Policy requirements for an OU structure. (1 question)
  Part 5: Implement an OU structure.
    A: Create an OU. (2 questions)
    B: Delegate permissions for an OU to a user or to a security group. (6 questions)
    C: Move objects within an OU hierarchy. (2 questions)

Topic 4, Planning and Implementing Group Policy (69 Questions)
  Part 1: Plan Group Policy strategy.
    A: Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode. (0 questions)
    B: Plan a strategy for configuring the user environment by using Group Policy. (8 questions)
    C: Plan a strategy for configuring the computer environment by using Group Policy. (17 questions)
  Part 2: Configure the user environment by using Group Policy.
    A: Distribute software by using Group Policy. (12 questions)
    B: Automatically enroll user certificates by using Group Policy. (2 questions)
    C: Redirect folders by using Group Policy. (2 questions)
    D: Configure user security settings by using Group Policy. (10 questions)
  Part 3: Deploy a computer environment by using Group Policy.
    A: Distribute software applications by using Group Policy. (10 questions)
    B: Automatically enroll computer certificates by using Group Policy. (1 question)
    C: Configure computer security settings by using Group Policy. (7 questions)

Topic 5, Managing and Maintaining Group Policy (24 Questions)
  Part 1: Troubleshoot issues related to Group Policy application deployment. Tools might include RSoP and the gpresult command. (7 questions)
  Part 2: Maintain installed software by using Group Policy.
    A: Distribute updates to software distributed by Group Policy. (4 questions)
    B: Configure automatic updates for network clients by using Group Policy. (4 questions)
  Part 3: Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command. (9 questions)

Topic 6, Simulations (14 Questions)

Topic 7, Miscellaneous Questions (17 Questions)

Total Number of Questions: '()

Topic 1, Planning and Implementing an Active Directory Infrastructure (74 Questions)

Part 1: Plan a strategy for placing global catalog servers.

A: Evaluate network traffic considerations when placing global catalog servers. (9 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest and of all three domains is Windows Server 2003. TestKing has a main office and 30 branch offices. Each branch office is connected to the main office by a 56-Kbps WAN connection. You configure the main office and each branch office as a separate Active Directory site. You deploy a Windows Server 2003 domain controller at the main office and at each branch office. Each domain controller is configured as a DNS server. You can log on to the network from client computers in the branch offices at any time. However, users in the branch offices report that they cannot log on to the network during peak hours. You need to allow users to log on to the network from branch office computers. You do not want to affect the performance of the branch office domain controllers. You need to minimize Active Directory replication traffic across the WAN connections. What should you do?

A. Use Active Directory Sites and Services to enable universal group membership caching for each branch office site.
B. Use the DNS console to configure the branch office DNS servers to forward requests to a DNS server in the main office.
C. Use Active Directory Sites and Services to configure each branch office domain controller as a global catalog server.
D. Use the DNS console to configure the branch office DNS servers to use an Active Directory-integrated zone.
Answer: A

Explanation: When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon information. If a global catalog is not available when a user initiates a network logon process, the user is able to log on only to the local computer unless the site has been specifically configured to cache universal group membership lookups when processing user logon attempts. In this scenario the domain controller must contact the global catalog server across a WAN link that is saturated. Enabling universal group membership caching will overcome this problem.

Incorrect Answers:
B: When users log on, the requests are sent to the global catalog, not the DNS server.
C: Configuring each branch office domain controller as a global catalog server would result in increased replication traffic. We want to avoid this.
D: An Active Directory-integrated zone is a DNS zone that is part of Active Directory and is part of Active Directory replication. Making the DNS zone a part of Active Directory will not overcome logon latency and will lead to an increase in replication traffic.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-43.
QUESTION NO: 2 HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. You configure two Active Directory sites named Testking1 and Testking2. Testking1 contains all of the operations masters and two global catalog servers. Testking2 contains a domain controller named Server1. You create a site link named SiteLink1 that includes Testking1 and Testking2. You need to provide global catalog services locally in Testking2. Which Active Directory component should you configure? To answer, select the appropriate component in the work area.

Answer:

Explanation: Select "NTDS Settings" under SERVER1.

The global catalog service is added or removed in the NTDS Settings Properties dialog box of the Active Directory Sites and Services console.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of two Active Directory domains. All servers run Windows Server 2003. TestKing has offices in several cities as shown in the exhibit. Each office is configured as an Active Directory site. There are global catalog servers in the Toronto and Paris sites. You enable universal group membership caching for all other sites. Users in your company use an application that is integrated with Active Directory. The application reads data from the global catalog. Users report that during periods of peak activity, the application responds slowly. You need to improve the response time of the application. What should you do?

A. Disable universal group membership caching in the Chicago, New York, Bonn, and Rome sites.
B. Decrease the replication interval on the site links that connect the Chicago and New York sites to the Toronto site, and on the site links that connect the Bonn and Rome sites to the Paris site.
C. Configure global catalog servers in the Chicago, New York, Bonn, and Rome sites.
D. Perform an offline defragmentation of the Active Directory database on the domain controllers in the Toronto and Paris sites.
Answer: C

Explanation: The application reads data from the global catalog; however, there are Global Catalog servers only in Toronto and Paris. Therefore, global catalog information must be accessed across the WAN links, which is where the problem occurs. We need to add Global Catalog servers in the Chicago, New York, Bonn, and Rome sites.

Incorrect Answers:
A: Universal group membership caching is used for logon purposes. It is thus irrelevant to this scenario.
B: Decreasing the replication interval will not improve response times. The Chicago, New York, Bonn, and Rome sites must still access the global catalog information across the WAN links.
D: Defragmenting the Active Directory database will not improve response times catalog information across the WAN links.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 547, 550-552.

QUESTION NO: 4
You are the network administrator for TestKing.com. TestKing has offices in Chicago, New York and Toronto. Each office employs 500 people. The network consists of a single Active Directory forest with one domain in each office. Each domain contains two domain controllers named Testking1 and Testking2. All domain controllers run Windows Server 2003. Each office is configured as an Active Directory site. The domain structure is shown in the exhibit.

[Exhibit: domain structure diagram; surviving labels: New York, Toronto]

The Windows Server 2003 computer named Testking1.testking.com holds all operations master roles for its domain, and it holds both forest-level operations master roles. The Windows Server 2003 computers named Testking1.sales.testking.com and Testking1.prod.testking.com hold all operations master roles for their respective domains. WAN connectivity between the offices is unreliable. You need to plan the placement of global catalog servers for the network. You need to ensure that each user can log on in the event of the failure of a single domain controller and WAN connection. You need to ensure that the consistency of universal group membership information remains intact. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure both domain controllers in testking.com as global catalog servers.
B. Configure only Testking1 in each domain as a global catalog server.
C. Configure only Testking2 in each domain as a global catalog server.
D. Enable universal group membership caching for each site.
E. Enable universal group membership caching for the Chicago office.
F. Enable universal group membership caching for the Toronto office and the New York office.

Answer: A, F

Explanation: We could have global catalog servers in each site. This would ensure that users can log on in the event of a WAN connection failure. However, we also need to ensure the consistency of universal group membership information. Therefore, placing global catalog servers in the remote sites is not an option. Instead, we need to enable universal group membership caching for both remote sites. For redundancy purposes, the main site must have more than one global catalog.

Incorrect Answers:
B, C: For redundancy purposes, the main site must have more than one global catalog.
E: We need to enable universal group membership caching for both remote sites.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 5
You are a network administrator for TestKing.com. The network consists of two Active Directory domains. All servers run Windows Server 2003. TestKing has offices in New York and Rome. The two offices are connected by a 128-Kbps WAN connection. Each office is configured as a single domain. Each office is also configured as an Active Directory site. TestKing stores printer location information in Active Directory. Users frequently perform searches of Active Directory to find information on printers by selecting the Entire Directory option. Users in the New York office report that response time is unacceptably slow when searching for printers. You need to improve the response time for users in the New York office. What should you do?

A. Place a domain controller for the Rome domain in the New York office.
B. Place a domain controller for the New York domain in the Rome office.
C. Enable universal group membership caching in the New York office.
D. Configure a global catalog server in the New York office.
Answer: D

Explanation: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data.

Incorrect Answers:
A: This would work but it is unnecessary. Replicating the entire Active Directory from the Rome office to the New York office over the slow WAN link is a waste of resources. A global catalog server in the New York office would suffice.
B: This won't solve the problem at all.
C: Universal Group caching (as its name implies) caches information about universal groups. This scenario involves searching for printers, which has nothing to do with universal groups.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.
QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains a forest root domain named testking.com and a child domain named child2.testking.com. The functional level of the forest is Windows Server 2003. The company uses universal groups to prevent temporary employees from accessing confidential information on computers in the forest. The child1.testking.com domain contains a Windows 2000 Server computer named TestKing1. TestKing1 runs an application that makes frequent LDAP queries to the global catalog. TestKing1 is located on a subnet associated with an Active Directory site named Site2 that has no global catalog servers. Site2 is connected to another site by a WAN connection. You need to enable the application on TestKing1 to run at high performance levels and to continue operating if a WAN connection fails. You also need to minimize traffic over the WAN connection. What should you do?

A. Enable universal group membership caching in Site2.
B. Configure at least one global catalog server in Site2.
C. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry on all domain controllers in Site2.
D. Remove Server1 from the child1.testking.com domain and add it to a workgroup.

Answer: B

Explanation: The application needs to read data from the global catalog. This information is stored on the global catalog servers in the other site. This means that the application needs to contact the global catalog servers over a WAN link. We can improve performance by configuring a global catalog server in Site2. This will enable the application to contact a global catalog server over fast LAN connections. It will also enable the application to run if the WAN link fails.

Incorrect Answers:
A: Universal group caching likely has no effect on the application. Universal group information is just a small part of the information stored in the global catalog. The application would still need to contact a global catalog server.
C: This setting allows users to log on to a domain if the domain controller is unable to contact a global catalog server. It will have no effect on the application.
D: The application won't be able to query the global catalog if the computer isn't a member of the domain.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 7 HOTSPOT

You are a network administrator for TestKing.com. The relevant portion of your network configuration is shown in the work area. TestKing has offices in Toronto and New York. The Toronto office has 500 employees, and the New York office has 150 employees. Employees in both offices use an application that frequently reads configuration data in the global catalog. You install Windows Server 2003 on all domain controllers. You create a single Windows Server 2003 Active Directory domain. The functional level of the forest is Windows Server 2003. You configure servers as shown in the following table.

Server name    Configuration
Testking1      Domain controller, domain naming master, schema master
Testking2      Domain controller, PDC emulator master, relative ID (RID)
Testking3      Member server, file and print server
Testking4      Member server, Web server
Testking5      Domain controller
Testking6      Member server, file and print server

You need to plan the placement of global catalog servers for TestKing.com. You need to ensure that the application performs well during times of peak activity. You need to ensure that the application continues to function in the event of multiple global catalog failures. Where should you place the global catalog server or servers? To answer, select the appropriate computer or computers in the work area.

Answer:

Explanation: Select Testking1, Testking2 and Testking5.
Only domain controllers can function as Global Catalog servers. In this case, only Testking1, Testking2 and Testking5 are domain controllers. We need to use all domain controllers to ensure that the application continues to function in the event of multiple global catalog failures.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 8 DRAG DROP
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains 30 domains. TestKing has 400 offices. The network contains 150,000 user objects. All servers run Windows Server 2003. You are responsible for administering the marketing department, which has offices in North America and Europe, as shown in the work area. Offices in Toronto, Chicago, and New York are part of the america.testking.com domain. Offices in Paris, Bonn, and Rome are part of the europe.testking.com domain. The number of users in each office is shown in the following table.

Office      Number of users
Toronto     750
Chicago     20
New York    650
Paris       650
Bonn        10
Rome        15

Users in the Bonn, New York, and Toronto offices require access to a directory-enabled application that stores configuration information in the global catalog. You need to plan the placement of domain controllers for the network. You need to ensure that each user can log on without using cached credentials and that users have access to the application if a WAN connection fails. You need to achieve this goal while minimizing the increase in WAN traffic. What should you do?

To answer, drag the appropriate domain controller configuration or configurations to the correct location or locations in the work area.

Answer:

Explanation:
to put one Global Catalog server in each site with users who require access to the
To be able to log on without using cached credentials, we need to enable universal group membership caching in the Chicago and Rome offices (because they don't have Global Catalog servers). The Rome office connects to the Paris office. As we have enabled universal group membership caching in the Rome office, we should have a Global Catalog server in the Paris office, so that the Rome office domain controller can cache the universal group membership from the Paris office Global Catalog.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 505-509, 543, 547, 550-552.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
QUESTION NO: 9
You are a network administrator for TestKing that has a main office and five branch offices. The network consists of six Active Directory domains. All servers run Windows Server 2003. Each office is configured as a single domain. Each office is also configured as an Active Directory site. TestKing uses an application server that queries user information from the global catalog. You install application servers in the main office and in three branch offices. The network is configured as shown in the exhibit. You monitor the WAN connections between the main office and each branch office and discover that the utilization increased from 70 percent to 90 percent. Users report slow response times when accessing information on the application server. You need to place global catalog servers in offices where they will improve the response times for the application servers. You need to achieve this goal with a minimum amount of increase in WAN traffic. In which office or offices should you place a new global catalog server or servers? (Choose all that apply)

A. Berlin
B. Rio de Janeiro
C. New Delhi
D. St Petersburg
E. Cairo

Answer: B, C, D

Explanation: Because the application server queries Global catalog attributes, we this case Rio de Janeiro, New Delhi and St Petersburg.

Incorrect Answers:
A: Berlin does not host an application server and therefore does not require a Global Catalog Server.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 505-509.

B: Evaluate the need to enable universal group caching. (6 questions)

QUESTION NO: 1
You are the administrator of the Testking company network. Testking has a main office and a small branch office. Each office is configured as an Active Directory site in the testking.com domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional. The branch office is connected to the main office by a 128Kbps WAN link. Two domain controllers are located in each office. The main office domain controllers are named MainDC1 and MainDC2. The branch office domain controllers are named BranchDC1 and BranchDC2. MainDC1 is an Active Directory-integrated DNS server and a global catalog server. Users in the branch office report that it takes a long time to log on to the network. You need to reduce the logon time for users in the branch office. What should you do?

A. Install another domain controller in the branch office.
B. In Active Directory Sites and Services, enable universal group membership caching for BranchDC1.
C. In Active Directory Sites and Services, move MainDC2 to the branch office site.
D. Decrease the value of the replication interval at the site link between main office and the branch office.

Answer: B

Explanation: It takes a long time to log on in the branch office because the branch office domain controller needs to contact the global catalog server (MainDC1) over a slow WAN link. A global catalog server is a domain controller that stores information about all objects in the forest, but not their attributes, so that applications can search Active Directory without referring to specific domain controllers that store the requested data. We can improve the logon times for the branch office users by enabling universal group membership caching on a branch office domain controller. Universal group membership caching allows the domain controller to cache universal group membership information for users. This eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest.
It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Incorrect Answers:
A, C: Adding another domain controller in the branch office won't improve logon times.
D: Reducing the replication interval will not overcome the problem that the branch office domain controller needs to contact the global catalog server (MainDC1) over a slow WAN link.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 2
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one root domain and multiple child domains. The functional level of all child domains is Windows Server 2003. The functional level of the root domain is Windows 2000 native. You configure a Windows Server 2003 computer named Testking1 to be a domain controller for an existing child domain. Testking1 is located at a new branch office and you connect Testking1 to a central data center by a persistent VPN connection over a DSL line. Testking1 has a single replication connection with a bridgehead domain controller in the central data center. You configure DNS on Testking1 and create secondary forward lookup zones for each domain in the forest. You need to minimize the amount of traffic over the VPN connection caused by logon activities. What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two)

A. Configure the DNS zones to be Active Directory-integrated zones.
B. Configure Testking1 to be the PDC emulator for the domain.
C. Configure Testking1 to be a global catalog server.
D. Configure universal group membership caching on Testking1.

Answer: C, D

Explanation: Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. We can reduce this traffic by either configuring TestKing1 to be a global catalog server, or by enabling universal group membership caching on TestKing1.
A global catalog server stores information about all objects in the forest, but not their attributes, so that applications can search Active Directory without referring to specific domain controllers that store the requested data. Universal group membership caching, on the other hand, allows the domain controller to cache universal group membership information for users. This eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Incorrect Answers:
A: In Active Directory-integrated zones the DNS Zone is replicated as part of Active Directory. This will increase replication traffic. Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. It is not caused by DNS replication.
B: A PDC Emulator is required for authentication purposes for Windows NT 4.0 clients. Thus the PDC emulator is not used in the logon process (except for down-level clients).

Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 5
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-30.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 3
You are the network administrator for TestKing.com. TestKing has offices in Toronto, New York, and Chicago. The network connections are shown in the exhibit. The network consists of two Active Directory domains. User objects for users in the Toronto office and the New York office are stored in the testking.com domain. User objects for users in the Chicago office are stored in the production.testking.com. Active Directory is configured as shown in the following table.

Location    Numbers of Users    Number of Domain Controllers    Number of global Catalog servers
Toronto     650                 4                               2
New York    15                  1                               0
Chicago     500                 3                               2

Users in the New York office frequently report that they cannot log on to the network, or that logging on takes a very long time. You notice increased global catalog queries to servers in the Toronto office during peak logon times. You need to improve logon performance for users in the New York office without increasing WAN traffic that is due to replication. What should you do?

A. Configure the domain controller in the New York office as a global catalog server.
B. Configure Active Directory to cache universal group membership for the Toronto office.
C. Install an additional domain controller in the New York office.
D. Configure Active Directory to cache universal group memberships for the New York office.

Answer: D

Explanation: Logons for New York must contact a global catalog server across the WAN to check the universal group membership from the global catalog in Toronto. Configuring universal group membership caching at the New York site would speed up logons and would not generate additional WAN traffic.

Incorrect Answers:
A: This would only make sense if there were applications that need a Global Catalog.
B: Caching is not required in that office. Furthermore, the Toronto office does have two Global Catalog servers.
C: The number of Domain Controllers is sufficient for the number of users in NY.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.
QUESTION NO: 4 HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003. The forest contains several Active Directory sites that represent branch offices and a site named MainOffice that represents the central data center. A site named Branch1 contains one domain controller named Server1 that is not a global catalog server. The MainOffice site contains one domain controller named Server2 that is a global catalog server. You need to use universal group membership caching in the Branch1 site. Which component or components should you configure? To answer, select the appropriate component or components in the work area.

Answer:

Explanation: Select the "NTDS Site Settings" for the Branch1 office in the right hand pane.

Universal group membership caching is enabled or disabled in the NTDS Settings Properties dialog box of the Active Directory Sites and Services console. This must be performed in the site where you want to enable universal group membership caching, i.e., in the Branch1 site.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.
QUESTION NO: 5 DRAG DROP

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003. The forest includes two Active Directory sites named TestKingSite1 and TestKingSite2. TestKingSite1 contains two domain controllers that are global catalog servers named TestKingA and TestKingB. TestKingSite2 contains two domain controllers that are not global catalog servers named TestKingC and TestKingD. The two sites are connected by a WAN connection. Users in TestKingSite2 report that logon times are unacceptably long. You need to improve logon times for the users in TestKingSite2 while minimizing replication traffic on the WAN connection. How should you configure the network? To answer, drag the appropriate configuration option or options to the correct location or locations in the work area.

Answer:

Explanation: We need to improve logon times for the users in TestKingSite2 while minimizing replication traffic on the WAN connection. Logon times in TestKingSite2 are slow because the domain controllers need to contact a global catalog server in TestKingSite1 for universal group information. We can prevent this by enabling Universal group membership caching in TestKingSite2. Enabling Universal group membership caching at the site level will ensure that all the domain controllers in TestKingSite2 will be able to cache the information. We could improve logon times by placing a global catalog server, but enabling Universal group membership caching is a better solution.

Universal group membership caching allows the domain controller to cache universal group membership information for users. You can enable domain controllers that are running Windows Server 2003 to cache universal group memberships by using the Active Directory Sites and Services snap-in. Enabling universal group membership caching eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-46.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 6

You are the network administrator for TestKing.com. Your network consists of a single Active Directory that contains two domains named testking.com and chicago.testking.com. The functional level of the forest is Windows Server 2003. The network contains two sites named New York and Chicago. A 128-Kbps site link connects the New York and Chicago sites. The testking.com domain contains a domain controller named TK1 in the New York site. The chicago.testking.com domain contains a domain controller named TK2 in the Chicago site. TK1 is an Active Directory-integrated DNS server and a global catalog server. There are 1,500 users in the New York site and 80 users in the Chicago site. Users in the Chicago site report that it takes a long time to log on to the network. You need to ensure that the users in the Chicago site can log on faster. What should you do?

A. Decrease the value of the Maximum lifetime for user ticket Kerberos policy in the Default Domain Policy Group Policy object (GPO) of the chicago.testking.com domain.
B. Enable universal group membership caching for TK2 in Active Directory Sites and Services.
C. Enable the Interactive Logon: Number of previous logons to cache security policy in the Default Domain Policy Group Policy object (GPO) of the chicago.testking.com domain.
D. Decrease the value of the replication interval at the site link between the Chicago and New York sites.
Answer: B

Explanation: The reason why it takes a long time to log on to DC2 is because DC2 needs to contact DC1 over a WAN link to obtain universal group information whenever someone logs on. The global catalog server is the domain controller that stores information about all objects in the forest, but not their attributes, so that applications can search Active Directory without referring to specific domain controllers that store the requested data. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting.

We can prevent WAN traffic by using Universal group membership caching. Universal group membership caching allows the domain controller to cache universal group membership information for users. You can enable domain controllers that are running Windows Server 2003 to cache universal group memberships by using the Active Directory Sites and Services snap-in. Enabling universal group membership caching eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Incorrect Answers:
A: Windows Server 2003 uses Kerberos for authentication purposes. It does not affect logon times.
C: The Interactive Logon: Number of previous logons to cache security policy determines the number of times a user can log on to a Windows domain using cached account information. All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on. This is enabled by default and is set to 10.
D: The problem in this scenario is not a replication problem. DC2 needs to contact DC1 over a WAN link to obtain universal group information whenever a user logs on. Reducing the replication interval will not resolve this problem.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552.
Server Help: Interactive Logon

Part 2: Plan a flexible operations master role placement.
A: Plan for business continuity of operations master roles. (3 questions)

QUESTION NO:

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains a single domain named testking.com. The network contains four Windows Server 2003 domain controllers. The DNS Server service is running on two Windows Server 2003 member servers in the domain. You decide to create a new child domain named dev.testking.com in the forest. You install Windows Server 2003 on a new server. You join the server to the contoso.com domain. The first domain controller installed in the contoso.com domain fails because of a hardware failure. You find out that it will take several days to repair the domain controller. You decide to continue creating the new child domain. You attempt to promote the member server to a domain controller in the dev.contoso.com domain. The promotion of the domain controller fails. You receive the following message:

The operation failed because: Active Directory could not contact the domain naming master DC1.testking.com. "The specified server cannot perform the requested operation". The server has been disjoined from domain TestKing.

You need to resolve the error to create the new domain. What should you do?

A. Configure the DNS client settings on the new server to use the DNS server that is authoritative for the testking.com domain.
B. Configure the DNS server for the testking.com zone to have a zone named dev.testking.com. Configure the zone for dynamic updates.
C. Configure one of the other testking.com domain controllers to hold all of the operations master roles.
D. Configure one of the existing domain controllers as a global catalog server.

Answer: C

Explanation: The first domain controller installed in the forest will, by default, have the domain naming master operations master role. The question states that the first domain controller installed fails due to a hardware failure. This means that the forest has no domain naming master. A domain naming master is required to create additional domains in the forest. To add another domain, we need to configure one of the other testking.com domain controllers to hold at least the domain naming master role (or as the answer states, all of the operations master roles).

Incorrect Answers:
A: This is not a DNS problem.
B: This is not a DNS problem.
D: We need a domain naming master, not a global catalog server.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 501-508.

QUESTION NO: 2 DRAG DROP

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains with three sites. Domain1 is used as an empty root domain for security purposes. Domain1 has a domain controller only in Testking1. Domain2 has domain controllers in all three sites. The domain controllers in Testking1 and Testking2 are global catalog servers. Each client computer on the network runs Windows NT Workstation 4.0, Windows 2000 Professional, or Windows XP Professional. You and your administration staff are located at Testking1, where you perform administrative tasks. You want to minimize network traffic as much as possible. The number of user accounts per site for each domain is shown in the following table.

                   Testking1    Testking2    Testking3
Users - Domain1    5            0            0
Users - Domain2    5            100          25,000

You are planning the placement of the operations master role holders. You need to place your operations master roles in the appropriate sites. How many operations master roles should you place in each site? To answer, drag the appropriate number of roles to the correct locations in the work area.

Answer:

Explanation: Domain1 has one domain controller only in the Testking1 site. Therefore, the domain controller in Domain1 will need all five FSMO roles: the Schema role, the Domain Naming Master role, the Primary Domain Controller (PDC) Emulator Role, the Relative Identifier (RID) Master Role, and the Infrastructure Master Role. Domain2 has domain controllers in all three sites but most users are in site Testking3. The two forest-wide roles - the Schema role and the Domain Naming Master role - cannot be assigned again. This leaves us with three roles. The Primary Domain Controller (PDC) Emulator Role and the Relative Identifier (RID) Master Role should be in the site with the most users, and the Infrastructure Master Role can be placed in the remaining site.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-29 to 4-30.
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-13 to 5-14.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 300-312, 505-508.
QUESTION NO: 3

You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2003. The domain controllers are configured as shown in the following table.

You plan to take TestKingSrvD offline for maintenance. Another network administrator plans to add 1,250 new user accounts while TestKingSrvD is offline. You need to ensure that the network administrator can add the user accounts while TestKingSrvD is offline. You also need to ensure that there is no disruption of user account creation after TestKingSrvD is brought back online.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Use the Ntdsutil utility to connect to TestKingSrvA.
B. Use the Ntdsutil utility to connect to TestKingSrvD.
C. Remove the global catalog server role from TestKingSrvD.
D. Add the global catalog server role to TestKingSrvD.
E. Transfer the RID master role.

Answer: A, E

Explanation: The RID master is assigned to allocate unique sequences of relative IDs to each domain controller in its domain. As the domain controllers use the IDs allocated, they contact the RID master and are allocated additional sequences as needed. At any time, the RID master role can be assigned to only one domain controller in each domain. The Relative ID is part of a security ID (SID) that uniquely identifies an account or group within a domain. We will be creating 1250 new user accounts so the domain controller will need to contact the RID master to obtain more RIDs. We can transfer the RID master role using the ntdsutil utility.

Incorrect Answers:
B: We need to connect to the computer we will be transferring the role to, not from.
C: Removing the Global Catalog on TestKingSrvD won't accomplish anything.
D: TestKingSrvD is already a global catalog server.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 1, p. 30
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/

B: Identify operations master role dependencies. (5 questions)

QUESTION NO:

You are a network administrator for TestKing. TestKing has 25 offices in major cities throughout the world. The network consists of a single Active Directory forest that contains five domains. All domain controllers run Windows 2000 Server. Each domain contains user objects for five offices. The offices in Paris and Toronto provide help desk services to 20,000 users in all domains. The help desk frequently processes group membership changes requested by department managers.

Help desk administrators report that changes made to group memberships are often lost and have to be re-created. You discover that this problem is caused by replication conflicts that occur when a large number of help desk requests are being processed in a short period of time. You upgrade all domain controllers to Windows Server 2003. Help desk administrators continue to report that work is often lost during times of peak activity. You need to reduce the amount of work lost by help desk administrators. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Ensure that all help desk administrators are connecting to the PDC emulator in their domain when they perform updates to group memberships.
B. Raise the functional level of the domain and of the forest to Windows Server 2003.
C. Enable universal group membership caching on domain controllers used by the help desk administrators.
D. Disable site link bridging for all site links in the forest.
Answer: A

Explanation: The PDC emulator master is responsible for authentication requests for accounts with recently changed passwords, if the change has not been replicated yet to the entire domain. In addition, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain.

Incorrect Answers:
B: The functional level of the forest will not reduce the amount of replication that occurs at any one time.
C: Universal group membership caching enables users to log on to the domain when the WAN link is down. The help-desk staff is already logged on.
D: Site link bridging won't reduce the amount of replication that occurs at any one time.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4-26.

QUESTION NO: 2

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The forest functional level is Windows 2000. The forest consists of a forest root domain named testking.com and two child domains named child1.testking.com and child2.testking.com. The functional level of all three domains is Windows 2000 native. All domain controllers in the forest run Windows 2000 Server. Your user account that has administrative privileges is in the child1.testking.com domain and is a member of the following groups: Schema Admins, Domain Admins, and Domain Users. You need to successfully run the adprep.exe /forestprep command. What should you do?

A. Run the adprep.exe /forestprep command on the PDC emulator for the testking.com domain.
B. Restart the schema master in Directory Services Restore Mode and run the adprep.exe /forestprep command.
C. Add your user account that has administrative privileges to the Enterprise Admins group. Run the adprep.exe /forestprep command on the schema master.
D. Run the adprep.exe /domainprep command on the PDC emulator for the testking.com domain. Then run the adprep.exe /forestprep command on the schema master.
E. Run the adprep.exe /domainprep command on the infrastructure master in each domain. Then run the adprep.exe /forestprep command on the schema master.

Answer: C

Explanation: Because ForestPrep updates the schema and configuration partitions in Active Directory, the account used to run ForestPrep must be a member of the Schema Admins and Enterprise Admins security groups.

Incorrect Answers:
A, B, D: To run adprep.exe /forestprep, you must be a member of the Schema Admins security group, as well as the Enterprise Admins security group.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 3-5.
Microsoft Exchange Server 2003, 2004, pp. 2-12 to 2-15

QUESTION NO: 3

You are the network administrator for TestKing.com. Your network consists of a single Active Directory forest that contains a forest root domain named testking.com and one child domain named miami.testking.com. All domain controllers run Windows 2000 Server. The miami.testking.com domain contains one Windows Server 2003 member server named Testking2. You attempt to promote Testking2 to be an additional domain controller of the miami.testking.com domain. The promotion fails and you receive the error message shown in the exhibit.

You need to resolve the error in order to promote Testking2 to be an additional domain controller of the miami.testking.com domain. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Force replication between the schema master and the PDC emulator of only the testking.com domain.
B. Force replication between the schema master and the PDC emulator of the testking.com and the miami.testking.com domain.
C. Run the adprep /forestprep command on the schema master of the testking.com domain.
D. Run the adprep /domainprep command on the infrastructure master of only the testking.com domain.
E. Run the adprep /domainprep command on the infrastructure masters of the testking.com domain and the miami.testking.com domain.

Answer: C, E

Explanation: To promote a Windows Server 2003 member server to a domain controller in a Windows 2000 domain, you must run the adprep /forestprep command on the existing Windows 2000 Server domain controller holding the schema operations master role. You must also run the adprep /domainprep command on the Windows 2000 Server domain controller holding Infrastructure Operations Master role for the domain that you are going to upgrade.

Incorrect Answers:
A, B: The PDC Emulator is used for authentication purposes for Windows NT 4.0 machines.
D: You must run the adprep /domainprep command on the Windows 2000 Server domain controller holding Infrastructure Operations Master role for the domain that you are going to upgrade, i.e., miami.testking.com.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 614-615.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 3-5.

QUESTION NO: 4 HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains three Active Directory sites named Testking1, Testking2, and Testking3. The sites are connected by site links as shown in the work area. SiteLink1 and SiteLink2 include redundant, high-speed WAN connections.

Each site has one subnet associated with it. The number of computers in each site and the operating system that the computers are running are indicated in the following table.

Operating system              Testking1    Testking2    Testking3
Windows 98                    50           30           550
Windows NT Workstation 4.0    50           20           550
Windows 2000 Professional     0            500          100
Windows XP Professional       100          0            0
Windows Server 2003           10           20           15

Testking1 contains a Windows Server 2003 domain controller named Server1 that is the relative ID (RID) master for the domain. Testking2 contains two Windows Server 2003 domain controllers named Server2 and Server3. Server2 is the infrastructure master for the domain. Testking3 contains a Windows Server 2003 domain controller named Server4. You need to decide where to place the PDC emulator role holder. You want to optimize the overall response time for users in all sites. Where should you place the PDC emulator role? To answer, select the appropriate domain controller or domain controllers in the work area.

Answer:

Explanation: Place the PDC emulator on Testking3. This site has the most Windows 98 and NT 4.0 workstations which need a PDC emulator to contact to logon while XP & Windows 2000 can logon at any DC.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 565-567.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, p. 505.

QUESTION NO: 5

You are the network administrator for TestKing. The TestKing network consists of a single Active Directory forest that contains three domains: a forest root domain, named testking.com, and two child domains named asia.testking.com and africa.testking.com. The functional level of the forest is Windows Server 2003. Each of the domains contains two Windows Server 2003 domain controllers named DC1 and DC2. DC1.testking.com is the schema master as well as the domain naming master. DC1 in each of the child domains is the PDC emulator master, the relative ID (RID) master, and the infrastructure master. DC1 in each of the three domains is also a global catalog server.

A user named Tess King is a member of the Medicine Students security group. Her user account resides in the africa.testking.com domain. Tess King marries and becomes Tess Edwards. Because of the name change, the domain administrator of africa.testking.com changes the Last name field of Tess' user account from King to Edwards. However, the administrator of the asia.testking.com domain discovers that the user account for Tess is still listed as Tess King. You need to ensure that the user account for Tess Edwards is correctly listed in the Medicine Students group. What should you do?

A. Transfer the PDC emulator master role from DC1 to DC2 in each domain.
B. Transfer the infrastructure master role from DC1 to DC2 in each domain.
C. Transfer the RID master role from DC1 to DC2 on each domain.
D. Transfer the schema master role from DC1 to DC2 in the testking.com domain.
4eading the wa in &T testing and certification tools, www.test/ing.com 2 -= 2 1ns/er& < +;planation& Pro lems li$e this can occur /hen the Infrastructure master role is on the same domain controller as the >lo al Catalog0 The infrastructure master updates the group8to8user reference /hene2er group mem erships change and replicates these changes across the domain0 The infrastructure master compares its data /ith that of a glo al catalog0 >lo al catalogs recei2e regular updates for o Cects in all domains through replication, so the glo al catalog data /ill al/ays e up to date0 If the infrastructure master finds that its data is out of date, it reBuests the updated data from a glo al catalog0 The infrastructure master then replicates that updated data to the other domain controllers in the domain0 Unless there is onl one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. &f the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will ne%er find data that is out of date, so it will ne%er replicate an changes to the other domain controllers in the domain. Transferring the &nfrastructure master role to a different computer would resol%e this problem. There is no reason to transfer an other master roles. Incorrect 1ns/ers& 1& The 5D. 3mulator is responds to !indows ,T - 1D.s. &t also recei%es all new password and loc/out information changes immediatel for the entire domain. ,either of these functions will ensure that the user account changes are updated in the domain. C& The R&D Master /eeps trac/ of the allocation R&Ds to domain controllers to ensure that two domain controllers do not hand out the same $&D. 3& The $chema Master controls what is allowed in the Acti%e Director director . Reference& Michael .ross, Qeffer A. Martin, Todd A. 
Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 505-509.

Part 3: Implement an Active Directory directory service forest and domain structure.

A: Create the forest root domain. (0 questions)

B: Create a child domain. (1 question)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains a single domain named testking.com. You have a user account named TestKingIadmin that is a member of the Domain Admins global group.
You need to create a new child domain named NA.testking.com in the forest. You install a stand-alone Windows Server 2003 computer named TK3. You use the Active Directory Installation Wizard to promote TK3 to a domain controller in the new domain. You choose to create a domain controller for a new child domain in an existing domain tree. You enter the user name and password for TestKingIadmin. You choose testking.com as the parent domain, and you type NA as the name of the child domain.
You receive the error message shown in the exhibit.
***MISSING***
You need to be able to create the new child domain.
What should you do?
A. Enter the network credentials for a member of the local Administrative group.
B. Add TK3 to the testking.com domain and then run the Active Directory Installation Wizard.
C. Enter the network credentials for a member of the Enterprise Admins group for the testking.com forest.
D. Enter the network credentials for a member of the Schema Admins group for the testking.com forest.

Answer: C

Explanation:
We don't have the exhibit, but from the answers, we can guess that the problem is a permissions problem. To add a domain in a forest, you need to be a member of the Enterprise Admins group. Therefore, to add the domain, you need to enter the network credentials for a member of the Enterprise Admins group for the testking.com forest.

Incorrect Answers:
A: To add a domain in a forest, you need to be a member of the Enterprise Admins group. You do need administrative rights on the local computer, but that alone isn't enough.
B: This is not necessary.
D: To add a domain in a forest, you need to be a member of the Enterprise Admins group, not the Schema Admins group.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
4-26 to 4-28

C: Create and configure Application Data Partitions. (0 questions)

D: Install and configure an Active Directory domain controller. (5 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com that contains two domain controllers. Both domain controllers run Windows Server 2003. All client computers run Windows XP Professional.
The only account in the Domain Admins security group is the Administrator account in the domain. Each night, a full backup is made of the hard disks in each domain controller.
You disable the local Administrator account in the Default Domain Policy Group Policy object (GPO). You discover that you are no longer able to log on to either domain controller as the Administrator from the domain.
You need to ensure that you can log on to both domain controllers as the Administrator from the domain.
What should you do?
A. Restart one domain controller in Safe Mode. Log on as Administrator. Create an account for a second administrator. Restart the domain controller and use the new account to remove the restrictions on the local Administrator accounts.
B. Restore the entire hard disk on one domain controller by using the last nightly backup before the change was made. Restart the domain controller. Allow time for Active Directory replication to complete.
C. Restart one domain controller and use a Windows Server 2003 CD to run the Recovery Console. Stop the GPC service. Restart the domain controller.
D. Restart one domain controller in Directory Services Restore Mode. Perform an authoritative restore operation of the Domain Controllers OU in Active Directory from the last nightly backup before the change was made. Restart the domain controller.

Answer: A

Explanation:
The default domain group policy object is disabling the Administrator accounts. When you restart a domain controller in safe mode, the group policy isn't applied, so the administrator account isn't disabled. You need to start the computer in Safe Mode with Networking. This will enable you to access Active Directory Users and Computers. You can't modify existing objects, but you can create a new administrative account. Then you can reboot in normal mode, log in using the new administrative account, and use the new account to remove the restrictions on the local Administrator accounts.

Incorrect Answers:
B: It is not necessary to restore the entire hard disk. Furthermore, this won't work, because the GPO would replicate to the restored server and you'd be back to square one.
C: This will prevent all GPOs in the Group Policy Container (GPC) from being applied and would constitute a serious security risk.
D: The default domain group policy would still apply to the restored domain controller objects, so the administrator account will be disabled.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10- to 10-12, 11-6

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain with two sites named Testking1 and Testking2. Testking1 contains two domain controllers. Testking2 contains one domain controller. Each site contains two member servers. All domain controllers are backed up every night.
Each of the domain controllers is installed with a similar hardware configuration, which includes a single processor and a single hard disk.
You create several user accounts on the domain controller in Testking2. The hard disk on that domain controller fails. You install a new hard disk on the domain controller and restore the domain controller from the most recent backup tape. You notice that the new user accounts you created on the domain controller do not appear. The only way that you can restore the user accounts is to re-create them.
You need to configure the domain controllers so that the loss of data in Active Directory is minimized during a similar hard disk failure.
What should you do?
A. Configure an existing member server as an additional domain controller in Testking2.
B. Install an additional hard disk in each domain controller. Move the Active Directory log files to the new hard disk.
C. Install an additional hard disk in each domain. Move the Active Directory database file to the new hard disk.
D. Configure a new site link between Testking1 and Testking2.

Answer: A

Explanation:
To ensure redundancy in the Testking2 site in the event of a failure to the domain controller, we should add another domain controller to the site. We could do this by promoting one of the member servers in the Testking2 site to a domain controller.

Incorrect Answers:
B, C: The placement of the Active Directory log files or database will not ensure that the Active Directory information is available should the new hard drives fail.
D: Creating a new site link will not ensure redundancy in the Testking2 site.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-19 to 2-26

QUESTION NO: 3
You are the administrator of TestKing's Windows 2003 network. The network contains two Active Directory sites: Munich and Singapore. The network also consists of two domains: fabrikam.com and asia.fabrikam.com. The network is configured as shown in the exhibit.
Users from the Singapore office often travel to the Munich office with their portable computers. When these users log on to the network from Munich, their computers display the text "Applying your personal settings" for a long time.
You want to ensure that users from Singapore do not experience these delays when they log on to the network from Munich.
What should you do?
A. Associate the Munich subnet with the Singapore site.
B. Create a trust relationship so that fabrikam.com trusts asia.fabrikam.com.
C. Install a domain controller for asia.fabrikam.com in the Munich subnet.
D. Use the Active Directory Sites and Services snap-in to move DC3 to the Munich site.

Answer: C

Explanation:
The asia.fabrikam.com domain is in the Singapore site. When a user from Singapore logs on in Munich the client computer connects to a domain controller in Singapore to authenticate the user and download any policy settings. This traffic over the WAN link is what is causing the delay. We can prevent this by installing a domain controller for the asia.fabrikam.com domain in Munich. This way, the logon process for Singapore users in Munich can occur locally.

Incorrect Answers:
A: The Munich subnet should be associated with the Munich site. Associating the Munich subnet with the Singapore site would cause all authentication traffic from clients in Munich to go over the WAN link to Singapore.
B: A two-way transitive trust already exists between the domains.
D: DC3 is physically in Singapore. The logon traffic would still travel over the WAN link to DC3.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
5-3 to 5-6

QUESTION NO: 4
You are the administrator of TestKing Inc. The network consists of a single domain. The company's main office is located in South Africa and branch offices are located in Asia and Europe. The offices are connected by dedicated 256-Kbps lines. To minimize logon authentication traffic across the slow links, you create an Active Directory site for each company office and configure site links between the sites.
Users in branch offices report that it takes a long time to log on to the domain. You monitor the network and discover that all authentication traffic is still being sent to the domain controllers in South Africa.
You need to improve network performance.
What should you do?
A. Schedule replication to occur more frequently between the sites.
B. Schedule replication to occur less frequently between the sites.
C. Create a subnet for each physical location, associate the subnets with the South Africa site, and move the domain controller objects to the South Africa site.
D. Create a subnet for each physical location, associate each subnet with its site, and move each domain controller object to its site.

Answer: D

Explanation:
You have created the sites and configured site links, but you haven't configured the sites. To configure the site you need to create a subnet object for each physical location and associate each subnet with its site. Then move each domain controller object to its site. This will configure Active Directory so that authentication requests get sent to the 'local' domain controller rather than going across the WAN links.

Incorrect Answers:
A: No replication will occur between the sites, because all domain controllers are in the same (default) site. The domain controller objects need to be moved to their respective sites.
B: No replication will occur between the sites, because all domain controllers are in the same (default) site.
The domain controller objects need to be moved to their respective sites.
C: We don't want all the subnets to be in one site. They should be in their respective sites.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-3 to 5-6

QUESTION NO: 5
You are the network administrator for TestKing. The network consists of a single Active Directory domain that contains only one domain controller. The domain controller is named TestKingSrvA. The domain contains only one site named Valencia.
You are adding a new site named Barcelona. You need to promote an existing Windows Server 2003 member server named TestKingSrvB to be an additional domain controller of the domain.
A 56Kbps WAN connection connects the Valencia and Barcelona sites.
You need to install TestKingSrvB as a new domain controller on the Barcelona site. You need to minimize the use of the WAN connection during this process.
What should you do?
A. Set the site link cost between the Valencia and Barcelona sites to 50. Promote TestKingSrvB to be an additional domain controller in the Barcelona site.
B. Restore the backup files from the system state data on TestKingSrvA to a folder on TestKingSrvB and install Active Directory by running the dcpromo /adv command.
C. Promote TestKingSrvB to be an additional domain controller by running the dcpromo command over the network.
D. Promote TestKingSrvB to be an additional domain controller by using an unattended installation file.

Answer: B

Explanation:
We want to minimize the use of the WAN link. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller.
Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, then restore it to the new domain controller by using the Restore to: Alternate location option.
In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote a member server to a domain controller.

Incorrect Answers:
A: Site link costs are a mechanism for controlling replication traffic. In this scenario we need to install Active Directory, not control Active Directory replication.
C: Running the dcpromo command over the network will result in large amounts of traffic across the WAN link. We want to reduce this.
D: We could promote TestKingSrvB to a domain controller by using unattended installation, however, Active Directory would need to be synchronized with the Active Directory on TestKingSrvA. This synchronization would result in WAN traffic that could be reduced by installing Active Directory from a backup.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-26 to 2-28
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 294-6, 298-300

E: Set an Active Directory forest and domain functional level.
(9 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one forest root domain named testking.com and two child domains named europe.testking.com and usa.testking.com. The functional level of the forest is Windows 2000 native.
The testking.com domain contains a Windows 2000 Server domain controller named TestKing3 that is running Service Pack 4 or later. You take TestKing3 offline. You also remove all references to TestKing3 from the Configuration container in Active Directory.
Five days later, you upgrade all remaining domain controllers to Windows Server 2003. You then raise the functional level of the forest to Windows Server 2003.
You need to integrate TestKing3 into the new Active Directory infrastructure. You want TestKing3 to be an additional domain controller of the europe.testking.com domain.
What should you do?
A. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Computers container of the europe.testking.com domain.
B. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Upgrade TestKing3 to a Windows Server 2003 member server. Run the dcpromo command to promote TestKing3 to be an additional domain controller of the europe.testking.com domain.
C. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.
D. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.

Answer: B

Explanation:
Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 domain controller to the forest. We would need to upgrade the Windows 2000 domain controller to Windows Server 2003. However, we must first demote the Windows 2000 domain controller and then upgrade it to Windows Server 2003. Add it to the network and then promote it.

Incorrect Answers:
A, D: If we upgrade the Windows 2000 domain controller to Windows Server 2003 while it is disconnected from the network, the upgraded computer will assume that it is the first domain controller for the domain. It will then hold the RID, Global Catalog and Schema Master roles. This will cause a conflict when we eventually add the domain controller to the network.
C: Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 server to the forest.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
4-2 to 4-37

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains. The functional level of all three domains is Windows 2000 native.
TestKing is merging with a company named Acme. The Acme network consists of a single Active Directory forest that contains one domain named acme.com. The functional level of the domain is Windows 2000 native.
The forests of both companies are shown in the exhibit.
You need to allow users in each forest to fully access resources in the domains of the other forest. In addition, users must be able to log on between domains by using Kerberos authentication. You need to ensure that users can continue to access all resources by using their existing user accounts.
What should you do?
A. Demote the Windows 2000 domain controllers in the acme.com domain to become member servers. Promote these servers into the testking.com domain.
B. Demote the Windows 2000 domain controllers in the acme.com domain to become member servers. Upgrade these servers to Windows Server 2003. Promote the upgraded computers to become domain controllers for a new domain tree in the TestKing forest.
C. Upgrade the Windows 2000 domain controllers in the acme.com domain to Windows Server 2003. Create external trust relationships between the root domains of each forest.
D. Upgrade all domain controllers in both forests to Windows Server 2003. Raise the functional level of both forests to Windows Server 2003. Create a forest trust relationship between the root domains of each forest.

Answer: D

Explanation:
To enable users in each forest to fully access resources in the domains of the other forest and log on to either domain with Kerberos authentication, we need to create a forest trust between the two forests. To create a forest trust, the forests must be in Windows 2003 domain functional level. This requires that all domain controllers in each domain are running Windows Server 2003.

Incorrect Answers:
A: This will decommission the acme.com domain/forest. This isn't a requirement.
B: This will decommission the acme.com forest. This isn't a requirement.
C: We need a forest trust to enable Kerberos authentication across the trust link.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4-43

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest, as shown in the exhibit.
A domain controller named dc1.corp.testking.com runs Windows 2000 Server. All other domain controllers run Windows Server 2003.
TestKing is engaged in a joint venture with Litware, Inc. The network of Litware, Inc., consists of a single Active Directory forest named litwareinc.com that contains one domain. The functional level of the litwareinc.com forest is Windows Server 2003.
You need to ensure that the users of TestKing can log on to the litwareinc.com forest. You upgrade dc1.corp.testking.com to Windows Server 2003.
Which two additional courses of action should you take? (Each correct answer presents part of the solution. Choose two)
A. Raise the functional level of corp.testking.com domain and the east.corp.testking.com domain to Windows 2000 native. Raise the functional level of the testking.com forest to Windows Server 2003.
B. Raise the functional level of the corp.testking.com domain to Windows 2000 native. Raise the functional level of the east.corp.testking.com domain to Windows Server 2003. Raise the functional level of the west.testking.com domain to Windows Server 2003.
C. Create a one-way forest trust relationship in which the testking.com forest trusts the litwareinc.com forest.
D. Create a one-way forest trust relationship in which the litwareinc.com forest trusts the testking.com forest.

Answer: A, D

Explanation:
relationship. The minimum forest functional level for a forest trust relationship is Windows Server 2003. This must be the forest functional level of the root domain in the two forests. To raise the forest functional level to Windows Server 2003, all domains must be at least Windows 2000 native.

Incorrect Answers:
B: We cannot raise a child domain to a functional level higher than that of the parent domain. The east.corp.testking.com domain is a child domain of the corp.testking.com domain.
C: The litwareinc.com forest trusts the testking.com forest because TestKing users must be able to log on to the litwareinc.com forest.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4-43

QUESTION NO: 4
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The functional level of the forest is Windows 2000. The forest consists of a forest root domain named testking.com and two child domains named asia.testking.com and europe.testking.com. The functional level of all the domains is Windows 2000 mixed.
Each domain contains one domain controller running Windows Server 2003. All of the other domain controllers in the forest run Windows 2000 Server.
TestKing recently acquired another company named Acme that has an Active Directory forest named acme.com. The functional level of the forest is Windows Server 2003.
You need to be able to establish a forest trust relationship between testking.com and acme.com.
What should you do?
To answer, drag the appropriate action or actions to the correct location or locations in the work area.

Answer:

Explanation:
The question explicitly asks for a "Forest Trust Relationship", rather than just an external trust. To create a forest trust relationship, both forests must be in Windows 2003 functional level. For this functional level, all domains must be in Windows 2003 functional level, which requires that all domain controllers are running Windows 2003 Server.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-46

QUESTION NO: 5
You are the network administrator for TestKing.com. You are implementing a new Windows Server 2003 network environment. You install one Active Directory forest root domain named cpandl.com.
You install the first domain controller named DC1. You configure DC1 as a DHCP server and as an Active Directory-integrated DNS server with dynamic updates enabled. Later you install an additional domain controller named DC2.
You cannot raise the functional level of the domain to Windows Server 2003. You discover that the service locator (SRV) resource records of DC1 are not created in the cpandl.com zone on the DNS server.
You run the Dcdiag tool on DC1 and receive the output shown in the exhibit.
You need to make it possible to raise the functional level of the domain to Windows Server 2003.
What should you do?
A. Upgrade DC2 to a global catalog server.
B. Use the DHCP server locator utility to find out which DHCP servers are available in the cpandl.com zone.
C. Start the Net Logon service on DC1.
D. Restart the DNS Server service on DC1 to enable DNS clients to resolve host names by answering queries and update requests.

Answer: C

Explanation:
SRV records are required for clients to locate hosts that provide required services. The Netlogon service registers a set of default SRV resource records on the DNS server. However, the exhibit indicates that the NetLogon service is stopped on DC1. We should restart this service.

Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not affect the forest level.
B: DHCP is used to assign IP configurations to DHCP clients. However, the SRV records are missing. We will thus not be able to locate the DHCP server.
D: The DNS server does not have the SRV records. Restarting the DNS service will not generate these records. We should start the NetLogon service.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 4, p.
276
Server Help - NetLogon

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains five domains and 30 remote sites located in cities throughout the world. There are a total of 40,000 users in the five domains. All remote sites are connected to the company network by unreliable 56-Kbps WAN connections. Each site contains at least one domain controller and one global catalog server.
All domain controllers in the forest run Windows Server 2003. The functional level of all the domains in the forest is Windows 2000 native.
You plan to deploy several Active Directory-enabled applications over the next six months. Each of these applications will add attributes to the global catalog or modify existing attributes in the global catalog.
You need to make modifications to the Active Directory infrastructure in order to prepare for these deployments. You plan to accomplish this task during off-peak hours. You need to ensure that you can minimize any potential network disruption that would be caused by the deployment of these applications in the future. You also need to ensure that the modifications do not disrupt user access to resources.
What should you do?
A. Decrease the tombstone lifetime attribute in the Active Directory Schema NTDS-Service object class.
B. Remove the global catalog role from the global catalog servers in each remote site.
C. Raise the functional level of the forest to Windows Server 2003.
D. Configure universal group membership caching in each remote site.

Answer: C

Explanation:
To prepare for the new application the best option is to raise the forest functional level. This will enable us to deactivate any wrong schema class, and create DNS and Active Directory partitions for the new applications.
Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct. A
If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute.
If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it.

Incorrect Answers:
A: The tombstone lifetime is the number of days that a deleted object will remain in the Active Directory before it's deleted. The garbage collector runs every 12 hours on each server to delete objects whose tombstone lifetimes have expired. However, we are not deleting Active Directory objects in this scenario.
B: The sites are linked to the company network through unreliable WAN connections. Removing the Global Catalog from these sites will result in logon problems for users as well as the application's access to Active Directory.
D: Universal group membership caching can be used to improve logon times for users. It will not affect the application's access to Active Directory.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 1539

QUESTION NO: 7
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The functional level of the forest is Windows 2000. The forest consists of a root domain named testking.com and two child domains named europe.testking.com and australia.testking.com. The functional level of all domains is Windows 2000 native.
All domain controllers in the testking.com domain run Windows Server 2003. All domain controllers in the europe.testking.com and australia.testking.com domains run Windows 2000 Server.
You need to be able to rename all domain controllers in testking.com. You want to minimize impact to the network.
What should you do?
To answer, drag the appropriate action or actions to the correct location or locations in the work area.

Answer:

Explanation:
To rename domain
controllers, the domains ha%e to be in !indows 2""3 functional le%el. !e donKt ha%e the option to raise the domain functional le%els, but upgrading the forest functional le%el will automaticall upgrade the domain functional le%els if the domains are in !indows 2""" nati%e functional le%el. Reference& Michael .ross, Qeffer A. Martin, Todd A. !alls, Martin Crasdal, Debra 4ittle)ohn $hinder L Dr. Thomas !. $hinder, M.$39 3Bam G"22=-9 5lanning, &mplementing, and

Maintaining a !indows $er%er 2""3 Acti%e Director &nfrastructure $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, MA, 2""3, .hapter -, p. 32" M$ white paper9 $tep2b 2$tep Cuide to &mplementing Domain Rename M$ @nowledge base article9 :>1-F>= A'! T'9 Rename a !indows 2""3 Domain .ontroller 4eading the wa in &T testing and certification tools, www.test/ing.com 2 G3 2 %*+,TION NO& A 3R1> 3ROP .ou are the net/or$ administrator for TestKing0 The net/or$ consists of a single 1cti2e 3irectory forest test$ing0com0 The functional le2el of the forest is 4indo/s '5550 The forest consists of a root domain named test$ing0com and t/o child domains named africa0test$ing0com and asia0test$ing0com0 The functional le2el of the domains is 4indo/s '555 nati2e0 1ll domain controllers in the test$ing0com domain run 4indo/s ,er2er '5560 1ll domain controllers in the africa0test$ing0com and asia0test$ing0com domains run 4indo/s '555 ,er2er0 .ou need to e a le to rename all domain controllers in test$ing0com0 .ou /ant to minimi!e impact to the net/or$0 4hat should you do: To ans/er, drag the appropriate action or actions to the correct location or locations in the /or$ area0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 G- 2 1ns/er& 4eading the wa in &T testing and certification tools, www.test/ing.com 2 GF 2 +;planation& 4eading the wa in &T testing and certification tools, www.test/ing.com 2 G; 2 To rename domain controllers, the domains ha%e to be in !indows 2""3 functional le%el. !e donKt ha%e the option to raise the domain functional le%els, but upgrading the forest functional le%el will automaticall upgrade the domain functional le%els if the domains are in !indows 2""" nati%e functional le%el. To rename a 4indo/s ,er2er '556 domain controller, Iou must be a member of the Domain Admins group or the 3nterprise Admins group in Acti%e Director . 
Domain functional level is set to Windows Server 2003.
NOTE: You do not need to raise the forest level, just domain level.
Note: Before you rename a domain controller in a domain with multiple domain controllers, make sure that the computer that you want to rename is not the global catalog server and that it does not hold other Flexible Single Master Operations (FSMO) roles.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 4, p. 320
MS white paper: Step-by-Step Guide to Implementing Domain Rename
MS Knowledge base article Q814589: HOW TO: Rename a Windows 2003 Domain Controller

QUESTION NO: 9
You are the network administrator for Acme. Acme consists of two subsidiaries namely Mimex and Testking Ltd. The network contains two Active Directory forests. The functional level of each domain is Windows 2000 native. All domain controllers run Windows 2000 Server. External relationships exist between domains, as shown in the exhibit.
User accounts and resources are located in the child domains. All user principal names (UPNs) in each forest comply with a standard company e-mail address. Each domain controller functions as a DNS server. All DNS zones are Active Directory-integrated zones. The testking.com and mimex.com DNS zones have no root (".") zone. DNS servers in each forest root DNS zone are configured with root hints to Internet root servers. You upgrade each domain controller in both forests to Windows Server 2003. You raise the functional level for each domain to Windows Server 2003. You plan to implement a smart-card authentication strategy for the entire company.
You need to ensure that users are able to access resources in all domains in each forest and on the Internet. You want to accomplish this task by using the minimum amount of administrative effort. You also need to ensure that access to resources is not disrupted. Which two courses of action should you take? (Each correct answer presents part of the solution. Choose two)
A. Create a two-way external trust relationship between the two forest root domains. Raise the functional level of the forest to Windows Server 2003.
B. Raise the functional level of the forest to Windows Server 2003. Replace existing trust relationships with a two-way forest trust relationship between the two forest root domains.
C. Create root hints between DNS servers in each child domain and DNS servers in the root domain for the opposite forest.
D. Create conditional DNS forwarders between domain controllers in each root domain.
Answer: B, D
Explanation: Raising the forest functional level to Windows Server 2003 enables you to take advantage of all Windows Server 2003 forest-level features. If any domains in the forest are still operating at the Windows Server 2003 interim functional level, you will be unable to raise the forest functional level to Windows Server 2003. Ensure that all domains are operating at the Windows Server 2003 functional level before you raise the forest functional level.
To have a complete trust between all the testking domains and all the mimex domains, we need to create a forest trust relationship between the two forest root domains. This can only be done after the functional level of the forests has been raised to Windows Server 2003.
If your internal network does not have a private root and your users need access to other namespaces, such as a network belonging to a partner company, use conditional forwarding to enable servers to query for names in other name spaces. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.
In order to avoid traffic and get the resources from any of the forests we need to configure conditional forwarding in each zone. With option D we will create in testking.com a conditional forwarder to mimex.com, and in mimex.com a conditional forwarder to testking.com.
Incorrect Answers:
A: In order to create a two-way external trust relationship between the two forest root domains, you first need to raise the functional level of the forest to Windows Server 2003.
C: There is no need to create root hints between DNS servers in each child domain when all that is necessary is to create conditional forwarding between the two domain controllers in each root domain.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4: 4-24

F: Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts.
(8 questions)

QUESTION NO:
You are the network administrator for Acme Inc. Your network consists of a single Active Directory forest that contains one domain named acme.com. The functional level of the forest is Windows Server 2003. Acme, Inc. acquires a company named TestKing. The TestKing network consists of a single Active Directory forest that contains a root domain named testking.com and a child domain named asia.testking.com. The functional level of the forest is Windows 2000. The functional level of the asia.testking.com domain is Windows 2000 native. A business decision by TestKing requires the asia.testking.com domain to be removed. You need to move all user accounts from the asia.testking.com domain to the acme.com domain by using the Active Directory Migration Tool. You need to accomplish this task without changing the logon rights and permissions for all other users. You need to ensure that users in asia.testking.com can log on to acme.com by using their current user names and passwords. What should you do?
A. Create a two-way Windows Server 2003 external trust relationship between the acme.com domain and the testking.com domain.
B. Create a one-way Windows Server 2003 external trust relationship in which the acme.com domain trusts the testking.com domain.
C. Create a temporary two-way external trust relationship between the acme.com domain and the asia.testking.com domain.
D. Create a temporary one-way external trust relationship in which the asia.testking.com domain trusts the acme.com domain.
Answer: C
Explanation: To use ADMT, we need a two-way trust between the acme.com domain and the asia.testking.com domain.
Incorrect Answers:
A: This would enable users in testking.com to log in to acme.com and users in acme.com to log in to testking.com.
B: This would enable users in testking.com to log in to acme.com.
D: The trust must be a two-way trust.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 618, 619-621, 629-641

QUESTION NO: 2
You are the network administrator of a company that consists of two subsidiaries named TestKing and Contoso, Ltd. The network consists of a single Active Directory forest that contains two domain trees, as shown in the exhibit.
Some users are temporarily relocated from Hong Kong to New York. Their user accounts remain in the asia.contoso.com domain, and they use their principal names (UPNs) to log on from the namerica.testking.com domain. The relocated users report that their authentication time is extremely slow. You need to improve their authentication time. What should you do?
A. Create a universal security group in the asia.contoso.com domain and add the relocated users into the group.
Add the universal group to the domain local groups in the asia.contoso.com domain that have permission for the object to which the users need access.
B. Create a universal security group in the namerica.testking.com domain and add the relocated users into the group. Add the universal group to the domain local groups in the asia.contoso.com domain that have permission for the objects to which the users need access.
C. Create a shortcut trust relationship in which the asia.contoso.com domain trusts the namerica.testking.com domain.
D. Create a shortcut trust relationship in which the namerica.testking.com domain trusts the asia.contoso.com domain.
Answer: D
Explanation: Logon times can be slow when two domains are logically distant from each other in a forest or tree hierarchy. A shortcut trust must be explicitly created between the two domains to improve logon times. The direction needs to be from asia.contoso.com because the user accounts are located there. Thus, the namerica.testking.com domain must trust the asia.contoso.com domain.
Incorrect Answers:
A, B: Universal security groups are most often used to assign permissions to related resources in multiple domains. However, the problem here is not access permissions but slow authentication times. A permissions problem would produce an error message.
C: The direction is wrong. The user accounts are in the asia.contoso.com domain, so users are authenticated in asia.contoso.com; those authentications must then be trusted by the namerica.testking.com domain.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 1-25 to 1-27, 826

QUESTION NO: 3
You are the network administrator for A. Datum Corporation. The company has a subsidiary named TestKing. The A. Datum Corporation network consists of a single Active Directory forest. The forest contains one domain named adatum.com. The functional level of the domain is Windows Server 2003. The TestKing network consists of a single Windows NT 4.0 domain named TESTKING. A file server named Server1 is a member of the adatum.com domain. All users in both domains need to save files on Server1 every day.
You need to allow users in the TestKing domain to access files on Server1. You need to ensure that the domain administrators of the TestKing domain cannot grant users in the adatum.com domain permissions on servers in the TestKing domain. What should you do?
A. Upgrade the TestKing domain to Windows Server 2003 and make this domain the root domain of a second tree in the existing forest.
B. Upgrade the TestKing domain to Windows Server 2003 and make this domain the root domain of a new forest. Create a two-way forest trust relationship.
C. Create a one-way external trust relationship in which the adatum.com domain trusts the TestKing domain.
D. Create a one-way external trust relationship in which the TestKing domain trusts the adatum.com domain.
Answer: C
Explanation: Users in the TestKing domain need to access resources on Server1 in the adatum domain. Users in the adatum domain do not need access to resources in the TestKing domain. Therefore, we need a one-way external trust relationship in which the adatum.com domain trusts the TestKing domain.
Incorrect Answers:
A: It is not necessary to upgrade the TestKing domain. Furthermore, this solution would enable users in the adatum domain to access resources in the TestKing domain (TestKing administrators could grant permissions to the adatum users to access resources).
B: It is not necessary to upgrade the TestKing domain.
Furthermore, this solution would enable users in the adatum domain to access resources in the TestKing domain (TestKing administrators could grant permissions to the adatum users to access resources).
D: This solution would enable users in the adatum domain to access resources in the TestKing domain (TestKing administrators could grant permissions to the adatum users to access resources), but users in the TestKing domain would not be able to access resources on Server1 (in the adatum domain).
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-41 to 4-48

QUESTION NO: 4
You are the network administrator for a company named TestKing Holdings. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.com and cpand1.com. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests. You need to achieve the following goals:
1. Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
2. Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com.
You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)
A. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control list (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to This Organization security group.

Answer: A, D, E
Explanation: When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.
Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions. If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest.
Incorrect Answers:
B: If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. However, users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com. We should therefore use selective authentication for the cpand1.com forest to access the contoso.com.
C: Users in the contoso.com forest must be able to access all resources in the cpand1.com forest, in other words, they need forest-wide access.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-48 to 4-49
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, p. 25

QUESTION NO: 5
You are the network administrator for TestKing.com. The company consists of two subsidiaries named TestKing, and TestKing.com. The network consists of two Active Directory forests. All servers run Windows Server 2003. The domain configuration is shown in the exhibit.
The North American department in the company is renamed to Northwind Traders. You rename the NA.testking.com domain to northwindtraders.com. You change the NetBIOS name for the domain to northwindtraders. The northwindtraders.com domain is a second tree in the testking.com forest. After the domain is renamed, users in the northwindtraders.com domain report that they cannot access any shared resources in the fabrikam.com domain. In addition, users in the fabrikam.com domain report that they cannot access shared resources in the northwindtraders.com domain. You need to re-enable the sharing of resources between the northwindtraders.com domain and the fabrikam.com domain. What should you do?
A. Change the NetBIOS name for the northwindtraders.com domain to NA.
B. Delete and re-create the two one-way trust relationships between the northwindtraders.com domain and the fabrikam.com domain.
C. Configure conditional forwarding on the DNS server in the fabrikam.com domain to forward requests for the northwindtraders.com domain to the DNS servers in the testking.com domain.
D. Reset the computer account passwords on all of the domain controllers in the northwindtraders.com domain.
Answer: B
Explanation: After renaming the domain, the external trust relationships will need to be recreated.
Incorrect Answers:
A: Changing the NetBIOS name will not affect the trust relationship.
C: A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. It does not affect trust relationships.
D: The computer account passwords will not affect the trust relationship.

Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 1, pp. 36-40
MS White paper Step-by-Step Guide to Implementing Domain Rename

QUESTION NO: 6
You are the network administrator at Acme Inc. The network consists of a single Active Directory forest that contains a single domain named acme.com. The functional level of the forest is Windows Server 2003. Acme purchases a company named TestKing. The TestKing network consists of one Windows NT 4.0 account domain and two Windows NT 4.0 resource domains, as shown in the exhibit.
All file resources are stored on file servers in the acme.com domain and in the TESTKINGSOURCE1 domain. You need to accomplish the following goals:
1. You need to minimize the number of trust relationships that must be maintained in the network environment.
2. Users in each company must be able to access the file resources on the file servers in the other company's domain.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Create a one-way external trust relationship in which the TESTKINGSOURCE1 domain trusts the acme.com domain.
B. Create a one-way external trust relationship in which the acme.com domain trusts the TESTKINGSOURCE1 domain.
C. Create a one-way external trust relationship in which the acme.com domain trusts the TESTKINGACCOUNT domain.
D. Create a one-way external trust relationship in which the TESTKINGACCOUNT domain trusts the acme.com domain.
Answer: A, C
Explanation: The file resources in the TestKing network are located in the TESTKINGSOURCE1 domain. In the Acme network, the file resources are in the acme.com domain.
Users in the TestKing network are located in the TESTKINGACCOUNTS domain while users in the Acme network are located in the acme.com domain. For users in the acme.com domain to access file resources in the TestKing network, we would need the TESTKINGSOURCE1 domain to trust the acme.com domain. For users in the TestKing network to access file resources in the acme.com domain, we need the acme.com domain to trust the TESTKINGACCOUNT domain.
Incorrect Answers:
B: In one-way trust relationships, the direction of access is always in the opposite direction. Thus, if the acme.com domain trusts the TESTKINGSOURCE1 domain, then the TESTKINGSOURCE1 domain can access the acme.com domain. Therefore, the one-way trust is in the wrong direction.
D: In one-way trust relationships, the direction of access is always in the opposite direction. Thus, if the TESTKINGACCOUNT domain trusts the acme.com domain, then the acme.com domain can access the TESTKINGACCOUNT domain. However, the file resources in the TestKing network are in the TESTKINGSOURCE1 domain.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 43, 315-317, 396

QUESTION NO: 7
You are the network administrator for TestKing.com. The company consists of three subsidiaries named Testking Ltd, Fabricam Inc and Adatum Corporation. The network consists of three Active Directory forests that include external trust relationships, as shown in the exhibit.
The functional level of each forest is Windows 2000. The functional level of each domain is Windows 2000 native.
TestKing requires users in each domain to be able to access resources in all domains across all forests by using the minimum number of trust relationships. You need to ensure that users don't have accounts in one of the other two forests. You need to accomplish this goal by using the minimum amount of administrative effort. You upgrade every domain controller to Windows Server 2003. Which additional action or actions should you take? (Choose all that apply).
A. Raise the functional level of each forest to Windows Server 2003
B. Create shortcut relationship between each child domain.
C. Replace existing external trust relationship with two-way forest trust relationships.
D. Create a two-way forest trust relationship between testking.com and fabricam.com.
Answer: A, C, D
Explanation: We have Windows 2000 forests, which means we can only create one-way trusts between the forests. If we raise the functional level of each forest to Windows Server 2003, we can use two-way forest trust relationships which will reduce the number of required trust relationships.
Forest trust relationships are not transitive. This means that although testking.com trusts adatum.com and adatum.com trusts fabrikam.com, testking.com does not trust fabrikam.com. Therefore, we need to configure a two-way forest trust relationship between testking.com and fabricam.com.
Incorrect Answers:
B: Creating shortcut trust relationships between each child domain is not necessary and will add to the number of trust relationships.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4: 41-45

Part 4: Implement an Active Directory site topology.
A: Configure site links.
(6 questions)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with six sites. These sites are located in six different cities. The site configuration is shown in the exhibit.
The site links are configured as shown in the following table.

Site link name      Replication schedule         Replication frequency
SiteLink-1-2        24 hours per day             1 hour
SiteLink-1-3-4      6:00 P.M. to 6:00 A.M.       1 hour
SiteLink-2-5-6      10:00 P.M. to 6:00 A.M.      2 hours

All user accounts for the entire company are created by network administrators in Testking1. The number of employees in the office at Testking3 is growing rapidly. Several accounts for new employees are created for users in Testking3 every day. The new employees report that they cannot log on to the domain on the same day that their accounts are created. They can log on to the domain successfully the next day. You need to ensure that the employees can log on to the domain on the same day that their accounts are created. You also need to ensure that the replication traffic between Testking1 and Testking3 is compressed. What should you do?
A. Move the Active Directory domain controller objects from Testking3 to Testking1.
B. Add the Active Directory subnet object for Testking3 to Testking1.
C. Reconfigure SiteLink-1-2 to include Testking1, Testking2, and Testking3. Remove Testking3 from SiteLink-1-3-4.
D. Remove Testking1 from SiteLink-1-3-4.
Answer: C
Explanation: The changes to Active Directory in Testking1 are replicated to Testking2 an hour later and to the other sites only after 6 P.M. in the case of Testking3 and Testking4, and after 10 P.M. to Testking5 and Testking6.
Incorrect Answers:
A: Moving the Active Directory domain controller objects from Testking3 to Testking1 will not change the replication schedule.
B: Adding Active Directory subnet object for Testking3 to Testking1 will not change the replication schedule.
D: Removing Testking1 from SiteLink-1-3-4 would mean that changes made in Testking1 are never replicated to Testking3 and Testking4. Instead, replication will occur only between Testking3 and Testking4.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 446-448, 452-454, 457-460

QUESTION NO: 2
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with four sites. The sites are connected by site links, as shown in the work area.

WAN connection           Type of connection    Available bandwidth
Site TK1 - Site TK2      56 Kbps               30 percent
Site TK2 - Site TK3      T3                    70 percent
Site TK3 - Site TK4      T1                    40 percent
Site TK4 - Site TK1      T3                    70 percent

You need to ensure that the Knowledge Consistency Checker (KCC) uses the faster connection links when possible. What should you do? To answer, drag the appropriate site link cost or costs to the correct location or locations in the work area.
Answer:
Explanation: Site link costs determine which links are first used for replication. The link with the lowest cost is used first. If that link is down, the link with the next lowest cost is used. We must therefore assign the lowest cost to the site links with the highest available bandwidth, i.e., Site TK1 - Site TK4 and Site TK2 - Site TK3. We must then assign the site link with the next highest available bandwidth (Site TK3 - Site TK4) the next lowest cost. The site link with the lowest available bandwidth (Site TK1 - Site TK2) must have the highest cost.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 449-452, 458, 458-459

QUESTION NO: 3
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory named testking.com. The functional level of the domain is Windows Server 2003. TestKing has a main office and four branch offices. Each branch office is connected to the main office by a WAN connection. You configure an Active Directory site for each office. The sites and WAN connections are shown in the exhibit.
You need to create site links to minimize replication traffic over WAN connections. Which site link or site links should you create? To answer, drag the appropriate site link or site links to the correct location or locations in the work area.
Answer:
Explanation: Each branch office is only connected to the main office. Therefore, site links should be between the main office and the branch offices, not between two branch offices.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to 5-8

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com with five sites.

You configure the five Active Directory sites in accordance with the requirements of the company's site configuration design. The network and site configuration is shown in the exhibit.

The site configuration design also requires you to configure site link bridges. The design requires the site links connecting TestKing1, TestKing2, and TestKing3 to be transitive and all other site links to be nontransitive. You need to configure site link bridges to comply with the site configuration design. Which action or actions should you take? (Choose all that apply)
A. Disable automatic site link bridging in the IP object properties.
B. Create new site links between each of the Active Directory sites.
C. Remove each of the sites from the default site link.
D. Create a new site link bridge. Add the site links connecting TestKing1, TestKing2, and TestKing3 to the site link bridge.
E. Create a new link bridge. Add the site links connecting TestKing3, TestKing4, and TestKing5 to the site link bridge.

Answer: A, C, D.

Explanation:
A: We must disable automatic site link bridging in the IP object properties, to prevent all site links being transitive.
C: removed, and site links have been manually added. But, we should do this just to be sure.
D: The design requires the site links connecting Site1, Site2, and Site3 to be transitive. Therefore, we should create a new site link bridge and add the site links connecting Site1, Site2, and Site3 to the site link bridge.

Incorrect Answers:
B: This would mean that every site is connected to each of the other sites.
E: This would make the site links connecting Site3, Site4, and Site5 transitive.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 449-452, 458, 458-459
MS Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services: - Setting Site Link Properties

QUESTION NO: 5
You are the network administrator for TestKing, a company that has three offices. The offices are in Boston, Chicago, and New York. All three offices are connected by leased lines as shown in the exhibit.

TestKing is deploying a Windows Server 2003 forest. You create a single Active Directory domain named testking.com. You configure each office as a single site. You configure three domain controllers in NYSite. You create a domain controller in each of the other sites. You create site links based on the network topology. Each leased line is represented by a site link. Each site link connects only two sites. The cost and the schedule for all site links is the same. The sites and site links are named as shown in the following table.

Site link name   Linked site   Linked site
NYBoston         NYSite        BosSite
NYChi            NYSite        ChiSite
ChiBoston        ChiSite       BosSite

Users report that network requests between BosSite and ChiSite are taking much longer than they used to take. You discover that replication traffic is using an unacceptably large percentage of the bandwidth between BosSite and ChiSite. You need to reduce replication traffic over the ChiBoston site link. What should you do?
A. Create an SMTP-based connection object from a domain controller in NYSite to a domain controller in BosSite.
B. Increase the cost of the ChiBoston site link.

C. Create a site link bridge that includes the NYBoston and NYChi site links.
D. Increase the replication interval for the NYBoston site link.

Answer: B

Explanation:
To reduce the replication traffic over the ChiBoston site link, we need to increase the site link cost of that site link. The ChiBoston site link cost should be higher than that of the other two site links. Replication traffic will then pass over the site link with the lowest cost.

Incorrect Answers:
A: You can use either IP or SMTP as the protocol for replication traffic. However, SMTP replication requires an Enterprise Certification Authority (ECA) because Public Key encryption and certificates are used to verify identity of domain controllers and provide digital signatures. It would be easier to increase the site link cost for the ChiBoston site.
C: By default, all site links are bridged together, making the site links transitive. We need to disable the transitive property of the ChiBoston site link rather than create another site link bridge.
D: Increasing the replication interval for the NYBoston site link will result in even more replication traffic passing over the NYChi and ChiBoston site links.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 449-452, 458, 458-459
MS Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services: - Setting Site Link Properties

QUESTION NO: 6
You are the network administrator for TestKing.com. TestKing has three offices. The network consists of a single Active Directory domain named testking.com with three sites. Each office is configured as a separate site. TestKing opens a new branch office in Montreal that has 10 users. This office does not contain a domain controller. The Montreal Office has WAN connections to two of the existing offices. A router is installed at each of the four offices to route network traffic across the WAN connections. The network after the addition of the Montreal Office is shown in the exhibit.

You need to ensure that when the users in the Montreal office log on to the domain during normal operations, they will be authenticated by a domain controller in TestKing Site2. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Create a new IP subnet object that includes the subnet used in the Montreal Office. Link the new subnet object to the TestKing Site2 site object.
B. Create a new IP subnet object that includes the subnet used in the Montreal Office. Link the new subnet object to the TestKing Site3 site object.
C. Create an additional site for the Montreal Office. Configure a site link to TestKing Site3 with a cost of 300. Configure a site link to TestKing Site2 with a cost of 200.
D. Create an additional site for the Montreal Office. Configure a site link to TestKing Site2 with a cost of 300. Configure a site link to TestKing Site3 with a cost of 200.
E. Assign IP addresses to the client computers in the Montreal Office that are on the same IP subnet as the network at Site2.
Answer: A, C

Explanation:
A: If we create a new subnet for the Montreal site that contains a Domain Controller for the Montreal site, all the computers that are in that subnet will logon via the Domain Controller on the Montreal subnet.
C: If we create a new site, and configure a site link to TestKing Site3 with a cost of 300 and a site link to TestKing Site2 with a cost of 200, user logons will go over the site link with the lowest cost first and will use the other site link as a fail over mechanism.

Incorrect Answers:
B: Users in the Montreal office should be authenticated by a domain controller in TestKing Site2. Therefore we should link the new subnet object to the TestKing Site2 site object, and not the TestKing Site3 site object.
D: Users in the Montreal office should be authenticated by a domain controller in TestKing Site2. Therefore, the TestKing Site 2 site link should have a lower cost.
E: We could assign IP addresses to the client computers in the Montreal Office that are on the same IP subnet as the network at Site2. However, the network will be easier to administrate if the offices are on separate sites. This is therefore not the best option.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 6, p. 43
MS Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services: - Setting Site Link Properties

B: Configure preferred bridgehead servers. (8 questions)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com with two sites. Each site contains two domain controllers. One domain controller in each site is a global catalog server. You add a domain controller to each site. Each new domain controller has a faster processor than the existing domain controllers. TestKing requires Active Directory replication to flow through the servers that have the most powerful CPUs in each site. You need to configure the intersite replication to comply with TestKing's requirement for Active Directory replication. What should you do?
A. Configure the new domain controllers as global catalog servers.
B. Configure the new domain controller in each site as a preferred bridgehead server for the IP transport.
C. Configure the new domain controller in each site as a preferred bridgehead server for the SMTP transport.
D. Configure an additional IP site link between the two sites. Assign a lower site link cost to this site link than the site link cost for the original site link.

Answer: B

Explanation:
Directory information is replicated both within and among sites. Active Directory replicates information within a site more frequently than across sites. This balances the need for up-to-date directory information with the limitations imposed by available network bandwidth.
You can customize how Active Directory replicates information using site links to specify how your sites are connected. Active Directory uses the information about how sites are connected to generate Connection objects that provide efficient replication and fault tolerance.
use and how often the link should be used. Active Directory uses this information to determine which site link will be used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is low, will make replication more efficient.
Ordinarily, all domain controllers are used to exchange information between sites, but you can further control replication behavior by specifying a bridgehead server for inter-site replicated information. A bridgehead server is dedicated for inter-site replication. You can also establish a bridgehead server when your deployment uses proxy servers, such as for sending and receiving information through a firewall.

Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not control replication.
C: You can use either IP or SMTP as the protocol for replication traffic. However, SMTP replication requires an Enterprise Certification Authority (ECA) because Public Key encryption and certificates are used to verify identity of domain controllers and provide digital signatures.

D: We can control the flow of replication traffic by creating a new site link with a lower cost. Replication will then occur across the site link with the lower cost. However, this option does not specify that the new site link must be between MainDC3 and BranchDC3.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 6, pp. 453-455
MS Windows Server 2003 Deployment Kit - Designing and Deploying Directory and Security Services - Active Directory Replication Concepts

QUESTION NO: 2 HOTSPOT
You are the network administrator for TestKing.com. The company consists of two subsidiaries named TestKing and TestKing.com. The network consists of two Active Directory domains with two sites. The sites are named Site1 and Site2. The domains are named testking.com and fabrikam.com.

The network includes one Active Directory application partition named AppPartition1. This application partition is replicated to domain controllers in Site1 and Site2. The network contains six domain controllers. The domain controller locations and the roles of the domain controllers are identified in the work area below.

You need to configure preferred bridgehead servers in each site. You need to configure the minimum number of domain controllers as preferred bridgehead servers such that no bridgehead servers will be automatically selected. Which domain controller or domain controllers should you configure as preferred bridgehead servers? To answer, select the appropriate domain controller or domain controllers in the work area.

Answer:

Explanation:
Select DC2.testking.com and DC5.testking.com
If you specify preferred bridgehead servers, you must assign one bridge-head server for each domain and writable directory partition combination in your forest.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-8, 5-31 to 5-32

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with three sites named Testking1, Testking2, and Testking3. The sites and site links are configured to use Testking2 to connect Testking1 and Testking3. Each site contains three Windows Server 2003 domain controllers. A domain controller in each site is configured as a preferred bridgehead server. All user and group accounts are created in Testking1.

Several new users start work in Testking2. When they attempt to log on to the network, the logon fails. You confirm that the user accounts are created and are visible in Testking1 and Testking2. You discover that the preferred IP bridgehead server in Testking2 failed. You repair the server and confirm that replication is successful to Testking2.

You need to ensure that the failure of a single domain controller in any site will not interfere with Active Directory replication between sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Configure an IP site link between Testking1 and Testking3.
B. Configure two domain controllers in each site as preferred IP bridgehead servers.
C. Configure two domain controllers in each site as preferred SMTP bridgehead servers.
D. Configure each site to have no preferred bridgehead servers.
E. Configure an SMTP site link between each of the sites. Assign a cost of 200 to the SMTP site link.
Answer: B, D

Explanation:
Directory information is replicated both within and among sites. Active Directory replicates information within a site more frequently than across sites. This balances the need for up-to-date directory information with the limitations imposed by available network bandwidth.

You customize how Active Directory replicates information by using site links to specify how your sites are connected. Active Directory uses the information about how sites are connected to generate Connection objects that provide efficient replication and fault tolerance.
Active Directory uses this information to determine which site link will be used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is low, will make replication more efficient.
You can further control replication behavior by specifying a bridgehead server for inter-site replicated information. The bridgehead server is a specific server you want to dedicate for inter-site replication, rather than using any server available. You can also establish a bridgehead server when your deployment uses proxy servers, such as for sending and receiving information through a firewall.

Incorrect Answers:
A: Site1 is linked to Site3 through Site2. Adding a direct site link between Site1 and Site3 will create an alternative path for replication between Site1 and Site3. This however does not address redundancy for Site2.
C, E: You can use either IP or SMTP as the protocol for replication traffic. However, SMTP replication requires an Enterprise Certification Authority (ECA) because Public Key encryption and certificates are used to verify identity of domain controllers and provide digital signatures.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-21 to 1-24, 5-3 to 5-8, 5-25 to 5-37

QUESTION NO: 4
You are the administrator of the Testking company network. Testking has a main office and a branch office. Each office is configured as an Active Directory site in the testking.com domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional. The branch office is connected to the main office by a 256Kbps WAN link.

The main office has two domain controllers named MainDC1 and MainDC2. The branch office has two domain controllers named BranchDC1 and BranchDC2. You purchase two new servers. MainDC3 will be a domain controller in the main office. BranchDC3 will be a domain controller in the branch office.

To improve network performance, you want to configure the intersite replication to flow through the new servers. What should you do?
A. Configure MainDC3 and BranchDC3 as global catalog servers.
B. Configure MainDC3 and BranchDC3 as a preferred bridgehead server for the IP transport.
C. Configure MainDC3 and BranchDC3 as a preferred bridgehead server for the SMTP transport.
D. In Active Directory Sites and Services, configure an additional IP site link between the two sites. Assign a lower site link cost to this site link than the site link cost for the original site link.

Answer: B

Explanation:
Directory information is replicated both within and among sites. Active Directory replicates information within a site more frequently than across sites. This balances the need for up-to-date directory information with the limitations imposed by available network bandwidth.
You customize how Active Directory replicates information by using site links to specify how your sites are connected. Active Directory uses the information about how sites are connected to generate Connection objects that provide efficient replication and fault tolerance.
Active Directory uses this information to determine which site link will be used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is low, will make replication more efficient.
You can further control replication behavior by specifying a bridgehead server for inter-site replicated information. The bridgehead server is a specific server you want to dedicate for inter-site replication, rather than using any server available. You can also establish a bridgehead server when your deployment uses proxy servers, such as for sending and receiving information through a firewall.

Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not control replication.
C: You can use either IP or SMTP as the protocol for replication traffic. However, SMTP replication requires an Enterprise Certification Authority (ECA) because Public Key encryption and certificates are used to verify identity of domain controllers and provide digital signatures.
D: We can control the flow of replication traffic by creating a new site link with a lower cost. Replication will then occur across the site link with the lower cost. However, this option does not specify that the new site link must be between MainDC3 and BranchDC3.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 6, pp. 453-455
MS Windows Server 2003 Deployment Kit - Designing and Deploying Directory and Security Services - Active Directory Replication Concepts

QUESTION NO: 5
You are a network administrator for TestKing.com. The company has offices in Paris and New York. The network consists of a single Active Directory domain named testking.com that contains six domain controllers, as shown in the exhibit.

The Paris and New York offices are connected by an IP site link. The six domain controllers are configured as shown in the following table.

Server name   Function
TestKing1     File and print server
TestKing2     Application server
TestKing3     Routing and Remote Access server
TestKing4     Routing and Remote Access server
TestKing5     File and print server
TestKing6     Application server

You notice that at regular intervals the CPU utilization on some of the file and print servers increases to 100 percent for a period of time. During this time, the servers become unresponsive to user requests. You discover that this problem occurs during Active Directory replication. You need to ensure that the file and print servers are responsive to user requests during Active Directory replication. What should you do?
A. Increase the replication interval of the site link connecting the two offices.
B. Decrease the replication interval of the site link connecting the two offices.
C. Configure TestKing1 and TestKing5 as preferred bridgehead servers.
D. Configure TestKing3 and TestKing4 as preferred bridgehead servers.
Answer: D

Explanation:
The poor performance of the File and Print servers is due to Active Directory replication. The replication is occurring between the File and Print servers. This is because they are configured as preferred bridgehead servers. We can improve their performance by configuring the replication to occur between different servers (in this case, the RRAS servers, TestKing3 and TestKing4). We do this by configuring TestKing3 and TestKing4 as preferred bridgehead servers.

Incorrect Answers:
A: The problems occur during replication. This solution will decrease the frequency of the problems, but it won't eliminate the problems.
B: The problems occur during replication. This solution will increase the frequency of the problems.
C: TestKing1 and TestKing5 are already preferred bridgehead servers. This is the cause of the problem.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-25 to 5-3
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-24 to 5-28

QUESTION NO: 6
You are the network administrator for TestKing.com. TestKing consists of two subsidiaries named Contoso, Ltd., and TestKing.com. The network consists of two Active Directory domains in a single forest with four sites. The network configuration is shown in the exhibit.

All client computers run Windows XP Professional.

Users who have accounts in the fabrikam.com domain frequently travel to Site3. When these users log on to the network in Site3, the logon process can take up to 10 minutes. You discover that when these users log on to the network in Site3, they are authenticated by DC5.Fabrikam.com in Site1. You need to ensure that TestKing.com users can log on more quickly from Site3. What should you do?
A. Increase the site link cost for SiteLink-1-3 to 500.
B. Configure a site link bridge that will bridge SiteLink-3-4 and SiteLink-2-4.
C. Modify the subnet object linked to Site3 so that it is linked to Site1.
D. Move the DC5.Fabrikam.com domain controller object from Site1 to Site3.

Answer: B

Explanation:
SiteLink-1-3 is across a slow WAN link. By creating a site link that bridges SiteLink-3-4 and SiteLink-2-4, we would create an alternative path to DC6.fabrikam.com.

Incorrect Answers:
A: Increasing the Site Link cost for SiteLink-1-3 will not improve log on time.
C: Site 3 is already linked to Site1 via SiteLink-1-3.
D: Moving the DC5.fabrikam.com domain controller to Site3 would resolve the problem but might cause problems when Fabrikam users log on from Site1. This is thus not the best option.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to 5-8

QUESTION NO: 7
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com with two sites. All servers run Windows Server 2003. The network is configured as shown in the Network Diagram exhibit.

You use Replication Monitor to monitor Active Directory replication. You discover that replication connections are being established as shown in the Replication Monitor exhibit.

You need to ensure that replication takes place only between defined preferred bridgehead servers. You need to accomplish this task without incurring any additional replication traffic. What should you do?
A. Configure TESTKING1 and TESTKING5 as additional DNS servers.
B. Configure TESTKING3 and TESTKING6 as additional DNS servers.
C. Configure only TESTKING2 and TESTKING4 as preferred bridgehead servers.
D. Configure only TESTKING3 and TESTKING4 as preferred bridgehead servers.

Answer: C

Explanation:
We have replication between the bridgehead servers and between the DNS servers. If we configure the DNS servers as bridgehead servers, all the replication will occur between only those two machines.
When two sites are connected by a site link, the replication system automatically creates connections between specific domain controllers in each site called bridgehead servers. In Microsoft Windows 2000, intersite replication of the directory partitions between domain controllers in different sites is performed by the domain controllers (one per directory partition) in those sites designated by the KCC as the bridgehead server. In Windows Server 2003, the KCC may designate more than one domain controller per site hosting the same directory partition as a candidate bridgehead server. The replication connections created by the KCC are randomly distributed between all candidate bridgehead servers in a site to share the replication workload. By default, the randomized selection process takes place only when new connection objects are added to the site. However, you can run a new Windows Resource Kit tool called Active Directory Load Balancing (ADLB) to rebalance the load each time a change occurs in the site topology or in the number of domain controllers in the site. In addition, ADLB can stagger schedules so that the outbound replication load for each domain controller is spread out evenly across time.

Incorrect Answers:
A, B, D: We have replication between the bridgehead servers and between the DNS servers. If we configure the DNS servers as bridgehead servers, all the replication will occur between only those two machines. Only TESTKING2 and TESTKING4 are DNS servers, therefore those two servers should be made the bridgehead servers, not TESTKING1, TESTKING3, TESTKING5, or TESTKING6.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-8 to 5-9
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, p. 459

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one root domain and one child domain. The forest also contains three separate sites, as shown in the Network Diagram exhibit. The network is not fully routed and there is no direct physical connection between Site1 and Site3. Site links are not bridged.

You discover that the domain controllers for europe.testking.com located in Site1 have additional accounts that are not on the domain controllers for europe.testking.com located in Site3. You examine the directory service log in Event Viewer on a domain controller for europe.testking.com. You discover the error message shown in the Error Message exhibit. You need to resolve the condition that is causing this error. What should you do?
A. Add a domain controller for the europe.testking.com domain to Site2.
B. Configure a site link bridge between the site links for Site1 and Site3.
C. Configure at least one domain controller in each site to be a global catalog server.
D. Create a site link between Site1 and Site3.

Answer: B

Explanation:
There is no physical connectivity between Site1 and Site3. We have a site link between Site1 and Site2 and between Site2 and Site3. We should therefore create a site link bridge between the site links for Site1 and Site3. Any replication between Site1 and Site3 will then travel over the two existing site links.
One computer in any given site owns the role of creating inbound replication connection objects between bridgehead servers from other sites. This domain controller is known as the Inter-Site Topology Generator.
While analyzing the Site Link and Site Link Bridge structure to determine the most cost-effective route to synchronize a naming context between two points, it may determine that a site does not have membership in any Site Link and therefore has no means to create a replication object to a bridgehead server in that site.

Incorrect Answers:
A: This will cause excessive replication traffic between site2 and site3. This defeats the object of using sites to control replication traffic.
C: Global Catalog placement is not the cause of the error in this question.
D: We have no physical connectivity between site1 and site3.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 6, p. 427
Troubleshooting Event ID 1311: Knowledge Consistency Checker KB article 214745

C. Configure Intersite Replication (4 questions)

QUESTION NO: 1 HOTSPOT
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain consists of four sites as shown in the work area. Pedro is another administrator for TestKing.com. Pedro is responsible for managing the frequency of Active Directory replication among the four sites. You need to allow Pedro to manage the frequency of intersite replication. You must ensure that Pedro cannot modify any other objects. Where should you grant Pedro the permission that he needs? To answer, select the appropriate node in the dialog box.

An IP site link connects your site and the site at TestKing's main office. TestKing replaces your router with a firewall device. The firewall is configured to allow HTTP, SMTP, FTP, NNTP, global catalog queries, and VPN packets to pass. You discover that replication with other sites is not occurring. You need to ensure that you can replicate with other sites. You need to achieve this goal without removing or reconfiguring the firewall. What should you do?

A. Create a new SMTP site link between your site and each of the other sites.
B. Configure one domain controller in your site as a global catalog server.
C. Configure both domain controllers in your site to use a fixed port when replicating.
D. Create a VPN between your site and the site at the main office.
Answer: D

Explanation: We need to enable replication through an Internet connection. The best solution would be to use a virtual private network (VPN) connection between our site and the corporate network.

Incorrect Answers:
A: You can use either IP or SMTP as the protocol for replication traffic. However, SMTP replication requires an Enterprise Certification Authority (ECA) because Public Key encryption and certificates are used to verify identity of domain controllers and provide digital signatures.
B: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not control replication.
C: We need to create a connection via the Internet. Configuring ports for replication on its own will not accomplish this.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
31, 543, 547, 550-552

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com with six sites. The Active Directory site configuration is shown in the exhibit.

The network connection connecting SiteTestking3 and SiteTestking4 has more than 80 percent utilization during TestKing's business hours. The network bandwidth is required for a critical business application, and so you must ensure that Active Directory replication does not interfere with the application. The other network connections have adequate bandwidth to support Active Directory replication. You must ensure that Active Directory replication traffic does not cross the network
connection connecting SiteTestking3 and SiteTestking4 during TestKing's business hours. Replication connecting all other Active Directory sites must occur at least every three hours throughout the day. What should you do?

A. Configure the replication schedule for the site link connecting SiteTestking3 and SiteTestking4 to replicate only during nonbusiness hours.
B. Disable automatic site link bridging. Create one site link bridge that bridges the site links connecting SiteTestking1, SiteTestking2, and SiteTestking3. Create another site link bridge that bridges the site links connecting SiteTestking4, SiteTestking5, and SiteTestking6.
C. Configure one domain controller in SiteTestking3 and one domain controller in SiteTestking4 as preferred bridgehead servers.
D. Configure the site link cost between SiteTestking3 and SiteTestking4 to be 1,000. Configure the other site link costs to be 100.

Answer: A

Explanation: In Active Directory, the replication process ensures that changes made to a replica on one domain controller are synchronized to replicas on all other domain controllers within the domain. Creating, modifying, moving, or deleting an object triggers replication between domain controllers. Active Directory replicates information in two ways: intrasite (within a site) and intersite (between sites). This means that if you configure the replication schedule between SiteTestking3 and SiteTestking4 to be during non-business hours, then you will ensure that replication traffic does not cross the network connection during business hours.

Incorrect Answers:
B: Replication needs to occur between SiteTestking3 and SiteTestking4. Disabling automatic site link bridging will not prevent this.
C: This will limit replication to occur only between these two servers. However, we must prevent replications from occurring during business hours.
3& !hen we ha%e redundant lin/s, we can use site lin/ costs to determine which lin/s are used for replication traffic. Aowe%er, there is no alternati%e route between $iteTest/ing3 and $iteTest/ing-. Reference& Michael .ross, Qeffer A. Martin, Todd A. !alls, Martin Crasdal, Debra 4ittle)ohn $hinder L Dr. Thomas !. $hinder, M.$39 3Bam G"22=-9 5lanning, &mplementing, and Maintaining a !indows $er%er 2""3 Acti%e Director &nfrastructure $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, MA, 2""3, pp. --=2-F2, -F>, -F>2-F=. Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. F9 -, 1" %*+,TION NO& ) .ou are the net/or$ administrator for TestKing0com0 The net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com /ith three sites named ,ite-, ,ite', and ,ite60 ,ite lin$s are configured et/een the sites so that ,ite- and ,ite6 are connected y using ,ite'0 The site lin$s are configured as sho/n in the follo/ing ta le0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 12> 2 ,ite lin$ Replication schedule Replication inter2al Cost $ite1 2 $ite2 site lin/ 19"" A.M. 2 ;9"" A.M. ;" minutes 2"" $ite2 2 $ite3 site lin/ >9"" 5.M. 2 19"" A.M. 3" minutes F"" 1ll user and group accounts are managed y net/or$ administrators at ,ite-0 *sers at ,ite6 report that it ta$es more than a day for changes made to 1cti2e 3irectory at ,ite- to e 2isi le in the domain at ,ite60

You must ensure that the changes made by Active Directory at Site1 between 8:00 A.M. and 6:00 P.M. are visible at Site3 when the business opens at 8:00 A.M. the next day. What should you do?

A. Modify the replication interval for the site link between Site1 and Site2 to 30 minutes.
B. Modify the replication schedule for the site link between Site2 and Site3 to replicate between 6:00 P.M. and 1:00 A.M.
C. Modify the site link cost between Site2 and Site3 to be 200.
D. Modify the replication schedule for the site link between Site1 and Site2 to replicate between 9:00 P.M. and 2:30 A.M.

Answer: D

Explanation: In this scenario, when an administrator in Site1 makes a change to Active Directory, this information is replicated to Site2 between 1:00 A.M. and 6:00 A.M. the next morning. This information is then replicated to Site3 between 8:00 P.M. and 1:00 A.M. that evening. Users in Site3 will thus see the changes when they start work the following morning.

We should change the replication schedule for the site link between Site1 and Site2 to occur earlier. Then, when an administrator in Site1 makes a change to Active Directory, this information is replicated to Site2 between 9:00 P.M. and 2:30 A.M. that evening. This information is then replicated to Site3 between 8:00 P.M. and 1:00 A.M. Users in Site3 will then see the changes when they start work the next morning.

Incorrect Answers:
A: Replication is configured to occur on a schedule. Reducing the replication interval will thus not resolve this problem.
B: When an administrator in Site1 makes a change to Active Directory, this information is replicated to Site2 between 1:00 A.M. and 6:00 A.M. the next morning. If this information is then replicated to Site3 between 6:00 P.M. and 1:00 A.M. that evening, users in Site3 will still see the changes only when they start work the following morning.
C: Site link costs will influence the path along which replication occurs when we have redundant links. In this case, Site1 is connected to Site3 through Site2. There are thus no alternative or redundant links.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to 5-8

Part 5: Plan an administrative delegation strategy.

A: Plan an organizational unit (OU) structure based on delegation requirements. (8 questions)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains named testking.com, child1.testking.com and child2.testking.com. The functional level of the forest is Windows Server 2003. Each domain contains Windows Server 2003 file and print servers. All of the file and print server computer accounts are located in the default Computers container in each domain.

There is a central operations department that is responsible for administering the file server computer accounts in all domains. There is a separate operations department for each domain that is responsible for administering the print server computer accounts in that domain. You need to delegate authority to create an environment to support your file and print server administration requirements. You need to create an organizational unit (OU) structure to support the delegation of authority requirements. What should you do?

A. Create a top-level OU for file server computer accounts under the testking.com domain. Create a top-level OU for print server computer accounts under the testking.com domain.
B. Create a top-level OU for file server computer accounts under the testking.com domain. Create a top-level OU for print server computer accounts under each domain.
C.
Create a top-level OU for file server computer accounts under each domain. Create a top-level OU for print server computer accounts under each domain.
D. Create a top-level OU for file server computer accounts under each domain. Create a child OU for print server computer accounts under each file server OU.

Answer: C

Explanation: The central operations department is responsible for administering the file server computer accounts in all domains and there is a separate operations department for each domain that is responsible for administering the print server computer accounts in that domain. Thus, we need two top-level OUs.

Incorrect Answers:
A, B: OUs cannot transcend domains therefore the OU structure needs to be implemented at the child domain level, not at the testking.com domain.
D: There is no need for child OUs as the central operations department is not responsible for the print server accounts.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of an Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003.

TestKing has a main office and four branch offices, which are located in one country. Each office has a data center that contains domain controllers and servers with a corresponding Active Directory site. There is a central operations department in the main office that is responsible for administering all resource servers and domain controllers in all locations. Each office has a local operations department that is responsible for administering all client computers within the individual department's office only. The local operations departments are also responsible for running backups on the servers in their data centers.

The computer accounts for all domain controllers are located in the default Domain Controllers organizational unit (OU). The computer accounts for all other computers are located in the default Computers container. You decide to use delegation of authority to meet the requirements for administration
of computer accounts. You need to create an OU structure for computer accounts to support the delegation of authority requirements. You want to minimize the amount of administrative effort required to maintain the environment. What should you do?

A. Create a top-level OU under the testking.com domain for each office. Move the computer accounts of all computers in each office to the appropriate OU for that office.
B. Create a top-level OU named Corp_Computers under the testking.com domain. Create a separate child OU for each office and place the child OUs under Corp_Computers. Move all of the client and resource server computer accounts located in each office to the appropriate child OU for that office.
C. Create a top-level OU named Servers under the testking.com domain. Move the computer accounts of resource servers and domain controllers in all offices to the Servers OU. Create an OU named Desktops under the testking.com domain. Move the computer accounts of the client computers in all offices to the Desktops OU.
D. Create a top-level OU named Servers under the testking.com domain. Create a separate child OU for each office under Servers. Move the computer accounts of all resource servers in each office to the appropriate child OU for that office. Create an OU named Desktops under the testking.com domain. Create a separate child OU for each office under Desktops. Move the computer accounts of all client computers in each office to the appropriate child OU for that office.
E. Create a top-level OU named Servers under the testking.com domain. Create a separate child OU for each office under Servers. Move the computer accounts of all resource servers and domain controllers in each office to the appropriate child OU for that office. Create a top-level OU named Desktops under the testking.com domain. Create a separate child OU for each office under Desktops.
Move the computer accounts of all client computers in each office to the appropriate child OU for that office.

Answer: E

Explanation: We have a central operations department that is responsible for
administering all resource servers and domain controllers in all locations. Then we have a local operations department in each office that is responsible for administering all client computers within the individual department's office only, as well as running backups on the servers in their data centers. Therefore, we need a top-level OU under the testking.com domain so that the central operations department can administer all resource servers and domain controllers in all locations.

Incorrect Answers:
A, C: All computer accounts are located in the default computers container in the domain. Therefore it is not necessary to move them to the top level OU. Also, we need to allow the local operations department in each office to administer all client computers within the individual department's office, as well as running backups on the servers in their data centers.
B: The local operations department in each office is responsible for administering all client computers within the individual department's office only, and is responsible for running backups only on the servers in their data centers. Placing the client computers as well as the resource computers in the same OU will allow the local operations department to administer the resource servers as well.
D: The local operations department in each office is responsible for running backups on all the servers in their data centers, not just the resource servers. Therefore, the child OU for each office under the Servers OU must contain the computer accounts of all resource servers and domain controllers in each office to the appropriate child OU for that office.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 3
You are the network administrator for TestKing.com. You plan to create an Active Directory domain named testking.com that will have a functional level of Windows Server 2003. TestKing has one main office and four branch offices, which are all located in one country. A central security department in the main office is responsible for creating and administering all user accounts in all offices. Each office has a local help desk department that is responsible for resetting passwords within the individual department's office only. All user accounts are located in the default Users container.

You need to create an organizational unit (OU) structure to support the delegation of authority requirements. You want to minimize the amount of administrative effort required to maintain the environment. What should you do?

A. Create a top-level OU named Testking_Users under the testking.com domain. Create a separate child OU for each office under Testking_Users. Move the user accounts of all employees in each office to the child OU for that office.
B. Create a top-level OU named Main_Office under the testking.com domain. Move the user accounts of all users in the main office to the Main_Office OU. Create a separate child OU for each branch office under the Main_Office OU. Move the user accounts of all users in each branch office to the child OU for that office.
C. Create a top-level OU named Testking_Users under the testking.com domain. Create a child OU named Central_Security under TestKing_Users. Move the user accounts of the central security department users to the Central_Security OU. Create a child OU named Help_Desk under TestKing_Users. Move the user accounts of the help desk users to the Help_Desk OU.
D. Create a top-level OU named TestKing_Users under the testking.com domain. Create a child OU named Central_Security under TestKing_Users.
Move the user accounts of the central security department users to the Central_Security OU.

Answer: A

Explanation: Two OU levels will fit the requirement. You can delegate control for central security on the OU "Testking_Users" and each office can be administered by the local help desk team.

Incorrect Answers:
B: All user accounts are located in the default Users container in the domain. Therefore it is not necessary to move them to the top level OU.

C, D: There is no need for a Central_security OU as administrators at each branch office are responsible for administering user accounts in their respective branch.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4-11

QUESTION NO: 4
Exhibit #A
Exhibit #B
Exhibit #C
Exhibit #D

You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one domain. The company has its main office and one branch office in San Francisco. The company has additional branch offices in Chicago, New York, and Toronto.

Administrators at the main office are responsible for managing all objects in the domain. Administrators at each branch office are responsible for managing user and computer objects for employees who work in the same branch office as the administrator. Administrators for the San Francisco branch office are also responsible for managing user and computer objects for employees who work in the main office. These users are managed as a single unit.

You want administrators to be authorized to make changes only to the objects for which they are responsible. You need to plan an organization unit (OU) structure that allows the delegation of required permissions. You want to achieve this goal by using the minimum amount of administrative effort. Which OU structure
should you use?

A. Exhibit A
B. Exhibit B
C. Exhibit C
D. Exhibit D

Answer: A

Explanation: Administrators at each branch office are responsible for managing user and computer objects for employees who work in the same branch office as the administrator. A separate OU for each office will achieve this.

Administrators for the San Francisco branch office are also responsible for managing user and computer objects for employees who work in the main office. We can put the main office user and computer accounts in the San Francisco OU.

Administrators at the main office are responsible for managing all objects in the domain. The Main office administrators can be set permissions at the domain level. The permissions will apply to all OUs.

Incorrect Answers:
B: Administrators at the main office are responsible for managing all objects in the domain. The Main office administrators can be set permissions at the domain level, not the OU level.
C: Administrators at each branch office are responsible for managing user and computer objects for employees who work in the same branch office as the administrator. Therefore, we need a separate OU for each office.
D: Administrators at each branch office are responsible for managing user and computer objects for employees who work in the same branch office as the administrator. A separate OU for each office will achieve this. However, there are four branch offices: San Francisco, Chicago, Toronto and New York.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The company has its main office in Chicago and branch offices in Toronto and New York. The main office contains a sales department and a marketing department.

The company's MIS department is responsible for administration of the entire domain. Each office has an IT group that is responsible for the administration of user accounts. In addition, the main office MIS group has one administrator to manage the sales department and one administrator to manage the marketing department.

You need to plan the organizational unit (OU) structure for TestKing.com. You want administrators to be delegated control to only objects for which they are responsible. Your plan must ensure that permissions can be maintained by using the minimum amount of administrative effort. Which OU structure should you use?

A. Plan A
B. Plan B
C. Plan C
D. Plan D

Answer: A

Explanation: The Company's MIS department is responsible for administration of the entire domain. They can be set permissions at the domain level. These permissions would apply to all OUs in the domain.

Each office has an IT group that is responsible for the administration of user accounts. A separate OU for each office would allow the necessary delegation of control.

The main office MIS group has one administrator to manage the sales department and one administrator to manage the marketing department. OUs in the main office OU (Chicago) would allow the necessary delegation of control.

Incorrect Answers:
B: The main office MIS group has one administrator to manage the sales department and one administrator to manage the marketing department.
We need OUs in the main office OU (Chicago) to allow for the necessary delegation of control.
C: The Company's MIS department is responsible for administration of the entire domain but there is a second level of administration: The main office MIS group has one administrator to manage the sales department and one administrator to manage the marketing department.
D: The Company's MIS department is responsible for administration of the entire domain. They can be set permissions at the domain level. These permissions would apply to all OUs in the domain.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 6 DRAG DROP
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. You are responsible for configuring Active Directory security for the domain. All groups for the domain are in an organizational unit (OU) named Groups. Resource groups will be used to provide permissions to users in accounts groups.

The human resources department needs to be able to manage the membership of only the accounts groups. The server support department needs to be able to manage the membership of only the resource groups. The Domain Admins group needs to be able to manage all groups.

You need to configure the OU structure to allow the appropriate permissions to be granted. You want to achieve this goal by using the minimum amount of administrative effort. What should you do? To answer, drag the appropriate OU or OUs to the correct location or locations in the work area.

Answer:

Explanation: We need to create two top level OUs to delegate control of the appropriate departments to the appropriate groups. Having the OUs at the same level means that neither department will have control over the other OU.

The human resources department needs to be able to manage the membership of only the accounts groups. An OU for the accounts groups will enable us to delegate the necessary permissions to the Human Resources department.

The server support department needs to be able to manage the membership of only the resource groups. An OU for the resource groups will enable us to delegate the necessary permissions to the Server Support department.

The Domain Admins group needs to be able to manage all groups. The domain admins group has permission to manage all groups in the domain.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 7 DRAG DROP
The company's departments are divided into two main divisions named Operations and Support. The local IT staff at each location are responsible for user support at their location, regardless of the user's division. The research and development (R&D) department has its own IT support staff. The R&D department maintains its own IT support staff regardless of location.

You need to plan a top-level organizational unit (OU) structure that facilitates delegation of administrative control. Which top-level OU or OUs should you create? To answer, drag the appropriate top-level OU or OUs to the correct location or locations in the work area.

Answer:

Explanation: The local IT staff at each location is responsible for user support at their location, regardless of the user's division. An OU for each location will enable the local IT staff to manage resources in that location (except for R&D resources).

The research and development (R&D) department has its own IT support staff. The R&D department maintains its own IT support staff regardless of location. An OU for R&D resources will enable the R&D support staff to manage the R&D resources.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 8
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The functional level of the domain is Windows Server 2003. The organizational unit (OU) structure is shown in the exhibit.

TestKing uses an X.500 directory service enabled product to support a sales and marketing application. The application is used only by users in the sales department and the marketing department. The application uses InetOrgPerson objects as user accounts. InetOrgPerson objects have been created in Active Directory for all Sales and Marketing users. These users are instructed to log on by using their InetOrgPerson object as their user account.

Microsoft Identity Integration Server is configured to copy changes to InetOrgPerson objects from Active Directory to the X.500 directory service enabled product. All InetOrgPerson objects for marketing employees are located in the Marketing OU. All InetOrgPerson objects for sales employees are located in the Sales OU.

King is another administrator in TestKing. King is responsible for managing the
o Cects for users /ho reBuire access to the G0(55 directory ser2ice ena led product0 .ou need to configure 1cti2e 3irectory to allo/ King to perform his responsi ilities0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1F" 2 4hich action or actions should you ta$e: ?Choose all that apply@ A. 'n the domain, grant @ing the permission to manage user ob)ects. 1. 'n the domain, grant @ing the permission to manage &netorg5erson ob)ects. .. 'n the $ales 'U, bloc/ the inheritance of permissions. D. 'n the Mar/eting 'U, bloc/ the inheritance of permissions. 3. 'n the De% 'U, bloc/ the inheritance of permissions. 1ns/er& <, + +;planation& The administrator needs to manage the InetorgPerson o Cects0 4e could delegate this tas$ to the administrator or /e can use permissions at the domain le2el to accomplish this0 9o/e2er, the permissions shouldnHt apply to the 3e2 O*, so /eHll ha2e to loc$ the inheritance of the permissions for the 3e2 O*0 Incorrect 1ns/ers& 1& @ing needs to manage the &netorg5erson ob)ects, not he user ob)ects. C, 3& User accounts are located in the $ales 'U and the Mar/eting 'U. 1loc/ing inheritance to these 'Us would mean that the permissions will not appl to these 'Us. Reference9 Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. =21> to =22", =223 to =22; 19 5lan a securit group hierarch based on delegation re6uirements. 
*2 6uestions+ %*+,TION NO& .ou are the net/or$ administrator for TestKing0com0 .our net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com0 .ou /or$ in the corporate IT department0 TestKing consists of -' usiness di2isions0 +ach usiness di2ision has its o/n top8le2el organi!ational unit ?O*@ in the domain0 +ach usiness di2ision is responsi le for managing its o/n O* structure0 The O* of each di2ision includes an administrati2e group for that di2ision0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1F1 2 Mem ers of each administrati2e group ha2e the 1llo/ 8 Read permission for their di2isionHs O* o Cect and the 1llo/ 8 #ull Control permission for all child o Cects of the O* structure of only their o/n di2ision0 The administrators of each di2ision must e appro2ed y the mem ers of the 3omain 1dmins group0 .ou need to pre2ent administrators of indi2idual di2isions from adding additional administrators in their administrati2e group0 .ou need to ensure that mem ers of the 3omain 1dmins group are a le to manage those groups0 4hat should you do: A. .reate a new 'U under the 'U of each di%ision. Mo%e the appropriate administrati%e groups into the new 'Us. 1loc/ the inheritance of permissions. !hen prompted, remo%e permissions applied from the parent. 1. Assign the Domain Admins group the Allow 2 (ull .ontrol permission for the administrati%e groups in the 'U of each di%ision. .. .reate a new 'U at the same le%el in the 'U structure as the 'Us of the indi%idual di%isions. Mo%e all the administrati%e groups of the di%isions into the new 'U. D. .reate a Restricted Croups Croup 5olic ob)ect *C5'+ and lin/ the C5' to the 'U of each di%ision. 
Answer: C

Explanation:
We need to ensure that members of the Domain Admins group are able to manage the business divisions' OUs and we need to prevent administrators of individual divisions from adding additional administrators in their administrative group. We can accomplish this by placing the administrative groups of the divisions into a top-level OU that is managed by the Domain Admins group.

Incorrect Answers:
A: Creating an OU under each division will make the new OU a child OU of the business division. This will allow the administrators of the division to manage the new OU.
B: Assigning the Domain Admins group the Allow - Full Control permission for the administrative groups in the OU of each division won't prevent the division administrators from also managing the OU.
D: Creating a Restricted Groups Group Policy object (GPO) and linking the GPO to the OU of each division will prevent the administrators from adding more administrators to their administrative groups, but this won't allow the Domain Admins group to manage the administrative groups.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41

QUESTION NO: 2
Exhibit A
Exhibit B
Exhibit C
Exhibit D
You are the network administrator for TestKing, a company with six offices. The network consists of a single Active Directory domain named testking.com. Each office has users who work in the sales, marketing, and production departments.
All Active Directory administration is performed by the IT group. The IT group provides a help desk, a level-two support group, and an MIS group. Each office has one employee who works for the help desk group.
Administrative responsibilities are listed in the following table.

Group                Role
Help desk            User account maintenance for all employees who are not management
Level-two support    User account maintenance for all employees, the help desk users, and all management users
MIS group            Service account maintenance, maintenance of domain administrator accounts, and built-in accounts in Active Directory

You need to plan an organizational unit (OU) structure that allows delegation of administration. Your plan must ensure that permissions can be maintained by using the minimum amount of administrative effort.
Which OU structure should you use?

A. Exhibit A
B. Exhibit A
C. Exhibit C
D. Exhibit D

Answer: C

Explanation:
We need to delegate the management of different groups of users. We have the non-management employees, who should be managed by the Help Desk staff. We have the employees (including management and help desk staff), who should be managed by the level 2 staff. The MIS group needs to manage every other account.
The solution to this question is to delegate the management of user accounts at domain level for the MIS group. Delegate the management of user accounts in the Employees OU to the help desk staff. Delegate the management of user accounts in the Corp OU to the second-level support staff.

Incorrect Answers:
A, B: Level 2 staff should manage HelpDesk, Employees and Managers.
D: We need to delegate administrative control based on user groups, not on office location.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 408-411
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23

Topic 2, Managing and Maintaining an Active Directory Infrastructure (32 Questions)

Part 1: Manage an Active Directory forest and domain structure.

A: Manage trust relationships. (3 questions)

QUESTION NO:
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains named testking.com and dev.testking.com. All domain controllers run Windows Server 2003. The functional level of the forest is Windows Server 2003.
TestKing acquires a company named Graphic Design Institute. The Graphic Design Institute network consists of a single Active Directory forest that contains a single domain named graphicdesigninstitute.com. All domain controllers run Windows Server 2003. The functional level of the forest is Windows Server 2003.
Users in the testking.com domain require access to file and print resources stored on a computer named server1.graphicdesigninstitute.com. Users in the graphicdesigninstitute.com domain require access to all computers in the testking.com forest.
You must provide administrators with the ability to grant users access to the required resources.
What should you do?

A. Create a two-way forest trust relationship between the testking.com domain and the graphicdesigninstitute.com domain. In the testking.com domain, enable forest-wide authentication for the graphicdesigninstitute.com domain. In the graphicdesigninstitute.com domain, enable selective authentication for the testking.com domain.
B. Create a two-way external trust relationship between the testking.com domain and the graphicdesigninstitute.com domain.
C. Create a one-way forest trust relationship in which the graphicdesigninstitute.com domain trusts the testking.com domain. In the testking.com domain, enable forest-wide authentication for the graphicdesigninstitute.com domain.
D. Create a one-way external trust relationship in which the testking.com domain trusts the graphicdesigninstitute.com domain. Create a second incoming external trust relationship on the graphicdesigninstitute.com domain. Specify that the trust relationship is between the dev.testking.com domain and the graphicdesigninstitute.com domain.

Answer: A

Explanation:
When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.
Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions.
If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest.

Incorrect Answers:
B, D: We have two separate forests here. We would require a forest trust relationship between them.
C: Users in the testking.com domain require access to the graphicdesigninstitute.com domain. We will thus need the graphicdesigninstitute.com domain to trust the testking.com domain.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-48 to 4-49
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, p. 25

QUESTION NO: 2
Network Diagram
You notice that after the forest trust relationship is deleted, the membership lists for some of the domain local groups are no longer accurate. When you view a membership list, it contains entries without user-friendly names. A sample is shown in the Membership List exhibit.
**MISSING**
You need to delete all the unknown groups from the membership list for the domain local groups. You want to achieve this goal by using the minimum amount of administrative effort, and without modifying the access to resources for users in the testking.com forest.
What should you do?

A. Create new domain local groups. Add the required global groups from the testking.com forest to the domain local groups. Grant appropriate permissions to the domain local groups. Delete the original domain local groups.
B. Re-create the trust relationship between testking.com forest and the fabrikam.com forest. Delete all fabrikam.com global accounts from the domain local group membership lists. Delete the trust relationship between the two forests.
C. Verify all remaining trust relationships. Then delete the unknown accounts from the domain local groups.
D. Delete all the affected domain local groups. Re-create the groups. Add the appropriate global groups from the testking.com forest to the groups. Grant appropriate permissions to the domain local groups.
Answer: C

Explanation:
A method of seek and destroy will represent the least administrative effort. To keep administrative effort to the minimum while deleting all the unknown groups from the membership list without modifying access to resources for the testking.com forest users, you should verify all remaining trust relationships and then delete the unknown accounts from the domain local groups.

Incorrect Answers:
A: Creating new domain local groups and adding only the required testking.com forest global group to the domain local group will not reveal where unknown accounts are located. It could well be that amongst the required global testking.com forest group there are unknown accounts.
B: This option suggests too much administrative effort to complete the task. And it will also result in modifying access to resources for the testking.com forest users.
D: How would you know which are all the affected groups without verifying the trust relationships first?

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 70

QUESTION NO: 3
You work as a network administrator at TestKing. You administer the Windows 2003 domain TestKing.com and a child domain named child1.TestKing.com. The child1.TestKing.com domain contains all of the user accounts for the network.
Your company acquires a company named Contoso, Ltd. The Contoso, Ltd., network consists of a single Active Directory forest that contains a forest root domain named contoso.com and a child domain named child1.contoso.com. All domain controllers run Windows 2000 Server. Both domains contain user accounts and resource servers.
The domains and existing trust relationships are shown in the exhibit.
You need to create the minimum number of trust relationships required for the users in the child1.TestKing.com domain to access resources in both domains in the contoso.com forest.
What should you do?

A. Create a one-way trust relationship in which the TestKing.com domain trusts the contoso.com domain.
B. Create a one-way trust relationship in which the contoso.com domain trusts the TestKing.com domain.
C. Create a one-way trust relationship in which the child1.TestKing.com domain trusts the contoso.com domain. Create a one-way relationship in which the child1.TestKing.com domain trusts the child1.contoso.com domain.
D. Create a one-way trust relationship in which the contoso.com domain trusts the child1.TestKing.com domain. Create a one-way trust relationship in which the child1.contoso.com domain trusts the child1.TestKing.com domain.

Answer: D

Explanation:
Users in child1.testking.com need to access resources in contoso.com and child1.contoso.com. Therefore, the contoso.com and child1.contoso.com domains need to trust the child1.testking.com domain. We can achieve this by configuring two one-way trust relationships: one in which the contoso.com domain trusts the child1.TestKing.com domain and one in which the child1.contoso.com domain trusts the child1.TestKing.com domain.

Incorrect Answers:
A: The TestKing user accounts are in the child1.testking.com domain, not the testking.com domain. Therefore, the contoso.com and child1.contoso.com domains need to trust the child1.testking.com domain.
B: The TestKing user accounts are in the child1.testking.com domain, not the testking.com domain. Therefore, the contoso.com and child1.contoso.com domains need to trust the child1.testking.com domain.
C: The contoso.com and child1.contoso.com domains need to trust the child1.testking.com domain.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-41 to 4-48

B: Manage schema modifications. (2 questions)

QUESTION NO:
You are the network administrator for TestKing. Your user account is a member of the Schema Admins group. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named TestKingA holds the schema master role.
An application named Application1 creates additional schema classes. You notice that this application created some classes that have incorrect class names.
You need to correct the class names as quickly as possible.
What should you do?

A. Deactivate the Application1 classes that have the incorrect class names. Set the default security permission for the Everyone group for those schema classes to Deny.
B. Deactivate the Application1 classes that have the incorrect class names. Create the Application1 classes with the correct class names.
C. Rename the description of the Application1 classes to the correct class name. Instruct the developers of Application1 to change the code of the application so that the renamed schema classes can be used.
D. Instruct the developers of Application1 to change the code of the application so that the application creates the new schema classes with the correct class names. Reinstall Application1 and select Reload the schema in the Active Directory Schema console.

Answer: B

Explanation:
We need to deactivate the Application1 classes that have the incorrect class names. This is because you cannot delete or rename a class. We can only deactivate the incorrect classes and recreate the classes with the correct class names.

Extending the schema
When the set of classes and attributes in the base Active Directory schema do not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.
Schema extensions are not reversible. Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.
Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct. A defunct
If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception to this is that an attribute used as a rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (for example, those values cannot be reused).
If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it.

Incorrect Answers:
A: It is not necessary to deny access to the classes after deactivating them. We need to recreate the classes with the correct names.
C: Changing the description of a class doesn't rename the class. It is not possible to rename a class.
D: We need to deactivate the classes that have the incorrect class names.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 7, p. 506

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains a secure site and a main office site, as shown in the exhibit.
All domain controllers are configured as shown in the following table.

Drive    Contents
C        Boot partition, system partition, Active Directory database log files
D        Active Directory database
E        Files and folders

The motherboard on TESTKING2 fails and TESTKING2 is taken offline. One week later, an administrator connects to TESTKING3 and seizes the schema master role.
You need to access files on drive E on TESTKING2. You replace the motherboard on TESTKING2 and bring TESTKING2 online on an isolated subnet.
You need to be able to bring TESTKING2 back into the secure site as quickly as possible in order to access the files.
What should you do?

A. Perform a full format of drive D on TESTKING2. Transfer the schema master role to a domain controller in the MainOffice site. Remove references to TESTKING2 from Active Directory by using the Ntdsutil utility and the ADSIEdit utility on TESTKING1.
B. Perform a full format of drive C on TESTKING2. Reinstall the operating system on TESTKING2. Remove references to TESTKING2 from Active Directory by using the Ntdsutil utility and the ADSIEdit utility on TESTKING1.
C. Perform a full format of drive E on TESTKING2. Run the dcpromo command on TESTKING2. Transfer the schema master role to a domain controller in the MainOffice site. Join TESTKING2 to the domain.
D. Perform a full format of drive C on TESTKING2. Transfer the schema master role to a domain controller in the MainOffice site. Remove references to TESTKING2 from Active Directory by using the Ntdsutil utility and the ADSIEdit utility on TESTKING1.

Answer: B

+;planation& 4e ha2e sei!ed the schema master role from Test$ing' on Test$ing60 Therefore, /e donHt /ant to ring Test$ing' ac$ online /ith its old schema master role0 9a2ing t/o schema masters /ill cause pro lems in the forest0 To ring Test$ing' ac$ online, /e should format the C dri2e and reinstall the operating system0 4e should also HcleanH the 1cti2e 3irectory data ase y remo2ing references to T+,TKIN>' from 1cti2e 3irectory y using the Ntdsutil utility and the 13,I+dit utility on another domain controller0 Incorrect 1ns/ers& 1& !e need to reinstall the operating s stem, so we should format dri%e ., not dri%e D. C& (ormatting dri%e 3 will erase the data we want to access. 3& The schema master role has alread been transferred. !e need to reinstall the operating s stem after formatting dri%e .. Reference& Michael .ross, Qeffer A. Martin, Todd A. !alls, Martin Crasdal, Debra 4ittle)ohn $hinder L Dr. Thomas !. $hinder, M.$39 3Bam G"22=-9 5lanning, &mplementing, and Maintaining a !indows $er%er 2""3 Acti%e Director &nfrastructure $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, MA, 2""3, .hapter G, p. F"; .9 Add or remo%e a U5, suffiB. 
*2 6uestions+ 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1;> 2 %*+,TION NO& .ou are the net/or$ administrator for TestKing0 The net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com TestKing merges /ith a company named 1cme0 .ou need to create ne/ user accounts for all of the 1cme employees0 The e8mail address format for all users at 1cme is aliasNacme0com0 The users need to continue to use their e8mail addresses after the merger0 To decrease confusion, these users also need to e a le to use their e8mail addresses as their user logon names /hen logging on to the company net/or$0 .ou need to ensure that ne/ users can log on y using their e8mail addresses as their logon names0 .ou /ant to achie2e this goal y incurring the minimum cost and y using the minimum amount of administrati2e effort0 4hat should you do: A. .reate a new domain tree named acme.com in the test/ing.com forest. .reate user accounts for all of the users in the acme.com domain. 1. .reate a new forest named acme.com. .reate user accounts for all of the users in the acme.com domain. .onfigure a forest trust relationship between the two forests. .. .reate user accounts for all of the new users in the test/ing.com domain. .onfigure the e2mail addresses for all of the Acme users as aliasUacme.com. D. .onfigure acme.com as an additional user principal name *U5,+ suffiB for the test/ing.com forest. .onfigure each user account to use the acme.com U5, suffiB. 1ns/er& 3 +;planation& Iou can simplif the logon process for users b enabling U5, logon. !hen U5, logon is enabled, all users use the same U5, suffiB to log on to their domains. U5, names are comprised of the userKs logon name and the D,$ name of the domain. !hen ou enable U5, logon, usersK logon names remain the same e%en when their domains change. Iou might choose to enable U5, logon if9 1. Domain names in our enterprise are compleB and difficult to remember. 2. 
Users in our organi0ation might change domains as a result of domain consolidation or other organi0ational changes. 3. All domains in the forest are in nati%e mode. 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1;= 2 -. User logon names are uni6ue within the forest. F. A global catalog ser%er is a%ailable to match the U5, to the correct domain account. Iou can use one U5, suffiB for all users in the forest. Incorrect 1ns/ers& 1, <& .reating a new domain tree or forest and recreating the user accounts for all of the users in the acme.com domain would re6uire eBcessi%e administrati%e effort. C& .reating new user accounts for all of the users in the acme.com domain would re6uire eBcessi%e administrati%e effort. Using the U5, logon feature would re6uire less administrati%e effort. Reference& M$ !hite 5aper, Designing an Authentication $trateg Michael .ross, Qeffer A. Martin, Todd A. !alls, Martin Crasdal, Debra 4ittle)ohn

$hinder L Dr. Thomas !. $hinder, M.$39 3Bam G"22=-9 5lanning, &mplementing, and Maintaining a !indows $er%er 2""3 Acti%e Director &nfrastructure $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, MA, 2""3, pp. =F2; %*+,TION NO& ' .ou are the net/or$ administrator for TestKing Ltd0 The net/or$ consists of a single 4indo/s '556 1cti2e 3irectory domain named TestKing0internal0 The net/or$ includes '5 ser2ers running 4indo/s '556 ,er2er and D55 client computers running 4indo/s '555 Professional0 1ll ser2ers elong to the default computer container0 1ll client computers elong to an organi!ation unit ?O*@ named Clients0 1ll domain controllers elong to the default domain controller O*0 Name resolution and IP addressing are controlled y 3N,, 4IN,, and 39CP0 .ou need to ensure that the 3N, suffi; in the system properties of each client computer is set to TestKing0com0 4hat should you do: A. .reate a new Croup 5olic ob)ect and lin/ it to .lients. $et the configuration of the primar D,$ suffiB to Test@ing.com. 1. Modif the default domain polic . $et the configuration of the primar D,$ suffiB to Test@ing.com. .. &n the DA.5 scope options, define the D,$ domain name as Test@ing.internal. D. &n the DA.5 scope options, define the ,&$ domain name as Test@ing.internal. 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1G" 2 1ns/er& 1 +;planation& 4e need to ensure that the 3N, suffi; in the system properties of each client computer is set to TestKing0com0 The client computers are located in an organi!ation unit ?O*@ named Clients0 The easiest /ay to achie2e this is to configure a >PO to set the configuration of the primary 3N, suffi; to TestKing0com and lin$ the >PO to the Clients O*0 Incorrect 1ns/ers& <& The setting should appl to the clients onl . 4in/ing the C5' to the domain will appl the settings to all computers in the domain *including ser%ers and domain controllers+. C& The 6uestion doesnKt sa that the ser%ers ha%e static &5 addresses. 
&f the are configured to use DA.5, then we canKt use DA.5 to appl the D,$ suffiB setting because it will appl the settings to all computers in the domain *including ser%ers and domain controllers+. 3& An ,&$ domain is a UniBH4inuB domain. !e ha%e a !indows domain. Reference9 Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. 1"2to 1"2G 5art 29 Monitor Acti%e Director replication failures. Tools might include Replication Monitor, 3%ent ?iewer, and support tools. A9 Monitor Acti%e Director replication. *1 6uestion+ %*+,TION NO& .ou are the net/or$ administrator for TestKing0com0 The net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com0 1ll ser2ers run 4indo/s ,er2er '5560 1ll client computers run 4indo/s GP Professional0 TestKing has one office in 9ong Kong and another office in <eiCing0 +ach office is configured as an 1cti2e 3irectory site0 +ach site contains t/o domain controllers0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1G1 2 The net/or$ is configured to display a legal notice on the computer screens of all users efore they log on to their client computers0 1t the reBuest of the legal department, you ma$e changes to the /ording of the notice y changing the settings in a >roup Policy o Cect ?>PO@0 The >PO is lin$ed to the domain0 The legal department reports that not all users are recei2ing the ne/ notice0 .ou disco2er that users in the <eiCing office recei2e the ne/ notice, ut users in the 9ong Kong office recei2e the old notice0 The pro lem continues for se2eral days0 .ou need to ensure that the ne/ notice appears correctly on all computers in the net/or$0 4hat should you do: A. .reate a new securit group that contains the computer accounts for all computers in the Aong @ong site. Crant permissions to this securit group to read and appl the C5'. 1. 
Temporaril assign one of the domain controllers in the Aong @ong site to the 1ei)ing site. !ait 2- hours, and then reassign the domain controller to the Aong @ong site.

.. (orce replication of Acti%e Director between the two sites. D. 4og on to one of the domain controllers in the Aong @ong site, and sei0e the infrastructure master role. 1ns/er& C +;planation& It loo$s li$e the >PO settings ha2e not een replicated to the 9ong Kong office as they are still recei2ing the old notice0 4e can manually force replication et/een the t/o sites to ensure that the 9ong Kong office recei2es the ne/ >PO settings0 Incorrect 1ns/ers& 1& The Aong @ong users still recei%e the old legal notice. Therefore, this is not a permissions problem on the group polic ob)ect. <& This is unnecessar an impractical. 3& This has nothing to do with the replication of the C5'. Reference9 Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. 1221 to 122-, F23 to F2=, F22F to F23G 4eading the wa in &T testing and certification tools, www.test/ing.com 2 1G2 2 19 Monitor (ile Replication ser%ice *(R$+ replication. *" 6uestions+ 5art 39 Restore Acti%e Director director ser%ices. A9 5erform an authoritati%e restore operation. *; 6uestions+ %*+,TION NO& .ou are a net/or$ administrator for TestKing0 The net/or$ consists of single 1cti2e 3irectory forest that contains t/o domains and four sites0 1ll ser2ers run 4indo/s ,er2er '5560 .ou are responsi le for administering domain controllers in one site0 .our site contains four domain controllers0 The hard dis$ that contains the 1cti2e 3irectory data ase fails on a domain controller named T+,TKIN>'0 .ou replace the failed dis$0 .ou need to reco2er T+,TKIN>'0 .ou need to achie2e this goal /ithout affecting e;isting 1cti2e 3irectory data0 4hat should you do: A. 5erform a nonauthoritati%e restoration of the Acti%e Director database. 1. 5erform an authoritati%e restoration of the Acti%e Director database. .. Use the ,tdsutil utilit to run the semantic database anal sis command. D. 
Use the Ntdsutil utility to run the restore subtree command.
Answer: A
Explanation: The nonauthoritative restore is also called the normal restore method. This method should be selected when you have more than one domain controller on the network and you do not need to roll back changes that have been made to Active Directory. In this method, when replication takes place between the restored domain controller and other domain controllers on the network, the restored domain controller receives updates from its replication partners. You have four domain controllers in your site. You can simply perform a non-authoritative restore of the Active Directory database. Any changes to the Active Directory database since the data was backed up will be replicated from another domain controller.
Incorrect Answers:
B: This is not necessary. This will overwrite the Active Directory database on the other domain controllers. The other domain controllers will have the most recent copies of the Active Directory database. These changes can be replicated to the failed machine.
C: You can use this process to generate reports on the number of records present in the Active Directory database, including deleted and phantom records. It is not used to restore the Active Directory database.
D: We need to restore the entire Active Directory database, not just a subtree of it.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
16: 28

QUESTION NO: 2
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Password resets are performed on user accounts on all servers regularly throughout each day. The Windows Server 2003 computers named TestKingA, TestKingB, and TestKingC are configured as shown in the following table. One Wednesday morning, another network administrator in Boston connects to TestKingC and deletes an organizational unit (OU) named BostonUsers. The change replicates to all sites in the forest.

Users in Boston report that they can no longer log on to the network. You need to provide the users in Boston with the ability to log on to the network as soon as possible. You must also ensure that there is minimal disruption to the users in Toronto and San Francisco. What should you do?
A. Restore the BostonUsers OU on TestKingA from backup. Use the Ntdsutil utility to mark the BostonUsers OU as authoritative. Allow replication to take place.
B. Restore the BostonUsers OU on TestKingB from backup. Allow replication to take place.
C. Restore the Ntdsutil utility to connect to TestKingA. Use the metadata cleanup command to remove TestKingC from Active Directory. Force replication.
D. Use the Ntdsutil utility on TestKingC to mark the domain context as authoritative. Force replication.
Answer: A
Explanation: We need to restore the BostonUsers OU. We should restore it on TestKingA because that domain controller has a more recent backup. We need to mark the BostonUsers OU as authoritative so that it gets replicated to the other domain controllers. If we didn't mark the BostonUsers OU as authoritative, it would get deleted again at the next AD replication.
Incorrect Answers:
B: We need to mark the BostonUsers OU as authoritative so that it gets replicated to the other domain controllers. If we didn't mark the BostonUsers OU as authoritative, it would get deleted again at the next AD replication.
C: We need to restore the BostonUsers OU. This won't restore the OU.
D: We need to restore the BostonUsers OU. This won't restore the OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
2-49 to 2-51

QUESTION NO: 3
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain name is testking.com. The network contains three Windows Server 2003 domain controllers. You are creating the recovery plan for the company. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller. Your recovery plan must incorporate the following organization requirements:
1. Active Directory objects that are accidentally or maliciously deleted must be recoverable.
2. Active Directory must be restored to its most recent state as quickly as possible.
3. Active Directory database replication must be minimized.
You need to create a plan to restore a deleted organizational unit (OU). Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)
A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use the Ntdsutil to perform an authoritative restore operation of the Active Directory database.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use the Ntdsutil utility to perform an authoritative restore operation of the appropriate subtree.
Answer: A, E
Explanation: If an OU gets deleted from the Active Directory, we can restore it from a backup of the system state data. Directory Services Restore Mode is a sort of safe mode in which we can boot a domain controller without loading the Active Directory. This will enable us to restore all or part of the Active Directory database. To ensure that the deleted OU isn't deleted again by replication from another domain controller, we must use the Ntdsutil utility to mark the restored subtree as authoritative.
Incorrect Answers:
B: To restore part of the Active Directory, we must start a domain controller in Directory Services Restore Mode, not safe mode.

C: of it.
D: This will overwrite the existing Active Directory database.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53

QUESTION NO: 4
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains three Windows Server 2003 domain controllers. You are creating the recovery plan for TestKing. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller. Your recovery plan must incorporate the following organizational requirements:
1. Active Directory objects that are accidentally or maliciously deleted must be recoverable.
2. Active Directory must be restored to its most recent state as quickly as possible.
3. Active Directory database replication must be minimized.
You need to create a plan to restore a deleted organizational unit (OU). Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)
A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use the Ntdsutil utility in Safe Mode.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use the Ntdsutil to perform an authoritative restore operation of the appropriate subtree.
Answer: A, E
Explanation: If an OU gets deleted from the Active Directory, we can restore it from a backup of the system state data. Directory Services Restore Mode is a sort of safe mode in which we can boot a domain controller without loading the Active Directory. This will enable us to restore all or part of the Active Directory database. To ensure that the deleted OU isn't deleted again by replication from another domain controller, we must use the Ntdsutil utility to mark the restored subtree as authoritative.
Incorrect Answers:
B: To restore part of the Active Directory, we must start a domain controller in Directory Services Restore Mode, not safe mode.
C: of it.
D: This will overwrite the existing Active Directory database.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53

QUESTION NO: 5
You are a network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A help desk user reports that a user object was accidentally deleted and the user can no longer log on to the domain and access resources. You confirm that the user object was included in the most recent backup. You need to enable the user to log on to the domain. You must ensure that the user retains access to resources. What should you do?
A. Install a new domain controller. Install Active Directory from media by using the most recent backup. Manually initiate replication.
B. Decrease the garbage collection interval. Perform a nonauthoritative restoration of Active Directory by using the most recent backup.

C. Perform a nonauthoritative restoration of Active Directory by using the most recent backup. Authoritatively restore the user object that was deleted.
D. Re-create a user object that has the same user principal name (UPN) as the user object that was deleted. Authoritatively restore this user object.
Answer: C
Explanation: If you inadvertently delete or modify objects stored in the Active Directory directory service, and those objects are replicated or distributed to other servers, you will need to authoritatively restore those objects so they are replicated or distributed to the other servers. If you do not authoritatively restore the objects, they will never get replicated or distributed to your other servers because they will appear to be older than the objects currently on your other servers. Using the Ntdsutil utility to mark objects for authoritative restore ensures that the data you want to restore gets replicated or distributed throughout your organization. On the other hand, if your system disk has failed or the Active Directory database is corrupted, then you can simply restore the data nonauthoritatively without using the Ntdsutil utility.
Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
Active Directory service data can be restored using one of three restore methods:
1. Primary restore
2. Normal (nonauthoritative) restore
3. Authoritative restore
In Backup, a type of restore operation performed on an Active Directory domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects.
We need to restore the Active Directory database non-authoritatively, and then from the restored copy of the database, we need to authoritatively restore the user object.
Incorrect Answers:
A: It isn't necessary to install a new domain controller.
B: We need to authoritatively restore the user object, otherwise AD replication will delete the user object again.
D: Creating a new user account won't work because the new user account will have a different SID from the deleted account.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 16: 28

QUESTION NO: 6
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Eric works in the sales department. User objects for sales users are stored in an organizational unit (OU) named Sales. When Eric is transferred to another department, you delete Eric's user account. Several weeks later, Eric is transferred back to the sales department. You create a new user account in the Sales OU and grant the account access to sales resources. When Eric attempts to open any of the 1,000 files that he created before he was transferred, he receives the following error message: "Access Denied". He reports that he receives this error message for all 1,000 files in 150 different locations. You need to provide Eric with access to files that he created both before his first transfer and after his return to the sales department. You must accomplish this task without affecting other users on the network. What should you do?
A. Move Eric's existing account to a new OU. Nonauthoritatively restore the OU that contained Eric's previous account.
B. Nonauthoritatively restore Eric's old account. Force Active Directory replication to occur.
C.
Authoritatively restore Eric's old account. Force Active Directory replication to occur.
D. Rename Eric's existing account. Authoritatively restore Eric's old account.
Answer: D
Explanation:

Although we have created another account named Eric, Eric will not be able to access any of his files. This is because the new 'Eric' account has a different Security Identifier (SID) to the previous account. It is therefore considered to be a different account. We could set permissions on the new account, but this would take a long time. It would be easier to restore a copy of Eric's old account from backup. To avoid having two accounts with the same name, we should rename the existing account before restoring the previous account.
Incorrect Answers:
A: We don't need to restore an entire OU. We can restore just Eric's previous account.
B: We need an authoritative restore. Otherwise, the restored account would be deleted again at the next Active Directory replication.
C: To avoid having two accounts with the same name, we should rename the existing account before restoring the previous account.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 16: 28-29

B: Perform a nonauthoritative restore operation.
(7 questions)

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The Active Directory database contains 500 MB of information. TestKing has its main office in Moscow and a branch office in Minsk. The two offices are connected by a 56-Kbps WAN connection that is used only for Active Directory replication. The Moscow office has 450 users, and the Minsk office has 15 users. The Minsk office has a single Windows Server 2003 domain controller and two Windows Server 2003 file and print servers. The hard disk containing the operating system on the domain controller in Minsk fails and cannot be recovered. You need to re-establish a domain controller that contains a current copy of Active Directory in the Minsk office. You need to achieve this goal as quickly as possible. What should you do?
A. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Install Active Directory from restored backup files.
B. Install Active Directory on a file and print server. Force replication.
C. Install Active Directory on a file and print server from restored backup files.
D. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Force replication.
Answer: C
Explanation: We need to re-establish a domain controller in the Minsk office as quickly as possible. Therefore, we should install Active Directory from restored backup files. Answer A is the recommended answer, but answer C is quicker. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller. The /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network.
For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link.
Incorrect Answers:
A: This would work but answer C is quicker.
B: We don't want to replicate a 500MB Active Directory database over a 56Kbps WAN link.
D: We don't want to replicate a 500MB Active Directory database over a 56Kbps WAN link.
Reference:

Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27

QUESTION NO: 2
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com with two sites. The Active Directory database is backed up every evening. A network administrator in Site1 deletes an empty organizational unit (OU) named Projects. At about the same time, a network administrator in Site2 moves 20 existing user accounts into the Projects OU. Later, the administrator in Site2 discovers that the Projects OU was deleted from Active Directory. He cannot see the user accounts that he moved into the OU. You need to provide an OU named Projects and add the 20 user accounts to the Projects OU. The users' access to network resources must not be affected by this process. What should you do?
A. Perform an authoritative restore operation of the Projects OU and the user accounts on a domain controller in Site2.
B. Perform a nonauthoritative restore operation of the Projects OU and the user accounts on a domain controller in Site2.
C. Create a new OU named Projects. Create 20 new user accounts that have the same user principal name (UPN) prefix. Move the user accounts into the new Projects OU.
D. Create a new OU named Projects. Move the 20 user accounts from the LostAndFound container to the new Projects OU.
Answer: D
Explanation: You moved the users to an OU that had just been deleted. When you move objects to an object that is no longer there, the objects get moved to the LostAndFound container. This means that we haven't lost the user accounts, so we can just re-create the Projects OU and move the users from the LostAndFound container to the new OU.
Incorrect Answers:
A: The user accounts haven't been deleted, so we don't need to restore them.
B: The user accounts haven't been deleted, so we don't need to restore them.
C: The user accounts haven't been deleted, so we don't need to recreate them. Furthermore, recreating the user accounts in this way will not work to restore the original accounts. The new accounts will be different accounts with different SIDs (Security Identifiers).
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
38-39, 99-101

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains three Windows Server 2003 domain controllers. A domain controller named DC2.testking.com fails because of a hardware failure. You decide not to rebuild the domain controller. However, because several applications refer to DC2.testking.com by its NetBIOS name, you need to provide a new domain controller that has the same name. You install a new Windows Server 2003 computer and name it DC2. You attempt to promote the server to a domain controller in the testking.com domain. The promotion fails and you receive the following error message. You need to install a new domain controller named DC2 in the testking.com domain. What should you do?
A. Use the WINS administrative console to remove all WINS records for DC2.testking.com
B. Use the Ntdsutil utility to remove the metadata associated with the DC2.testking.com domain controller object from Active Directory.
C. Use Active Directory Users and Computers to remove the DC2.testking.com domain controller computer account for the testking.com domain.
D. Use the DNS administrative console to remove all DNS records that refer to

DC2.testking.com
Answer: B
Explanation: When DC2 failed, metadata associated with the DC2 remained in Active Directory. This metadata is indicating that DC2 already exists. We must remove this metadata by using the Ntdsutil tool with the cleanup command. It removes the defunct domain controller's identification and information from the directory.
Incorrect Answers:
A, D: This is not a name resolution problem. When DC2 failed, metadata associated with the DC2 remained in Active Directory.
C: Objects deleted from Active Directory remain there until the tombstonelifetime attribute has expired. This is 60 days by default.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-51

QUESTION NO: 4
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKing's written security policy requires that all administrative passwords be changed every 30 days. You configure the domain security policy to enforce the written security policy. A security audit reveals that the password used to log on to domain controllers in Directory Services Restore mode is 10 months old. You need to ensure that all passwords are changed in accordance with the written security policy. You must accomplish this task without causing disruption to user access. What should you do?
A. Restart each domain controller in Directory Services Restore Mode. Use Computer Management to reset the password for the Administrator account.
B. Use the Ntdsutil utility to reset the password on each domain controller for Directory Services Restore Mode.
C. Configure the Domain Controller Security Policy to enforce the written security policy.
D. Reset the Administrator password by using Active Directory Users and Computers.
Answer: B
Explanation: In Windows Server 2003, you can use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password.
Incorrect Answers:
A: Restarting the domain controllers will cause a disruption in user access.
C: The Domain Controller Security Policy is enforced when the domain controller is booted and can be refreshed at set intervals. However, the Directory Service Restore Mode Administrator password is a user account setting, not a computer account setting and should be enforced when the user logs on.
D: Directory Service Restore Mode Administrator password cannot be set in Active Directory Users and Computers.
References:
MS Knowledgebase Article 322672: How to reset the Directory Service Restore Mode Administrator Account Password in Windows Server 2003.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53

QUESTION NO: 5
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2003. All domain controllers are fully backed up every Friday evening at 5:00 P.M. The Directory Services object is configured to have the properties shown in the following table.

| Directory Services object property | Setting |
| --- | --- |
| garbageCollPeriod | 15 hours |
| tombstoneLifetime | 5 days |

On Monday morning, a network administrator deletes several domain user accounts. On Wednesday evening at 5:00 P.M., one of the domain controllers fails. You plan to restore the directory database domain controller from backup. You

need to ensure that Active Directory is not corrupted by the restoration process. What should you do?
A. Increase the garbageCollPeriod setting by 5.
B. Decrease the garbageCollPeriod setting by 5.
C. Increase the tombstoneLifetime setting by 5.
D. Decrease the tombstoneLifetime setting by 5.
Answer: C
Explanation: The "tombstoneLifetime" attribute is the time a deleted object will remain in Active Directory before it is permanently deleted. We can use one of the Active Directory editing tools, such as Adsiedit.msc, Ldp.exe, and ADSI Scripts, to change the "tombstoneLifetime" attribute. We should set the "tombstoneLifetime" attribute to be older than the backup used to restore the Active Directory.
Incorrect Answers:
A, B: The garbageCollPeriod is the interval by which deleted objects whose tombstone lifetime has expired are removed from Active Directory. This does not affect the restoration process.
D: We should set the "tombstoneLifetime" attribute to be older than the backup used to restore the Active Directory.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
14: 39-40
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q216/9/93.ASP&

QUESTION NO: 6 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain is shown in the exhibit. Replication is scheduled to take place once per day. Each server is fully backed up daily. You connect to Testking1 and create seven logon scripts in the Default Domain Policy Group Policy object (GPO). Three days later, an administrator in Tel Aviv inadvertently corrupts the scripts on Testking3. Ten minutes later, you successfully make changes to one of the logon scripts on Testking1. You need to make the latest version of the logon scripts available to users in Tel Aviv as soon as possible. What should you do? To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all required actions in the correct order. You might not need to use all numbered boxes.
Answer:
Explanation: You want to get TestKing3 back up to the most current script versions that are stored in Active Directory. Restoring the SYSVOL restores the scripts to the good versions that were backed up in the previous backup. After rebooting, changes in Active Directory since the last backup will be replicated to this server's Active Directory.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
2-40 to 2-41

QUESTION NO: 7 DRAG DROP
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com that contains two Windows Server 2003 domain controllers named TestKing1 and TestKing2. TestKing1 runs DNS for the domain. Backups of the system state are performed each night on each domain controller. A power surge damages both domain controllers. You replace the domain controllers with two new computers and retrieve the latest backup tapes.

You need to restore the Active Directory domain by using the backup tapes. You want to restore name resolution services first. What should you do? To answer, drag the action that you should perform first to the First Action box for each server. Continue dragging actions to the corresponding numbered boxes until you list all three required actions to restore TestKing1 and all three required actions to restore TestKing2.
Answer:
Explanation: Both domain controllers need to be restored. The first thing to do on each new server is to install Windows Server 2003. To restore the System State data on a domain controller, you must first start your computer in a special startup option called Directory Services Restore Mode. This will allow you to restore the SYSVOL directory and Active Directory service database. To access Directory Services Restore Mode, press F8 during startup and select it from the list of startup options. On the first domain controller, we can do a primary restore of the System State data as this will be the first domain controller on the network. On the second domain controller, we can do a non-authoritative restore of the system state data. This way, any changes to the Active Directory on the first server will be replicated to the second server.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 16: 28
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/

Part 4: Troubleshoot Active Directory.
A: Diagnose and resolve issues related to Active Directory replication.
(7 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. TestKing consists of a single Active Directory domain named testking.com. TestKing has a main office and a branch office. The domain contains four domain controllers. Two domain controllers are located in the main office, and two domain controllers are located in the branch office. You create a Group Policy object (GPO) named WPSoft and link it to the domain. You configure WPSoft to assign a word processing application to the User Configuration section of the GPO. Users in the branch office report that the application is not available to use. Users in the main office report that they can use the application. You need to ensure that the users at the branch office receive the word processing application. What should you do?
A. Synchronize the Netlogon shared folder on both domain controllers in the branch office.
B. Force replication between the domain controllers in the main office and the branch office.
C. Run the gpresult command on the client computers in the branch office.
D. Run the gpotool command on a client computer in the branch office.
Answer: B
Explanation: We have created a GPO and linked it to the domain. The domain controllers will receive the new group policy at the next replication interval. Alternatively, we can force replication between the domain controllers in the main office and the branch office by running the gpupdate /force command.
Incorrect Answers:
A: We need to initiate AD replication between the main office and the branch office.
C: The Gpresult command-line tool allows you to create and display an RSoP query, which can be used to analyze the cumulative effects of GPOs, through the command line. It also provides general information about the operating system, user, and computer. This will have no effect as the domain controllers in the branch office haven't received the new GPO yet.
3& This will ha%e no effect as the domain controllers in the branch office ha%enKt recei%ed the new C5' et.

Reference:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-4 to 10-21, 11-4, 11-6, 11-19 to 11-22, 19-3

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with two sites. The two sites are named Testking1 and Testking2. All servers run Windows Server 2003. TestKing has two offices, and each office is configured as one of the sites. A 256-Kbps leased line connects the two offices. In addition, a site link connects the two sites. The site link is configured to replicate during off-peak hours. There are domain controllers in both sites. Testking1 contains all of the operations master role holders. You plan to create Group Policy objects (GPO) for each site. Some GPOs will be used to resolve potential support issues for a specific site, and you need to minimize any delay in the propagation of GPOs. You need to ensure that GPOs are applied to users in the appropriate site with minimal delay. What should you do?

A. Configure the Group Policy Object Editor and Active Directory Users and Computers snap-ins to connect to the infrastructure master.
B. Configure the Group Policy and Active Directory snap-ins to connect to a domain controller in the site where the GPO must be applied.
C. Create a remote procedure call (RPC) connection object between the two sites.
D. Create a GPO that disables Group Policy slow link detection. Link the GPO to both sites.
Answer: B

Explanation:
Creating the GPO on a domain controller in a particular site will apply the GPO much quicker than if the GPO were created on a domain controller in a different site across a site link. This is because no replication will need to occur for the settings to take effect.

Incorrect Answers:
A: We need to apply the GPOs to the domain controllers in the site where the GPO is required, not the infrastructure master.
C, D: We need to apply the GPO with minimal delay. The quickest way to apply the GPO is to apply it to the domain controller in the site where the GPO is required. This can be done by configuring the Group Policy and Active Directory snap-in to connect to a domain controller in the site where the GPO must be applied.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-31 to 10-48

QUESTION NO: 3
You are the administrator of the Testking company network. Testking has a main office and two branch offices. The branch offices are named Branch1 and Branch2. Each office is configured as an Active Directory site in the testking.com domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional. The two branch offices are connected to the main office by 256Kbps WAN links. A Group Policy object (GPO) linked to the domain is configured to display a message when users log on to their computers. You change the wording of the message to comply with new company guidelines. Users in the main office and Branch1 receive the new logon message. However, users in Branch2 still receive the old logon message. You need to ensure that the new logon message appears correctly on all computers in the network. What should you do?

A. In Active Directory Users and Computers, create a new global security group that contains the computer accounts for all computers in Branch2. Grant permissions to this security group to read and apply the GPO.
B. Create a new Group Policy Object (GPO) linked to the Branch2 site to display the new logon message.
C. Force replication of Active Directory between the main office and Branch2.
D. Log on to one of the client computers in Branch2 and run the gpupdate command.

Answer: C

Explanation:
It appears that the GPO settings haven't been replicated to Branch2 as they are still receiving the old notice. We need to force replication between the two sites to ensure that Branch2 receives the new GPO settings.

Incorrect Answers:
A: The Branch2 users still receive the old logon message. Therefore, this is not a permissions problem on the group policy object.
B: This is unnecessary.
D: This would refresh the GPO from a Branch2 domain controller. We need to force replication to ensure that the Branch2 domain controllers have the latest GPO.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-4 to 5-9, 5-25

QUESTION NO: 4
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain and two Active Directory sites. The sites are named Testking1 and Testking2. Each site contains two Windows Server 2003 domain controllers. All client computers on the network run Windows XP Professional. Administrators in Testking1 manage all user and group administration on the network. One of the executives located in the office at Testking2 requires access to a network shared folder named ExecutiveData. This folder is located on a Windows Server 2003 member server at Testking2. An administrator in Testking1 adds the executive to an Active Directory global group that has access to the ExecutiveData shared folder. The executive restarts her computer and logs back on to the domain. One hour later, the executive still cannot access the shared folder. Other users in the same group can access the shared folder. You need to ensure that the executive has immediate access to the ExecutiveData shared folder. What should you do?

A. Modify the NTFS permissions on the ExecutiveData shared folder on the Windows Server 2003 member server.
B. Configure one of the domain controllers in Testking2 as a global catalog server.
C. Use Replication Monitor to force replication between domain controllers in the two sites.
D. Modify the share permissions on the ExecutiveData shared folder to give the user account explicit permissions.

Answer: C

Explanation:
The executive cannot access the folder because replication has not yet occurred. Replication needs to occur between Testking1 and Testking2 before the executive can access the folder.

Incorrect Answers:
A, D: This is not a permissions problem as other users can access the ExecutiveData shared folder.
B: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. However, this is a replication problem.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-4 to 5-8, 5-25 to 5-37

QUESTION NO: 5
You are the network administrator for TestKing, which is located in New York. TestKing owns a company named Lucerne Publishing, which is located in London. The TestKing network consists of a single Active Directory forest that contains two domains. TestKing opens a new office in Cairo. The structure of the Active Directory network after the addition of the Cairo office is shown in the exhibit.

Both site links are configured to be transitive. The site links are configured as shown in the following table.

            NYLondon                      LondonCairo
Cost        200                           100
Interval    30 minutes                    45 minutes
Schedule    11:00 P.M. - 1:00 A.M. UTC    7:00 P.M. - 9:00 P.M. UTC

Users in all three sites report that response times are unacceptably slow when crossing WAN connections to access information in other offices. You discover that replication between servers in NYSite and CairoSite is happening throughout the day. You need to ensure that users' access to remote offices is not slowed as a result of replication traffic. What should you do?

A. Replace the current site links with SMTP-based site links.
B. Create a site link bridge and include both site links.
C. Configure the cost on both site links to be 500.
D. Configure the schedule times to overlap.

Answer: D

Explanation:
Replication is occurring throughout the day. We need to reconfigure the replication schedule to prevent this.

Incorrect Answers:
A: Replacing the links with SMTP-based links won't reduce the replication traffic.
B: A site link bridge won't reduce the replication traffic.
C: Site link costs are used when there are alternative paths between sites. However, there are only single paths in this scenario.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
4-49-4-52, 4-58 to 4-59

QUESTION NO: 6
You are a network administrator for TestKing.com. The network consists of two Active Directory domains with three sites. All servers run Windows Server 2003. TestKing has offices in three cities and each office is configured as a separate site. The network configuration is shown in the exhibit.

The company has 1,750 users in the Paris office, 1,750 users in the Rome office, and 25 users in the Bonn office. Global catalog servers are configured in each site. Automatic site link bridging is disabled. A written company policy requires that no WAN connection exceed 70 percent peak utilization. You examine the WAN connection between the Rome and Paris offices and discover that the utilization reaches 85 percent during Active Directory replication. You need to reduce the WAN traffic associated with the Active Directory replication on the connection between the Rome and Paris offices. You need to ensure that users in the Rome office can log on to the domain if a WAN connection fails. What should you do?

A. Decrease the replication interval on the site link connecting the Paris and Rome sites.
B. Remove the global catalog server from the Rome office. Enable universal group membership caching in the Rome site.
C. Enable slow link detection in the Default Domain Policy Group Policy object (GPO) in the rome.testking.com domain.
D. Configure a site link bridge between the site link that connects the Rome and Paris sites and the site link that connects the Paris and Bonn sites.

Answer: B

Explanation:
The Global Catalog (GC) contains a full replica of all Active Directory objects in its host domain plus a partial replica of all directory objects in every domain in the forest. A GC contains information about all objects in all domains in the forest, so finding information in the directory does not require unnecessary queries across domains. A single query to the GC produces the information about where the object can be found. It provides information about objects that are located in other domains in the forest. Universal group membership caching allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. This ability allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable. The cache is refreshed periodically as determined in the replication schedule.

Explanation:
A: Reducing the replication interval will reduce the amount of data that must be replicated at a time.
C, D: Enabling slow link detection or configuring a site link bridge will not reduce the amount of data that must be replicated at a time.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
5-25 to 5-35, 5-59 to 5-68

QUESTION NO: 7
You are a network administrator for TestKing, which has five regional offices and 3,000 branch offices. Each branch office contains 10 users. Branch offices are connected to the nearest regional office by a 56-Kbps WAN connection. The network consists of a single Active Directory forest that contains one domain for each regional office. All servers run Windows Server 2003. Each branch office contains one domain controller that is configured as an additional domain controller in the regional domain for the branch office. The site link between each branch office and the corresponding regional domain is configured to replicate every 30 minutes. Users in the branch office report that applications respond slowly when they access resources in the corresponding regional office. You monitor the WAN connection that connects several of the branch offices and discover that utilization increases from 30 percent to more than 80 percent on a regular basis. You need to improve the response time of applications when they access resources in the regional office. You need to ensure that users can log on without using cached credentials if the WAN connection fails. What should you do?

A. Remove Active Directory from the file and print server in each branch office. On the site link between each branch office and the corresponding regional office, increase the replication interval.
B. Enable universal group membership caching in each branch office. Configure the site link between each branch office and the corresponding regional office to be available only during off-peak hours.
C. Configure the domain controller in each branch office as a global catalog server.
D. On the site link between each branch office and the corresponding regional office, decrease the replication interval.
Answer: D

Explanation:
Response times for that application are slow because replication traffic is too much. Decreasing the replication schedule will reduce the amount of replication traffic by allowing amounts of changes to be replicated.

Incorrect Answers:
A: Increasing the replication interval will increase the amount of changes that must be replicated at a time. This might increase replication traffic.
B: We don't want to use cached credentials.
C: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not control replication.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to 5-8

Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 449-452, 458, 458-459

B: Diagnose and resolve issues related to operations master role failure.
(1 question)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network contains three Windows Server 2003 domain controllers named ServerTK1, ServerTK2 and ServerTK3. ServerTK1 holds the schema master role and the domain naming master role. ServerTK2 holds the relative ID (RID) master role. ServerTK3 holds the PDC emulator master role and the infrastructure master role. ServerTK2 fails and cannot be restarted. You log on to ServerTK3 as the administrator and seize the RID master role. Later, ServerTK2 is repaired and can be brought back online. You want ServerTK2 to hold the RID master role again. What should you do?

A. Restart ServerTK2 while it is connected to the network. Use the Ntdsutil utility and seize the RID master role. Reconnect ServerTK2 to the network.
B. Restart ServerTK2 while it is disconnected from the network. Use the Ntdsutil and seize the RID master role. Reconnect ServerTK2 to the network.
C. Reinstall Windows Server 2003 on ServerTK2. Restore the system state from the most recent backup to ServerTK2. Reconnect ServerTK2 to the network.
D. Reinstall Windows Server 2003 on ServerTK2. Promote ServerTK2 to become a domain controller. Transfer the RID master role to ServerTK2.

Answer: D

Explanation:
A domain controller whose RID master role has been seized can only be brought back online by reinstalling Windows Server 2003.

Incorrect Answers:
A: ServerTK2 was the RID master before it failed. That role was seized to ServerTK3. If we restart ServerTK2, there will be two RID masters. Furthermore, we can only seize a role if the domain controller that holds that role fails.
B: We cannot seize the RID master role if ServerTK2 is not connected to the network. Furthermore, we can only seize a role if the domain controller that holds that role fails.
C: ServerTK2 was the RID master before it failed. That role was seized to ServerTK3. However, if we bring ServerTK2 back online, there will be two RID masters.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 517-522
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-28, 4-29

C: Diagnose and resolve issues related to the Active Directory database.
(3 questions)

QUESTION NO:
You are a network administrator for Acme. Acme consists of two subsidiaries named Litware Inc., and TestKing GmbH. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a forest root domain named litwareinc.com and an additional domain tree named testking.com, which contains two child domains. All domain controllers run Windows Server 2003. The Directory Services object is configured with the default property settings. The forest contains 250,000 objects that are changed frequently. You need to be able to restore objects in one of the child domains in the testking.com domain tree from a three-month-old backup. You need to make a change to a Directory Services property on a domain controller in one of the domains in order to achieve this goal. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Run the netdom command on a domain controller in testking.com.
B. Use the Ntdsutil utility on a domain controller in litwareinc.com.
C. Use the ADSIEdit utility on a domain controller in testking.com.
D. Run the ldp command on a domain controller in litwareinc.com.

Answer: C, D

Explanation:
We need to edit a property of Active Directory. We can use a low-level editor, such as AdsiEdit and ldp, to do this. AdsiEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for the Active Directory service. It provides a means to add, delete, and move objects within the Directory Services. The attributes of each object can be viewed, changed, and deleted. The ldp is a graphical tool that allows users to perform Lightweight Directory Access Protocol (LDAP) operations, such as connect, bind, search, modify, add, and delete, against any LDAP-compatible directory, such as Active Directory. LDAP is an Internet-standard wire protocol used by Active Directory.

Incorrect Answers:
A: Netdom.exe is a command-line tool to manage Windows Server 2003 domains and trust relationships.
B: The Ntdsutil command-line utility performs database maintenance and clean up. However, it does not allow you to add, move, or delete objects.

Reference:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q216/9/93.ASP&
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
3-11, 4-21

QUESTION NO: 2
You are the network administrator for Acme. Acme consists of two subsidiaries named TestKing and TestKing.com. The network consists of a single Active Directory forest that contains three domains. The domain and site configuration is shown in the exhibit.

A computer named DC1.spain.testking.com is a domain controller in the spain.testking.com domain. DC1.spain.testking.com is also a global catalog server and the preferred bridgehead server for SpainSite. The Active Directory database on DC1.spain.testking.com contains 1 GB of data. The Spain departments in TestKing are implementing an Active Directory-enabled application. You expect the size of the database on DC1.spain.testking.com to increase by 200 MB. Active Directory stops responding on DC1.spain.testking.com. You discover that the hard disk has less than 5 MB of space remaining. You need to configure DC1.spain.testking.com so that Active Directory can restart. You also need to configure the server so that additional space is available on the hard disk for the additional data that will be added to the Active Directory database. What should you do?

A. Delete all log files that are located in the NTDS folder.
B. Install another hard disk in DC1.spain.testking.com. Use the Ntdsutil utility to move the database to the new hard disk.
C. Install another hard disk in DC1.spain.testking.com. Use the Ntdsutil utility to move the transaction logs to the new hard disk.
D. Configure another server in the site to operate as a preferred bridgehead server. Configure DC1.spain.testking.com so that it no longer operates as a preferred bridgehead server.
Answer: B

Explanation:
Moving the Active Directory database to a new hard drive will ensure that there is adequate hard drive space for the additional data that will be added to the Active Directory database. You can do this by using the Ntdsutil tool with the files switch to move the Active Directory database to the new hard drive. The Ntdsutil tool provides management facilities for Active Directory. You can use Ntdsutil to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. When used with the files switch, Ntdsutil provides commands for managing the directory service database and log files. To perform this operation you will need to restart the Domain Controller in Directory Services Restore Mode. This operation cannot be performed in normal mode because the database and log are in use in normal mode.

Incorrect Answers:
A: Log files are important for recovery purposes. You should only delete the log files once a backup of the database has been performed. Furthermore, the log files might not take up the required 250 MB that you must make provision for.
C: You could use the Ntdsutil tool with the files switch to move the log files to the new hard drive. The log files might not take up the required 250 MB that you must make provision for. This is therefore not the best answer.
D: The location of the bridgehead server does not affect the size of the Active Directory database.

Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 10, Active Directory Maintenance.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 707-711

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The Active Directory database is contained on a Windows Server 2003 domain controller named Testking1. The hard disk that contains the Active Directory database fails. You restart Testking1 in Directory Services Restore Mode. When prompted to log on, you type administrator@sales.testking.com as your user name and enter your domain password. Your logon attempt fails. You need to log on to DC1 to complete the restore operation. What should you do?

A. Type sales\administrator as your user name and enter your domain password.
B. Type administrator as your user name and enter the password that was associated with the local administrator account before you installed Active Directory.
C. Type administrator as your user name and enter your domain password.
D. Type administrator as your user name and enter the password that you supplied during the installation of Active Directory.

Answer: D

Explanation:
Because you must always log on to a Windows Server 2003 computer before you can use the operating system, a small version of a local directory service database (called a SAM database) remains on the computer after it has been promoted to a DC. This database has a single account, the local administrator account. Thus you need to use administrator as the user name and enter the password that was supplied during the Active Directory installation to be able to complete the restoration.

Incorrect Answers:
A: This is not the local administrator account and furthermore, the question already mentioned that the domain password does not allow you to log on when restarting in the Directory Services Restore Mode.
B: You should make use of the password that was supplied during the Active Directory installation and not the password of before the installation.
C: Entering the domain password will not allow you to complete the restoration process. The question does mention that the domain password does not allow you to log on when restarting in the Directory Services Restore Mode.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 11, pp.
720, 731-741

Topic 3, Planning and Implementing User, Computer, and Group Strategies (23 Questions)
Part 1: Plan a distribution group strategy. (1 question)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The forest consists of 18 Active Directory domains. Fifteen of the domains contain Windows Server 2003 domain controllers. The functional level of all the domains is Windows 2000 native. The network consists of a single Microsoft Exchange 2000 Server organization. You need to create groups that can be used only to send e-mail messages to user accounts throughout TestKing. You want to achieve this goal by using the minimum amount of replication traffic and minimizing the size of the Active Directory database. You need to create a plan for creating e-mail groups for TestKing. What should you do?

A. Create global distribution groups in each domain. Make the appropriate users from each domain members of the global distribution group in the same domain. Create universal distribution groups. Make the global distribution groups in each domain members of the universal distribution groups.
B. Create global security groups in each domain. Make the appropriate users from each domain members of the security group in the same domain. Create universal security groups. Make the global security groups in each domain members of the universal security groups.
C. Create universal distribution groups. Make the appropriate users from each domain members of a universal distribution group.
D. Create universal security groups. Make the appropriate users from each domain members of a universal security group.
1ns/er& 1 +;planation& 4e can minimi!e replication traffic y placing the users into >lo al groups, and then place the >lo al groups into *ni2ersal groups0 In 1cti2e 3irectory, a *ni2ersal group lists all its mem ers0 If the *ni2ersal group contained user accounts, and a user account /as added or remo2ed, then the *ni2ersal group information /ould e replicated throughout the forest0 This is /hy placing user accounts directly into *ni2ersal groups are not recommended0 In addition, /e need to use 3istri ution groups for email groups0 Incorrect 1ns/ers& <& !e to use Distribution groups for email groups, not securit groups. C& !e should not place user accounts directl in Uni%ersal groups as we want to reduce replication traffic. 3& 4eading the wa in &T testing and certification tools, www.test/ing.com 2 213 2 !e should not place user accounts directl in Uni%ersal groups as we want to reduce replication traffic. (urthermore, we to use Distribution groups for email groups, not securit groups. Reference9 Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, p. >9 $chema classes and attributes, M$ wor/shop 22"= 5art 29 5lan a securit group strateg .*; 6uestions+ %*+,TION NO& .ou are the net/or$ administrator for TestKing0com0 The net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com0 The domain contains 4indo/s ,er2er '556 print ser2ers and printer o Cects0 1 group named Printer,upport needs to e a le to manage the printers and print Bueues in the domain0 The Printer,upport group also needs to manage the printer o Cects in 1cti2e 3irectory0 The Printer,upport group does not need to perform any other tas$s0 .ou need to grant the Printer,upport group only the permissions that it needs0 4hich action or actions should you ta$e: ?Choose all that apply@ A. Ma/e the 5rinter$upport group a member of the 5rint 'perators group on each print ser%er. 1. 
Ma/e the 5rinter$upport group a member of the Aelp$er%icesCroup on each print ser%er. .. Ma/e the 5rinter$upport group a member of the 5ower Users group on each print ser%er.

D. Make the PrinterSupport group a member of the Server Operators group in the Built-in container.
E. Make the PrinterSupport group a member of the Print Operators group in the Built-in container.
Answer: E
Explanation: The built-in Print Operators group is responsible for managing only the printers and print queues in the domain. We should thus add the PrinterSupport group to the Print Operators group.
Incorrect Answers:
A: The PrinterSupport group is responsible for managing only the printers and print queues in the domain. Therefore they should be granted permissions at the domain level.
B: The HelpServicesGroup allows administrators to set rights common to all support applications. By default, the group has only one member, the account associated with Microsoft support applications, such as Microsoft Remote Assistance. Do not add users to this group, which is managed automatically by the Help And Support service.
C: Making the PrinterSupport group a member of the Power Users group would allow members of the PrinterSupport group full control of the entire domain.
D: The Server Operators group is responsible for managing all servers.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 8: 4-11
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows 2000 native. All servers run Windows Server 2003. TestKing is adding 15 new servers to run a new application. TestKing is also adding an organizational unit (OU) named Application to hold the servers and other resources for the application. The server access team needs to be able to grant various types of access to the servers. The server access team does not need to be able to perform any other tasks on the servers. You need to allow the server access team to grant permissions for application servers without granting the team unnecessary permissions. What should you do?
A. Create a Restricted Groups Group Policy object (GPO) to make the server access team a member of the Power Users group on each application server. Link the GPO to the Application OU.
B. Grant the server access team permission to modify computer objects in the Application OU.
C. Make the server access team a member of the Server Operators group.
D. Create Domain Local security groups that grant the appropriate access to the servers. Grant the server access team permission to modify the membership of the Domain Local security groups.
Answer: D
Explanation: The server access team needs to grant various types of access to the servers therefore we need to place them in a security group. This would need to be a domain local group
Incorrect Answers:
A, C: This would provide them with too much administrative control.
B: The server access team needs to grant access to the servers, they do not need to modify the computer objects for the Application OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10- to 10-12, 10-15 to 10-19, 10-24 to 10-28.

QUESTION NO: 3
You are the network administrator for TestKing.com. The network structure is shown in the exhibit. The functional level of both forests is Windows Server 2003. All three domains are Active Directory domains. Domain3 contains a computer named Server1. A shared folder on Server1 is named Share1. Users in an organizational unit (OU) named Accounts in Domain2 need access to Share1. However, whenever the users in the Accounts OU attempt to connect to Share1, they receive an error message stating that access was denied. You need to ensure that users in the Accounts OU can connect to Share1. What should you do?
A. Create a universal distribution group in Domain2 that includes all users in the Accounts OU. Create a domain local security group in Domain3. Grant access to \\Server1\Share1 to the domain local security group. Make the universal distribution group a member of the domain local security group.
B. Create global security group in Domain2 that includes all users in the Accounts OU. Create a domain local security group in Domain3. Grant access to \\Server1\Share1 to the domain local security group. Make the global security group a member of the domain local security group.
C. Create a shared folder in the Accounts OU for \\Server1\Share1.
D. Create a one-way external trust relationship in which Domain2 trusts Domain3.
Answer: B
Explanations: In this scenario, there is a forest trust between the two forests. The users in the Accounts OU get an access denied error when trying to connect to share1 on the server named server1. This is a simple permissions problem. All we need to do is to assign the appropriate permissions to the accounts users to access share1. The recommended way of assigning permissions is to create a domain local security group and assign the group permissions to the resource, \\server1\share1 in this case. Then we need to group together the accounts users by adding the user accounts to a domain global security group. We then grant the permissions by adding the domain global group to the domain local group.
Incorrect Answers:
A: This would work, but a universal group isn't recommended. We can use a global group in this case, so a universal group isn't necessary.
C: The shared folder is in another domain, so this solution wouldn't work.
D: There is a forest trust between the two forests, so there is no need to create another trust relationship.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 56-58, 402-406, 407

QUESTION NO: 4
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. You add eight servers for a new application. You create an organizational unit (OU) named Application to hold the servers and other resources for the application. Users and groups in the domain will need varied permissions on the application servers. The members of a global group named Server Access Team need to be able to grant access to the servers. The Server Access Team group does not need to be able to perform any other tasks on the servers. You need to allow the Server Access Team group to grant permissions for the application servers without granting the Server Access Team group unnecessary permissions. What should you do?
A. Create a Group Policy object (GPO) for restricted groups. Configure the GPO to make the Server Access Team group a member of the Power Users group on each application server. Link the GPO to the Application OU.
B. Grant the Server Access Team group permissions to modify computer objects in the Application OU.
C. Move the Server Access Team group object into the Application OU.
D. Create domain local groups that grant access to the application servers. Grant the Server Access Team group permissions to modify the membership of the domain local groups.
Answer: D
Explanation: The simplest way to do this is to create domain local groups with various permissions to the application servers. For example, one group has read access, another group has read and write access and so on. We can then use the Delegation of Control Wizard to grant the right to add or remove members of the groups.
Incorrect Answers:
A: The Power Users group can perform many administrative tasks on the servers. This is more permission than necessary.
B: They don't need to modify the computer objects. This is more permission than necessary.
C: This won't give them the required permissions.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10- to 10-12, 10-15 to 10-19, 10-24 to 10-28

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains named testking.com, child1.testking.com, and child2.testking.com. The functional level of the forest is Windows 2003. Both the child1.testking.com domain and the child2.testking.com domain contain user accounts of users in the accounting department. All accounting users need to access resources in both child domains. You need to ensure that all accounting users can access the appropriate resources. You want to restrict administrators in the child domains to managing the access requirements for user accounts in their domain. You also want to minimize global catalog replication. What should you do?
A. Create a global group named All_Accounting in each child domain. Add all user accounts for accounting users in a domain to the All_Accounting group for that domain. Create a universal group in the testking.com domain. Add both All_Accounting groups to the universal group.
B. Create a global group named All_Accounting in each child domain.
Add all user accounts for accounting users in a domain to the All_Accounting group for that domain. Create a domain local group in the testking.com domain. Add both All_Accounting groups to the domain local group.
C. Create a universal group in the testking.com domain. Add all user accounts for accounting users in both child domains to the universal group.
D. Create a domain local group in the testking.com domain. Add the user accounts for accounting users in both child domains to the domain local group.
Answer: A
Explanation: The recommended practice for group membership is to use domain local groups to control access to resources and use global groups to organize similar groups of users. The global groups can then be applied to the domain local groups as members, allowing those users permissions to those resources. Global groups can be added to universal groups which limits the effect that replication has on a network environment.
Incorrect Answers:
B, D: A domain local group can have members from any domain in the forest but can only be assigned permissions to resources that are local to that domain.
C: You should not place users into universal groups as this doesn't reduce the amount of replication of objects to the Global Catalog. Instead, universal groups should be used to hold global groups with common requirements.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-4 to 4-5
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-21 to 4-23, 4-26 to 4-30
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 134-136

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains five domains. The functional level of the forest is Windows 2000 native. You have not configured any universal groups in the forest. One domain is a child domain named usa.testking.com that contains two domain controllers and 50 client computers. The functional level of the domain is Windows Server 2003. The network includes an Active Directory site named Site1 that contains two domain controllers. Site1 represents a remote clinic, and the location changes every few months. All of the computers in usa.testking.com are located in the remote clinic. The single WAN connection that connects the remote clinic to the main network is often saturated or unavailable. Site1 does not include any global catalog servers. You create several new user accounts on the domain controllers located in Site1. You need to ensure that users in the remote clinic can always quickly and successfully log on to the domain. What should you do?
A. Enable universal group membership caching in Site1.
B. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry on both domain controllers in Site1.
C. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry on all global catalog servers in the forest.
D. Raise the functional level of the forest to Windows Server 2003.
Answer: B
Explanation: When all domain controllers are at least Windows 2000 domain controllers and the domain is switched to Windows 2000 native mode, the usage of universal groups. When processing a logon request for a user in a native-mode domain, a domain controller sends a query to a global catalog server to determine the user's universal group memberships. Since you can explicitly deny a group access to a resource, complete knowledge of a user's group memberships is necessary to enforce access control correctly. If a domain controller of a native-mode domain cannot contact a global catalog server to determine universal group membership when a user wants to log on, the domain controller refuses the logon request. The following registry key can be set so that the domain controller ignores the global catalog server failure when expanding universal groups:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures
The domain controller still tries to connect to the global catalog server, however, and the timeout for that query must expire.
Incorrect Answers:
A: Universal group membership caching allows the domain controller to cache universal group membership information for users. This eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information. However, new user accounts would not be located on the global catalog until Active Directory replication occurs.
C: The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key must be added to the registry on both domain controllers in Site1, not the global catalog servers.
D: Raising the functional level of the forest to Windows Server 2003 won't solve the problem as Windows 2000 native mode is sufficient.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-45, 5-48 to 5-50
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547, 550-552

Part 3: Plan a user authentication strategy.
A: Plan a smart card authentication strategy. (3 questions)

QUESTION NO:
You are a network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The company has users who work in the main office and users who work remotely by connecting to a server running Routing and Remote Access. The company's written security policy requires that administrators in the main office log on by using smart cards. The written security policy also requires that remote users use smart cards to access network resources. No other users are required to use smart cards. You issue portable computers that contain smart card readers to administrators and remote users. You issue smart cards to administrators and remote users. Administrators and remote users report that they can log on without using a smart card. You need to ensure that only administrators are required to use smart cards when working in the main office. You must also ensure that remote users are required to use smart cards when accessing network resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. In the computer configuration settings of the Default Domain Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.
B. On the server running Routing and Remote Access, select the Extensible authentication protocol (EAP) check box and require smart card authentication.
C. In the properties of each administrator account, select the Smart Card Required for Interactive Logon check box.
D. In the computer configuration settings of the Default Domain Controllers Policy Group Policy object (GPO), enable the Interactive logon: Requires smart card setting.
E. In the properties of each user account that requires remote access, select the Smart Card Required for Interactive Logon check box.
Answer: B, C
Explanation: We can require remote users to log on using smart cards only by configuring the RRAS server that the remote users connect to require smart card authentication. We can configure the administrators' user accounts to require smart cards for interactive logons. This setting is defined in the user properties in Active Directory Users and Computers.
Incorrect Answers:
A: This would require that all users log on using a smart card.
D: This would require that users use a smart card to log on to only the domain controllers. The administrators must use smart cards to log on to any machine in the domain.
E: This would require that the remote users log on using a smart card to any machine. They don't need a smart card logon if they are using a machine in the office.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7-9 to 7-10.
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 655

QUESTION NO: 2
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Most of the client computers are located in the offices of individual users. Some client computers are located in publicly accessible locations. The company's written security policy includes the following requirements.
1. All users must use smart cards to log on to a client computer.
2. Users using the publicly accessible client computers must be logged off if the smart card is removed from the smart card reader.
You configure all user accounts to require smart cards for interactive logon. You create an organizational unit (OU) named Public. You need to ensure that the appropriate result occurs on each client computer when a smart card is removed. You must achieve this goal without affecting other computers. What should you do?
A. Place all computer accounts for the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.
B. Place the user accounts of all users who use the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive logon: Smart card removal behavior setting to Force logoff.
C. On the Default Domain Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force logoff.
D. On the Default Domain Controllers Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force Logoff.
Answer: A
Explanation: us to apply a group policy to the public computers. The question states that users must be logged off if the smart card is removed from the smart card reader. There is a specific setting in group policy for this. We can configure the Interactive Logon: Smart card removal behaviour setting to Force Logoff.
Incorrect Answers:
B: This is a computer setting, not a user setting.
C: This will force logoff all users in the domain. Only users of the public computers should be logged off when they remove their smart cards.
D: This will force logoff all users who log on to a domain controller. Only users of the public computers should be logged off when they remove their smart cards.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10- to 10-12, 10-15 to 10-19, 10-24 to 10-28

QUESTION NO: 3
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs either Windows XP Professional or Windows 2000 Professional. The company requires that all users log on by using smart cards. You deploy Certificate Services and smart card readers. You configure auto-enrollment to issue certificates to users. Users report that they cannot log on by using a smart card. You need to ensure that all users can log on by using a smart card. What should you do?
A. In Active Directory Users and Computers, configure all user accounts to require a smart card for interactive logon.
B. Configure the domain security policy to require smart cards for interactive logon.
C. Use the Certificate Services Web site to enroll each user for a smart card certificate.
D. Add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer.
Answer: C
Explanation: Although the question says "you configure auto-enrollment to issue certificates to users", it doesn't say what types of certificates were auto-enrolled. You can use the Certificate Services Web site to enroll each user for a smart card certificate. The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment station that is integrated with Certificate Services in Windows 2000 Server and Windows 2000 Advanced Server.
Incorrect answers:
A: This is not necessary. With this setting disabled, the users can log on using any method.
B: This is not necessary. With this setting disabled, the users can log on using any method.
D: In a single domain, the Certificate Authority would be trusted by the client computers in the domain. Therefore, it is not necessary to add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 887

B: Create a password policy for domain users. (2 questions)

QUESTION NO:
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain named testking.com. The network includes 20 servers running Windows Server 2003 and 400 client computers running Windows XP Professional. A new written security policy specifies the following account policies:
1. User accounts must be automatically locked out in the event of three consecutive failed logon attempts within a 30-minutes period.
2. Manual administrative action must be required to unlock a user account.
You configure a GPO linked to the domain with the following settings:
1. Account lockout threshold: 3
2. Reset account lockout counter after 30 minutes.
You need to set the Account lockout duration so that manual administrative action must be required to unlock a user account. What setting should you use for the Account lockout duration?
A. 2
B. 3
C. 99
D. 999
E. 0
F. 31
Answer: E
Explanation: The Account lockout duration security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
Incorrect Answers:
A: This will set the account lockout duration to 2 minutes.
B: This will set the account lockout duration to 3 minutes.
C: This will set the account lockout duration to 99 minutes
D: This will set the account lockout duration to 999 minutes
F: This will set the account lockout duration to 31 minutes
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, p. 3-40

QUESTION NO: 2
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. TestKing's written security policy requires the following account policies:
1. User accounts must be automatically locked out in the event of three consecutive failed logon attempts within a 30-minutes period.
2. Manual administrative action must be required to unlock a user account.
You need to configure the account policies for the domain to comply with the security requirements. What should you do? To answer, drag the appropriate account policy setting or settings to the correct location or locations in the work area.
Answer:
Explanation: The Account lockout duration security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
The Account lockout threshold security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.
The Reset account lockout counter after security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, p. 3-40
Microsoft Official Curriculum 1558, Advanced Administration of Microsoft Windows 2000 - Module 7: Advanced Administration of User Accounts and Groups, pp. 6-10.

Part 4: Plan an OU structure.
A: Analyze the administrative requirements for an OU. (0 questions)
B: Analyze the Group Policy requirements for an OU structure. (1 question)

QUESTION NO:
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain consists of the containers shown in the exhibit. All production server computer accounts are located in an organizational unit (OU) named Servers. All production client computer accounts are located in an OU named Desktops. There are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktop OU. The company recently added new requirements to its written security policy. Some of the new requirements apply to all of the computers in the domain, some requirements apply to only servers, and some requirements apply to only client computers. You intend to implement the new requirements by making modifications to the existing GPOs. You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003 computers in order to test the deployment of settings that comply with the new security requirements by using GPOs. You use the Group Policy Management Console (GPMC) to duplicate the existing GPOs for use in testing. You need to decide where to place the test computer accounts in the domain. You want to minimize the amount of administrative effort required to conduct the test while minimizing the impact of the test on production computers. You also want to avoid linking GPOs to multiple containers. What should you do?
A. Place all test computer accounts in the testking.com container.
B. Place all test computer accounts in the Computers container.
C. Place the test client computer accounts in the Desktops OU and the test server computer accounts in the Servers OU.
D. Create a child OU under the Desktops OU for the test client computer accounts. Create a child OU under the Servers OU for the test server computer accounts.
E. Create a new OU named Test under the testking.com container. Create a child OU under the Test OU to test client computer accounts. Create a second child OU under the Test OU to test server computer accounts.
Answer: E
Explanation: To minimize the impact of the test on production computers, we can create a test OU with child OUs for the servers and the client computer accounts. Settings that should apply to the servers and client computers can be applied to the Test OU, and settings that should apply to the servers or the client computers can be applied to the appropriate child OUs.
Incorrect Answers:
A: You cannot place computer accounts directly under the domain container. They must be in an OU or in a built in container such as the Computers container.
B: We need to separate the servers and the client computers into different OUs.

C& This solution would appl the new settings to eBisting production computers. 3& This could wor/ but ou would ha%e more group polic lin/s. (or eBample, the C5' settings that need to appl to the ser%ers and the client computers would need to be lin/ed to both 'Us. &t would easier to lin/ the C5' to a single parent 'U. Reference& Michael .ross, Qeffer A. Martin, Todd A. !alls, Martin Crasdal, Debra 4ittle)ohn $hinder L Dr. Thomas !. $hinder, M.$39 3Bam G"22=-9 5lanning, &mplementing, and Maintaining a !indows $er%er 2""3 Acti%e Director &nfrastructure $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, MA, 2""3, .hapter F, p. -"> 5art F9 &mplement an 'U structure. A9 .reate an 'U.*2 6uestions+ %*+,TION NO& - 3R1> 3ROP 4eading the wa in &T testing and certification tools, www.test/ing.com 2 232 2 .ou are the net/or$ administrator for TestKing0com0 The net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com0 The company contains se2eral departments0 One of these departments is sales0 1 group named ,ales 1dmin is responsi le for administering the sales department0 In addition, the sales department has t/o teams that are responsi le for daily support0 One of these teams supports the sales departmentHs user accounts0 The other team supports the sales departmentHs computers0 +ach department in TestKing has a specific set of >roup Policy o Cects ?>POs@0 The sales department has t/o additional sets of >POs0 One set of >POs is for user accounts0 The other set of >POs is for computers0 .ou need to configure the organi!ational unit ?O*@ structure to support the implementation of >POs and delegation of security for the sales department0 .ou /ant to accomplish this tas$ y using the minimum amount of administrati2e effort0 9o/ should you configure the O* structure: To ans/er, drag the appropriate O* or O*s to the correct location or locations in the /or$ area0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 233 2 1ns/er& 
Explanation: The Sales OU has two additional GPOs: one for User accounts and one for computer. Therefore we need a two level OU structure with the Sales OU as the parent OU and the Accounts OU and Computers OU being child OUs.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 2
You are a member of the Enterprise Admins group in TestKing's Windows 2003 network. The network consists of a single domain named TestKing.com. The Bonn office has its own organizational unit (OU) named Bonn. You hire an employee named Sophie as a LAN administrator for the Bonn office. Sophie needs to create child OUs for the Bonn OU. She also needs to verify the existence of the OUs she creates. You need to grant Sophie the minimum permissions on the Bonn OU so that she can accomplish these tasks. Which permissions should you grant?
A. Read All Properties, Create Organizational Unit Object, Write All Properties.
B. Read All Properties, List Contents, Create Organizational Unit Objects.
C. List Contents, Create All Child Objects.
D. Write All Properties, All Extended Rights.
Answer: B.
Explanation: The minimum permission required to create OUs is the Create Organizational Unit Objects permission. To verify the OUs, she needs the Read and List permissions.
Incorrect Answers:
A: The write permission will allow a user to create or modify an object in the OU.
C: The Create All Child Objects will allow a user to create an object in the OU.
D: The write permission will allow a user to create or modify an object in the OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 9-18 to 9-20, 9-23 to 9-26

B: Delegate permissions for an OU to a user or to a security group. (6 questions)

QUESTION NO: 1 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each department in TestKing has an organizational unit (OU) for all its resources and accounts. TestKing has a desktop support team that provides support to all departments. A separate team creates Group Policy objects (GPOs) for the desktop support staff to use. The GPO creation team is not allowed to link the GPO to any departmental OUs. The desktop support staff is allowed to use the GPOs created by the GPO creation team with departmental OUs. If members of the desktop support staff need a GPO that does not exist, they can request it, but they are not allowed to create any GPOs. You need to ensure that the appropriate teams are granted the appropriate permissions. What should you do? To answer, drag the appropriate action or actions to the correct location or locations in the work area.
Answer:
Explanation: The GPO creation team must not link the GPO to any departmental OU. The desktop support staff must be able to use the GPO but are not allowed to create any GPOs themselves. Thus, the GPO creation team must be members of the Group Policy Creator Owners group, and the desktop support staff must have Allow - Read and Allow - Write permissions to the gPLink and gPOptions attributes of the departmental OUs.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-40 to 10-41

QUESTION NO: 2
You are the network administrator for TestKing.com. TestKing has one main office and 11 branch offices. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named BranchOffices. The BranchOffices OU contains an OU for each of the 11 branch offices. The network administrators who administer the branch offices are members of the BranchOffice Admins global group. You delegate full control of all child objects in the BranchOffices OU to the BranchOffice Admins group. TestKing's written security policy states the following requirements:
1. Members of the BranchOffice Admins group must have the right to modify the assignment of Group Policy objects (GPOs) for the individual branch office OUs.
2. Members of the BranchOffice Admins group must not be able to block the inheritance of GPOs at the individual branch office OUs.
3. Members of the BranchOffice Admins group must not be able to modify any GPO settings at the BranchOffices OU level.
You need to configure the delegation of the administration of GPOs as defined by the written security policy. You must also ensure that you do not remove more permissions than is necessary from the BranchOffice Admins group. What should you do?
A. Modify the permissions granted to the BranchOffice Admins group so that the group is denied permission to write the gPOptions attribute at the BranchOffices OU level. Configure the permission to apply to the BranchOffices OU and all child objects.
B. Modify the permissions granted to the BranchOffice Admins group so that the group is granted permission to read and write the gPOptions attribute at the BranchOffices OU level. Configure the permission to apply to child objects of the BranchOffices OU only.
C. In the Group Policy Management Console (GPMC), remove the BranchOffice Admins

group from the Permissions tab for the BranchOffices OU. Add the BranchOffice Admins group to the LinkGPOs permission in the Delegation tab for the BranchOffices OU. Configure the permissions to apply the BranchOffice Admins container only.
D. In the Group Policy Management Console (GPMC), remove the BranchOffice Admins group from the Permissions tab for the BranchOffices OU. Add the BranchOffice Admins group to the LinkGPOs permission in the Delegation tab for the BranchOffices OU. Configure the permissions to apply the BranchOffice Admins container and all child containers.
Answer: A
Explanation: We need to restrict the administrative abilities of the BranchOffice Admins group at the Branch level. The gPOptions attribute indicates whether the Block Policy Inheritance option of a domain or OU is enabled. Denying the BranchOffice Admins group permissions to this attribute will prevent them from being able to block the inheritance of GPOs at the individual branch office OUs.
Incorrect Answers:
B: We must deny the BranchOffice Admins group permissions to the gPOptions attribute.
C, D: The BranchOffice Admins group must be able to administrate at the branch level. We should not remove them from the Delegation tab for the BranchOffices OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-16 to 10-20, 10-40 to 10-41

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. User and group objects for the sales department are located in an organizational unit (OU) named Sales. Peter and Mary are administrators for TestKing. Peter is responsible for managing Sales user objects. Mary is responsible for managing Sales group objects. You need to delegate Peter and Mary control over only the objects for which they are responsible. What should you do?
A. In the Sales OU, create two new OUs. Name one OU SalesUsers and place all user objects for the sales department in this OU. Name the other OU SalesGroups and place all group objects for the sales department in this OU. Grant Peter and Mary full control over the Sales OU.
B. On the Sales OU, grant Peter the right to manage user objects. On the Sales OU, grant Mary the right to manage group objects.
C. In the Sales OU, create a new OU. Name this OU SalesGroups. Place all Sales groups in the SalesGroups OU. Grant Peter the right to manage all objects in the Sales OU. Grant Mary the right to manage all objects in the SalesGroups OU.
D. On the Sales OU, deny Peter the right to manage group objects. On the Sales OU, deny Mary the right to manage user objects.
Answer: B
Explanation: We can assign users the right to manage certain objects in an OU. This would be the easiest solution.
Incorrect Answers:
A: Granting Peter and Mary full control over the Sales OU would allow them control over all objects in the Sales OU.
C: Through Inheritance, Peter will be able to control all objects in the Sales OU and in its child OU.
D: The right to manage objects in an OU must be assigned explicitly.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
9-18 to 9-20, 9-23 to 9-26

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The relevant portion of the organizational unit (OU) structure is shown in the exhibit.

TestKing's sales division consists of an inside sales department, a mobile sales department, and a telemarketing department. User objects for users in these departments are stored in the Inside, Mobile, and Telemarket OUs respectively. User objects for all junior managers and senior managers are stored in the Managers OU. TestKing decides to train junior managers to perform basic administrative tasks. Junior managers are responsible for enabling and disabling accounts for all sales users except junior managers and senior managers. You need to enable junior managers to perform the assigned administrative tasks. You must not affect any existing permissions. What should you do?
A. On the Managers OU, block the inheritance of permissions. Copy all existing permissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.
B. On the Inside, Mobile, and Telemarket OUs, block the inheritance of permissions. Copy all existing permissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.
C. On the Managers OU, block the inheritance of permissions. Remove all existing permissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.
D. On the Sales OU, block the inheritance of permissions. Copy all existing permissions. On the Sales OU, grant junior managers the permissions to enable and disable accounts.
Answer: A
Explanation: You want to set the policy on a higher OU (parent) than the three target child OUs where you want administration. For junior managers to be able to perform administrative tasks on only the three target OUs and not the managers OU we have to Block the inheritance of the Policy at the managers OU. You also want to preserve permissions that were inherited before setting the block so copying all permissions would satisfy that requirement.
Incorrect Answers:
B: Junior managers must be able to perform administrative tasks on only the Inside, Mobile, and Telemarket OUs and not the managers OU. Therefore we have to Block the inheritance of the Policy on the Managers OU, not on the Inside, Mobile, and Telemarket OUs.
C: You want to preserve permissions that were inherited before you blocked inheritance to the Managers OU. Therefore you need to copy the permissions to the Managers OU.
D: You need to block inheritance at the child OU, not the parent OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
9-18 to 9-20, 9-23 to 9-26

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The company's written domain administration policy requires that help desk employees must have the ability to reset passwords. The help desk employees must be able to reset passwords for all user accounts except for members of the Domain global group and members of the Executive global group. The help desk employees must not have any other administrative rights in the domain. All members of the Domain Admins group are located in an organizational unit (OU) named AdminsOU. All members of the Executives group are located in an OU named ExecutiveOU. All other user accounts are located in an OU named EmployeesOU. The relevant portion of the OU design for the domain is shown in the exhibit. You need to configure the permissions for the help desk employees as defined by the written domain administration policy. What should you do?
A. Assign the Help Desk global group the right to reset passwords in the OU named EmployeesOU.
B. Assign the Help Desk global group the right to manage user accounts in the OU named AllUsersOU. Block the inheritance of permissions at the OU named AdminsOU and the

OU named ExecutiveOU.
C. Assign the Help Desk global group the right to reset passwords in the OU named AllUsersOU.
D. Assign the Help Desk global group the right to manage user accounts at the domain level. Deny the help desk employees the right to reset passwords in the OU named AdminsOU and the OU named ExecutiveOU.
Answer: A
Explanation: The user accounts that the Help Desk group need to reset passwords for are located in an OU named EmployeesOU. We can simply delegate the "Reset Passwords" permission on the EmployeesOU.
Incorrect Answers:
B: The right to manage user accounts will enable the Help Desk group to do more than just reset the passwords.
C: The AllUsersOU contains all user accounts. This would enable the Help Desk group to reset passwords on all user accounts including the domain admins and executives.
D: The right to manage user accounts will enable the Help Desk group to do more than just reset the passwords.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
56-58, 402-406, 407

QUESTION NO: 6 HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains named testking.com, usa.testking.com, and europe.testking.com. The functional level of the forest is Windows Server 2003. The help desk department is responsible for resetting passwords for all user accounts in the forest except for accounts that have administrative privileges. There is an organizational unit (OU) named Corp_Users in each domain that contains the user accounts in that domain. All of the user accounts that have administrative privileges are in the default Users container in each domain. There is a universal group named HD_Users in the testking.com domain. All user accounts for the help desk department users are members of the HD_Users group. You need to delegate the required authority for resetting passwords to the users in the help desk department. For which Active Directory component or components should you delegate control? To answer, select the appropriate component or components in the work area.
Answer:
Explanation: We need to delegate the required authority for resetting passwords for the Corp_Users OU to the HD_Users universal group. The Corp_Users OU in each domain contains the users that the help desk staff need to reset passwords for. The HD_Users universal group contains the help desk staff and is visible to all domains in the forest.
Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W.
Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 408-411
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23

C: Move objects within an OU hierarchy. (2 questions)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All servers that are not domain controllers, are located in an organizational unit (OU) named Servers. All user accounts are located in an OU named Accounts.

The health insurance department has servers that store the medical records of customers. These records servers contain information that must be closely monitored. A non-Microsoft auditing tool is installed on the records servers to monitor that information. Access to the auditing information is available only to a small number of local user accounts on each record server. For legal reasons, the health insurance department needs to change its account lockout and password settings for the local user accounts on records servers. You need to ensure that the records servers adhere to the security requirements. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?
A. Create a new domain under the testking.com domain. Make the records servers members of the new domain. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new domain.
B. Create a new domain under the testking.com domain. Make the health insurance user accounts members of the new domain. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new domain.
C. Create a new OU under the Servers OU. Make the records servers members of the new OU. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new OU.
D. Create a new OU under the Accounts OU. Make the health insurance user accounts members of the new OU. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new OU.
Answer: C
Explanation: We need to move the records servers to a new OU so that we can easily apply settings to them by using a GPO. Account lockout and password settings for domain user accounts must be applied at domain level. However, for this question, we need to configure the account lockout and password settings for the local user accounts. We can do this by linking a GPO to an OU containing the records servers.
Incorrect Answers:
A: It is not necessary to create a new domain because we need to configure settings for local user accounts, not domain user accounts.
B: It is not necessary to create a new domain because we need to configure settings for local user accounts, not domain user accounts.
D: We need to configure the account lockout and password settings for the local user accounts. The local user accounts are not objects in Active Directory and so cannot be moved to an OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
6-3 to 6-9, 10-20

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 2,250 user accounts. Each user account has the appropriate permissions for resource access. All user accounts are in the Users container. TestKing has five departments. To support TestKing's structure, you must place the existing user accounts in organizational units (OUs) arranged by department. You create five OUs in the domain, with one OU for each department. The human resources manager sends you a file in the comma-separated value (CSV) file format. The CSV file lists each user's full name, account logon name, and department. You expect to receive CSV files containing new and updated information every two weeks. You need to place the user accounts in the correct OUs. You must not make changes that require the permissions on resources to be changed. You must deploy the changes in the minimum amount of time and by using the minimum amount of administrative effort. What should you do?
A. Create a script that reads the CSV file and uses ADSI to move user accounts to the correct OUs.

B. Create a script that reads the CSV file and updates the Department attribute of each user account to the name of the correct OU.
C. Create a security group for each department. Move the security group objects to the correct OUs. Make each user account a member of the security group for the user's department.
D. In Active Directory Users and Computers, create a new user account for each user in the correct OU, then delete the corresponding user object in the Users container.
E. In Active Directory Users and Computers, select all of the user accounts from one department and move them to the correct OU. Repeat this process for each of the other departments.
Answer: A
Explanation: Creating a script to automate the updates and moves is the easiest way to handle the administrative tasks on an ongoing basis.
Incorrect Answers:
B: The department attribute is an information attribute. It doesn't represent the OU. Thus ensuring that the department attribute is correct won't move the accounts to the appropriate OU.
C, D, E: This could work but would require much more administrative effort.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 3-12, 7-17
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 691-692, 1261-1262

Topic 4, Planning and Implementing Group Policy (69 Questions)
Part 1: Plan Group Policy strategy.
A: Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode. (0 questions)
B: Plan a strategy for configuring the user environment by using Group Policy.
(8 questions)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains a single domain named testking.com. Organizational units (OUs) in the domain are configured as shown in the Domain Structure exhibit. The exhibit shows the following OU structure:
- IT Users OU
  - Service Desk Staff OU
  - Domain Admins OU
All client computers run Windows XP Professional. All client computer accounts are located in the TestKing Computers OU. Your user account is a member of the Domain Admins security group. All user accounts that are members of the Domain Admins security group are located in the Domain Admins OU. All service desk users have user accounts that are members of the SrvDeskGrp security group. All accounts that are members of this group are located in the Service Desk Staff OU. You use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO) named Install Admin Tools. You configure the GPO as follows:
1. In the GPO, create a software installation package that assigns the Windows Server 2003 Administration Tools Pack (adminpak.msi) to users.
2. Link the GPO to the IT Users OU.
3. Remove the Authenticated Users built-in group from the list of users and groups that were delegated permissions for the GPO.
4. Assign the SrvDeskGrp security the Allow - Read permission for GPO.
Service desk users report that the administrative tools needed for their job are not installed. You use the GPMC to examine the history of Group Policy application for one of the affected users. The relevant results are shown in the GPMC exhibit.
**MISSING**
You also discover that when you log on to a computer normally used by a service

desk user, the administrative tools are automatically available for you. You need to ensure that administrative tools can also be installed by Group Policy for all users with accounts in the IT Users OU, without increasing the administrative privileges of any users. What should you do?
A. Link the Install Admin Tools GPO to the Service Desk Staff OU. Move the computer accounts for computers used by service desk users to the Service Desk Staff OU.
B. Change the security filtering on the Install Admin Tools GPO to grant the SrvDeskGrp security group the ability to apply the GPO.
C. Move the SrvDeskGrp security group to the Domain Admins OU.
D. Modify the GPO to assign the Administration Tools Pack to computers instead of to users.
Answer: B
Explanation: You need to assign the Allow - Apply Group Policy permission, not just the Allow - Read permission, to the SrvDeskGrp group.
Incorrect Answers:
A: Linking the Install Admin Tools GPO to the Service Desk Staff OU on its own won't help. The SrvDeskGrp would still only have Allow - Read permissions.
C: Making the SrvDeskGrp a member of the Domain Admins OU would give them too many permissions.
D: The GPO should apply to users not computers because we are controlling application based on user groups.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-20, 10-40 to 10-41

QUESTION NO: 2
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. Three security groups named Accounts, Processors, and Management are located in an organizational unit (OU) named Accounting. All of the user accounts that belong to these three groups are also in the Accounting OU. You create a Group Policy object (GPO) and link it to the Accounting OU. You configure the GPO to disable the display options under the User Configuration section of the GPO. You need to achieve the following goals:
1. You need to ensure that the GPO applies to all user accounts that are members of the Processors group.
2. You need to prevent the GPO from applying to any user account that is a member of the Accountants group.
3. You need to prevent the GPO from applying to any user account that is a member of the Management group, unless the user account is also a member of the Processors group.
What should you do?
A. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants and Management security groups the Deny - Read and the Deny - Apply Group Policy permissions. Modify the DACL of the GPO to assign the users who are in both the Accountants and Management security groups the Allow - Read and the Allow - Apply Group Policy permissions.
B. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants and Management security groups the Deny - Read and the Deny - Apply Group Policy permissions. Create a new security group named Mixed that contains all the user accounts from the Processors group and the specific user accounts from the Management group to which you want the GPO to apply. Modify the DACL of the GPO to assign the Mixed security group the Allow - Read and the Allow - Apply Group Policy permissions.
C.
Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants security group the Deny - Read and the Deny - Apply Group Policy permissions. Modify the DACL settings of the GPO to remove the Authenticated Users special group. Modify the DACL settings of the GPO to add the Processors group and assign the Allow -

Read and the Allow - Apply Group Policy permissions.
D. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants security group the Deny - Read and the Allow - Apply Group Policy permissions. Modify the DACL settings of the GPO to assign the Management security group the Deny - Read and the Deny - Apply Group Policy permissions.
Answer: C
Explanation: You need to prevent the GPO from applying to any user account that is a member of the Accountants group. We can achieve this by modifying the discretionary access control list (DACL) settings of the GPO to assign the Accountants security group the Deny - Read and the Deny - Apply Group Policy permissions. We need to remove the authenticated users group so that the policy doesn't apply to anyone that isn't a member of any of the three groups.
You need to ensure that the GPO applies to all user accounts that are members of the Processors group. We can achieve this by modifying the DACL settings of the GPO to add the Processors group and assign the Allow - Read and the Allow - Apply Group Policy permissions.
You need to prevent the GPO from applying to any user account that is a member of the Management group, unless the user account is also a member of the Processors group. The Management group isn't listed in the DACL. Therefore, no user in the Management group will receive the GPO. Management users will only receive the GPO if they are also a member of the Processors group, because the Processors group have the Allow - Read and the Allow - Apply Group Policy permissions.
Incorrect Answers:
A, B, D: Assigning the Management security groups the Deny - Read and the Deny - Apply Group Policy permissions will prevent the members that are members of both the Management and Processors group from receiving the GPO.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All user accounts for the research and development department are located in an organizational unit (OU) named PBUsers. A Group Policy object (GPO) named UserRights is linked to the domain. The following user settings are enabled in the UserRights GPO:
1. Prohibit user configuration of offline files.
2. Remove Add or Remove Programs.
3. Remove Display in Control Panel.
You need to allow all users in the PBUsers OU to remove programs by using Add or Remove Programs in Control Panel. The other policy settings must continue to apply. What should you do?
A. Enable the Block Policy Inheritance setting on the PBUsers OU.
B. Create a new GPO that disables the Remove Add or Remove Programs setting. Link the GPO to the PBUsers OU.
C. Assign the user accounts in the PBUsers OU the Deny - Apply Group Policy permission for the UserRights GPO.
D. Assign the user accounts in the PBUsers OU the Deny - Write GPlink permission for the PBUsers OU.
Answer: B
Explanation: A GPO linked to an OU will override the settings from a GPO linked to the domain. Therefore, we can create a GPO that disables the Remove Add or Remove Programs setting and link it to the PBUsers OU.
Incorrect Answers:
A: The question states that the other settings from the domain GPO must apply. Therefore, we cannot block policy inheritance.
C: The question states that the other settings from the domain GPO must apply. Denying the users the Apply Group Policy permission will prevent the settings from the domain GPO from being applied.
3& This setting has no effect on the application of the C5's. Reference9

Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. 1"223 to 1"22%*+,TION NO& ) .ou are the net/or$ administrator for TestKing0com0 The net/or$ consists of a ,ingle 1cti2e 3irectory domain named test$ing0com /ith three sites0 There is a domain controller at each site0 1ll ser2ers run 4indo/s ,er2er '5560 +ach client computer runs either 4indo/s '555 Professional or 4indo/s GP Professional0 The IT staff is organi!ed into four groups0 The IT staff /or$s at the three different sites0 The computers for the IT staff must e configured y using scripts0 The script or scripts must run differently ased on /hich site the IT staff user is logging on to and /hich of the four groups the IT staff user is a mem er of0 .ou need to ensure that the correct logon script is applied to the IT staff users ased on group mem ership and site location0 4hat should you do: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2FG 2 A. .reate four Croup 5olic ob)ects *C5's+. .reate a script in each C5' that corresponds to one of the four groups. 4in/ the four new C5's to all three sites. Crant each group permissions to appl onl the C5' that was created for the group. 1. .reate a single script that performs the appropriate configuration based on the userKs group membership. 5lace the script in the ,etlogon shared folders on the domain controllers. .. .onfigure a Croup 5olic ob)ect *C5'+ with a startup script that configures computers based on &T staff group. 4in/ the C5' to the three sites. D. .reate a script that configures the computers based on &T staff group membership and site. .reate and lin/ a C5' to the Domain .ontrollers 'U to run the script. 
Answer: A

Explanation: The easiest way to filter which users or computers a GPO should apply to is to set permissions on the GPO. A user or computer needs the Allow - Read and Apply Group Policy permissions in order to apply the GPO. In this question, we have four groups, each with different requirements. By creating four different GPOs and linking them to each of the three sites, we can manage who receives the GPO by configuring the permissions on the GPOs.

Incorrect Answers:
B: The script needs to be linked to an Active Directory container.
C: It's easier to use GPO permissions to determine which users or computers should receive a GPO.
D: It's easier to use GPO permissions to determine which users or computers should receive a GPO. Furthermore, the GPO is linked to the wrong container in this answer.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41

QUESTION NO: 5 HOTSPOT
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains. All servers run Windows Server 2003. The domains and organizational units (OUs) are structured as shown in the work area. Users in the research department have user accounts in the research.testking.com domain. All other user accounts and resources are in the testking.com domain. All domain controllers are in the Domain Controllers OU of their respective domain. No other computer or user accounts are in the Domain Controllers OUs. A written company policy requires that all users working in the research department must use complex passwords of at least nine characters in length. The written policy states that no other users are to have password restrictions. All affected users have user accounts in an OU named Research Users in the research.testking.com domain. You create a Group Policy object (GPO) that contains the required settings. You need to ensure that these settings affect the users in the research department, and that the settings do not affect any other domain users or local accounts. Where should you link the GPO? To answer, select the appropriate location or locations in the work area.

Answer:

Explanation: Select the research.testking.com domain.

Password restrictions for domain user accounts must always be set at domain level. Password policies applied at OU level will only apply to local user accounts. In this scenario, research.testking.com contains only research users so applying the policy at the domain level will not affect any others.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-31 to 10-4

QUESTION NO: 6
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The company restricts all users so that they can use only authorized applications. All domain users are authorized to use the Microsoft Office suite of applications. Members of a security group named CRM Users are also authorized to use a customer relationship management (CRM) application. You configure Group Policy objects (GPOs) as shown in the exhibit. The Office Applications GPO has only the Microsoft Office applications listed as allowed applications. The CRM Application GPO has only the CRM application listed as an allowed application. The CRM Application GPO has security settings so that it applies only to members of the CRM Users security group. Users who are members of the CRM Users security group report that they cannot run the CRM application. You need to reconfigure the domain to meet the following requirements:
1. All users must be able to run the Microsoft Office applications.
2. Members of the CRM Users security group must be able to run the CRM application.
3. All users must be prevented from running unauthorized software.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure the Default Domain Policy GPO so that the CRM application is published to the members of the CRM Users security group.
B. Disable the No Override setting for the CRM Application GPO. Leave the CRM Application GPO linked to the domain.
C. Reorder the GPOs so that the CRM Application GPO is higher in the list than the Office Application GPO.
D. Create a new OU. Move the user accounts for all members of the CRM Users security group into this OU. Link the CRM Application GPO to this OU. Enable the Block Policy inheritance setting for this OU. Unlink the CRM Application GPO from the domain.
E. Add the Microsoft Office applications to the list of allowed applications in the CRM Application GPO.

Answer: C, E

Explanation: The Office Application GPO is set to no override. This is preventing the CRM Application GPO from being applied. We should make the CRM Application apply before the Office Application and make the Microsoft applications an allowable application on the CRM Application list. Now the CRM Application will be applied but only to members of the CRM Users security group. These users will also get the Office applications because that is now in the CRM Applications GPO. The users that are not members of the CRM Users security group won't get any of the settings of the CRM Applications GPO, therefore its no override setting is irrelevant to them. The Office Applications will be applied for these users.

Note: We added the Microsoft Office applications to the CRM Applications GPO because the CRM Applications are set to no override. Therefore the Office Applications will not apply to the CRM Users security group. But the Office applications are now in the CRM Applications GPO so it no longer matters that the Office Applications GPO is not applied for the CRM Users security group.

Incorrect Answers:
A: The Office Application GPO is set to no override. This is preventing the CRM Application GPO from being applied.
B: The Office Application GPO is set to no override. This is preventing the CRM Application GPO from being applied. Therefore, disabling the No Override setting for the CRM Application GPO won't accomplish anything.
D: Simply moving the CRM Application before the Office Application and making the Microsoft applications an allowable application on the CRM Application list would require less administrative effort.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20 to 10-21, 11-6, 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You are testing Group Policy objects (GPOs) on an organizational unit (OU) named Test. The Test OU contains a Windows XP Professional client computer that you use as a test computer. The domain contains a group named Security. You create a new GPO and configure the Computer Configuration section to grant the Security group the Change the system time user right. You log on to the test computer and discover that the setting you set through the GPO is not in effect. You need to apply the GPO settings immediately. What should you do?

A. Log off the test computer and log on again.
B. Log off the test computer. Create a test user account in the Test OU and then log on as the test user account.
C. On the test computer, run the gpresult command.
D. On the test computer, run the gpupdate /force command.
Answer: D

Explanation: GPOs are applied when users log on and when the computer is booted up. GPOs are also reapplied (refreshed) at a given interval. However, you can use the gpupdate /force command to apply the GPO immediately without having to reboot the computer.

Incorrect Answers:
A, B: The computer configuration settings are applied when the computer boots, not at log on.
C: The Gpresult command-line tool allows you to create and display an RSoP query, which can be used to analyze the cumulative effects of GPOs, through the command line. It also provides general information about the operating system, user, and computer.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-15 to 10-17, 10-44, 11-4, 11-6, 11-19 to 11-22
www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/refrGP.asp

QUESTION NO: 8
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All file servers have computer accounts in an organizational unit (OU) named CompanyServers. All users have user accounts in an OU named CompanyUsers. For all users and administrators, the My Documents folder is redirected to a shared folder on a file server named TestKing1. The company wants to limit the amount of disk space that can be used by each user. Each user must be allowed to use a maximum of 2 GB of storage on TestKing1. You need to limit disk space usage on TestKing1 to 2 GB per user. Administrators must not have these limits. What should you do?

A. Create a Group Policy object (GPO) linked to the CompanyUsers OU. In the GPO, enable disk quotas.
B. Create a Group Policy object (GPO) linked to the CompanyUsers OU. In the GPO, enable a size limit on user profiles.
C. Create a Group Policy object (GPO) linked to the CompanyServers OU. In the GPO, enable disk quotas.
D. Create a Group Policy object (GPO) linked to the CompanyServers OU. In the GPO, enable a default cache size for offline files.

Answer: B

Explanation: To prevent users, computers, and groups from creating an unlimited number of objects in Active Directory, Windows Server 2003 has added quotas. Active Directory quotas are used to limit how many objects are owned in a particular directory partition. While quotas can be applied to almost every user, computer, and group, Domain Administrators and Enterprise Administrators are exempted from these limits. The quotas that are used to limit the ability of a user, computer, or group from creating too many objects in Active Directory should not be confused with disk quotas, which are also available on Windows Server 2003 servers (regardless of the functionality level being used).

The new Active Directory quotas (not to be confused with disk quotas) are defined as the number of objects that can be owned by a given user in a given directory partition. Domain Admins and Enterprise Administrators are exempt from the quota, and they do not apply at all to the schema partition. Replicated operations do not count toward the command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface exists for quota administration.

Disk quotas can be used to limit the amount of hard disk space that can be used on a volume that's formatted in NTFS. The NTFS file system is more advanced than other file systems such as FAT or FAT32, which can also be used to format volumes. By using disk quotas on an NTFS volume, administrators can prevent users from filling up the hard disk with an unlimited number of files.

Incorrect answers:
A: Making use of disk quotas will not have the desired effect.
C: The CompanyServers OU is the wrong organizational unit to link the GPO to.
D: First, it is wrong to link the newly created GPO to this particular organizational unit and furthermore, the GPO should not be one of enabling a default cache size for offline files.

Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 1, p. 69 & Chapter 4, p. 250

C: Plan a strategy for configuring the computer environment by using Group Policy. (17 questions)

QUESTION NO:
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You use a Group Policy object (GPO) to change the default storage location of the My Documents folder for all user accounts. The GPO redirects the My Documents folder to \\SERVER1\USERFILES\%USERNAME%. The Redirect the folder back to the local user profile location when policy is removed option is selected. The network does not use roaming user profiles. The My Documents folders of several users are very large and consume too much disk space on Server1. As a result, users report slow response times for shared files. You need to ensure that the My Documents folder for each user is stored and maintained on the user's client computer. You must not affect any other policies. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Change the redirection setting in the GPO to Not configured. Run the gpupdate command on Server1.
B. Change the redirection setting in the GPO to Not Configured. Include an xcopy command in each user's logon script to move the files.
C. Copy all settings in the GPO except the redirection setting to a new GPO. Delete the existing GPO.
D. In the GPO, change the specified path to %USERPROFILE%\My Documents.
E. Configure all shared folders on Server1 to automatically make all files available offline. After the files are cached on the client computer, delete the files from the server.

Answer: A, D

Explanation: There is no roaming profile so we can remove the redirection setting. The gpupdate will ensure that the altered GPO is applied immediately.

Incorrect Answers:
B: The xcopy command will copy the files from Server1 to the local computer. This will consume network bandwidth. It is thus not the best answer.
C: We don't need to create a new GPO, just change the one setting.
E: The files will still be stored on Server1 but will be available for use on the local computer when the computer is disconnected from the network. This won't ensure that the files are stored on the local computer.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-28 to 11-48

QUESTION NO: 2 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The user accounts for support staff users are located in an organizational unit (OU) named Support. All other user accounts are located in an OU named UserAccounts. As TestKing expands, user accounts for users other than support staff might be created in OUs other than the UserAccounts OU. A written TestKing policy states that all users, including support staff, must comply with the following rules:
1. Users are not allowed to use offline files.
2. Only support staff employees are allowed to edit the registry.
The written policy also states that any changes to these rules must be applied to the entire company as quickly as possible. You need to enforce the written TestKing policy by using the minimum amount of administrative effort. Which action or actions should you take, and where should you take the action or actions? To answer, drag the appropriate action or actions to the correct location or locations in the work area.

Answer:

Explanation: All users, including support staff, are not allowed to use offline files and only support staff employees are allowed to edit the registry.

This means we need an OU at the domain level that disables the registry editing tools, and one that prevents the use of offline tools. These GPOs will ensure that all users, including support staff, are not allowed to use offline files. It will also disable the use of registry editing tools for all users. Therefore, we need another GPO that allows the use of the registry editing tools for the Support OU. GPOs are applied at the domain level before the OU level so the GPO applied at the OU level will override the GPO applied at the domain level.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41

QUESTION NO: 3
You are the network administrator for TestKing that has a main office and many small branch offices. TestKing's network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The domain has an organizational unit (OU) for each branch office. Group Policy objects (GPOs) linked to these OUs are used to configure TestKing resources. Under each branch office's OU, there is an OU named UserAccounts that contains user accounts and an OU named Workstations that contains client computer accounts. A single administrative user at each branch office provides desktop support and administration for the branch office. The number of support calls for the branch office administrators recently increased because users are making configuration changes to their computers. You need to restrict desktop features and administrative tools for all users except the administrative user in each branch office. You create a GPO that applies the desktop restrictions. What else should you do?

A. Link the GPO to each branch office's Workstations OU. Create an OU underneath each branch office's Workstations OU and move the administrative user's computer accounts into the new OU. Block GPOs from applying to the new OU.
B. Link the GPO to each branch office's UserAccounts OU. Create an OU underneath each branch office's UserAccounts OU and move the administrative user's account into the new OU. Block GPOs from applying to the new OU.
C. Link the GPO to each branch office's workstations OU. Filter the GPO on the administrative user's computer for each branch office, so that the computer does not apply the new GPO.
D. Link the GPO to each branch office's UserAccounts OU. Filter the GPO on the administrative user's account for each branch office, so that the user account does not apply the new GPO.

Answer: D

Explanation: We need to restrict desktop features and administrative tools for all users other than the administrative user in each branch office. We have already created a GPO that applies the desktop restrictions. We now need to link the GPO to each branch office's UserAccounts OU which contains all user accounts for the branch. We can ensure that this GPO doesn't apply to the administrator by assigning the Deny - Apply Group Policy permission to the administrator account in each branch.

Incorrect Answers:
A, C: The GPO must be linked to the users not the computers.
B: Simply assigning the Deny - Apply Group Policy permission to the administrator account will ensure that the administrator can't have the GPO settings.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains one domain controller. All servers run Windows Server 2003. All client computers run Windows XP Professional. TestKing uses Group Policy objects (GPOs) to configure user and computer settings. The Active Directory database and the SYSVOL shared folder are stored on separate hard disks. The hard disk containing the SYSVOL folder fails. Some Group Policy settings are still applied, but new users do not receive the Group Policy settings. You replace the failed disk. You discover that there are no valid backups of the SYSVOL folder. You have a list of GUIDs and friendly names for each GPO. On the new disk, you create a new shared folder named SYSVOL in the same location as the previous SYSVOL folder. You need to configure the network so that the user and computer settings will be applied to all users. Which three courses of action should you take? (Each correct answer presents part of the solution. Choose three)

A. In the SYSVOL folder, create a folder named testking.com. In the testking.com folder, create a folder named Policies.
B. In the SYSVOL folder, create a folder named System State. In the System State folder, create a folder named Policies.
C. In the Policies folder, create a folder for each GPO. Name the folders by using the friendly name of each GPO. In the folder for each GPO, create a folder named MACHINE and a folder named USER.
D. In the Policies folder, create a folder for each GPO. Name the folders by using the GUID of each GPO. In the folder for each GPO, create a folder named MACHINE and a folder named USER.
E. Use Active Directory Users and Computers to open each GPO. Close each GPO without changing any settings.
F. Use Active Directory Users and Computers to open each GPO. Change at least one setting in each GPO before closing it.

Answer: A, D, F

Explanation: A globally unique identifier (GUID) is a 128-bit hexadecimal number that is guaranteed to be unique within the enterprise. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. A GUID is unique across all domains, meaning that you can move objects from domain to domain and they will still have a unique identifier.

Ensure the integrity of the computer's Group Policy by performing one of the following:
(i) If you authoritatively restored the entire Active Directory database, copy the Sysvol directory on the alternate location over the existing one after the Sysvol share is published.
(ii) If you authoritatively restored specific Active Directory objects, copy only the policy folders (identified by the GUID) corresponding to the restored policy objects from the alternate location after the Sysvol share is published. Then, copy them over the existing ones.

When authoritatively restoring either the entire Active Directory database or selected objects, it is important that you copy the Sysvol and policy data from the alternate location after the Sysvol share is published. If the computer is in a replicated domain, it may take several minutes before the Sysvol share is published because it needs to synchronize with its replication partners. If all computers in the domain are authoritatively restored and restarted at the same time, then each will be waiting (indefinitely) to synchronize with each other. In this case, restore one of the domain nonauthoritatively.
Thus options A, D and ( will ensure that all settings will be applied to all users in the gi%en circumstances. Incorrect ans/ers& <9 The folder that should be created should be test/ing.com and not s stem state folder C9 Ma/ing use of the friendl name of each C5' will not ha%e the desired effect. +9 Iou need to change at least one setting in each C5' before closing it. Reference9 Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. 19 32, 39 F2 %*+,TION NO& ( .ou are the net/or$ administrator for TestKing0com0 The net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com0 1ll ser2ers run 4indo/s ,er2er '5560 The organi!ational unit ?O*@ structure is sho/n in the e;hi it0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2G- 2 The #ile ,er2ers O* su tree contains '5 file and print ser2ers0 1ll of TestKingHs user accounts are in the *ser 1ccounts O* su tree0 TestKing uses >roup Policy o Cects ?>POs@ lin$ed to the O*s /ithin the *ser 1ccounts O* su tree to configure the usersH en2ironment0 These >POs are configured to install des$top utilities for all user accounts0 The des$top utilities are for use on only client computers0 .ou are responsi le for planning and implementing the >roup Policy infrastructure for TestKing0com0 TestKing /ants to apply a ne/ >PO named ,er2er,ecurity to the '5 file and print ser2ers0 The ,er2er,ecurity >PO includes computer configuration settings and user configuration settings0 These settings /ill e used to secure the file and print ser2ers0 .ou plan to apply the ,er2er,ecurity >PO to the #ile ,er2ers O*0 .ou need to ensure that the des$top utilities are not installed on the ser2ers /hen users log on to the net/or$0 4hat should you do: 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2GF 2 A. Crant the file and print ser%ers permissions to lin/ C5's at the (ile $er%ers 'U. 1. 
.onfigure the $er%er$ecurit C5' to enable the 4oopbac/ polic . .. .onfigure a shutdown script that refreshes the computer configuration settings for the file and print ser%ers. D. Appl the $er%er$ecurit C5' at the site le%el rather than at the 'U le%el. 1ns/er& < +;planation& .ou donHt /ant the userHs settings applying the 3es$top utilities so you must also configure the Replace Mode0 .ou do not /ant the users settings applied at all in this case0 If user settings /ere allo/ed to apply, then the 3es$top utilities /ould get installed0 In some cases, this processing order may not e appropriate ?for

e;ample, /hen you do not /ant applications that ha2e een assigned or pu lished to the users in their O* to e installed /hile they are logged on to the computers in some specific O*@0 Incorrect 1ns/ers& 1& This is not possible. C& $hutdown scripts are applied when the computer shuts down. This wonKt pre%ent the user settings from being applied when a user logs on to the computer. 3& This wonKt pre%ent the user settings from being applied when a user logs on. Reference9 Qill $pealman, @urt Audson L Melissa .raft, M.$3 $elf25aced Training @it *3Bam Acti%e Director &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, pp. 1"21; to 1"22", 1"223, 1"23; %*+,TION NO& 7 .ou are a net/or$ administrator for TestKing0com0 The net/or$ consists of a single 1cti2e 3irectory domain named test$ing0com0 1ll ser2ers run 4indo/s ,er2er '5560 TestKing operates a call center in /hich '55 users use 4indo/s GP Professional computers to access e8mail, TestKingHs intranet, and a data ase application0 1ll client computers are configured identically0 The call center users do not use computers outside of the call center0 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2G; 2 1 /ritten TestKing policy states that call center users are not allo/ed to install or run additional applications or to change the des$top settings on their computers0 .ou need to pre2ent call center users from changing the configuration of the call center computers0 .our solution must not restrict users in other parts of TestKing from ma$ing changes to computers outside the call center0 4hat should you do: A. 5lace all of the computer accounts for call center computers in an organi0ational unit *'U+ named .all .enter .omputers. .reate a Croup 5olic ob)ect *C5'+ that includes the appropriate restrictions in the User .onfiguration section. 4in/ the C5' to the .all .enter .omputers 'U. 1. 5lace all of the user accounts for call center users in an organi0ational unit *'U+ named .all .enter Users. 
Create a Group Policy object (GPO) that includes the appropriate restrictions in the User Configuration section. Link the GPO to the Call Center Users OU.
C. Place all of the user accounts for call center users in a security group named Call Center Users. Change the default user rights assignment on the call center computers so that the Call Center Users group has only the Allow log on locally right.
D. Place all of the user accounts for call center users in a security group named Call Center Users. Configure these accounts so that all users use a common roaming profile stored on a file server. Assign the Call Center Users group the Allow - Full Control permission for the roaming profile folder.

Answer: B

Explanation: To restrict call center users from running certain applications and changing their desktops, we need to configure the required restrictions in a GPO and have it applied to all call center users. This can be achieved by placing all call center users in an OU and applying the GPO to that OU.

Incorrect Answers:
A: The GPO should apply to the users, not the computers.
C: We need to restrict the users from running additional applications or changing their
D: A roaming profile will not prevent users from running unauthorized applications. Furthermore, granting Allow - Full Control permission for the roaming profile folder would allow them to change their desktop settings.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-20, 10-40 to 10-41

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. All servers run Windows Server 2003. The company decides to make five Windows XP Professional computers available in a public area for use by visitors. These computers are to be used only for browsing public Web sites. A Web browser is the only application that will be run on these computers. You make these computers members of the Active Directory domain. You create a new organizational unit (OU) named Restricted Computers and place the five computer accounts in this OU. You configure these computers to automatically log on a user named Restricted User each time the computer is started. The Restricted User account does not have administrative rights on the computer or on the domain. You need to configure the five computers so that they can access public Web sites but cannot run other applications. The restrictions must not affect other users or computers on the network. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Create a Group Policy object (GPO) and link it to the domain. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the computer settings in the GPO to enable loopback mode.
B. Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the GPO to apply only to the Restricted User account.
C. Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the GPO to contain a Restricted Groups policy that places all users in the local Guests group of each of the five Windows XP Professional computers.
D. Create a Group Policy object (GPO) and link it to the domain. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the GPO to apply only to the Restricted User account.
E.
Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the computer settings in the GPO to enable loopback mode.

Answer: D, E

Explanation: The computers are configured to automatically log on the Restricted User account each time the computers start. We can configure a GPO to allow only Internet Explorer to run. We can link the GPO to the domain and use security permissions to ensure that the policy applies only to the Restricted User account. This will ensure that the GPO only affects the restricted computers.
The restricted computers are in the Restricted Computers OU. Therefore, another solution would be to link the GPO to the Restricted Computers OU, thus ensuring that no other computers are affected by the GPO. Although the Internet Explorer settings are in the user part of a GPO, and this solution applies the GPO to computers (not users), we can apply the user settings to the Restricted User account by using loopback mode.
For loopback processing, you can choose whether to replace or merge user-specific policy. The replace mode replaces all of a user's normal policy settings with those defined in the user configuration of the GPOs that apply to the computer object (the loopback settings). Merge mode merges the user's normal policy settings and the loopback settings. In the case where a policy item in the user's normal policy conflicts with the loopback settings, the loopback settings are applied.

Incorrect Answers:
A: If we apply the GPO to the domain and use loopback mode, the settings will apply to all the computers in the domain. We should restrict the GPO to only the Restricted Computers.
B: We would need to use loopback mode to apply the GPO to the Restricted Users. This ensures that users receive their policy regardless of the machine they use to log in.
C: The computers are configured to log on the Restricted Users account, not the guest account.
In Windows Server 2003, the guest account is disabled by default.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 78

QUESTION NO: 8
HOTSPOT
You are a network administrator for TestKing that operates a call center. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers are members of the domain. Computers in the call center are configured by a Group Policy object (GPO) to have
a common, restricted desktop. All computers in the call center have accounts in an organizational unit (OU) named Call Center Computers. Non-management users have user accounts in an OU named CallCenterStaff. Managers have user accounts in an OU named ManagementUsers. You link a GPO to the Call Center Computers OU. The current settings of the GPO are shown in the work area. Any user logging on to these computers receives the restricted desktop. Currently, a manager who logs on to a computer in the call center is presented with the restricted desktop. The restricted desktops prevent managers from performing management tasks. You need to ensure that any manager logging on to a computer in the call center receives a normal, unrestricted desktop. Which GPO setting should you change? To answer, select the appropriate setting in the work area.

Answer:

Explanation: Select "Registry policy processing: Disabled"
The Call Center Computers OU has a GPO linked to it that will ensure that any user logging on to these computers will receive a restricted desktop. Access control entries are set in the registry. However, if managers are to perform managerial tasks then they do not need to be hampered with a restricted desktop if you enable the registry policy processing setting.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
2: 49

QUESTION NO: 9
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All file servers have computer accounts in an organizational unit (OU) named CompanyServers. All users have user accounts in an OU named CompanyUsers. For all users and administrators, the My Documents folder is redirected to a shared folder on a file server named TestKing1. The company wants to limit the amount of disk space that can be used by each user. Each user must be allowed to use a maximum of 2 GB of storage on Server1. You need to limit disk space usage on Server1 to 2 GB per user. Administrators must not have these limits. What should you do?

A. Create a Group Policy object (GPO) linked to the CompanyUsers OU. In the GPO, enable disk quotas.
B. Create a Group Policy object (GPO) linked to the CompanyUsers OU. In the GPO, enable a size limit on user profiles.
C. Create a Group Policy object (GPO) linked to the CompanyServers OU. In the GPO, enable disk quotas.
D. Create a Group Policy object (GPO) linked to the CompanyServers OU. In the GPO, enable a default cache size for offline files.
Answer: B

Explanation: To prevent users, computers, and groups from creating an unlimited number of objects in Active Directory, Windows Server 2003 has added quotas. Active Directory quotas are used to limit how many objects are owned in a particular directory partition. While quotas can be applied to almost every user, computer, and group, Domain Administrators and Enterprise Administrators are exempted from these limits. The quotas that are used to limit the ability of a user, computer, or group from creating too many objects in Active Directory should not be confused with disk quotas, which are also available on Windows Server 2003 servers (regardless of the functionality level being used).
The new Active Directory quotas (not to be confused with disk quotas) are defined as the number of objects that can be owned by a given user in a given directory partition. Domain Admins and Enterprise Administrators are exempt from the quota, and they do not apply at all to the schema partition. Replicated operations do not count toward the command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface exists for quota administration.
Disk quotas can be used to limit the amount of hard disk space that can be used on a
volume that's formatted in NTFS. The NTFS file system is more advanced than other file systems such as FAT or FAT32, which can also be used to format volumes. By using disk quotas on an NTFS volume, administrators can prevent users from filling up the hard disk with an unlimited number of files.

Incorrect answers:
A: Making use of disk quotas will not have the desired effect.
C: The CompanyServers OU is the wrong organizational unit to link the GPO to.
D: First, it is wrong to link the newly created GPO to this particular organizational unit, and furthermore, the GPO should not be one that enables a default cache size for offline files.

Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 1, p. 69 & Chapter 4, p. 250

QUESTION NO: 10
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Accounting. A user named Tess works in the accounting department. A user account for Tess is located in the Accounting OU. You create three Group Policy objects (GPOs) and link them to the Accounting OU. The three policies are shown in the Accounting Properties exhibit.
You run Resultant Set of Policy (RSoP) in logging mode for Tess's user account. The results for the policies that apply to Tess's user account are shown in the RSoP Settings exhibit.
You need to ensure that the Desktop tab and the Screen Saver tab are disabled. What should you do?

A.
Move the Hide Screen Saver disabled GPO higher in the priority list in the Group Policy Object Links area of the Accounting Properties dialog box.
B. Move the Hide Screen Saver disabled GPO lower in the priority list in the Group Policy Object Links area of the Accounting Properties dialog box.
C. Disable the Block Policy inheritance setting on the Accounting OU.
D. Click the Options button in the Accounting Properties dialog box and enable the No Override setting on the Hide desktop tab GPO.

Answer: B

Explanation: The Desktop tab is hidden, so we just need to hide the Screen Saver tab. With the current settings, the Hide Screen Saver Enabled policy is applied first. It is then overwritten by the Hide Screen Saver Disabled policy. The result is that the Screen Saver tab is no longer hidden. We can rectify this by moving the Hide Screen Saver disabled GPO lower in the priority list in the Group Policy Object Links area of the Accounting Properties dialog box. This will mean that the Hide Screen Saver Disabled policy is applied first and is then overwritten by the Hide Screen Saver Enabled policy.

Incorrect Answers:
A: The Hide Screen Saver disabled GPO is already higher in the priority list than the Hide Screen Saver Enabled GPO. It needs to be lower.
C: The problem is caused by the OU policies. Unblocking inheritance won't affect the OU policies.
D: This won't affect the policies applied at this OU level. This would only affect child OUs if they existed.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
11-3 to 11-23

QUESTION NO: 11
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All computers are members of the domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains desktop client computers and portable client computers. The
portable computers include both laptop computers and tablet computers. Client computer accounts are located in various organizational units (OUs) organized by department and division, along with desktop computer accounts. A written company policy requires that no portable computer is to be left unattended and logged on to the network, unless protected by a password. Users are not allowed to override this requirement. This requirement does not apply to desktop computers because those computers are located in secured offices. You need to configure your network so that portable computers comply with the written requirement. What should you do?

A. Create a Group Policy object (GPO) that specifies a logon script. Link this GPO to the domain. Configure the logon script to read the Oeminfo.ini file for manufacturer and model information, and set the screen saver properties if the manufacturer and model number indicates one of the portable computers.
B. Create a Group Policy object (GPO) that specifies a logon script. Link this GPO to the domain. Configure the logon script to make a WMI query for manufacturer information and update the user's profile information in Active Directory if the user is using a portable computer.
C. Create a Group Policy object (GPO) that specifies a password-protected screen saver. Link this GPO to the domain. Use a WMI filter to query for the hardware chassis type information to ensure that the GPO applies only to the portable computers.
D. Create a Group Policy object (GPO) that specifies a password-protected screen saver. Link this GPO to the domain. Use a WMI filter to query for the specific edition of Windows XP Professional installed on the computer to ensure that the GPO applies only to the portable computers.
Answer: C

Explanation: We can use a WMI filter to query for the hardware chassis type information to ensure that the GPO applies only to the portable computers.

Incorrect Answers:
A: This is a very difficult and impractical way of doing it.
B: Updating the user profile would not achieve anything.
D: The desktops would probably have the same version of XP as the laptops.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20 to 10-21, 11-6

QUESTION NO: 12
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. All client computer accounts are located in an organizational unit (OU) named Workstation.
A written company policy states that the Windows 2000 Professional computers must not use offline folders. You create a Group Policy object (GPO) to enforce this requirement. The settings in the GPO exist for both Windows 2000 Professional computers and Windows XP Professional computers. You need to configure the GPO to apply only to Windows 2000 Professional computers. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Create a WMI filter that will apply the GPO to computers that are running Windows 2000 Professional.
B. Create a WMI filter that will apply the GPO to computers that are not running Windows XP Professional.
C. Create two OUs under the Workstation OU. Place the computer accounts for the Windows XP Professional computers in one OU, and place the computer accounts for the Windows 2000 Professional computers in the other OU. Link the GPO to the Workstation OU.
D.
Create a group that includes the Windows XP Professional computers. Assign the group the Deny - Generate Resultant Set of Policy (Logging) permission.
E. Create a group that includes the Windows 2000 Professional computers. Assign the group the Deny - Apply Group Policy permission.

Answer: A, B

Explanation: WMI filters are ignored by Windows 2000 clients but not by Windows XP clients. Thus, the Windows XP clients will evaluate the filter to see if the GPO should apply to them or not, while the Windows 2000 clients will just apply the GPO without evaluating the WMI filter.

Incorrect Answers:
C: This looks like a good idea. However, applying the GPO to the Workstation OU will (by inheritance) apply the GPO to the two child OUs.
D: This won't prevent the application of the GPO.
E: This answer is close, but incorrect. This will prevent the GPO applying to the Windows 2000 clients. If the group contained the Windows XP clients, then it would work.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20 to 10-21, 11-6

QUESTION NO: 13
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The following table shows the types and quantities of Windows Server 2003 Web and database servers in the domain.

Server type                           Quantity
Nonproduction test Web server         2
Nonproduction test database server    2
Production Web server                 10
Production database server            10

The computer accounts for the Web and database servers are located in the default Computers container. The domain also includes many organizational units (OU) that contain other computer accounts. TestKing plans to use Group Policy objects (GPO) to centrally apply security settings to the Web and database server computers. The settings need to be applied as follows:
1. Some security settings need to apply to all Web and database servers.
2. Some security settings need to apply to the nonproduction servers only.
3.
Some security settings need to apply to the production servers only and must not be overridden.
4. Other security settings need to apply to specific server types only.
You need to create an organizational unit (OU) structure to support the GPO requirements. You want to create as few GPOs and links as possible while using only the default security permissions for GPO links. You also want to limit the number ***missing*** What should you do?

A. Create two top-level OUs named Web and Database under the domain. Create two child OUs named Nonproduction and Production under both the Web OU and the Database OU.
B. Create two top-level OUs named Nonproduction and Production under the domain. Create two child OUs named Web and Database under both the Nonproduction OU and the Production OU.
C. Create a top-level OU named Servers under the domain. Create two child OUs named Web and Database under the Servers OU. Create two child OUs named Nonproduction and Production under both the Web OU and the Database OU.
D. Create a top-level OU named Servers under the domain. Create two child OUs named Nonproduction and Production under the Servers OU. Create two child OUs named Web and Database under both the Nonproduction OU and the Production OU.

Answer: D

Explanation: We need some settings to apply to all web servers and database servers, and then we need some settings that apply only to the nonproduction servers and some settings that apply only to the production servers - settings that are applied to the production servers must not be overwritten. In addition, we have other settings that apply to different server types. The other settings thus apply only to the server
types. contains production servers and non production servers, and a bottom level that contains server types (one for web servers and one for database servers).

Incorrect Answers:
A, B: The top level OU should contain all servers.
C: The server types OU must be at the lowest level because the other settings would apply only to them and should not be inherited. Inheritance is from parent to child.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to 6-9, 6-16 to 6-23

QUESTION NO: 14
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains named testking.com, texas.testking.com, and dakota.testking.com. The functional level of the forest is Windows Server 2003. Both texas.testking.com and dakota.testking.com contain employee user accounts, client computer accounts, and resource server computer accounts. The domain named testking.com contains only administrative user accounts and computer accounts for two domain controllers. Each resource server computer provides a single service of file server, print server, Web server, or database server. TestKing plans to use Group Policy objects (GPOs) to centrally apply security settings to resource server computers. Some security settings need to apply to all resource servers and must not be overridden. Other security settings need to apply to specific server roles only. You need to create an organizational unit (OU) structure to support the GPO requirements. You want to create as few GPOs and links as possible. What should you do?

A. Create a top-level OU for each server role under the testking.com domain. Create a top-level OU named Servers under the texas.testking.com domain. Create a top-level OU named Servers under the dakota.testking.com domain.
B.
Create a top-level OU named Servers under the texas.testking.com domain. Create a child OU for each server role under the Servers OU. Create a top-level OU named Servers under the dakota.testking.com domain. Create a child OU for each server role under the Servers OU.
C. Create a top-level OU named Servers under the testking.com domain. Create a child OU for each server role under the Servers OU.
D. Create a top-level OU for each server role under the texas.testking.com domain. Create a top-level OU for each server role under the dakota.testking.com domain.

Answer: B

Explanation: With a top-level OU named Servers, we can apply group policies to all the resource servers. With child OUs for each server role, we can apply group policies to individual server roles. Two domains have resource servers, dakota.testking.com and texas.testking.com. We need to create the OU structure in each of these two domains.

Incorrect Answers:
A: We need an OU for each server role in dakota.testking.com and texas.testking.com, because the resource servers are in those domains.
C: We need a top level OU for all the resource servers in dakota.testking.com and texas.testking.com, so we can apply group policies to all the servers.
D: We need a top level OU for all the resource servers in dakota.testking.com and texas.testking.com, so we can apply group policies to all the servers.

Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
406, 408-411, 576-58

QUESTION NO: 15
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 50 servers running Windows Server 2003 and 1000 client computers running Windows XP Professional. All client computers are in an organisational unit (OU) named Clients. All server
computers are in an organisational unit (OU) named Servers. You discover that most of the servers are running the SMTP service and the Telnet service. These services are not required and should be disabled. What is the easiest way to ensure that the services are always disabled on the servers?

A. Use gpedit.msc to create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Servers OU.
B. Use gpedit.msc to create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Servers OU.
C. Use gpedit.msc to create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Servers OU.
D. Use gpedit.msc to create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Servers OU.

Answer: C

Explanation: The servers have been moved to an OU. This makes it easy for us to configure the servers using a group policy. We can simply assign a group policy to the Servers OU to disable the services.

Incorrect Answers:
A: The logon script would only run when someone logs on to the servers. It's likely that the servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be refreshed at regular intervals.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
13: 85-86

QUESTION NO: 16
Exhibit
You are a network administrator for TestKing.com. The user accounts for all service desk users are members of a global group named Service Desk and are located in ServiceDesk OU. A GPO named Admin Tools assigns the Windows Server 2003 Administration Tools Pack to users. You link the GPO to the Administrators OU. The administrative tools are not installed on the client computers used by the service desk users. These users require the administrative tools. You use the Group Policy Management Console (GPMC) to examine how the Group Policy is applied to the ServiceDesk OU. You discover that the inheritance of GPOs is blocked for the ServiceDesk OU.
You need to ensure that the administrative tools are installed on the client computers used by the service desk users. You also need to ensure that the client computers used by the service desk users are not modified in any other way. What should you do?

A. Link the Admin Tools GPO to the ServiceDesk OU.
B. Link the Admin Tools GPO to the domain.
C. Configure the Admin Tools GPO to apply to the Service Desk global group.
D. Create a new GPO that assigns the Windows Server 2003 Administration Tools Pack to computers. Link the new GPO to the ServiceDesk OU.

Answer: A

Explanation: The question stated that Block Policy Inheritance is enabled for the ServiceDesk OU. Given the exhibit that shows the OU structure of TestKing and also that the Admin Tools GPO is linked to the Administrators OU, you should then link the Admin Tools GPO to the ServiceDesk OU to ensure that administrative tools are also installed on the ServiceDesk OU's client computers without changing the client computers in any other way.

Incorrect answers:
B: That GPO should be linked to the ServiceDesk OU and not the domain.
If linked to the domain then it will apply to unnecessary computers as well. The question states that the
administrative tools installed should be used by the service desk users' client computers and that these computers should not be modified in any other way.
C: A global group can contain accounts and groups from the domain in which it is created, and be assigned permissions to resources in any domain in a tree or forest. Because it only applies to the domain in which it's created, this type of group is commonly used to organize accounts that have similar access requirements. Having the Admin Tools GPO only applied to the Service Desk global group would not necessarily have the desired effect then.
D: There is no need to create a new GPO since there is already a GPO called Admin Tools that serves the same purpose.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 9: 18-19
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 2, p.
13

QUESTION NO: 17
You are the network administrator for TestKing. The network consists of two Active Directory forests, each consisting of a single domain. The functional level of both forests is Windows Server 2003. One forest is used for testing and the other forest is used for production. The test forest contains a single domain controller. You are using the test forest to test Group Policy objects (GPOs) that manage administrative templates before they are implemented in the production forests. This testing includes changes to the Default Domain Policy GPO and the Default Domain Controllers Policy GPO. You need to be able to restore the Default Domain Policy and Default Domain Controllers Policy GPOs for the test domain to the settings used in the production forest. You want to accomplish this task by using the minimum amount of administrative effort. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Run the dcgpofix /both command in the test domain.
B. Back up the Default Domain Policy and Default Domain Controllers Policy GPOs from the production domain by using the Group Policy Management Console (GPMC).
C. Import the Default Domain Policy and Default Domain Controllers Policy GPOs into the test domain by using the Group Policy Management Console (GPMC) and a migration table.
D. Back up the original GptTmpl.inf files for the Default Domain Policy and Default Domain Controllers Policy GPOs from the production forests.
E. Restore the backed up GptTmpl.inf files to the test domain.
F. Increment the version in the Gpt.ini files for the Default Domain Policy and Default Domain Controllers Policy GPOs.
Answer: B, C

Explanation: We can use the Group Policy Management Console (GPMC) to back up the GPOs from the production domain and import them into the test lab. The GPMC lets administrators manage Group Policy for multiple domains and sites within one or more forests, all in a simplified user interface (UI) with drag-and-drop support. Highlights include new functionality such as backup, restore, import, copy, and reporting of Group Policy objects (GPOs). These operations are fully scriptable, which lets administrators customize and automate management.
When we do the restore process, we need to restore both policies, Domain and DCs. Therefore, for the DCs we will need to use a migration table to migrate the security principals. If we install GPMC in the default path, we need to execute the script CreateMigrationTable.wsf from C:\Program Files\GPMC\Scripts. This script creates migration tables that can be edited and used to map paths and security principals to new values when importing and copying GPOs across domains.

Incorrect answers:
A: The Dcgpofix command restores Group Policy Objects (GPOs) to the state they were in when initially installed. By restoring these GPOs to their original states, any changes
that were made to them are lost. This is not what is re6uired in this scenario. 39 There is no need to bac/up files for the Default Domain 5olic and the Default Domain .ontrollers 5olic C5' from the production forest. This will result in unnecessar administrati%e effort. +9 $ince the test domain is used to test the settings and what is needed is to appl these settings to the production domain then all that is necessar is to bac/ up the Default Domain 5olic and Default Domain .ontrollers 5olic C5's from the production domain b using the Croup 5olic Management .onsole *C5M.+ and then to import it into the test domain. #9 This option will result in too much administrati%e effort being applied when all that is needed is to bac/ up the Default Domain 5olic and Default Domain .ontrollers 5olic C5's from the production domain b using the Croup 5olic Management .onsole *C5M.+ and then to import it into the test domain. Reference& Michael .ross, Qeffer A. Martin, Todd A. !alls, Martin Crasdal, Debra 4ittle)ohn $hinder L Dr. Thomas !. $hinder, M.$39 3Bam G"22=-9 5lanning, &mplementing, and Maintaining a !indows $er%er 2""3 Acti%e Director &nfrastructure $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, MA, 2""3, .hapter 1, p. -; M$ !hite 5aper9 Migrating C5's Across Domains with C5M. http9HHwww.microsoft.comHwindowsser%er2""3HdocsHMigC5's.doc 4eading the wa in &T testing and certification tools, www.test/ing.com 2 2=G 2 5art 29 .onfigure the user en%ironment b using Croup 5olic . A9 Distribute software b using Croup 5olic . 
(12 questions)

QUESTION NO:
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. There is an organizational unit (OU) named DocProcessing. The DocProcessing OU contains user accounts for users in the document processing department. You create a Group Policy object (GPO) and link it to the DocProcessing OU. You configure the GPO to publish a graphics application. Some of the users in the document processing department report that the application is not available from the Start menu, and other users report that the graphics application was installed successfully after they double-clicked a graphics application document. You need to ensure that all users in the DocProcessing OU can successfully run the graphics application. What should you do?

A. Instruct users who report a problem to run the gpupdate command on their computers.
B. Instruct users who report a problem to install the application by using Add or Remove Programs in Control Panel.
C. Run the Resultant Set of Policy (RSoP) tool on the domain controllers on the network.
D. Run the gpresult command on each client computer and domain controller on the network.

Answer: B

Explanation: You have published the applications to users. This setting makes the application available for users to install. In order to install a published application, users need to use the Add or Remove Programs applet in Control Panel, which includes a list of all published applications that are available for them to install. Users in the document processing department report that the application is not available from the Start menu. It won't be available in the Start menu because the application was published, not assigned.

Incorrect Answers:
A: This will refresh the group policy. It won't make the application available in the Start menu.
C: This will display the resultant policy.
It won't make the application available in the Start menu.
D: This will display the resultant policy. It won't make the application available in the Start menu.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 18: 15

QUESTION NO: 2
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. An organizational unit (OU) named Sales contains two child OUs named Accounts Payable and Accounts Receivable.

You need to deploy an accounting application to all user accounts in the Sales and Accounts Receivable OUs. You do not want to deploy the application to the user accounts in the Accounts Payable OU. In addition, you have a graphics application that you need to deploy to all user accounts in the Accounts Payable OU only. You need to configure your Group Policy object (GPO) structure to achieve these goals. What should you do?

A. Create a GPO named Software Distribution and link it to the Sales OU. Configure the GPO to deploy both the accounting and the graphics applications. Enable the No Override setting on the GPO. On the Accounts Payable OU, enable the Block Policy inheritance setting.
B. Create a GPO named Software Distribution and link it to the Sales OU. Configure the GPO to deploy both the accounting and the graphics applications. Modify the discretionary access control list (DACL) settings of the GPO to assign the Authenticated Users group the Deny - Read and the Deny - Apply Group Policy permissions.
C. Create a GPO named Graphics and link it to the Sales OU. Configure the GPO to deploy the graphics application. Create a GPO named Accounting Software and link it to the Accounts Payable OU. Configure the GPO to deploy the accounting application. On the Accounts Payable OU, enable the Block Policy inheritance setting.
D. Create a GPO named Accounting Software and link it to the Sales OU. Configure the GPO to deploy the accounting application. Create a GPO named Graphics and link it to the Accounts Payable OU. Configure the GPO to deploy the graphics application. On the Accounts Payable OU, enable the Block Policy inheritance setting.
Answer: D

Explanation: We need to deploy an accounting application to all user accounts in the Sales and Accounts Receivable OUs but not to the user accounts in the Accounts Payable OU. Instead we want to deploy a graphics application to all user accounts in the Accounts Payable OU. This means we need two GPOs: one GPO that deploys the accounting application to the aren't concerned about the Accounts Receivable OU because that OU is a child OU of the Sales OU so it will get the settings applied at the parent OU. The Accounts Payable OU is also a child OU of the Sales OU so we must prevent it from getting the accounts application from the Sales OU by setting the Accounts Payable OU to Block Policy Inheritance.

Incorrect Answers:
A, B, C: The graphics application must be deployed only to the Accounts Payable OU. Therefore we should apply it to the Accounts Payable OU and not the Sales OU.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-20, 10-40 to 10-41

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional and are members of the domain. Only designated IT support staff have administrative rights on client computers. TestKing requires all client computers to run antivirus software. TestKing licenses an antivirus application that is installed on a file server named Testking1. An unattended installation can be performed on each client computer by running the setup command from a shared folder on Testking1. Several users report that when they attempt to install the antivirus application, they receive the following error message: "You do not have sufficient privileges on this computer to perform this action." You verify that the antivirus application is not installed on any client computers. You need to ensure that all client computers have the antivirus application installed. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Create a Group Policy object (GPO) linked to the domain. Use the GPO to launch a login script that runs the setup command to install the antivirus application if it is not currently installed. Instruct all users to restart their client computers.
B. Create a Group Policy object (GPO) linked to the domain. Use the GPO to launch a startup script that runs the setup command to install the antivirus application if it is not currently installed. Instruct all users to restart their client computers.
C. Create a batch file that runs the setup command. Send this batch file in an e-mail message to all users. Instruct all users to run this batch file.
D. Use Remote Assistance to run the setup command on each client computer.

Answer: B

Explanation: Group Policy is the component within Active Directory that enables directory-based change and configuration management of user and computer settings, including security and user data. Use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify policy settings for registry-based policies, security, software installation, scripts, folder redirection, remote installation services, and Object Editor. On the other hand, Group Policy Object (GPO) is a collection of Group Policy settings. GPOs are essentially the documents created by the Group Policy Object Editor. GPOs are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units (OUs). In addition, each computer has exactly one group of settings stored locally, called the local Group Policy Object.
Making use of a GPO that is linked to the domain to launch a startup script that runs the setup command to install the antivirus application, and instructing all users to restart their computers, will represent the least administrative effort to ensure that all client computers have the application installed.

Incorrect answers:
A: This option describes the correct procedure that is needed, but it says to launch a login script; this is not what is required.
You need to launch a startup script to run the setup command to install the application.
C: The creation of a batch file and e-mailing it to all users telling them to install the batch file is not what is required in this case.
D: There is no need to make use of Remote Assistance since this option will also accomplish the task, but with much more administrative effort than is necessary.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, pp. 2-19 to 2-2

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You use a Group Policy object (GPO) to distribute an application to users. The application is contained in an .msi file that is stored in a shared folder. Users report that they do not have the application installed. You verify that the GPO successfully installed the application on your computer. On the client computers, you see the error message shown in the exhibit. You need to ensure that users can install the application. What should you do?

A. Configure the default package location in the GPO to be the network path to the application.
B. Configure the Windows Installer service on each client computer to start as a member of the Domain Admins group.
C. Create a GPO to enable the Always install with elevated privileges setting.
D. Assign the users the Allow - Read permission for the .msi file.
Answer: D

Explanation: To assign the application to users, the users need at least Allow - Read permission to the msi file.

Incorrect Answers:
A, B: Configuring the package location or the Windows Installer service won't help if the users don't have Allow - Read permissions.
C: Users need the Allow - Read permission to the msi file.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-20, 10-40 to 10-41

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. All user accounts for the sales department users are located in an organizational unit (OU) named Sales. The client computers are located in the default Computers container. All users in the sales department require a sales application to be installed on their client computers. You create a new Group Policy object (GPO). You create a software installation package and use the GPO to assign the package to computers. You link the GPO to the Sales OU. Users in the sales department report that the application is not installed on any client computers. You need to install the application on all client computers in the sales department. You need to ensure that the application is installed only on the client computers used by users in the sales department. What should you do?

A. Modify the GPO to specify that Windows Installer packages will be installed by using elevated permissions.
B. Modify the GPO so that the application is assigned to user accounts.
C. Enable loopback processing for the GPO.
D. Link the GPO to the Computers container.

Answer: B

Explanation: Applications should either be published or assigned.

Incorrect Answers:
A: We need to assign or publish the application. Specifying the packages to be installed by using elevated permissions will not work.
C: Loopback processing is not required.
D: We need to assign or publish the application. Simply linking the GPO won't work.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 6
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You use Group Policy objects (GPOs) to distribute software. TestKing uses two different applications to view graphics. Users are allowed to choose which program they will use based on the features and formats they require. Only the users are allowed to decide which of these two applications will be installed. You need to configure the GPOs to install either graphics application based on the user's choice. What should you do?

A. Publish both applications with file extension activation.
B. Publish both applications without file extension activation.
C. Assign both applications to install on demand.
D. Assign both applications to complete a full installation.

Answer: B

Explanation: You can publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install.

Incorrect Answers:
A: Only one application will install when a file is opened. The users won't have the choice.
C: The applications should be published, not assigned.
D: This doesn't make sense.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10

QUESTION NO: 7
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Employees use client computers and also use Remote Desktop to connect to a terminal server named TK1. All users in TestKing have user accounts in an organizational unit (OU) named Company Users. All users receive applications that are assigned to their user accounts by Group Policy objects (GPOs) linked to the Company Users OU. The GPOs use security filtering to control which security groups receive which applications. Users report that when using TK1, their assigned applications are not available. You need to configure your network so that the applications are available to users when they connect to TK1. You need to ensure that users cannot run any application that is not currently assigned to them. What should you do?

A. Reconfigure the GPOs containing software installation packages so that the software installation packages are published to users.
B. Reconfigure the GPOs containing software installation packages so that assigned software installation packages are automatically installed at logon.
C. Install all required software on TK1. Use NTFS permissions to control which security groups can access which applications.
D. Link the GPOs containing software installation packages to the domain, not to an OU.
Answer: C

Explanation: When an application is assigned to a user, it is not available if the user connects to a Terminal Server using a Remote Desktop Connection. The only way to make the applications available on a Terminal Server is to manually install the applications on the server. We can use NTFS permissions to ensure that only the appropriate users are able to use the application.

Incorrect Answers:
A: It doesn't matter if the applications are published or assigned. They will not be available on a Terminal Server.
B: The software will be installed on the users' client computers, but not the Terminal Server.
D: The applications are assigned to users, not computers. The users receive the GPOs, so linking the GPO to the domain won't make any difference.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 8
MULTIPLE HOTSPOT
You are the Network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. The user accounts for the processing department are located in an Organizational Unit (OU) named processing. You need to deploy an application to all users in the processing department. You create a Group Policy Object (GPO) and link it to the processing OU. You place the .msi file for the application in a shared folder on the network. You configure the User Configuration section of the GPO to deploy the application. You need to ensure that the application is immediately ready for use when a user logs on to a client computer. You also need to prevent any user from continuing to use the application if the user's user account is moved to another OU. What should you do?

Answer:

Explanation: Select the following check boxes:
1. Assigned.
2. Uninstall this application when it falls out of the scope of management.
3. Install this application at logon.
4. Basic

We need to assign the application to the users and select the "Install this application at logon" option to ensure that the application is immediately ready for use when a user logs on to a client computer. To prevent any user from continuing to use the application if the user's user account is moved to another OU, we need to select the "Uninstall this application when it falls out of the scope of management" option. The "Basic" option ensures that the application installs with minimal (or no) user intervention.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 9
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. User accounts for users in the finance department are in an organizational unit (OU) named Finance. You use Group Policy objects (GPOs) to manage these user accounts. Users in the finance department need a new application installed on their computers. Several of these users volunteer to be pilot users to test the application before it is deployed throughout the department. You configure a GPO to install the application. You create a group named PilotUsers in the Finance OU. You make the pilot users' user accounts members of the PilotUsers group. The pilot users' user accounts are also in the Finance OU. You need to allow only the pilot users to test the application. What should you do?

A. Assign the PilotUsers group the Allow - Read and the Allow - Write permissions for the gPLink property of the Finance OU.
B.
Assign the PilotUsers group the Allow - Read and the Allow - Apply Group Policy permissions for the GPO. Remove the Authenticated Users group's permissions to apply the GPO.
C. Assign the PilotUsers group the Allow - Generate Resultant Set of Policy (Logging) permissions for the Finance OU.
D. Assign the PilotUsers group the Allow - Generate Resultant Set of Policy (Planning) permission for the Finance OU.

Answer: B

Explanation: We need to install the application for the pilot users only. We can do this by assigning the PilotUsers group the Allow - Read and the Allow - Apply Group Policy permissions for the GPO. To prevent the GPO applying to the other finance users, we need to remove the Authenticated Users group's permissions to apply the GPO.

Incorrect Answers:
A: We need to assign permissions to apply the group policy, not link the policy.
C: This will allow the PilotUsers group to run RSoP in logging mode. It won't configure the GPO to apply to just the pilot users.
D: This will allow the PilotUsers group to run RSoP in planning mode. It won't configure the GPO to apply to just the pilot users.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
408-411

QUESTION NO: 10
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All member servers run Windows Server 2003. All client computers run Windows XP Professional. All client computer accounts in the domain are located in an organizational unit (OU) named Workstations. You need to distribute a new application to all client computers on the network. You create a Group Policy object (GPO) that includes the application package in the software installation settings of the Computer Configuration section of the GPO. You assign the GPO to the Workstations OU. Several days later, users report that the new application is still not installed on their client computers. You need to ensure that the application is installed on all client computers. What should you do?

A. Instruct users to restart their client computers.
B. Instruct users to run Windows Update on their client computers.
C. Instruct users to force a refresh of the computer policy settings on their client computers.
D. Instruct users to force a refresh of the user policy settings on their client computers.

Answer: A

Explanation: When an application is assigned to a computer, the software is deployed when it is safe to do so (that is, when the operating system files are closed). This generally means that the software will be installed when the computer starts up, which ensures that the applications are deployed prior to any user logging on. For this scenario, we need to tell the users to restart their client computers.

Incorrect Answers:
B: Windows Update is used to update the operating system with the latest security patches etc.
C: You applied the policy several days ago. The client computers should have the GPO by now.
D: The setting isn't in the user section of the group policy.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 10, p.
646

QUESTION NO: 1
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A Group Policy object (GPO) named Software Restrictions prevents users from running unauthorized applications. This restriction does not apply to users who are local administrators on their client computers. Developers at the company create a new application for internal users. An administrator installs the application on a number of computers by running the Setup.exe file supplied by the developers. However, when users try to run the new application, they report that they cannot do so. You need to ensure that all users can run the new application. You also need to ensure that unauthorized applications cannot run. What should you do?

A. Install the application on computers that require its use. Create a WMI filter on the Software Restrictions GPO that detects where the software is installed and prevents the GPO from being applied.
B. Create a security group that contains all users who need to use the application. Modify the security settings on the Software Restrictions GPO so that its effects are bypassed for members of this group.
C. Create a hash value for the application's executable code file, and revise the Software Restrictions GPO to allow executable code files that match the hash value to run.
D. Repackage the application as an .msi package and use a new GPO to assign the package to the computers that require the application.

Answer: C

Explanation: We have a software restrictions policy that only allows authorised applications to run. The new application isn't authorised, so we need to authorise it by creating a hash value of the program file and modify the software restrictions policy to permit the users to run the application.

Incorrect Answers:
A: The GPO prevents users running unauthorized software.
Therefore, this GPO must be applied at all times - we cannot use a WMI filter to prevent the application of the GPO.
B: The GPO prevents users running unauthorized software. Therefore, this GPO must be applied at all times - we cannot use security filtering to prevent the application of the GPO to the users who require access to the new application.

D: Windows clients support setup.exe files. As long as the setup.exe file is written correctly, the users would be able to use the application. The users in this scenario cannot run the program because the software restrictions group policy is preventing them running the application.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 10, p. 647
MS Knowledge Base Article Q324036 HOW TO: Use Software Restriction Policies in Windows Server 2003

QUESTION NO: 12
You are the Network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The domain contains 300 user accounts and 325 computer accounts. Different users on the network need different applications based on the department in which they work. All of these applications are packaged as .msi files. Many of the applications are updated every year. You receive many support calls from users who need to have applications reinstalled because of damaged installations. The company decides that the cost of installing and maintaining these many applications is too high. You need to implement a technology that will enable you to lower the cost of deploying user applications while minimizing user down time. What should you do?

A. Configure Group Policy Objects (GPOs) to assign applications to user accounts.
B. Install servers running Remote Installation Services on the network.
C. Place a server running Software Update Services (SUS) on the network and configure a GPO to enable updates for all client computers.
D. Install Microsoft Operations Manager and enable SNMP on the client computers.
Answer: A

Explanation: You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension.
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications).
When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications.
When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

Incorrect answers:
B: Installing servers that run Remote Installation Services will contribute to downtime on the network. The question pertinently states to minimize downtime.
C: This is not a matter of running updates on the network for all the client computers to receive updates. The question states that full applications need to be reinstalled, and this is conceptually different from running updates.
D: Enabling SNMP on the client computers will not accomplish the task at hand.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 10: 12

B: Automatically enroll user certificates by using Group Policy.
(2 questions)

QUESTION NO:
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You configure a certification authority (CA) to issue smart card authentication certificates. Users who have administrative responsibilities are required to have two accounts. One account is for general computer use. The other account is an administrative account that has administrative privileges and is used only when performing administrative tasks. You decide to deploy smart cards to all users in TestKing.com. You issue one smart card to each user for general computer use. You enroll each user for a smart card authentication certificate. You need to plan smart card access for users who have administrative responsibilities. What should you do?

A. Issue an additional smart card to users who have administrative responsibilities. Enroll each user's administrative account for a smart card authentication certificate. Instruct users to use this card when logging on to perform administrative tasks.
B. Enroll each user's administrative account for a smart card authentication certificate. When prompted, store the certificate on the existing smart card. Instruct users to use this card when logging on to perform all tasks.
C. Configure Group Policy to autoenroll administrative users for certificates. Instruct these users to log on by using their nonadministrative accounts.
D. Issue a master card to users who have administrative responsibilities. Instruct users to use this card when logging on to perform administrative tasks.

Answer: B

Explanation: It is possible to store multiple certificates on a smart card. The user can select an account when he/she logs on.

Incorrect Answers:
A: It is not necessary to issue additional smart cards. A single smart card can store multiple certificates.
C: This answer won't work. The users need to log on using their administrative accounts to do administrative work. A certificate needs to be created for the administrative account and stored on a smart card.
3& &t is not necessar to issue additional smart cards. A single smart card can store multiple certificates. (urthermore, this answer seems to suggest ha%ing multiple smart cards with a single 8master8 certificate mapped to a single 8master8 administrati%e account. Reference& Martin Crasdal, 4aura 3. Aunter, Michael .ross, 4aura Aunter, Debra 4ittle)ohn $hinder, and Dr. Thomas !. $hinder, 5lanning and Maintaining a !indows $er%er 2""3 ,etwor/ &nfrastructure9 3Bam G"22=3 $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, &nc., Roc/land, MA "23G" .hapter 12, pp. >=> .raig Rac/er, M.$3 $elf25aced Training @it *3Bam G"22=3+9 5lanning and Maintaining a Microsoft !indows $er%er 2""3 ,etwor/ &nfrastructure, Microsoft 5ress, Redmond, !ashington, 2""-, .hapter 11 Michael .ross, Qeffer A. Martin, Todd A. !alls, Martin Crasdal, Debra 4ittle)ohn $hinder L Dr. Thomas !. $hinder, M.$39 3Bam G"22=-9 5lanning, &mplementing, and Maintaining a !indows $er%er 2""3 Acti%e Director &nfrastructure $tud Cuide L D?D Training $ stem, $ ngress 5ublishing, Roc/land, MA, 2""3, .hapter 3, pp. 
14-18

QUESTION NO: 2
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You install Certificate Services and configure an offline root certification authority (CA). You also configure an enterprise subordinate CA in the domain. Employees in the marketing department use a public key infrastructure (PKI) enabled application to store secure marketing data. Employees require a certificate that supports client authentication to gain access to this application. User objects for employees in the marketing department are stored in an organizational unit (OU) named Marketing. You create a Group Policy object (GPO) that configures users for autoenrollment, and you link the GPO to the Marketing OU. You create a duplicate of the User certificate template named Employee and assign permission to allow autoenrollment for users in the marketing department. You configure the Employee template to prompt the user during enrolment. An employee in the marketing department named David Lindberg reports that when he attempts to use the marketing application, he receives a message stating that he does not have a client authentication certificate. David is unable to use the marketing application. You examine David Lindberg's user object, shown in the exhibit.
**MISSING**
You need to ensure that David can use the marketing application.
What should you do?
A. Edit David Lindberg's user object to include an e-mail address.
B. Add David Lindberg's user object to the Cert Publishers domain local group.
C. On David Lindberg's computer, use the Web enrolment tool to connect to the subordinate CA and download a copy of the subordinate CA's certificate.
D. On David Lindberg's computer, use the Web enrolment tool to connect to the subordinate CA and download the most recent certificate revocation list (CRL).
Answer: D
Explanation: CAs can revoke as well as issue certificates. After a certificate is revoked, it needs to be published to a CRL distribution point. Clients check the CRL periodically before they can trust a certificate. Following this reasoning it could be that his certificate could have been revoked. To make sure that he can use the marketing application he should make use of the Web enrolment tool to connect to the subordinate CA and download the latest CRL.
Incorrect answers:
A: This is probably a case of a revoked CA and editing Lindberg's user object to include an e-mail address will not address the issue at hand.
B: This will not ensure that David will be able to make use of the marketing application.
C matter of downloading the latest CRL from the subordinate CA.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p.
909

C: Redirect folders by using Group Policy. (2 questions)

QUESTION NO: 1 MULTIPLE HOTSPOT
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. A written TestKing policy requires all documents created by the legal department to be saved to a shared folder named MyDocs on a file server named FileS1. The written policy also states that each user in the legal department must have a unique folder in which to store the user's documents. The user accounts for all users in the legal department are in an organizational unit (OU) named Legal. The users belong to various Active Directory groups. You create a new Group Policy object (GPO) and link it to the Legal OU. In the GPO, you open the properties of the Folder Redirection setting for My Documents folder. The dialog box is shown in the work area.
You need to configure folder redirection by using the minimum amount of administrative effort.
How should you configure the folder redirection settings? To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: Select "Basic - Redirect everyone's folder to the same location". Select "Create a folder for each user under the root path".
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-28 to 11-48

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with two sites. The two sites are named Testking1 and Testking2. TestKing has two offices, and each office is configured as one of the sites. All servers run Windows Server 2003. The two offices are connected by a 256-Kbps leased line. In addition, Testking1 and Testking2 are connected by a site link. Testking1 has 1,000 users and Testking2 has 15 users. There are no domain controllers in Testking2. You create a Group Policy object (GPO) to redirect the My Documents folder. You link the GPO to the domain. Users in Testking1 have their folders redirected successfully, but users in Testking2 do not. You need to ensure that users in Testking2 have their folders redirected.
What should you do?
A. Combine Testking1 and Testking2 into a single site.
B. Enable loopback processing in Merge mode in the GPO.
C. Remove the link for the GPO from the domain. Link the GPO to Testking1 and to Testking2.
D. Create a new GPO that disables Group Policy slow link detection. Link the new GPO to Testking2.
Answer: D
Explanation: The users in TestKing2 receive their GPOs from domain controllers in TestKing1. The bandwidth of the link between the two sites is less than 500Kbps which is the 'slow link' threshold. Therefore, if slow link detection is enabled, the policy won't apply. To apply the policy to users in TestKing2, we need to disable slow link detection.
Incorrect Answers:
A: Combining the two sites will make administration more complex.
B: Merge mode merges the user's normal policy settings and the loopback settings. This is not relevant to this scenario.
C: Linking the GPO at the OU level won't accomplish anything because the GPO is applied to the domain already.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-28 to 11-48

D: Configure user security settings by using Group Policy.
(10 questions)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs Windows NT Workstation 4.0, Windows 2000 Professional, or Windows XP Professional. The computer accounts for all client computers are located in an organizational unit (OU) named CompanyComputers. All user accounts are located in an OU named TestKingUsers. TestKing has a written policy that requires a logon banner to be presented to all users when they log on to any client computer on the network. The banner must display a warning about unauthorized use of the computer. You need to ensure when a user logs on to a client computer.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Create a Group Policy object (GPO) that includes the appropriate settings in the interactive logon section. Link the GPO to the domain.
B. Create a script that presents the required warning. Create a Group Policy object (GPO) that will cause the script to run during the startup process. Link the GPO to TestKingUsers OU.
C. Create a system policy file named Ntconfig.pol that includes the appropriate settings. Place a copy of this file in the appropriate folder on the domain controller.
D. Create a batch file named Autoexec.bat that presents the required warning. Copy the file to root folder on the system partition of all computers affected by the policy.
Answer: A, C
Explanation: We need to configure a GPO to display the logon message that will apply to the Windows 2000 and Windows XP clients. We need to configure a system policy to display the logon message that will apply to the Windows NT clients.
This policy is created with System policies and the System Policy Editor. System policies are used by network administrators to configure and control individual users and their computers. Administrators use POLEDIT.EXE to set Windows NT profiles that are either network- or user-based. Using this application, you can create policies, which are either local or network-driven, that can affect Registry settings for both hardware and users. The file created to apply the policy is named NTConfig.pol.
Incorrect Answers:
B, D: Scripts and Autoexec.bat are processed at startup rather than at logon.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-3 to 10-12, 10-16 to 10-20

QUESTION NO: 2 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network also consists of two sites named Testking1 and Testking2. Each site contains domain controllers. An organizational unit (OU) named Accounting contains two child OUs named Accounts Payable and Accounts Receivable. All user accounts for users in the accounting department are located in these three OUs. User accounts in the Accounting OU need to have password lengths of at least eight characters. You need to ensure that users in the Accounting OU, the Accounts Receivable OU, and the Accounts Payable OU cannot modify their screen savers. In addition, you need to ensure that users in the Accounts Payable OU cannot change their desktop wallpaper. Another administrator creates the four Group Policy objects (GPOs) listed in the following table.

Name   GPO section              Policy                                       Setting
GPO1   User Configuration       Prevent changing wallpaper                   Disabled
GPO2   Computer Configuration   Minimum password length equals 8 characters  Enabled
GPO3   User Configuration       Screen Saver                                 Disabled
GPO4   User Configuration       Prevent changing wallpaper                   Enabled

You need to decide where to link the appropriate GPOs to each OU.
Where should you link the GPOs? To answer, drag each appropriate GPO to the correct location or locations in the work area.
Answer:
Explanation: We need to ensure that user accounts in the Accounting OU have password lengths of at least eight characters. We can accomplish this by applying GPO2 at the domain level.
Next we need to ensure that users in the Accounting OU, the Accounts Receivable OU, and the Accounts Payable OU cannot modify their screen savers. We can accomplish this by applying GPO3 at the Accounting OU because the Accounts Receivable OU and the Accounts Payable OU are child OUs of the Accounting OU.
Finally, we must ensure that users in the Accounts Payable OU cannot change their desktop wallpaper. We can accomplish this by applying GPO4 at the Accounts Payable OU. We would use GPO4 rather than GPO1 because the setting is Prevent changing wallpaper. This must be enabled.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-20, 10-41

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Accounting.

A user named Marie works in the accounting department. A user account for Marie is located in the Accounting OU. You create a Group Policy object (GPO) and link it to the Accounting OU. You configure the GPO to require complex passwords. Marie reports that the policy is not in effect. You run Resultant Set of Policy (RSoP) in logging mode for Marie's user account. The results for the password policies are shown in the exhibit.
You need to ensure that the complex password policy is applied to the Accounting OU.
What should you do?
A. Enable the Block Policy inheritance setting on the Accounting OU.
B. Modify the Default Domain Policy GPO to enforce complex passwords.
C. Run the gpupdate command on Marie's client computer.
D. Disable the User Configuration section of the GPO linked to the Accounting OU.
Answer: B
Explanation: The exhibit shows that the Password must meet complexity requirements setting is disabled. We need to enable this setting.
Incorrect Answers:
A, D: The Password must meet complexity requirements setting is applied by the Default Domain Policy GPO. It is not applied at the Accounting OU.
C: The Gpresult command-line tool allows you to create and display an RSoP query, which can be used to analyze the cumulative effects of GPOs, through the command line. It also provides general information about the operating system, user, and computer.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-8 to 10-15

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain that contains four domain controllers. All servers run Windows Server 2003. All user accounts are located in an organizational unit (OU) named TestKingUsers. A written TestKing policy requires all users to use strong passwords. User passwords must contain a mixture of letters, numbers, or special characters. Passwords must be at least 10 characters long. Passwords must be changed at least every 60 days, and the new password cannot be the same as the old one. To enforce this requirement, you create a Group Policy object (GPO) named Password Policies and link the GPO to the TestKingUsers OU. The settings in the Password Policy section of the Password Policies GPO are shown in the exhibit.
You discover that users are creating simple passwords that do not meet the complexity requirements.
You need to ensure that TestKing's password requirements are enforced.
What should you do?
A. Link the Password Policies GPO to the Domain Controllers OU. Make it the first GPO in the list.
B. Configure the properties of the Password Policies GPO so that it cannot be overridden.
C. Delete the Password Policies GPO. Edit the Default Domain Policy GPO to include the settings from the Password Policy section of the Password Policies GPO.
D. Delete the Password Policies GPO. Edit the Default Domain Controllers Policy GPO to include the settings from the Password Policy section of the Password Policies GPO.
Answer: C
Explanation: Changes in Security Policies such as a password policy can only affect the user if applied at the Domain Level using the Default Domain Policy. Security Policies that affect computers can be applied at the OU level as well as at the Domain Level.
Incorrect Answers:
A: This GPO is applied to the Domain Controllers OU and would thus affect the policies set on a Domain Controller.
B: The password policies are set on a Users OU and not a computers OU.
C: This answer is nearly the same as A except that you delete and recreate the GPO.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains an empty root domain named testking.com and a child domain named research.testking.com.
You need to implement secure password protection for the accounts located in the research.testking.com domain.
What should you do?
A. Configure the Default Domain Policy Group Policy object (GPO) of the research.testking.com domain to enable the Password must meet complexity requirements policy.
B. Configure the Default Domain Controllers Policy Group Policy object (GPO) of the research.testking.com domain to enable the Password must meet complexity requirements policy.
C. Configure the Default Domain Policy Group Policy object (GPO) of the testking.com domain to enable the Password must meet complexity requirements policy. Enable the No Override setting on the GPO.
D. Configure the Default Domain Controllers Policy Group Policy object (GPO) of the testking.com domain to enable the Password must meet complexity requirements policy. Enable the No Override setting on the GPO.
Answer: A
Explanation: GPOs are applied at the level at which they are linked. The password policy must be configured at the domain level if it is to be applied to the domain. Therefore we must link the GPO at the domain level.
Incorrect Answers:
B: The password policy must be configured at the domain level, i.e., testking.com and not research.testking.com.
C: We don't need the No Override setting if the GPO is applied at the domain level.
D: The GPO must be configured at the domain not the domain controller.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-41 to 10-42

QUESTION NO: 6
You are the network administrator for TestKing, a company that has a single office. The network consists of a single Active Directory domain named testking.com and a single site. All servers run Windows Server 2003. All file and print servers and application servers are located in an organizational unit (OU) named Servers. A server support team handles daily support issues for the file and print servers and application servers. All of the server support team's user accounts are located in the OU named SST. You are responsible for managing security for TestKing's servers. You create a group named ServerSupport that includes all the user accounts of the server support team. You need to ensure that members of the server support team can log on locally to only the file and print servers and the application servers.
What should you do?
A. Create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right. Link the GPO to the SST OU.
B. Create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right. Link the GPO to the Servers OU.
C. Assign the ServerSupport group the Allow - Full Control permission for the Servers OU.
D. Assign the ServerSupport group the Allow - Full Control permission for the Computers container.
Answer: B
Explanation: All file and print servers and application servers are located in an organizational unit (OU) named Servers. Therefore, we can simply create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right and link the GPO to the Servers OU.
Incorrect Answers:
A: The GPO needs to be linked to the OU containing the computer accounts for the servers.
C: This would allow the ServerSupport group to create objects in the OU, and to modify the permission on existing objects. This is more 'permission' than necessary.
D: This would allow the ServerSupport group to create objects in the computers container, and to modify the permission on existing objects. This would have no effect on the servers because they are in a separate OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits.
What should you do?
A. Create a custom security template and apply it by using Group Policy.
B.
Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A
Explanation: The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings into a group policy. We can also use secedit to analyse the current security settings to verify that the required security settings are in place.
Incorrect Answers:
B: An IPSec policy will not configure the required auditing policy.
C: We need a security template, not an administrative template.
D: This will create multiple identical machines. We cannot use RIS images in this scenario.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13-57 to 13-66

QUESTION NO: 8
You are the network administrator for TestKing.com. The company has a main office and six branch offices. Each branch office employs fewer than 15 users. The network consists of a single Active Directory domain named testking.com configured as a single site. All servers run Windows Server 2003. Domain controllers are located in the main office. All branch offices are connected to the main office by WAN connections. All users are required to change their password every 10 days. They are further restricted from reusing a password until after they have used five different passwords. You discover that users in the branch office can log on by using recently expired passwords and access local resources during a WAN connection failure that lasts for 24 hours or longer. You need to ensure that users can log on to the domain only by using a current password.
What should you do?
A. Enable universal group membership caching in the site.

B. Instruct all users to log on by using their principal names (UPNs).
C. In Active Directory Users and Computers, require all users to change their passwords the next time they log on to the domain.
D. Configure the Default Domain Policy Group Policy object (GPO) to prevent logon attempts that use cached credentials.
Answer: D
Explanation: When the client computers are unable to contact a domain controller at the main office, the users are being logged on using 'cached credentials'. This means that the client computer remembers that the user successfully authenticated with the domain controller recently, so the client computer assumes it is ok to log the user on again after failing to contact a domain controller. We can disable this behaviour using a group policy.
Incorrect Answers:
A: Enabling universal group caching won't prevent the logons.
B: This won't prevent the users' ability to log on.
C: This won't prevent the users' ability to log on.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, p. 5-19
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 5-41
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
5-11

QUESTION NO: 9
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All the user accounts, groups, and application servers of the human resources (HR) department are located in an organizational unit (OU) named HR. The managers in the HR department need access to the application servers to perform administrative tasks. A local group named HRManagers exists on each application server. The HRManagers local groups supply the permissions that the HR managers require. For security reasons, the company wants user accounts for managers in the HR department to be the only members of the HRManagers groups. You need to ensure that membership of the HRManagers group in each application server is as secure as possible.
What should you do?
A. Create a Group Policy object (GPO) that configures restricted groups for each HRManagers group. Link the GPO to the HR OU.
B. Create a new OU for application servers under the HR OU, and move the servers to the new OU. Block permissions inheritance at the new OU.
C. Create a universal group named HRManagers and make the user accounts for HR managers members of that group. Make the HRManagers universal group a member of the HRManagers local group on each application server.
D. Create a script that adds the user accounts for managers in the HR department to the HRManagers local groups. Configure the script to act as the startup and shutdown script for the application servers.
Answer: A
Explanation: Given the organization structure of the company and the security concerns, the way to ensure that membership of the HRManagers group in each application server is as secure as possible is to place restrictions on the group membership by creating a GPO that configures restricted groups for each HRManagers group and linking this GPO to the HR OU.
Incorrect answers:
B: There is no need to create a new organizational unit and apply block permissions inheritance at the new OU when all that is necessary is to create a GPO that configures restricted groups for each HRManagers group and link this GPO to the HR OU.
C: Universal security groups are most often used to assign permissions to related resources in multiple domains. A universal security group has the following characteristics:
(i) Open membership - You can add members from any domain in the forest.
(ii) Access to resources in any domain - You can use a universal group to assign permissions to gain access to resources that are located in any domain in the forest.
(iii) Available only in domains with a domain functional level set to Windows 2000 native or Windows Server 2003 - Universal security groups are not available in domains with the domain functional level set to Windows 2000 mixed.
This is not secure enough for the purposes of this question.
D: The Membership rules for local groups include the following:
(i) Local groups can contain local user accounts from the computer where you create the local group.
(ii) Local groups cannot be members of any other group.
This option is thus not a viable option in the light of the security concerns and the nature of the HRManagers group.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8: 6

QUESTION NO: 10 DRAG DROP
You are the network administrator for Acme. The company consists of two subsidiaries named Litware Inc., and TestKing. Litware, Inc., has an office in Los Alamos. TestKing has two offices, one in New Delhi and the other in Berlin. The network consists of two Active Directory forests. A forest trust relationship exists between the two forests. One forest contains one domain named LosAlamos.litwareinc.com. The other forest contains two domains named NewDelhi.testking.com and Berlin.testking.com. All three offices are connected by two 128-Kbps connections. All servers run Windows Server 2003. The network uses roaming profiles and Group Policy objects (GPOs). Occasionally, users need to work at an office other than their usual office. Users must have the same desktop, no matter where they log on to the network. You need to ensure that the user's profile and the GPO settings that apply to the user's account will apply wherever the user logs on to the network.
What should you do? To answer, drag the appropriate configuration or configurations to the correct policy or policies in the work area.
Answer:
Explanation: The question states that when a user logs on in the other forest to the one where his user account resides, the user MUST have his desktop settings and group policy settings.
The first setting, "Wait for remote user profile" should be enabled so that the client computer waits to load the remote profile, no matter how long it takes.
To enable the roaming profiles and group policy settings to apply to the user across a forest link, we should enable the third setting, "Allow Cross-Forest User Policy and User Roaming Profiles".
We need to prevent the speed of the link affecting the policies that are applied.
However, we can't do this by simply disabling the slow link detection, because a disabled slow link detection policy will use a default setting of 512Kbps (our link is slower than that, so some group policy settings won't apply). We need to enable the policy and enter a connection speed of 0. This disables the setting in such a way that all group policies will be applied across the slow link, no matter how long they take to load.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, p. 588

Part 3: Deploy a computer environment by using Group Policy.
A: Distribute software applications by using Group Policy. (10 questions)

QUESTION NO: 1 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Windows Server 2003 domain controllers are located in two sites named Testking1 and Testking2. The domain contains an organizational unit (OU) named Accounting. The user accounts for users in the accounting department are located in the Accounting OU. Users in the accounting department can log on to any client computer. You need to deploy an antivirus application to all computers on the network without user intervention. You also need to deploy a special accounting application to user accounts in the Accounting OU without user intervention. The accounting application must be available to users in the accounting department regardless of which computer they are using. You need to minimize the number of GPO links. You create the Group Policy objects (GPOs) listed in the following table.

Name    GPO section               Policy setting
GPO1    Computer Configuration    Assign the antivirus application
GPO2    User Configuration        Assign the antivirus application
GPO3    Computer Configuration    Assign the accounting application
GPO4    User Configuration        Assign the accounting application
GPO5    User Configuration        Publish the antivirus application
GPO6    User Configuration        Publish the accounting application

Where should you link the GPOs? To answer, drag the appropriate GPO or GPOs to the correct domain component or components in the work area.

Answer:
Explanation:
We need to apply the antivirus application to all computers on the network. This means we should configure Computer Configuration section of the GPO to assign the antivirus application and link the GPO at the Domain level. Applications can only be assigned to computers; they cannot be published to computers. The only GPO that meets this is GPO1. We also need to apply an accounting application to user accounts in the Accounting OU without user intervention. The accounting application must be available to users in the accounting department regardless of which computer they are using. This means the applications must become part of the user's desktop or start menu. So we should configure User Configuration section of the GPO to assign the accounting application and link the GPO at the OU level.
The only GPO that meets this is GPO

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 2 DRAG DROP
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All user accounts in your domain are located in an organizational unit (OU) named User Accounts. User accounts are separated into two types: accounts for users who use portable computers and accounts for users who use desktop computers. The accounts for the users who use portable computers are in an OU named Portable, and the accounts for the users who use desktop computers are in an OU named Desktop. The OU structure is shown in the work area. Users who use portable computers often travel with them, but they do not connect to the network when they are out of the office. You need to install an application on all client computers. Users must be able to run the application even if the client computer is not connected to the network. You need to perform the installation in a way that reduces network load on the installation source. All software installed by using a Group Policy object (GPO) must require as little support as possible. You need to configure Group Policy to install the application. You also need to link any GPO to the appropriate OU. What should you do? To answer, drag the appropriate action or actions for a GPO to perform to the correct OU or OUs in the work area.

Answer:
Explanation:
The application must be installed on all client computers. However, some computers are portable computers. We therefore should not apply the GPO at the domain level but at the OU level because we can only have the application installed on the portable computers when users log on to the network from the portable computers. Once installed, this application must be available even when users aren't connected to the network, therefore we need to assign and not publish the application. Because we apply the GPO at the OU level, desktop users can be treated differently. To reduce network load on the installation source we can configure the GPO for the Desktop OU to install the application on demand rather than at log on.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with a single site. All client computers in the domain run Windows XP Professional. The relevant portion of the organizational unit (OU) structure is shown in the OU structure exhibit.
The user accounts for all managers are located in Managers OU. You need to deploy a new application. You create a new Group Policy object (GPO) that assigns the .msi application package to user accounts. You link the GPO to the domain. You configure the permissions on the GPO as shown in the Security Settings exhibit. You then remove the Authenticated Users built-in group from the permissions on the GPO.
The application package is installed on the client computers of all users who are not managers. Managers indicate that they want to have the application installed as well. You need to configure the GPO so that the application is installed on the manager's computers. What should you do?
A. Modify the permissions on the GPO by selecting the Allow - Apply Group Policy permission check box for the Managers global group.
B. Modify the permissions on the GPO by clearing the Deny - Apply Group Policy permission check box for the Managers global group.
C. Remove the link between the GPO and the domain. Link the GPO to Managers OU.
D. Remove the link between the GPO and the domain. Link the GPO to the site that contains the domain controller.

Answer: A
Explanation:
The Managers group has Deny - Apply Group Policy permission. This prevents them from having the GPO applied to them. We should assign them the Allow - Apply Group Policy permission.
Incorrect Answers:
B: The Allow - Apply Group Policy permission needs to be explicitly granted. Thus, clearing the Deny - Apply Group Policy permission check box won't do.
C, D: The Managers group has Deny - Apply Group Policy permission. This prevents them from having the GPO applied to them and is not dependent on which container the GPO is linked to.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41

QUESTION NO: 4

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. The domain includes an organizational unit (OU) named TerminalServers and a global group named Accounting. The TerminalServers OU contains all of the Windows Server 2003 computer accounts running Terminal Services. Members of the Accounting group connect to terminal servers to access their software applications. You create a Group Policy object (GPO) and link it to the TerminalServers OU. You configure the GPO to publish a software installation package that installs the most recent tax application. Users in the Accounting group report that the new tax application is not installed on any of the terminal servers. You log on to one of the servers running Terminal Services and attempt to use Add or Remove Programs in Control Panel. When you select Add New Program, you receive the following message: "Applications are not available to install from the network in this mode." You need to ensure that the new tax application is installed on the computers running Terminal Services. What should you do?
A. Modify the GPO and configure the software installation package to be assigned under the Computer Configuration section of the GPO under Software Settings.
B. Modify the GPO and configure the software installation package to be assigned under the User Configuration section of the GPO under Software Settings.
C. Modify the discretionary access control list (DACL) settings of the GPO to assign the Authenticated Users group the Deny - Read and the Allow - Apply Group Policy permissions.
D. Modify the discretionary access control list (DACL) settings of the GPO to assign the computer accounts in the TerminalServers OU the Allow - Read and the Allow - Apply Group Policy permissions.
Answer: A
Explanation:
In order for the Software application to be available through a Terminal Session, the software application must be installed on the server itself. If the GPO assigns the software installation package under user configuration the software will not get installed onto the Terminal Server.
Incorrect Answers:
B: We need the application applied to the computer not the user.
C, D: This doesn't make sense.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41, 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 5
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers are Windows XP Professional computers that are members of the domain. TestKing wants to install a new application on only the computers where it is required. However, once installed on a particular computer, the application can be used by any user logged on to that computer. The application is installed by using a Windows Installer package. You copy the .msi file to a shared folder on a file server. The shared folder is configured so that members of the Domain Admins group have the Allow - Full Control permission, and no other permissions are granted. TestKing wants to automate installation as much as possible. Users must not be able to install unauthorized copies of the application. You need to ensure that the application will be deployed in accordance with TestKing's requirements. You create a security group and assign this group the Allow - Read permission for the shared folder that contains the .msi file. Which two additional courses of action should you take? (Each correct answer presents part of the solution. Choose two)
A. Make all users of the application members of the security group.
B. Make all unauthorized computers members of the security group.
C. Create a Group Policy object (GPO) that assigns the application to users. Link the GPO to the domain. Set permissions on the GPO so that it applies only to the security group you created.
D. Create a Group Policy object (GPO) that publishes the application to users. Link the GPO to the domain. Set permissions on the GPO so that it applies only to the security group you created.
E. Create a Group Policy object (GPO) that assigns the application to computers. Link the GPO to the domain. Set permissions on the GPO so that it applies only to the security group you created.

Answer: A, C
Explanation:
A security group is a collection of users who have specific rights and permissions to resources. Rather than giving rights to perform certain tasks to individual users, and then setting permissions as to what resources that user can access, the rights and permissions are applied to the group. Any users who are members of the group then acquire this same level of security access. In doing so, collections of users are handled as a single unit, rather than as individuals. Thus to ensure that you accomplish the task at hand and staying within the requirements of the company, you should make all users of this particular application members of a security group and then create a GPO that will assign the application to these users. Obviously you need to link the GPO to the domain and then set the relevant permissions to apply to only the newly created security group.
Incorrect Answers:
B: If we created a security group that contains all unauthorized computers, we would need to apply the Deny - Apply Group Policy permission to that security group. The latter is not one of the options.
D: We need to assign the application to users, not publish it. Assigned applications appear on the user's desktop, or start menu, which is part of the user profile. This means that the application will not be available to other users who log on to the computer.
E: Assigning the application to computers would be wrong since it is users that you need to take into account and it could be that users have roaming profiles which might cause them to use all computers besides their own as well.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 2, pp. 131-133
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 6
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain named testking.com. The network includes 20 servers running Windows Server 2003 and 400 client computers running Windows XP Professional. All client computers are in 12 organisational units (OU) organised by company department. All member server computer accounts are in an organisational unit (OU) named Servers. All user accounts are in an organisational unit (OU) named Employees. You need to install an application on all client computers in the domain. The application must not be installed on any servers. You need to configure the network to install the application as required, without affecting any existing policies or settings. What should you do?
A. Use gpedit.msc to create a Group Policy object (GPO) to assign the application to the computers. Link this GPO to the domain. Configure the Domain Controllers OU and the Servers OU to block policy inheritance.
B. Use gpedit.msc to create a Group Policy object (GPO) to assign the application to the computers. Link this GPO to the domain. Configure permissions on the GPO so that all servers and domain controller accounts are denied the permissions to read and apply the GPO.
C. Use gpedit.msc to create a Group Policy object (GPO) to assign the application to the users. Link this GPO to the domain. Configure the Domain Controllers OU and the Servers OU to block policy inheritance.
D. Use gpedit.msc to create a Group Policy object (GPO) to assign the application to the users. Link this GPO to the domain. Configure permissions on the GPO so that all server and domain controller accounts are denied the permissions to read and apply the GPO.

Answer: B
Explanation:
The software can be installed on all the client computers, but not the domain controllers or member servers. Because the client computers are in 12 OUs, it would be easier to link the GPO at the domain level. The OUs containing the client computers would then inherit the GPO settings. To prevent the GPO applying to the domain controllers and servers, we can simply deny the permissions to read and apply the GPO for the domain controller and server computer accounts.
Incorrect Answers:
A: It is likely that some domain level policies should apply to the domain controllers and the servers. Therefore, blocking policy inheritance isn't recommended.
C: It is likely that some domain level policies should apply to the domain controllers and the servers. Therefore, blocking policy inheritance isn't recommended.
D: This won't stop the software being installed on the servers, because the software installation would be defined in the user section of the group policy.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 7 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You are planning the implementation of new Group Policy objects (GPOs). The accounting department and the research department each has its own organizational unit (OU). The accounting department includes the accounts payable (AP) department and the accounts receivable (AR) department. The Accounting OU contains an AP OU and an AR OU. User accounts are in the Accounting, AP, AR, and Research OUs. The accounting department has an accounting application that must be installed on the computers that are used by users in the accounting department. You want to avoid installing the accounting application on the computers of any other users. You plan to create a GPO named Software to install the accounting application.
The research department user accounts must have passwords that are at least eight characters in length and must be changed every 30 days. There are no specific password requirements for any other users in the contoso.com domain. You plan to create a GPO named Password to configure the minimum password length and password age. You need to decide the correct locations for placing the Password GPO and the Software GPO, while minimizing the time it takes for any user to log on to the domain. Where should you link the Password GPO and the Software GPO? To answer, drag the appropriate GPO or GPOs to the correct location or locations in the work area. If both policies need to be linked to the same location, use the source labelled Both GPOs.

Answer:
Explanation:
The accounting department has an accounting application that must be installed on the computers that are used by users in the accounting department. You want to avoid installing the accounting application on the computers of any other users. You plan to create a GPO named Software to install the accounting application. The software GPO can be applied to the Accounting OU. This GPO will also apply to the AP and AR OUs (which also contain accounts users).
The research department user accounts must have passwords that are at least eight characters in length and must be changed every 30 days. There are no specific password requirements for any other users in the testking.com domain. You plan to create a GPO named Password to configure the minimum password length and password age. Password policies for domain user accounts must be applied at the domain level. The policies will have no effect on domain user accounts if they are applied at any other level.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 8
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows 2000 mixed. The domain includes an organizational unit (OU) named Marketing. Computer accounts for client computers in the marketing department are located in the Marketing OU. Each client computer runs Windows NT Workstation 4.0, Windows 2000 Professional, or Windows XP Professional. You need to automatically deploy a new software package to all Windows 2000 Professional client computers in the Marketing OU. You create a Group Policy object (GPO) and link it to the Marketing OU. What else should you do?
A. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Modify the discretionary access control list (DACL) of the GPO to assign the Authenticated Users group the Allow - Read and the Deny - Apply Group Policy permissions.
B. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Configure a WMI filter to include Windows 2000 Professional.
C. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Disable Computer Configuration settings on the GPO.
D. Configure the GPO to publish the software package under the User Configuration section, under Software Settings. Modify the discretionary access control list (DACL) of the GPO to assign only the Windows 2000 Professional computer accounts the Allow - Read and the Allow - Apply Group Policy permissions.
Answer: B
Explanation:
This question is tricky because Windows 2000 clients cannot process WMI filters. They will ignore the filters and install the software. However, the Windows XP clients will process the WMI filter and so will not install the software. The NT clients will not process the group policy at all, and so will not install the software. This fulfils the requirements in the question.
Incorrect Answers:
A: This will deny the group policy, so the policy will not apply to anyone.
C: This will disable the part of the GPO with the required settings. Therefore, the software won't install on any computers.
D: The software needs to be assigned to the computers, not the users. This answer could work if the software was assigned under the Computer Configuration section, but it's an impractical way of doing it.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20 to 10-21, 11-6

QUESTION NO: 9 DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network contains 10 file servers running Windows Server 2003. All the file servers are located in an organizational unit (OU) named TK. You discover that a virus is infecting files on the file servers. You locate an antivirus application that will remove the virus and install a patch that prevents the virus from re-infecting the servers. The application and its updates are available as .msi files. The file servers must remain available because users are currently using the file servers for critical processes. You need to ensure that the file servers are protected from viruses. You want to accomplish this task by using the minimum amount of administrative effort.
Which action or actions should you take to achieve this goal? To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all required actions in the correct order. You might not need to use all numbered boxes.

Answer:
Explanation:

First action: Log on interactively and install the .msi file on each server.
When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. The question states that the file servers must remain available because users are currently using the file servers for critical processes. For this reason, we cannot use a group policy to assign the software (we cannot reboot the computers). Therefore, we must manually install the software on the computers.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 10
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers that are not domain controllers have computer accounts in an organizational unit (OU) named ApplicationServers. Client computers have computer accounts in 15 OUs organized by department. All users have user accounts in an OU named CompanyUsers. TestKing wants all users to have Microsoft Word available on their client computers. TestKing does not want to install Word on domain controller or other servers. You need to configure the network to install the application as required, without affecting any existing policies or settings. What should you do?
A. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the computer settings. Link this GPO to the domain. Configure the Domain Controllers OU and the ApplicationServers OU to block policy inheritance.
B. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the computer settings. Link this GPO to the domain. Configure permissions on the GPO so that all servers and domain controller accounts are denied the permissions to read and apply the GPO.
C. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the user settings. Link this GPO to the domain. Configure the Domain Controllers OU and the ApplicationServers OU to block policy inheritance.
D. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the user settings. Link this GPO to the domain. Configure permissions on the GPO so that all server and domain controller accounts are denied the permissions to read and apply the GPO.

Answer: B
Explanation:
The software can be installed on all the client computers, but not the domain controllers or application servers. Because the client computers are in 15 OUs, it would be easier to link the GPO at the domain level. The OUs containing the client computers would then inherit the GPO settings. To prevent the GPO applying to the domain controllers and servers, we can simply deny the read and apply GPO permission for the domain controller and server computer accounts.
Incorrect Answers:
A: It is likely that some domain level policies should apply to the domain controllers and the servers. Therefore, blocking policy inheritance isn't recommended.
C: It is likely that some domain level policies should apply to the domain controllers and the servers. Therefore, blocking policy inheritance isn't recommended.
D: This won't stop the software being installed on the servers, because the software installation would be defined in the user section of the group policy.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 600-60
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-13 to 12-28

B: Automatically enroll computer certificates by using Group Policy. (1 question)

QUESTION NO:
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. One of the domain controllers is configured as a subordinate enterprise certification authority (CA). TestKing also has an offline root CA. All client computers run Windows XP Professional. TestKing does business with a distributor named Coho Vineyard. Users at TestKing frequently access secured Web sites at Coho Vineyard. These sites are secured by using certificates issued by an enterprise CA at Coho Vineyard. Users at TestKing report that they receive security alerts from the Web browser whenever they try to access secured Web sites at Coho Vineyard. Users can access the sites after they acknowledge the warnings, but many choose to cancel the operation in order to be sure that the network is secure. You need to configure the TestKing network to prevent these security alerts from appearing when accessing the secured Web sites at Coho Vineyard. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Obtain a copy of the Coho Vineyard root certificate from Coho Vineyard.
B. Issue a certificate to the Coho Vineyard Web server from the TestKing enterprise CA.
C. Import the certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Place the Coho Vineyard secured Web sites in the list of trusted sites in the Internet Explorer Maintenance section of the Default Domain Policy Group Policy object (GPO).

Answer: A, C
Explanation:
The certificate is issued by another entity, we need to trust the certificates issued by that entity. To do this we need to place a copy of the certificate in Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
Incorrect Answers:
B: There is already a certificate issued by the Coho Vineyard CA. We do not need to issue another certificate.
D: The Internet Explorer Maintenance section of the Default Domain Policy Group Policy object is not responsible for maintaining certificates. It is used to administer and customize Internet Explorer on Windows Server 2003 computers.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 460-464, 470-473.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13-9

C: Configure computer security settings by using Group Policy.
(7 questions)

QUESTION NO:

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain includes an organizational unit (OU) named Processing. There are 100 computer accounts in the Processing OU. You create a Group Policy object (GPO) named NetworkSecurity and link it to the domain. You configure NetworkSecurity to enable security settings through the Computer Configuration section of the Group Policy settings. You need to ensure that NetworkSecurity will apply only to the computers in the Processing OU. You need to minimize the number of GPO links. What should you do?

A. Link NetworkSecurity to the Processing OU. Disable the User Configuration section of NetworkSecurity.
B. Link NetworkSecurity to the Processing OU. Remove the link from NetworkSecurity to the domain.
C. Modify the discretionary access control list (DACL) for NetworkSecurity to assign all computer accounts on the Processing OU the Allow - Read and the Allow - Supply Group Policy permissions.
D. Modify the discretionary access control list (DACL) for NetworkSecurity to assign the Authenticated Users group the Deny - Apply Group Policy permission and to assign all of the computer accounts in the Processing OU the Allow - Read and the Allow - Apply Group Policy permissions.

Answer: B

Explanation: We need to ensure that the NetworkSecurity GPO is applied to the domain. We should link the NetworkSecurity GPO to the Processing OU, not the domain.

Incorrect Answers:
A: Linking the NetworkSecurity GPO to the Processing OU won't work if the NetworkSecurity GPO is still linked to the domain. We need to also remove the link to the domain.
C, D: The NetworkSecurity GPO is linked to the domain and is thus applied to all computers. Assigning all computer accounts on the Processing OU the Allow - Read and the Allow - Supply Group Policy permissions won't stop the GPO from applying to all computers in the domain.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41

QUESTION NO: 2

HOTSPOT

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit named Accounting. The Accounting OU contains both user accounts and computer accounts. You create a Group Policy object (GPO) named Custom ADM Template and link it to the Accounting OU. You need to apply specific security-related registry entries to all of the computer accounts in the Accounting OU. You create an ADM template named CustomSecuritySettings that includes the security-related registry entries. You need to import the CustomSecuritySettings template into the Custom ADM Template GPO so that you can enable the new policy settings in the CustomSecuritySettings template. Where should you import the CustomSecuritySettings template? To answer, select the appropriate section of the GPO in the dialog box.

Answer:

Explanation: Select "Security Settings" under Computer Configuration.
To import the CustomSecuritySettings security template into the Custom ADM Template GPO, in the console where you manage local or non-local Group Policy settings, click the Custom ADM Template GPO to which you want to import the security template. Then, in the console tree, right-click Security Settings, and then click Import Policy. In the Import Policy From dialog box, click the CustomSecuritySettings security template you want to import, and then click Open.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
13-57 to 13-65, 13-65-13-66

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computer accounts for the client computers are located in an organizational unit (OU) named Workstations. TestKing's written security policy states the following requirements:

1. Users must be members of the local Power Users group on all client computers.
2. Users must not be members of the local Administrators group on any client computers.
3. Users must not have any administrative rights to member servers or domain controllers in the domain.
4. The Power Users group membership cannot be modified by members of the local Administrators group on any client computer.

You need to provide automatic assignments of required group memberships for the users on the client computers. What should you do?

A. Create a logon script that adds the Domain Users group to the local Power Users group when the user logs on. Link the logon script to the Workstations OU.
B. Create a startup script that adds the Domain Users group to the local Power Users group when the client computer starts. Link the startup script to the Workstation OU.
C. Create a new Group Policy object (GPO) named GPO1. Configure the Restricted Groups option in GPO1 to add the Domain Users group to the Power Users group. Link GPO1 to the Workstation OU.
D. Create a new Group Policy object (GPO) named GPO1. Configure the Restricted Groups option in GPO1 to add the Domain Users group to the Power Users group. Link GPO1 to the domain.

Answer: C

Explanation: We need to move all users to the Power Users group. We can do this by using the Restricted Groups option of a GPO to add the Domain Users group to the Power Users group. Restricted Groups ensures that group memberships are set as specified. Groups and users not specified in Restricted Groups are removed from the group. In addition, the reverse membership configuration option ensures that each restricted group is a member of only those groups specified in the Member Of column. This GPO must be linked to all client computers as users must not have any administrative rights to member servers or domain controllers in the domain. The client computers are in the Workstations OU.

Incorrect Answers:
A, B: Using the Restricted Groups option would be a better solution than using logon scripts or startup scripts.
D: We should link the GPO to the Workstations OU, not the domain, as it should only be applied to client computers and not server computers.
Linking the GPO to the domain will result in the GPO being applied to client computers as well as to server computers.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41, 13-6 to 13-7

QUESTION NO: 4

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers that are not domain controllers are located in an organizational unit (OU) named Servers. The security department is responsible for defining security requirements for servers. You are responsible for configuring TestKing's servers. The security department provides you with security settings that you must apply to new and existing servers that are not domain controllers. You configure a Windows Server 2003 computer named Testking1 with these settings. You need to apply the security settings in compliance with the security department's requirements. What should you do?

A. Export the security settings for Testking1. Import the settings to a Group Policy object (GPO) linked to the Servers OU.
B. Create a script by running the netsh dump command on Testking1. Create a Group Policy object (GPO), link the GPO to the Servers OU, and configure the GPO to apply the script as a startup script.
C. Configure Synchronization Manager on Testking1 to perform a synchronization task daily.
D. Export the security settings for Testking1. Configure File Replication service (FRS) to copy the .ini file to the systemroot on each server.

Answer: A

Explanation: You need to apply the settings to all servers that are not domain controllers. All these servers are in the Servers OU and you have applied the security settings to Testking1. All you need to do now is export the settings to a custom template and import to a GPO that is linked to the Servers OU.

Incorrect Answers:
B: The netsh dump command dumps the network configuration to a file, not the security settings.
C: We need to apply the security settings to the other servers. This can't be accomplished by synchronizing.
D: Copying the exported file to the systemroot of each server will not apply the settings to the server. We need to apply it through a GPO.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41, 13-57 to 13-62

QUESTION NO: 5

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Research. All users who have user accounts in the Research OU use portable computers that run Windows XP Professional. You create a Group Policy object (GPO) named PowerManagement and link it to the Research OU. You configure the PowerManagement GPO to enable the Prompt for password on resume from hibernate/suspend policy. A user named Sandra has a user account in the Research OU. Sandra reports that she is not prompted for a password when her computer resumes from hibernation. You need to ensure that Sandra immediately has password protection for her portable computer when resuming from hibernation mode. What should you do?

A. Instruct Sandra to run the gpupdate command from her computer.
B. Instruct Sandra to run the gpresult command from her computer.
C. Instruct Sandra to send a Remote Assistance invitation to you. Take control of Sandra's computer and run the secedit /analyze command.
D. Instruct Sandra to send a Remote Assistance invitation to you. Take control of Sandra's computer and run the gpresult command.
Answer: A

Explanation: Although the GPO has been configured, some laptops may not have been online to be updated with the GPO policy, or there could have been network connectivity problems that prevented some laptops from getting the policy. All problems aside, Sandra's laptop should get the update at the next GPO refresh interval, or Sandra can get a refresh immediately by running the gpupdate command from her computer.

Incorrect Answers:
B, D: The Gpresult command-line tool allows you to create and display an RSoP query, which can be used to analyze the cumulative effects of GPOs, through the command line. It also provides general information about the operating system, user, and computer.
C: The secedit command has been replaced by gpupdate in Windows Server 2003.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-4 to 10-21, 11-4, 11-6, 11-19 to 11-22
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, p.
797

QUESTION NO: 6

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs either Windows 2000 Professional or Windows XP Professional. All desktop computers have computer accounts in an organizational unit (OU) named TestkingDesktops, and all portable computers have computer accounts in an OU named TestkingPortables. All employees have user accounts in an OU named TestkingUsers. A written TestKing policy requires that different Encrypting File System (EFS) policies be applied to portable computers and to desktop computers. In addition, policy settings in the Default Domain Policy Group Policy object (GPO) must apply to all computers. You create two new GPOs named DesktopEFSPolicy and PortableEFSPolicy to be applied to desktop computers and portable computers, respectively. You configure each GPO to contain the policy settings required by the written TestKing policy. You need to ensure that the written TestKing policy is enforced. Which two courses of action should you take? (Each correct answer presents part of the solution. Choose two.)

A. Link the DesktopEFSPolicy GPO to the TestkingDesktops OU. Link the PortableEFSPolicy GPO to the TestkingPortables OU.
B. In the Default Domain Policy GPO, assign the Domain Users security group the Deny - Full Control permission. Assign the Domain Admins security group the Allow - Full Control permission.
C. Link the DesktopEFSPolicy GPO and the PortableEFSPolicy to the domain. Configure the TestkingDesktops OU and the TestkingPortables OU to block Group Policy inheritance.
D. Enable the No Override setting for the Default Domain Policy GPO, the DesktopEFSPolicy GPO, and the PortableEFSPolicy OU.

Answer: A, D

Explanation: You want the Default Domain Policy settings to apply to all computers, so you must configure the No Override, or else lower GPO settings with the Block Policy Inheritance will negate the particular policy from above. Also the same is true for the OU level GPOs that are configured. Any lower GPOs configured on child OUs with Block Policy inheritance will negate policy from a higher level set GPO policy.

Incorrect Answers:
B: The GPO must be applied based on computer type, not user group.
C: Lower GPO settings with the Block Policy Inheritance will negate the particular policy from above.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-20, 10-40 to 10-41

QUESTION NO: 7

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. One of the domain controllers is configured as an enterprise root certification authority (CA). All client computers run Windows XP Professional. TestKing uses IPSec to secure communications between computers in TestKing and computers at other companies. These IPSec connections require computer certificates. Your IPSec policies require every computer to be able to make an IPSec connection when connecting to other computers. You need to configure the network so that all computers can make IPSec connections. What should you do?

A. In the computer settings section of the Default Domain Policy Group Policy object (GPO), configure the domain members to always digitally encrypt or sign secure channel data.
B. Create a new automatic certificate request in the computer settings section of the Default Domain Policy Group Policy object (GPO).
C. Obtain a new computer certificate from a public CA. Import a copy of this certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Issue a new computer certificate from your enterprise CA. Place a copy of this certificate on an internal Web page. Instruct users to install this certificate in their trusted certificate store the first time they need to make an IPSec connection.

Answer: D

Explanation: Enterprise CAs are integrated into the Active Directory directory service. They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically.
Because the clients of an enterprise CA must have access to Active Directory to receive certificates, enterprise CAs are not suitable for issuing certificates to clients outside the enterprise. Enterprise CAs require and use Active Directory to issue certificates, often automatically.

An IPSec connection comprises two modes: Main Mode and Quick Mode. Main Mode is the first part of an IPSec connection. In Main Mode, each computer authenticates to the other and then IKE is used to calculate the master key. All other keys are generated from the master key. An IKE security association (SA) is created over which Quick Mode can be negotiated. Quick Mode is the second phase of IPSec. In Quick Mode, agreement is reached for the encryption, integrity algorithms, and other policy settings. Two SAs are created, one incoming and one outgoing.

Incorrect answers:
A: Always digitally encrypting or signing secure channel data does not necessarily ensure the ability to make IPSec connections.
B: An automatic certificate request in the computer settings section of the Default Domain GPO is not the solution.
C: Obtaining a new certificate from a public CA is not going to ensure that all computers will have the ability to make IPSec connections. What is needed is to have a new computer certificate issued from your enterprise CA which should be installed on users' trusted certificate store.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 88
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2004, p. 11: 15
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, p. 612

Topic 5, Managing and Maintaining Group Policy (2 Questions)

Part 1: Troubleshoot issues related to Group Policy application deployment.
Tools might include RSoP and the gpresult command. (7 questions)

QUESTION NO:

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. User accounts are configured as local administrators so that users can install software. A desktop support team supports end users. The desktop support team's user accounts are all members of a group named Support. You create a software restriction policy that only prevents users from running registry editing tools by file hash rule. You apply the policy to all user accounts in the domains. The desktop support team reports that when they attempt to run registry editing tools, they receive the following error message: "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator". You need to ensure that only the desktop support team can run registry editing tools. What should you do?

A. Configure the software restriction policies to be enforced for all users except local administrators.
B. Make users members of the Power Users group instead of the Administrators group.
C. Use a logon script to copy the registry editing tools to the root of drive C. Assign the Domain Admins group the Allow - Read permission for the registry editing tools in the new location.
D. Filter the software restriction policy to prevent the Support group from applying the policy.

Answer: D

Explanation: We can prevent the software restriction policy from applying to the support group by simply assigning the support group the Deny - Read and/or the Deny - Apply group policy permission.

Incorrect answers:
A: The users are local administrators. The policy must apply to the local administrators.
B: The policy applies to all users. It will still apply to the support group. Changing the local users group membership will have no effect on the policy.
C: The software restriction policy is using a hash rule to prevent the use of the registry editing tools. It doesn't matter where the tools are located; they still won't run.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, pp. 591-593

QUESTION NO: 2

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional client computers. The domain contains two organizational units (OUs) named Sales and Marketing. Both OUs have multiple Group Policy Objects (GPOs) linked to them. The Sales OU needs to be moved under the Marketing OU. You need to find out which objects in the Sales OU are adversely affected by GPOs linked to the Marketing OU. You need to achieve this goal without disruption to users. What should you do?

A. Use Resultant Set of Policy (RSoP) in logging mode for the Marketing OU. Review the policy results for the users in the OU.
B. Use Resultant Set of Policy (RSoP) in logging mode for the Sales OU. Review the policy results for the users in the OU.
C. Use Resultant Set of Policy (RSoP) in planning mode for the Marketing OU. Choose the Sales OU to simulate policy settings.
D. Use Resultant Set of Policy (RSoP) in planning mode for the Sales OU. Choose the Marketing OU to simulate policy settings.
Answer: D

Explanation: We need to view the effective group policy without actually applying the group policy and disrupting the users. For this, we can use RSoP in planning mode. In this mode, you can determine how policy settings are applied to a target, and then analyze the results before deploying a change to Group Policy.
In logging mode, you can assess which policy settings have been applied or failed to apply to a particular target (users or computers in Active Directory). Group Policy client-side extensions have a WMI interface that writes information (known as logging mode data) about their policy settings to a CIMOM database. You can use the RSoP user interface to query the CIMOM database for policy information.

Incorrect Answers:
A: We need to use planning mode, not logging mode.
B: We need to use planning mode, not logging mode.
C: We need to test the effects of applying the Marketing OU policies to the Sales OU, not vice versa.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, p. 591
MS Knowledge Base article 323276: HOW TO: Install and Use RSoP in Windows Server 2003
Server Help: RSoP overview

QUESTION NO: 3

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com that contains one domain controller. All servers run Windows Server 2003. All client computers run Windows XP Professional. The company uses Group Policy objects (GPOs) to configure user and computer settings. A new user named Dr. King reports that his Windows desktop is different from others in the company and that he does not have access to the same applications as other users. You discover that none of the user settings from any GPOs are in effect in Dr. King's computer after Dr. King logs on. You instruct Dr. King to run the gpresult command, and he reports that he receives the following error message: "INFO: The group policy object does not exist". You run the gpotool command on the domain controller and receive the output shown in the exhibit. You need to ensure that Group Policy settings can be applied correctly. What should you do?

A. Run the gpupdate /force command on the domain controller.
B. Run the gpupdate /force command on Dr. King's computer.
C. Restore the system state on the domain controller from a valid backup.
D. Restore the backup state on Dr. King's computer from a valid backup.

Answer: C

Explanation: We can see from the exhibit that there is a problem with the group policy. It seems to have become corrupted. To restore the group policy, we'll need to restore the system state data on a domain controller.

Incorrect Answers:
A, B: The corrupt.
D: The GPO resides on the domain controller, not on the local computer.

Reference:
Microsoft Knowledge Base Article - 216359: Troubleshooting Group Policy Application Problems.
Microsoft Knowledge Base Article - 250842: Troubleshooting Group Policy Application Problems.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-3, 11-19 to 11-22
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
620-626

QUESTION NO: 4

You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. TestKing's main office is located in Cape Town. You are a network administrator at TestKing's branch office in Nairobi. You create a Group Policy object (GPO) that redirects the Start menu for users in the Nairobi branch office to a shared folder on a file server. Several users in Nairobi report that many of the programs that they normally use are missing from their Start menus. The programs were available on the Start menu the previous day, but did not appear when the users logged on today. You log on to one of the client computers. All of the required programs appear on the Start menu. You verify that users can access the shared folder on the server. You need to find out why the Start menu changed for these users. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. In the Group Policy Management Console (GPMC), select the file server that hosts the shared folder and a user account that is in the Domain Admins global group and run Resultant Set of Policy (RSoP) in planning mode.
B. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run Resultant Set of Policy (RSoP) in logging mode.
C. On one of the affected client computers, run the gpresult command.
D. On one of the affected client computers, run the gpupdate command.
E. On one of the affected client computers, run the secedit command.

Answer: B, C

Explanation: We need to view the effective group policy settings for the users or the computers that the users are using. We can use gpresult or RSoP. Gpresult displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.
RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.

Incorrect Answers:
A: We need to test the effective policy from a user's computer, not the file server.
D: Gpupdate is the tool used to refresh the policy settings in Windows XP and Windows Server 2003.
E: Secedit is the tool used to refresh the policy in Windows 2000 Professional and Server editions.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-3, 11-19 to 11-22
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 620-626

QUESTION NO: 5

You are the administrator of the TestKing company network. The network consists of a single Active Directory domain named TestKing.com. The network includes 10 servers running Windows Server 2003 and 500 client computers running Windows XP Professional. You create a Group Policy object (GPO) that redirects the Start menu for users to a shared folder on a file server. Some users report that many of the programs that they normally use are missing from their Start menus. You log on to a client computer named Client1. All of the required programs appear on the Start menu. The users are able to connect to the shared folder. You suspect that changes made to one or more GPOs are causing the problem. You need to find out why some Start menu items are not appearing for some users. What should you do?

A. On the file server that hosts the shared folder, run the gpresult command.
B. On one of the affected client computers, run the gpresult command.
C. On one of the affected client computers, run the gpupdate command.
D. On one of the affected client computers, run the secedit command.
Answer: B

Explanation: Because you can apply overlapping levels of policies to any computer or user, the Group Policy feature generates a resulting set of policies at logon. Gpresult displays the resulting set of policies that were enforced on the computer for the specified user at logon.

Incorrect Answers:
A: We need to run the gpresult command on one of the affected client computers, not the server that hosts the shared folder.
C: The gpupdate command refreshes the group policies applied to a computer or user. We need to use the gpresult command to determine the result of all the policies that apply to the computer.
D: The secedit command is the command line version of the Security Configuration and Analysis utility. This has nothing to do with the effects of group policies.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp.
;2"2;2; %*+,TION NO& 7 .ou are the net/or$ administrator for TestKing0 1ll ser2ers run 4indo/s ,er2er '5560 .ou configure a aseline security template <aseline0inf0 ,e2eral operations groups are responsi le for creating templates containing settings that satisfy operational reBuirements0 .ou recei2e the templates sho/n in the follo/ing ta le0 Operations group Template name 1pplies to (ile and 5rint Test@ing(ile.inf (ile ser%ers Database Test@ingD1.inf Database ser%ers $ecurit Test@ing$ec.inf All resource ser%ers The operations groups agree that in the case of conflicting settings, the priority order listed in the follo/ing ta le esta lishes the resultants setting0 Template Priority Test@ing$ec.inf 1 1aseline.inf 2 $pecific ser%er role template 3 .ou need to create one or more >roup Policy o Cects ?>POs@ to implement the security settings0 .ou /ant to minimi!e the amount of administrati2e effort reBuired /hen changes are reBuested y the 2arious operations groups0

What should you do?
A. Create a GPO and import the following templates in the following order: Baseline.inf, TestKingSec.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.
B. Create a GPO and import the following templates in the following order: TestKingSec.inf, Baseline.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.
C. Create a GPO for each server role and import the following templates in the following order: Baseline.inf, specific server role template, TestKingSec.inf.
D. Create a GPO and import the following templates in the following order: TestKingSec.inf, TestKingDB.inf, TestKingFile.inf, Baseline.inf.

Answer: A

Explanation: Windows Server 2003 processes GPOs from the bottom of the list to the top of the list, with the topmost GPO having the final authority. Because policies contained in GPOs will, by default, overwrite the policies of previously applied GPOs, we would need to import the Baseline.inf before the TestKingSec.inf template.

Incorrect Answers:
B: Because policies contained in GPOs will, by default, overwrite policies of previously
C, D: Because we need to import templates specific to each of two server roles, we need a separate GPO for each server role.
Reference: Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Chapter 5

QUESTION NO: D
You are the network administrator for TestKing.com. The network consists of two Active Directory forests. Each forest contains a single domain. All servers run Windows Server 2003. One forest is used for testing and the other forest is used for production. The test forest contains a single domain controller. The test forest is used to test Group Policy objects (GPOs). You are testing 75 GPOs in the test environment that will be deployed in the production environment. You assign the Testuser account in the test forest the Deny - Apply Group Policy permission. Logging on to the test forest takes longer than would be acceptable in the production forest. You must reduce logon times in the test forest.
What should you do?
A. Assign the Testuser account the Deny - Read permission for unused GPOs.
B. Assign the Testuser account the Deny - Write gpoLink permission for the domain.
C. Create a GPO to enable the Negative DC Discovery Cache Setting, specify the setting to be 60 seconds, and apply it to the client computers.
D. Create a GPO to enable the Group Policy refresh interval for computers setting, specify the update rate to be 120 minutes, and apply it to the client computers.

Answer: A

Explanation: Group Policy is still processed but not applied when the Deny - Apply Group Policy permission is assigned. The Deny - Read permission will ensure that the GPO is not processed. This will improve logon times.

Incorrect Answers:
B: There is no Write gpoLink permission.
C: The Negative DC Discovery Cache Setting specifies the amount of time the DC locator retains that a domain controller could not be found in a domain. When a subsequent attempt to locate the domain controller occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the domain controller.
D: Setting the group policy refresh interval won't prevent the GPO from being processed at logon.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41

Part 2: Maintain installed software by using Group Policy.
A: Distribute updates to software distributed by Group Policy. (4 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. All user accounts for users in the engineering department are located in an organizational unit (OU) named Engineering. These users' client computers are all located in an OU named EngineeringWorkstations, which is a child OU of the Engineering OU. All users in the engineering department are members of a global group named Engineers. You create a Group Policy object (GPO) that assigns a software installation package to users in the Engineering OU. To comply with the licensing requirements for the application, the application must be uninstalled from a user's computer when that user is moved out of the Engineering OU. A user named Lisa is transferred out of the engineering department. The user account for Lisa is moved into an OU named Research. Lisa reports that the application is still installed on her computer. You must ensure that the application is automatically uninstalled from Lisa's computer. The application must remain on the computers of all users who are still in the Engineering OU.
What should you do?
A. Move Lisa's user account back into the Engineering OU. Configure the software installation package so that the software is uninstalled when Lisa's user account falls out of the scope of management. Ensure that Lisa logs on to the network. Move Lisa's user account back into the Research OU.
B. Move Lisa's user account back into the Engineering OU. Modify the GPO so that the software installation package is removed. Ensure that Lisa logs on to the network. Move Lisa's user account back to the Research OU.
C. Move the client computer object for Lisa's computer out of the EngineeringWorkstations OU.
D. Remove Lisa from the Engineers global group.
Answer: A

Explanation: The Uninstall The Applications When They Fall Out Of The Scope Of Management option can be used to remove the application if it no longer applies to users or computers. However, the application must first apply to the user or computer. Therefore we should move Lisa's user account back into the Engineering OU so that the application applies to her again and Lisa must log on to the network for the GPO to apply. Then we can move Lisa's user account back into the Research OU. The application will no longer apply to Lisa and will be uninstalled.

Incorrect Answers:
B: Modifying the GPO so that the software installation package is removed will result in the application being removed for all users in the Engineering OU.
C: computer is irrelevant.
D: The GPO is applied at the OU. The Engineers global group is not in the Engineering OU.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-16 to 12-20

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You deploy an application by using a Group Policy object (GPO) that publishes an .msi file. Users report some instabilities in the application that cause data loss. The software vendor releases a patch that fixes the problem. The patch is released as an .msp file. You need to ensure that users do not lose data when running the application.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Copy the .msp file to the folder where the application source files exist.
B. Create a .zap file for the patch and deploy the .zap file.

C. Rename the .msp file to an .mst file.
D. Apply the patch to the application source files.
E. Redeploy the GPO that installs the application.

Answer: D, E

Explanation: Patches in the .msp format must be applied to the source files which are then applied to the appropriate container by redeploying the GPO that installs the application.

Incorrect Answers:
A: The patch file must be applied to the source files, merely copying it to the source folder won't work.
B, C: The patch is released as an .msp file. There is no need to repackage it as a .zap file, which is not as flexible as a .msp file, or a .mst file.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-8, 2-34 to 12-39

QUESTION NO: 3
You are the network administrator for TestKing.com. You are responsible for planning the deployment and configuration of applications by using Group Policy objects (GPOs). Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All user accounts are located in an organizational unit (OU) named Accounts. All client computers run Windows XP Professional and are located in an OU named Workstations. All managers in the company need to use a management application. This application is sent by a hyperlink contained in an e-mail message to the users who require it. The managers need this application regardless of the computer that they are using at any given time. A software update for the application is now available. You need to update the application on all computers that have the application installed.
What should you do?
A. Configure a GPO to install the software update by using a WMI filter. Link the GPO to the Accounts OU.
B. Configure a GPO that requires the installation of the software update. Link the GPO to the Workstations OU.
C. Create a .zap file for the software update, and configure a GPO to install the .zap file. Link the GPO to the Accounts OU.
D. Configure a GPO to enable automatic updates and to install the software update. Link the GPO to the Workstations OU.

Answer: B

Explanation: Configuring a GPO that requires the installation of the software update and linking that GPO to the Workstations OU will install the update only on workstations on which the application is installed. If the application is not installed, the update will not be installed.

Incorrect Answers:
A: WMI filtering can be used to restrict the GPO scope to certain groups.
C: The manager requires the application regardless of what computer he uses. We should therefore link the GPO to the computer container.
D: Automatic updates can only be configured for Windows Updates, not for applications.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20 to 10-21, 11-6, 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION NO: 4
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. All servers run Windows Server 2003. You create a Group Policy object (GPO) to publish an .msi file that installs a graphics application. The company approves the use of a new graphics application to replace the old graphics application. The new application is installed by using an .msi file. Current users can continue to use the old application, or they can start using the new application whenever they choose. To prevent support issues, both applications must not be installed at the same time. You need to configure the user accounts so that users can migrate to the new application.
What should you do?
A. Create a new GPO to publish the new application. Configure the link for the new GPO to have a higher priority than the GPO that installs the old application.
B. Create a new GPO to assign the new application. Disable the GPO that installed the old application.
C. Create a new GPO to publish the new application. Configure the GPO to upgrade and replace the existing application with the new application, but do not make it a requirement.
D. Copy the .msi file for the new application to the same location as the .msi file for the old application.

Answer: C

Explanation: We need to publish the application rather than assign it. If we assigned it, the new application will automatically install. The users must be able to use the old application if they want to. Publishing the application will give the users the choice. They can install the new application by using the Add/Remove Programs control panel applet. To prevent users running the old version and the new version, we can configure the published application to replace the old version.

Incorrect Answers:
A: This will not cause the new application to replace the old application when it is installed.
B: If we assigned it, the new application will automatically install. The users must be able to use the old application if they want to.
D: This will not install the new application or replace the old one.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

B: Configure automatic updates for network clients by using Group Policy.
(4 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional with the most recent service pack. All client computers have computer accounts in an organizational unit (OU) named TestkingComputers. TestKing requires all computers to be kept up-to-date with service packs and hotfixes from Microsoft. Administrators will manually update servers as required. You need to configure the network so that client computers are automatically updated as new critical updates are issued.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Create a Group Policy object (GPO) linked to the domain. Configure the GPO so that client computers automatically download and install updates from Microsoft update servers from the Internet.
B. Create a Group Policy object (GPO) linked to the TestkingComputers OU. Configure the GPO so that client computers automatically download and install updates from Microsoft update servers from the Internet.
C. Create a Group Policy object (GPO) linked to the domain. Configure the GPO so that client computers automatically download and install updates from an internal server on which you install and configure Software Update Services.
D. Create a Group Policy object (GPO) linked to the TestkingComputers OU. Configure the GPO so that client computers automatically download and install updates from an internal server on which you install and configure Software Update Services.
Answer: B, D

Explanation: To ensure that computers download and install the updates, we must configure a GPO to download and apply the updates either from the Microsoft updates server, or from the internal server on which you install and configure Software Update Services. The GPO must apply to only client computers as administrators will manually update server computers as required. All client computers are in the TestkingComputers OU therefore we should link the GPO to the OU.

Incorrect Answers:
A, C: The GPO must apply only to client computers as the administrators will manually update server computers as required. Therefore the GPO should be linked to the TestkingComputers OU and not the domain.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, pp. 9-14 to 9-16

QUESTION NO: 2
You are the network administrator for TestKing.com. TestKing consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computer accounts for the client computers are located in an organizational unit (OU) named Computer Accounts. All user accounts are located in an OU named User Accounts. Software Update Services (SUS) is installed on your network. The SUS infrastructure is shown in the exhibit. Updates that are deployed must not cause any conflicts or errors on the client computers. You need to configure the client computers to download approved updates from the correct server.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Create a Group Policy object (GPO) to set the default package location to be the internal interface of the firewall.
B. Create a Group Policy object (GPO) to set the default package location to be the child SUS server.
C. Create a Group Policy object (GPO) to set the update service location to be the child SUS server.
D. Create a Group Policy object (GPO) to set the update service location to be the Microsoft Windows Update server.
E. Link the Group Policy object (GPO) to the User Accounts OU.
F. Link the Group Policy object (GPO) to the Computer Accounts OU.
Answer: C, F

Explanation: You will need to specify the child SUS server and to link the policy to the computer accounts OU. Only approved updates can be downloaded and installed from the child SUS server.

Incorrect Answers:
A, B: We should use the update package not the default package.
D: Only approved updates must be downloaded. Specifying the Microsoft Windows Update server will mean that all updates will be downloaded.
E: Updates are applied to the computer, not the user account.

Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, pp. 9-14 to 9-16

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain controllers are located in three Active Directory sites. The domain contains an organizational unit (OU) named Marketing. The Marketing OU contains two child OUs named Sales and Research. You need to disable the Windows Update service on all computers in the domain, with the exception of computers in the Sales OU. You want to use the minimum number of Group Policy objects (GPOs).
What should you do?
A. Create a GPO and link it to the domain. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. On the Sales OU, enable the Block Policy inheritance setting.
B. Create a GPO and link it to the domain. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. Enable the No Override setting on the GPO.

C. Create a GPO and link it to all three Active Directory sites. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. On the Sales OU, enable the Block Policy inheritance setting.
D. Create a GPO and link it to all three Active Directory sites. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. Enable the No Override setting on the GPO.

Answer: A

Explanation: You want Windows Update to run only on computers in the Sales OU. To do this you must create two GPOs: one for the domain and one for the Sales OU. Configure the domain GPO to disable Windows Update and block policy inheritance on the GPO for the Sales OU. Windows Update is enabled by default so blocking inheritance will ensure that it is still applied to the Sales OU.

Incorrect Answers:
B: The no override option on the domain GPO will ensure that the settings in the domain GPO are not blocked at the lower level GPOs. This will mean that Windows Update is disabled for the entire domain.
C: This will work but creating a GPO at the domain level to disable Windows Update would require less administrative effort. This is thus not the best option.
D: Creating a GPO at the domain level to disable Windows Update would require less administrative effort. Also, the no override option on the Active Directory sites will ensure that the settings in the domain GPO are not blocked at the lower level GPOs. This will mean that Windows Update is disabled for all the sites.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40 to 10-41

QUESTION NO: 4
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains Web servers that run Windows Server 2003. You use Sysprep to create a baseline image for Web servers. You instruct a technician to install Windows Server 2003 on 20 new Web servers by using the baseline image. A new service pack is subsequently released. You need to install the new service pack on all Web servers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Copy the service pack installation files to a shared folder. Install the service pack on each Web server from the shared folder.
B. Create an organizational unit (OU) named Web servers. Create a Group Policy object (GPO) to assign the service pack package to users. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.
C. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO) to assign the service pack package to computers. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.
D. Create a Cmdlines.txt file for use with the baseline Sysprep image in order to run the service pack package.

Answer: C

Explanation: A service pack is a software update package provided by Microsoft for one of its products. A service pack contains a collection of fixes and enhancements packaged into a single self-installing archive file.
To distribute a service pack, create a shared folder and either extract the service pack to that folder or copy the contents of the service pack CD to the folder. Then, using the Active Directory Users And Computers snap-in, create or select an existing GPO. Click Edit and the Group Policy Object Editor console appears, focused on the selected GPO. Expand the Computer Configuration\Software Settings node. Right-click Software Installation and choose New, then Package. Enter the path to the service pack's Update.msi file. Be certain to use a UNC format (for example, \\Server\Share) and not a local volume path, such as Drive:\Path. In the Deploy Software dialog box, select Assigned. Close the Group Policy Object Editor console. Computers within the scope of the GPO - in the site, domain, or OU branch to which the policy is linked - automatically deploy the service pack at the next startup.
You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers' computer objects exist.

Incorrect Answers:
A: Installing the service pack on each server would require a lot of administrative effort.
B: Service packs must be applied to the computers not the users.
D: Service packs can be applied without running the Sysprep image.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Glossary.
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, Chapter 9
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 9.

Part 3: Troubleshoot the application of Group Policy security settings.
Tools might include RSoP and the gpresult command. (9 questions)

QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named TerminalServers. You create two Group Policy objects (GPOs) named TestkingSettings and SecuritySettings and link them to the domain. You then create another GPO named TSLSettings and link it to the TerminalServers OU. Users report that when they run Internet Explorer on a terminal server, they cannot access approved Web sites. Users did not encounter any problems with running Internet Explorer on the terminal servers before the GPOs were created and linked. You need to find out which GPO is the cause of the problem.
What should you do?
A. Log on to a terminal server and run the secedit /analyze command.
B. Log on to a domain controller and run the query termserver command.
C. Log on to a domain controller and run Resultant Set of Policy (RSoP) in planning mode against the client computers.
D. Log on to a domain controller and run Resultant Set of Policy (RSoP) in logging mode against a terminal server.

Answer: D

Explanation: Use RSoP in logging mode to view the actual policy settings for a user on a computer. You can use RSoP in logging mode to discover which policy settings are actually in effect for a particular user or computer, and find the specific GPOs that applied those settings. You can also use the Gpresult.exe command-line tool to generate RSoP logging data in a text format. Since the GPOs have been applied to the TerminalServers OU, you should run RSoP in logging mode against a terminal server.

Incorrect Answers:
A: The secedit /analyze command allows you to analyze the security settings on a computer by comparing them against the baseline settings in a database. It is not used to troubleshoot GPO application.
B: The query termserver command displays a list of all terminal servers on the network.
C: Use the Resultant Set of Policy (RSoP) tool in planning mode to see the effects of group policy settings prior to implementation. However, the GPOs have been applied to the TerminalServers OU, not the client computers. We should run RSoP against the terminal servers.

Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, pp. 629, 631
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-3 to 11-2

QUESTION NO: 2
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain includes a Windows Server 2003 computer that runs Terminal Services. The terminal server has a computer account in an organizational unit (OU) named Terminal Servers. A Group Policy object (GPO) named TS Settings is linked to the Terminal Servers OU. This GPO is configured with settings that must apply when users are logged on to the terminal server. The company wants users to have their normal settings when connected to the terminal server, except settings that conflict with the settings in the TS Settings GPO. You discover that when users are logged on to the terminal server, they receive only the settings from the TS Settings GPO, without any of their own settings. You use the Group Policy Management Console (GPMC) to examine the configuration of the TS Settings GPO. The relevant portion of the configuration is shown in the exhibit.
****MISSING****
You need to ensure that policy settings apply properly to users logging on the terminal server.
What should you do?
A. Enable the Block Policy inheritance setting for the Terminal Servers OU.
B. Disable the No Override setting for the TS Settings GPO.
C. Modify the TS Settings GPO to use loopback processing in Merge mode.
D. Disable the Only allow local profiles setting in the TS Settings GPO.

Answer: B

Explanation: Group policies set to No Override cannot be blocked. This is part of the problem. Therefore you should disable the No Override setting for the TS settings GPO in order to ensure that policy settings apply properly to users logging on the terminal server.

Incorrect Answers:
A: Enabling the Block Policy inheritance setting for the Terminal Servers OU will prevent the application of GPOs higher in the hierarchy from being inherited by the Terminal Servers OU. Thus, only the TS Settings GPO will be applied.
C: Loopback is a new Group Policy setting that provides alternatives to the default method of obtaining the ordered list of GPOs whose user configuration settings affect a user. By default, a user's settings come from a GPO list that depends on the user's location in Active Directory. Loopback operates in replace mode or merge mode. In merge mode, user settings that do not conflict with computer settings are applied. If there is a conflict between the two, the computer settings override the user settings.
D: The Only allow local profiles is a new Group Policy option that permits a computer to ignore user settings in roaming profiles. By default, when roaming profile users log on to a computer, their roaming profile is copied to the local computer. If they have previously logged on to this computer, the roaming profile is merged with the local profile. When the users log off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. If the Only allow local profiles setting is enabled, the user receives a local profile, rather than the roaming profile.

Reference: Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 582, 590
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-17, 10-19 to 10-20
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/

QUESTION NO: 3
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All users have user accounts in an organizational unit (OU) named CompanyUsers. The CompanyUsers OU is configured as shown in the exhibit.
***MISSING***
You discover that no Group Policy settings are being applied to most users when they log on to client computers in the domain. When administrators log on, they receive the appropriate Group Policy settings. You examine the event log on one of the client computers. You find the error message shown in the Event Properties exhibit:
***MISSING***
You need to correct the problem in the network so that Group Policy settings are applied for all users.
What should you do?
A. Assign the SYSTEM account the Allow - Full Control permission for child objects in the CompanyUsers OU.
B. Assign the Authenticated Users group the Allow - Read, the Allow - Read All Properties, and the Allow - List Contents permissions for the CompanyUsers OU.
C. Assign the Everyone group the Allow - Read and the Allow - Apply Group Policy permissions for the Default Domain Controllers Policy Group Policy object (GPO).
D. Assign the Domain Users group the Allow - Full Control permission for the Default Domain Policy Group Policy object (GPO).

Answer: C

Explanation: The Read permission allows the viewing of objects and associated object attributes, the object owner, and Active Directory permissions. Note that the Apply Group Policy permission is not available for the local GPO. The policies in a non-local GPO apply only to users who have Read and Apply Group Policy permissions for the GPO set to Allow. On computers running Windows Server 2003, the Everyone group members include Authenticated Users and Domain Guests. On computers running earlier versions of the operating system, members include Authenticated Users and Domain Guests, plus Anonymous Logon. Default Domain Controllers Policy GPO is linked to the Domain Controllers OU, and it generally affects only domain controllers, because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU.

Incorrect Answers:
A, D: Groups or users that have been granted Full Control permission for a folder can delete files and subfolders within that folder, regardless of the permissions protecting the files and subfolders. This is not what is required.
B: These permissions will not correct the problem that is being experienced.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: 18

QUESTION NO: 4
You are the network administrator for TestKing GmbH. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The Active Directory structure is shown in the Active Directory exhibit.
The company's written policy states that users in the manufacturing department are given only restricted access to settings and applications on their computers. The written policy also states that this limitation does not apply to members of a security group named Managers. You create a Group Policy object (GPO) named Restricted Settings and link the GPO to the domain. This GPO contains the policy settings required by the written company policy.
You discover that the restricted settings apply to all users. You examine the Restricted Settings GPO by using the Group Policy Management Console (GPMC). The relevant information is shown in the GPMC exhibit.
You need to configure the network so that the written policy is enforced correctly. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Unlink the Restricted Settings GPO from the domain. Link it to the Manufacturing organizational unit (OU).
B. Unlink the Restricted Settings GPO from the domain. Link it to the Company Users organizational unit (OU).
C. Assign the Authenticated Users group to the Deny - Apply Group Policy permission for the Restricted Settings GPO.
D. Assign the Managers group the Deny - Apply Group Policy permission for the Restricted Settings GPO.

Answer: A, D

Explanation: The question states that the restricted settings should apply to users in the Manufacturing OU. The policy is currently linked to the domain which is why it is being applied to all users in the domain. We should unlink the policy from the domain and link it to the Manufacturing organizational unit (OU). Members of the Managers group should not receive the settings from the OU. We can fulfil this requirement by assigning the Managers group the Deny - Apply Group Policy permission for the Restricted Settings GPO.

Incorrect Answers:
B: The restricted settings should apply to users in the Manufacturing OU, not the Company Users OU.
C: This would prevent the policy applying to all users. The policy should apply to users in the Manufacturing OU.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-41, 10-42, 10-20 to 10-21

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Except for IT staff, users are not local administrators on client computers.
TestKing obtains a new application for order processing. This application must be installed on each client computer. The application is contained in an .msi file. You copy the .msi file to a shared folder on a file server. You assign the Authenticated Users group the Allow - Read permissions for the shared folder.
To deploy the application, you instruct users to double-click the .msi file in the shared folder. When users attempt to install the application, they receive an error message, and setup fails.
You need to configure the network so that the application can be installed successfully. What are two possible ways to achieve this goal? (Each correct
answer presents a complete solution. Choose two)
A. Modify the Default Domain Policy Group Policy object (GPO) and assign the new application to all client computers.
B. Grant the users the permissions required to create temporary files in the shared folder that contains the .msi file.
C. Modify the Default Domain Policy Group Policy object (GPO) and disable the Prohibit User Installs setting in the Windows Installer section of the computer settings.
D. Modify the Default Domain Policy Group Policy object (GPO) and enable the Always install with elevated privileges setting in the Windows Installer section of the computer settings.

Answer: A, D

Explanation: The software installation fails because the users don't have the necessary permissions to install the software. We can solve this problem by either assigning the application to the users in a group policy, or by using a group policy to enable the Always install with elevated privileges setting in the Windows Installer section of the computer settings.

Incorrect Answers:
B: Users don't have the necessary permissions to install the software. Granting users permissions to create temporary files in the shared folder won't overcome this problem.
C: We need to enable the Always install with elevated privileges setting rather than disable the Prohibit User Installs setting.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 10, p.
656
Group policy help: Step-by-Step Guide to Software Installation and Maintenance
http://www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Sales. You create three Group Policy objects (GPOs) that have four configuration settings, as shown in the following table.

Location | GPO name | GPO configuration | Setting
Domain | ScreenSaver | Hide Screen Saver tab | Disabled
Sales OU | Display and Wallpaper | Hide Screen Saver tab | Enabled
Sales OU | Display and Wallpaper | Set Active Desktop Wallpaper to c:\WINNT\web\wallpaper\bliss.jpg | Enabled
Sales OU | Wallpaper | Set Active Desktop Wallpaper to c:\WINNT\web\wallpaper\autumn.jpg | Enabled

The ScreenSaver GPO has the No Override setting enabled. The Sales OU has the Block Policy inheritance setting enabled. The priority for GPOs linked to the Sales OU specifies first priority for the Display and Wallpaper GPO and second priority for the Wallpaper GPO.
For user accounts in the Sales OU, you want the Screen Saver tab to be hidden and the desktop wallpaper to be Autumn.jpg. You log on to a test computer by using a user account from the Sales OU, but you do not receive the settings you wanted.
You need to configure the settings to hide the Screen Saver tab and set the desktop wallpaper to Autumn.jpg for the user accounts in the Sales OU. You want to avoid affecting user accounts in other OUs. What should you do?
A. Enable the No Override setting for the Display and Wallpaper GPO.
B. Disable the No Override setting on the ScreenSaver GPO. Reorder the Wallpaper GPO to be first in the list.
C. Create a GPO and link it to the Default-First-Site-Name. Configure the GPO to set the Active Desktop Wallpaper to c:\WINNT\web\wallpaper\autumn.jpg.
D. Disable the Block Policy inheritance setting on the Sales OU. Change the Display and Wallpaper GPO to set the Active Desktop Wallpaper to c:\WINNT\web\wallpaper\autumn.jpg.

Answer: B

Explanation: The No Override setting on the Screensaver GPO is causing all computers in the domain to display the Screensaver tab. We want to hide the screensaver tab for the Sales OU, so we'll have to remove the No Override settings from the Screensaver GPO. This will enable the Screensaver GPO settings to be overwritten by GPOs applied further down the order. By configuring the Wallpaper GPO to be first in the list, we are giving it a higher priority than the Display and Wallpaper GPO. This means that the Wallpaper GPO settings will overwrite the Display and Wallpaper GPO settings, thus setting the wallpaper to Autumn.jpg.

Incorrect Answers:
A: The Screen saver settings in the Display and Wallpaper GPO is in effect because the ScreenSaver setting, which doesn't hide the Screensaver tab, is set to No Override. Thus subsequent GPOs cannot override this setting. Enabling the No Override setting for the Display and Wallpaper GPO won't result in it being applied.
C: A GPO linked to the Site is applied first and will be overwritten by subsequent GPOs applied at the lower levels.
D: Group policies set to Block Policy inheritance setting on the Sales OU does not affect the ScreenSaver GPO. This is part of the problem.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-3 to 10-12, 10-16 to 10-20

QUESTION NO: 7
Exhibit, Active Directory
Exhibit, GPMC
Sandra reports that the Run command does not appear on her Start menu, even though she is in the OU named Administration.
You discover that the Default Domain Policy GPO is removing the Run command from Sandra's Start menu. There is also a GPO named AdministrativeSettings linked to the Administration OU that has the "Remove Menu from Start Menu" setting disabled.
To investigate the problem, you use the Group Policy Management Console (GPMC). The relevant information is shown in the exhibit.
You need to correct the application of policy settings so that the accounts in the Administrative OU receive the settings from the GPO linked to that OU. You need to accomplish this task without affecting any other policies. What should you do?
A. Disable the No Override setting in the Default Domain Policy GPO.
B. Disable the user configuration setting in the Default Domain Policy GPO.
C. Enable the Block Policy inheritance setting for the Administrative OU.
D. Enable the No Override setting for the AdministrativeSettings GPO.
E. Link the AdministrativeSettings GPO to the domain instead of the Administration OU. Modify the security settings so that the GPO applies to accounts contained in the Administrative OU.

Answer: A

Explanation: The Default Domain Policy GPO is linked to the domain, and it affects all users and computers in the domain (including computers that are domain controllers) through Group Policy inheritance. You thus need to disable the No Override setting in this Default Domain Policy GPO if you want to correct the application of policy settings appropriately without affecting any other policies.

Incorrect answers:
B: Disabling the user configuration setting is not going to correct the application of policy settings in the Administrative OU.
C: The question states that you should correct the application of policy settings; therefore, we cannot block policy inheritance.
D: Group policies set to No Override cannot be blocked. This is part of the problem.
E: This option will affect the other policies and the question clearly states that you should correct the application of the policy settings without affecting the other policies.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 10:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 582, 590

QUESTION NO: 8
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain includes an OU named Accounting. The user accounts for all users in the accounting department are in the Accounting OU.
You create a GPO and link it to Accounting. You configure the GPO to display the company logo as the desktop wallpaper for all client computers in the Accounting OU. The users in the accounting department report that they do not see the company logo as the desktop wallpaper. You suspect that a policy that has higher precedence is conflicting with the one you recently created.
You need to find out why the desktop wallpaper is not applying to the client computers. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution, choose two).
A. Use Resultant Set of Policy (RSOP) in planning mode. Expand the Administrator Templates and view the state of the Active Desktop Wallpaper.
B. Use Resultant Set of Policy (RSOP) in logging mode.
Expand the Administrator Templates and view the properties of the Active Desktop Wallpaper.
C. Run the gpupdate /Target:User command from your computer.

D. Run the gpresult /R command on a computer in the accounting department.

Answer: B, D.

Explanation: We need to view the effective group policy settings for the users or the computers that the users are using. We can use gpresult or RSoP. The gpresult command displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer. Resultant Set of Policy (RSoP) is an addition to Group Policy that provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.
RSoP consists of two modes: Planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and user that are currently logged on.

Incorrect answers:
A: Running RSoP in planning mode will simulate the effect of policy settings that you want to apply to a computer and user. This does not allow you to see the existing policy settings for that computer or user.
C: The gpupdate command will refresh a new policy that needs to be applied immediately. This is not what is required.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
11: 5

QUESTION NO: 9
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Research. All users who have user accounts in the Research OU use portable computers that run Windows XP Professional.
You create a Group Policy object (GPO) named PowerManagement and link it to the Research OU. You configure the PowerManagement GPO to enable the Prompt for password on resume from hibernate / suspend policy.
A user named Tess has a user account in the Research OU. Tess reports that she is not prompted for a password when her computer resumes from hibernation.
You need to ensure that Tess immediately has password protection for her portable computer when resuming from hibernation mode. What should you do?
A. Instruct Tess to run the gpupdate command from her computer.
B. Instruct Tess to run the gpresult command from her computer.
C. Instruct Tess to send a Remote Assistance invitation to you. Take control of Tess's computer and run the secedit /analyze command.
D. Instruct Tess to send a Remote Assistance invitation to you. Take control of Tess's computer and run the gpresult command.

Answer: A

Explanation: Although the GPO has been configured, some laptops may have not been online to be updated with the GPO policy or there could have been network connectivity problems that prevented some laptops from getting the policy. All problems aside, Tess's laptop should get the update at the next GPO refresh interval or Tess can get the refresh immediately by running the gpupdate command from her computer.

Incorrect answers:
B: The gpresult command will yield a text report of the resultant set of policy, i.e. the policy that is already applied. You rather want to enforce a new GPO and that can be done through the use of the gpupdate command that enforces a GPO without having to restart the computer.
C: This command is usually utilized when analyzing system security on a large number of computers. This will not ensure that Tess will have immediate password protection for her portable computer when resuming from hibernation mode. She needs to have the GPO updated on her computer.
D: This would be the wrong command to use (see B explanation). First sending a Remote Assistance invitation is not an immediate process as is required by the question.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, p. 623
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-4 to 10-21, 11-4, 11-6, 11-19 to 11-22

Topic 6, Simulations (14 Questions)
Note: Answers to the unanswered questions will be provided shortly. First customer, if any, faster than us in providing answers will receive credit for each answer provided. Send your suggestions to feedback@testking.com.

QUESTION NO: 1
SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. All client computer accounts for the sales department reside in an organizational unit (OU) named Sales Computers. All user accounts for sales department employees reside in an OU named Sales Employees. A local file named App1.msi is located in the C:\Software folder.
You deploy and configure a new software restriction policy Group Policy object (GPO). Users report that they cannot start App1.msi when they are logged on to computers in the sales department.
You need to ensure that sales department users are not able to run App1.msi, regardless of its location or if it is renamed. You also need to ensure that HR department users are able to run App1.msi. You should not create or modify any GPO links. Your solution must be completed by using the fewest possible settings. What should you do?

Answer: Need exhibit to see OU structure and to see where the policies are applied.
It looks like the policy is applied to the sales computers. We need a certificate rule to prevent Sales users using the application.

QUESTION NO: 2
SIMULATION
You are the network
administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. You are responsible for managing the department servers in an organizational unit (OU) named Departments. The network contains Windows XP Professional client computers, Windows 95 client computers, and several Windows Server 2003 member servers.
The servers in an OU named Sales Servers must be able to communicate with all client computers with the most secure authentication protocol possible. All remaining member servers in the Departments OU must use the most secure authentication protocols even if they lose the ability to communicate with some client computers.
You need to accomplish these configurations by using as few settings as possible. You do not want to create any additional GPO links. What should you do?

Answer:

QUESTION NO: 3
SIMULATION
You are the network administrator for your company, which is named Contoso, Ltd. The network consists of a single Active Directory forest. Contoso, Ltd. acquires another company, which is named TestKing.com. TestKing.com has its own IT staff who will manage the TestKing user accounts and resource security. TestKing.com does not have an Active Directory domain, but a domain must be created. Administrators from Contoso, Ltd. will have administrative access in a TestKing domain only if they are given permission by a TestKing.
You need to create the first domain controller for the new testking.com domain. A DNS zone for the testking.com domain has already been created. You should not change any default configurations unless there is a specified technical requirement. The password for the contoso.com Administrator account and the testking.com Administrator account is P@ssword. What should you do?


Answer: We need to create a new domain controller for a new domain in a new forest. If we selected a new domain in the existing forest, members of the Enterprise admins group would be able to administer the new domain.
Step #1. Click Start > Run and type: dcpromo to start the Active Directory installation wizard and click Next.
Step #2. Click Next.
Step #3. Accept the default option of "Domain controller for a new domain" and click Next.
Step #4. Accept the default option of "Domain in a new forest" and click Next.
Step #5. Enter the domain name testking.com and click Next.
Step #6. Accept the default NetBIOS name and click Next.
Step #7. Accept the default options and click Next.
Step #8. Accept the default option and click Next.
Step #9. Accept the default option and click Next.
Step #10. Enter the password of P@ssword.
Step #11. Click Next at the summary screen to start the Active Directory installation.
Step #12.
Click Finish when Active Directory is installed.

QUESTION NO: 4
SIMULATION
You are the domain administrator for your company's Active Directory domain. The domain contains four sites, which are named Denver, Beijing, Chicago, and Toronto. Site links reflect the WAN connectivity between the physical site locations.
You need to ensure that the following goals are achieved:
1. Domain controllers at one site do not replicate with domain controllers at another site, unless direct WAN connectivity exists between those sites.
2. At least one server in the Toronto site is configured to be a global catalog server.
Replication should be configured so that the following goals are achieved:
1. All site links from the Toronto site are configured to have a cost of 50.
2. Other site links must have a cost of 150.
What should you do?

Answer: Need the exhibit to see the site links and site link bridges.
We don't have the exhibit to show the exact site links and site link bridges that exist, but we can still show what needs to be done. To answer this question, we'll assume that Toronto is linked to all other sites and that Denver and Chicago have a direct link between them.
The first requirement of the question states that domain controllers at one site must not replicate with domain controllers at another site, unless direct WAN connectivity exists between those sites. To do this, we need to delete any site link bridges that exist.
Step #1. In Active Directory Sites and Services, expand Inter-Site Transports and click the IP folder to display the Site Links and Site Link Bridges.
Step #2. Right click on each of the Site Link Bridges and select Delete.
Step #3. Click Yes and repeat for any other Site Link Bridges.
The second requirement of the question states that at least one server in the Toronto site is configured to be a global catalog server.
Step #1. In Active Directory Sites and Services, expand the Toronto site, expand the Servers container, expand a server, right click on NTDS Settings and click properties.
Step #2. Check the Global Catalog check box and click OK.
The third requirement of the question states that all site links from Toronto are configured to have a cost of 50 and other site links must have a cost of 150.
Step #1. In Active Directory Sites and Services, expand Inter-Site Transports and click the IP folder to display the Site Links.
Step #2.
Double click a site link to display its Properties dialog box.
Step #3. Enter the appropriate cost: 50 for all site links from Toronto and 150 for all other site links then click ok. Repeat as necessary until all site links have been configured.

QUESTION NO: 5
SIMULATION
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All Sales users are located in the Sales Employees organizational unit (OU).
You need to deploy two applications named App1 and App2 by using Group Policy objects (GPOs). App1 and App2 are located on the \\Server3\Software share.
1. App1 must be deployed to all computers in all departments.
2. App1 must not be installed on domain controllers.
3. App2 must be deployed to only Sales users.
4. App2 must be installed at the next logon.
You need to ensure that the applications are correctly deployed. No new GPO links should be created. What should you do?

Answer: Need exhibit to see OU structure and to see where the policies are applied.
The GPOs that we need to modify will depend on the OU structure. The first requirement of the question states that App1 must be deployed to all computers in all departments. If there are departmental OUs in a Departments top level OU, then that would be the GPO we need to configure.
Step #1. In Group Policy Editor, expand Computer Configuration then Software Settings. Right click on "Software installation", select New > Package.
Step #2. Browse to \\server3\software, select App1.msi and click Open.
Step #3. Click OK.
The question states that App2 must be deployed to only Sales users and installed at next logon. To do this, we need to assign App2 in the Users section of the Sales Users OU GPO.
Step #1. In Group Policy Editor, expand Computer Configuration then Software Settings. Right click on "Software installation", select New > Package.
Step #2. Browse to \\server3\software\app2.msi and select Open.
Step #3.
Select Advanced.
Step #4. On the Deployment tab, select "Assigned" as the deployment type and check the "Install this application at logon" check box then click Ok.

QUESTION NO: 6
SIMULATION
You are the network administrator for your company, which is named Contoso, Ltd. Your user name is Administrator, and your user password is p@ssword. The network consists of a single Active Directory forest named contoso.com. Contoso, Ltd. acquires another company, which is named TestKing.com. TestKing.com has its own IT staff who will manage the TestKing user accounts and resource security. TestKing.com does not have an Active Directory domain, but a domain must be created.
The Contoso, Ltd. domain and the new TestKing.com domain must share a common Active Directory schema. The new domain for TestKing.com must be named testking.com.
You need to create the first domain controller for the new testking.com domain on Server1. DNS should be installed automatically. You should not change any default configurations unless there is a specified technical requirement. What should you do?

Answer: The question states that the Contoso, Ltd. domain and the new TestKing.com domain must share a common Active Directory schema. This means that we must create a new domain in the existing forest.
Step #1. Click Start > Run and type: dcpromo to start the Active Directory installation wizard and click Next.
Step #2. Click Next.
Step #3. Accept the default option of "Domain controller for a new domain" and click Next.

Step #4. Select "Domain tree in an existing forest" and click Next.
Step #5. Enter the username of administrator, the password of p@ssword and the domain Contoso.com then click Next.
Step #6. Enter the domain name testking.com and click Next.
Step #7. Accept the default NetBIOS name and click Next.
Step #8. Accept the default log locations and click Next.
Step #9. Accept the default Sysvol location and click Next.
Step #10. Select the option to install and configure DNS automatically and click Next.
Step #11. Accept the default option and click Next.
Step #12. The question doesn't state what the Restore Mode password should be so I have entered p@ssword as the password.
Step #13. At the summary screen, click Next to start the Active Directory installation.
Step #14. Click Finish when Active Directory is installed.

QUESTION NO: 7 SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. The company has a main office and two branch offices. Due to a recent reorganization within the company, your Active Directory Site topology no longer reflects the current network infrastructure as shown in the following exhibit. (***MISSING***) You need to modify the Active Directory site and subnets topology to reflect the current network infrastructure. What should you do?

Answer: Need exhibit.

QUESTION NO: 8 SIMULATION
You are the domain administrator for your company's Active Directory domain named contoso.com. The domain contains four organizational units (OUs) named East, EastSales, West, and WestSales. The user account for User1 is currently located in the EastSales OU. There are currently several Group Policy objects (GPOs) used to deploy settings as shown in the following table:

Organizational Unit (OU)    Name of Linked GPO
East                        GPO1, GPO2
EastSales
West                        GPO3, GPO4
WestSales                   GPO5

You need to ensure that:
1. GPO1 and GPO2 are applied to objects within the EastSales OU.
2. GPO3, GPO4, and GPO5 are applied to objects within the WestSales OU.
3. Only GPO3, GPO4, and GPO5 should be applied to User1.
You do not have permissions to manage or modify GPO links. You need to reorganize the appropriate objects within Active Directory to achieve these goals. What should you do?

Answer: GPO1 and GPO2 must be applied to objects within the EastSales OU. To do this, move the EastSales OU into the East OU. GPO3, GPO4, and GPO5 must be applied to objects within the WestSales OU. To do this, move the WestSales OU into the West OU. Only GPO3, GPO4, and GPO5 should be applied to User1. To do this, move the User1 user account from the EastSales OU into the WestSales OU.

QUESTION NO: 9 SIMULATION
You are the network administrator for Contoso, Ltd. Your user name is Administrator, and your user password is P@ssword. The network consists of a single Active Directory forest. Contoso, Ltd., acquires another company, which is named TestKing.com. TestKing.com does not currently have an Active Directory domain. The Contoso, Ltd., domain, which is named contoso.com, and the new TestKing.com domain, which is named testking.com, must share a common Active Directory schema. You need to create the first domain controller for testking.com on Server1. The FQDN of the domain must be testking.contoso.com. The password for the TestKing.com Administrator account is P@ssword. What should you do?

Answer: The FQDN for the testking domain should be testking.contoso.com. Therefore, the testking domain should be a subdomain of the Contoso.com domain.
Step #1. Click Start > Run and type: dcpromo to start the Active Directory installation wizard and click Next.
Step #2. Click Next.
Step #3. Accept the default option of "Domain controller for a new domain" and click Next.
Step #4. Select "Child domain in an existing domain tree" and click Next.
Step #5. Enter the username of administrator, the password of P@ssword and the domain Contoso.com then click Next.
Step #6. Enter contoso.com for the parent domain and testking for the child domain and click Next.
Step #7. Accept the default NetBIOS name and click Next.

Step #8. Accept the default log locations and click Next.
Step #9. Accept the default Sysvol location and click Next.
Step #10. Click Next.
Step #11. Accept the default option and click Next.
Step #12. The question doesn't state what the Restore Mode password should be so I have entered P@ssword as the password.
Step #13. At the summary screen, click Next to start the Active Directory installation.
Step #14. Click Finish when Active Directory is installed.

QUESTION NO: 10 SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. The network contains a Windows Server 2003 computer named TestKing3. You need to deploy a new application named Application 1. Application 1 must be available on the Start menu for any user that logs on to a computer in the Sales Computers OU. The application installation package is named App1.msi. The package is located on TestKing3 in a shared folder named Software. You need to configure a Group Policy object (GPO) named GPO1 to deploy Application 1. The administrator of the GPOs will link GPO1 to the appropriate organizational unit (OU) after you configure it. You should not create additional GPOs or GPO links. What should you do?

Answer: We need to assign App1 in the Computer Configuration section of GPO1.
Step #1. In Group Policy Management, right click on the GPOs folder and select "New". Enter the name GPO1 and click OK.
Step #2. Right click on GPO1 and select Edit to open Group Policy Editor.
Step #3. In Group Policy Editor, expand Computer Configuration then Software Settings. Right click on "Software installation", select New > Package.
Step #4. Browse to \\server3\software, select App1.msi and click Open.
Step #5. Click OK.

QUESTION NO: 11 SIMULATION
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. All client computer accounts for the sales department reside in the organizational unit (OU) named Sales Computers. All user accounts for sales department employees reside in the OU named Sales Employees. These Group Policy objects (GPOs) are already linked to some of the OUs. You need to lock down the desktops for only the users in the sales department. The desktop security settings that you need to enable must meet the following requirements:
1. Do not allow users to access Control Panel
2. Do not allow users to access Network Connections from the Start menu
3. Ensure that the My Computer icon does not appear on the desktop
4. Ensure that any changes made to the desktop do not remain when users log off
You must configure the desktop security settings without creating additional GPOs or GPO links. You want to minimize the number of GPO settings you configure. What should you do?

Answer: We need to modify the GPO that applies to the Sales Employees OU.
Step #1. In Group Policy Management, right click the Sales Employees OU GPO and select "Edit" to open Group Policy Editor.
Step #2. The first requirement of the question is: Do not allow users to access Control Panel. Expand User Configuration > Administrative Templates and click the Control Panel Folder.
Step #3. Double click "Prohibit access to the Control Panel", select Enabled and click OK.
Step #4. The second requirement of the question states: Do not allow users to access Network Connections from the Start menu. In Group Policy Editor, click the "Start Menu and Taskbar" folder.
Step #5. Double click "Remove Network Connections from Start Menu", select Enabled and click OK.
Step #6. The third requirement of the question states: Ensure that the My Computer icon does not appear on the desktop. In Group Policy Editor, click the "Desktop" folder.
Step #7. Double click "Remove My Computer icon on the desktop", select Enabled and click OK.
Step #8. The fourth requirement of the question states: Ensure that any changes made to the desktop do not remain when users log off. The option we need to configure is also under the "Desktop" folder.

Step #9. Double click "Don't save settings at exit", select Enabled and click OK.

QUESTION NO: 12 SIMULATION
You are the domain administrator for your company's Active Directory domain. The domain contains a domain global security group named PasswordAdmins and an organizational unit (OU) named Sales. You need to ensure that all members of the PasswordAdmins group have the ability to reset passwords on user objects contained in the Sales OU and force the password change to be in effect when the user next logs onto the network. You want to accomplish this task by assigning the least amount of administrative rights. What should you do?

Answer: We can delegate the appropriate permissions using the Delegation of Control wizard in Active Directory Users and Computers.
Step #1. In Active Directory Users and Computers, right click the Sales OU and select Delegate Control to start the Delegation of Control wizard.
Step #2. Click Next.
Step #3. Click Add to add the group we'll be delegating control to.
Step #4. Type 'PasswordAdmins' and click ok.
Step #5. Click Next.
Step #6. Tick "Reset user passwords and force password change at next logon" and click Next.
Step #7. Click Finish.

QUESTION NO: 13 SIMULATION
You are the administrator of an Active Directory forest that contains a single domain named testking.com. All domain controllers in the domain run Windows Server 2003. The password for the testking.com Administrator account is P@ssword. You need to configure the testking.com domain so that it can later be renamed to fabrikam.com. What should you do?

Answer: To be able to rename a domain, we need to raise the forest functional level to Windows Server 2003. To raise the functional level of the forest to Windows Server 2003, the functional level of all the domains in the forest must be Windows Server 2003. This forest contains only one domain so we'll raise the domain functional level then raise the forest functional level.
Step #1. Open Active Directory Domains and Trusts.

Step #2. Right click on the testking.com domain and select "Raise Domain Functional Level".
Step #3. Select Windows Server 2003 from the drop-down box and click Raise.
Step #4. Click OK.
Step #5. Click OK.
Step #5. Now that we have raised the Domain Functional Level, we can raise the Forest Functional Level. In Active Directory Domains and Trusts, right click the Active Directory Domains and Trusts icon and select "Raise Forest Functional Level".
Step #6. Select Windows Server 2003 from the drop-down box.
Step #7. Click Ok.
Step #8. Click Ok.

QUESTION NO: 14 SIMULATION
You are the domain administrator for your company, which is named Contoso, Ltd. The company's network consists of an Active Directory forest named contoso.com. Contoso, Ltd., has a division named TestKing.com. The network for the TestKing.com division consists of a forest named testking.com. A two-way forest trust exists between testking.com and contoso.com. TestKing.com is sold to another company. The forest trust with testking.com is no longer necessary, and access must not be allowed between the testking.com and contoso.com forests. Contoso, Ltd., acquires a new company named Litware, Inc. The network for Litware, Inc., runs a UNIX Kerberos V5.0 realm named litwareinc.com. Users in contoso.com and litwareinc.com need to access resources. You need to configure the trusts in contoso.com to meet the business needs. What should you do?

Answer: We need to remove the existing two-way forest trust between TestKing.com and Fabrikam.com. Then we need to create a two-way trust between TestKing.com and litwareinc.com.
Step #1. Open Active Directory Domains and Trusts.
Step #2. Right click on testking.com and select Properties.
Step #3. On the "Trusts" tab, select "Fabrikam" and click Remove. Repeat for both the outgoing trusts and the incoming trusts.
Step #4. Click the "New Trust" button to start the New Trust Wizard.
Step #5. Click Next.
Step #6. Enter the name litwareinc.com and click Next.
Step #7. Select Realm Trust and click Next.
Step #8. The question doesn't state whether the trust should be transitive or nontransitive. If the Windows forest only has one domain, it won't make any difference so leave the default option of Nontransitive and click Next.
Step #9. Select "Two-way" and click Next.
Step #10. Enter a password and click Next.
Step #11. Click Next at the confirmation box.
Step #12. Click Finish.

Topic 7, Miscellaneous Questions (17 Questions)

QUESTION NO:
You are the network administrator for TestKing.com. TestKing has offices in New York, Copenhagen, and Ankara. The network consists of a single Active Directory domain and three sites. The sites are named NYsite, CopSite, and AnkSite. TestKing is adding a new division at the New York office for publishing fiction books. You create a new organizational unit (OU) named Fiction for the fiction division. You add a new network segment and subnet for the fiction division. You plan to place new Windows XP Professional computers for the fiction division in the new subnet. You also plan to add a new domain controller to NYSite. You need to ensure that users in the fiction division use the domain controllers in the New York office when logging on to the network. What should you do?
A. Decrease the metric for the default gateway on the new Windows XP Professional computers.
B. Create a new subnet object for the new subnet. Add the new subnet object to NYSite.
C. Configure the location attribute for the new Windows XP Professional computers to be NYSite.
D. Move the domain controller objects for the domain controllers in the New York office to the Fiction OU.

Answer: B
Explanation: Subnets can be associated with a site by using subnet objects. This will ensure that users on a particular subnet log on to a domain controller in a particular site.
Incorrect Answers:
A: This won't accomplish anything.
C: The location attribute is for information only. It will not link the computer to the site.
D: This will give the administrators of the Fiction OU control over the domain controllers in the New York office. It won't ensure that the users on the new subnet logon to the domain controller in the New York office.
Reference:

J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27-30
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 528

QUESTION NO: 2
You are a consultant for several different companies. You design the security policies for the computers running Windows 2003 Server and Windows 2000 Professional in your customers' networks. You use these security policies to configure a server named Server1. You want to deploy the security configuration on Server1 to computers in your customer's networks by using the least amount of administrative effort. What should you do first?
A. Create a Group Policy Object (GPO) that configures the security settings for all computers to match the settings on Server1, and then link the GPO to the domain. Export the console list to a file.
B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template in a file.
C. In the System Information snap-in, save the system summary as a system information file.
D. In the Security Templates snap-in, export the console list to a file.

Answer: B
Explanation: We can use the Security Configuration and Analysis snap-in to export all the security settings from a computer to a template file. This will enable us to apply the same security settings to other computers. We can apply the template to other computers either by using the Security Configuration and Analysis snap-in (for single computers) or by importing the template into a group policy object (for multiple computers).
Incorrect Answers:
A: You have already manually configured the settings on Server1. It would be quicker to export them to a template file, rather than manually enter the settings into a GPO.
C: The system summary does not contain the security settings.
D: The console list does not contain the security settings.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13-57 to 13-65, 13-70-13-80.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13-57 to 13-65, 13-70-13-80

QUESTION NO: 3
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains three sites named MainOffice, EastCoast, and WestCoast. Each site contains four domain controllers and 100 client computers. One server in the EastCoast site is named TestKing1. All DNS servers contain Active Directory-integrated zones. Other administrators report that they cannot connect to TestKing1 when attempting to perform Active Directory administration. They report they can perform these tasks locally at TestKing1. You verify that Server1 is operational and that file and print resources are accessible by using the host name. You need to ensure that administrators can perform Active Directory administration on TestKing1 without requiring physical access to the server. What should you do?
A. On Server1, force registration of DNS hosts (A) resource records.
B. On Server1, restart the Net Logon service.
C. Install DNS on TestKing1.
D. Configure TestKing as a local bridgehead server for the EastCoast site.

Answer: B
Explanation: TestKing1 is a domain controller. We know this because administrators are trying to perform Active Directory administration on TestKing1. File and print resources on TestKing1 are accessible by using the host name. This means that the A records are present in DNS. The problem in this question is that the SRV records are missing. We need to restore the SRV in DNS. The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. To initiate the registration performed by Net Logon service manually, you can restart the Net Logon service.
Incorrect Answers:
A: File and print resources on TestKing1 are accessible by using the host name. This means that the A records are present in DNS.
C: It is not necessary to install DNS on TestKing1.
D: TestKing1 does not need to be a bridgehead server to enable the administrators to access it.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 12

QUESTION NO: 4
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest root domain is contoso.com. Contoso, Ltd., recently merged with another company named TestKing, whose network consists of a single Active Directory forest. The functional level of the TestKing forest is Windows Server 2003. The forest root domain for TestKing is testking.com. You need to create a forest trust relationship between the two forests. Each company has dedicated connections to the Internet. You need to configure DNS to support the forest trust relationship. You want to maintain Internet name resolution capability for each company's network. What should you do?
A. Configure the contoso.com DNS servers to forward to the testking.com DNS servers. Configure the testking.com DNS servers to forward to the contoso.com DNS servers.
B. Configure conditional forwarding of testking.com on the contoso.com DNS servers to the testking.com DNS servers. Configure conditional forwarding of contoso.com on the testking.com DNS servers to the contoso.com DNS servers.
C. Configure a standard primary zone for testking.com on one of the contoso.com DNS servers. Configure a standard primary zone for contoso.com on one of the testking.com DNS servers.
D. Configure an Active Directory-integrated zone for testking.com on the contoso.com DNS servers. Configure an Active Directory-integrated zone for contoso.com on the testking.com DNS servers.

Answer: B
Explanation: A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Incorrect Answers:
A: We don't want ALL resolution requests to be forwarded to the other DNS servers.
C: We can't host primary zones on multiple servers.
D: We can't host Active Directory integrated zones on DNS servers in different forests.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-58, 4-61
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 829, 460-46
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 367-369

QUESTION NO: 5
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains. Each domain contains

domain controllers that run Windows 2000 Server and domain controllers that run Windows Server 2003. The DNS Server service is installed on all domain controllers. All client computers run Windows XP Professional. You need to add an additional DNS zone that is hosted on at least one DNS server on each domain. You want to configure the zone to allow secure updates only. What should you do?
A. Configure the new zone on DNS servers in the root domain. Configure stub zones that refer to DNS servers in another two domains.
B. Configure the new zone as a primary zone on one DNS server. Configure other DNS servers in the three domains as secondary servers for this zone. Enable the DNS Security Extensions (DNSSEC) protocol.
C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named DomainDNSZones.
D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named ForestDNSZones.

Answer: D
Explanation: To enable secure updates, we need an Active Directory integrated zone. To replicate to the DNS servers in the other domains, the zone must be installed on a Windows 2003 domain controller in each domain. During the configuration of the zone, you can select the option to replicate the zone information directory partition named ForestDNSZones.
Incorrect Answers:
A: We need Active Directory integrated zones, not stub zones.
B: Secondary zones are not writeable and so cannot accept updates.
C: If we store the zone data in the DNS directory partition named DomainDNSZones, it will only be replicated in a single domain, not the entire forest.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-25, 6-22

QUESTION NO: 6
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one domain named testking.com. You need to deploy a new domain named NA.testking.com as a child domain of testking.com. You install a new stand-alone Windows Server 2003 computer named TK1. You plan to make TK1 the first domain controller in the NA.testking.com domain. You configure TK1 with a static IP configuration. You run the Active Directory Installation Wizard on TK1. The wizard prompts you for the network credentials to use to join the NA.testking.com domain to testking.com. You receive an error message stating that a domain controller in the testking.com domain cannot be located. You need to be able to promote TK1 to a domain controller as the first domain controller of the child domain in the existing forest. What should you do?
A. Configure the client WINS settings on TK1 to use a WINS server that contains entries for the testking.com domain controllers.
B. Configure the client DNS settings on TK1 to use a DNS server that is authoritative for the testking.com domain.
C. Configure the DNS Server service on TK1 to have a zone for NA.testking.com.
D. Configure TK1 to be a member server in the testking.com domain.

Answer: B
Explanation: This is typically the effect of a DNS problem because the client (in this case a member server) can't locate the SRV records of a domain. The process needs to contact the DNS server that is authoritative for the parent domain that you want to make a child domain in. First, in the Active Directory installation wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller. Later in the installation process, the wizard tests for the following: Based on its TCP/IP client configuration, it checks to see whether a preferred DNS server is configured. If a preferred DNS server is available, it queries to find the primary authoritative server for the DNS domain you specified earlier in the wizard. It then tests to see whether the authoritative primary server can support and accept dynamic updates as described in the DNS dynamic update protocol. If, at this point in the process, a supporting DNS server cannot be located to accept updates for the specified DNS domain name you are using with Active Directory, you are provided with the option to install the DNS Server service.
Incorrect Answers:
A: WINS is used for name resolution for down level clients. TK1 is a Windows Server 2003 computer.
C: NA.testking.com does not yet exist.
D: We want to install TK1 as a domain controller for the na.testking.com domain. Making TK1 a member server would mean demoting the server and then promoting it again at a later point. This does not make sense.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 6
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-6 to 4-9, 4-17

QUESTION NO: 7
You are the network administrator for Acme. The network consists of a single Active Directory forest root domain named acme.com. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named DC1.acme.com is the Active Directory-integrated DNS server for acme.com. All servers and client computers in the acme.com domain use DC1.acme.com as their DNS server for name resolution. Acme acquires a company named TestKing. The TestKing network consists of a single Active Directory forest root domain named testking.com. The functional level of this domain is Windows Server 2003. A Windows Server 2003 domain controller named DC1.testking.com is the Active Directory-integrated DNS server for testking.com. All servers and client computers in the testking.com domain use DC1.testking.com as their DNS server for name resolution. You create a two-way forest trust relationship with forest-wide authentication between acme.com and testking.com. You need to ensure that all users in both companies can log on to both forest root domains. You need to achieve this goal without adversely affecting Internet access. What should you do?
A. Set the Stub Zone as the zone type for the acme.com domain on DC1.acme.com and for the testking.com domain on DC1.testking.com.
B. Select the Do not use recursion for this domain check box on DC1.testking.com and on DC1.acme.com.
C. Add the fully qualified domain name (FQDN) and the IP address of DC1.testking.com to the Root hints list in DC1.acme.com. Add the FQDN and the IP address of DC1.acme.com to the Root hints list on DC1.testking.com.
D. Configure conditional forwarding on DC1.acme.com to forward all requests for resources in the testking.com domain to DC1.testking.com. Configure conditional forwarding on DC1.testking.com to forward all requests for resources in the acme.com domain to DC1.acme.com.
Answer: D

Explanation: To log on to a computer in acme.com with a user account in testking.com, the acme.com DNS server needs to be able to locate a domain controller in testking.com to authenticate the login. You can use Conditional forwarding which enables a DNS server to forward DNS queries based on the DNS domain name in the query. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.

Incorrect Answers:
A: A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone.
B: Recursion is the process of a DNS server querying other DNS servers on behalf of an original querying client. If recursion is disabled, the client performs iterative queries by using root hint referrals from the DNS server. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.
C: Root hints is a list of preliminary resource records used by the DNS service to locate servers authoritative for the root of the DNS domain namespace tree.

Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 451

QUESTION NO: 8
You are the security analyst for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The perimeter network contains an application server, which is accessible to external users.
You view the logs on your intrusion-detection system (IDS) and on the router and discover that very large numbers of TCP SYN packets are being sent to the application server. The application server is responding with SYN-ACK packets to several different IP addresses, but is not receiving ACK responses. You note that all incoming SYN packets appear to be originating from IP addresses located within the perimeter network's subnet address range. No computers in your perimeter network are configured with these IP addresses. The router logs show that these packets are originating from locations on the Internet.
You need to prevent this type of attack from occurring until a patch is made available from the application vendor. Because of budget constraints, you cannot add any new hardware or software to the network. Your solution cannot adversely affect legitimate traffic to the application server. What should you do?

A. Relocate the application server to the company intranet. Configure the firewall to allow inbound and outbound traffic on the ports and protocols used by the application.
B. Configure network ingress filters on the router to drop packets that have local addresses but that appear to originate from outside the company network.
C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network access to only authorized users and to drop all other packets originating from the Internet.
D. Configure the IDS on the perimeter network with a response rule that sends a remote shutdown command to the application server in the event of a similar denial-of-service attack.

Answer: B

Explanation: In an ideal world, each router would be configured with ingress filters that would drop packets arriving from "internal" networks whose source address was not a member of the set of network addresses that this router serves. The majority of routers could be so configured. These ingress filters should be required as part of a "good neighbor policy." Ingress filters would not totally eliminate denial of service attacks but could greatly reduce such attacks. An attacker could still spoof an address within a local subnet, but that would permit back-tracking the packets to the source subnet.

Incorrect Answers:
A: There is no firewall mentioned in the question.
C: This option could also work, but it involves extra administration.
D: the application server" and this option would.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 783
http://securityresponse.symantec.com/avcenter/security/content/9011.html

QUESTION NO: 9
You are the network administrator for TestKing. You need to test a new application. The application requires 2 processors and 2 GB of RAM. The application also requires shared folders and installation of software on client computers. You install the application on a Windows Server 2003 Web Edition computer and install the application on 20 test client computers.

You then discover that only some of the client computers can connect and run the application. You turn off some computers and discover that the computer that failed to open the application can now run the application. You need to identify the cause of the failure and update your test plan. What should you do?

A. Increase the maximum number of worker processes to 20 for the default application pool.
B. Use add/remove programs to add the application server windows component.
C. Change the application pool to identify the local service for the default application pool.
D. Change the test server OS to Windows Server 2003 Standard Edition or Enterprise.

Answer: D

Explanation: Although Windows Server 2003 Web Edition supports up to 2GB of for the application. Therefore, we need to install Windows Server 2003 Standard Edition or Enterprise Edition to support enough RAM.

Incorrect Answers:
A, C: Edition reserves 1GB for the operating system so only 1GB of RAM is available for the application. So, changing the application pool won't resolve this problem.
B: The application server component includes IIS and ASP. These would be part of the default installation on a Web Server.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 1, p. 75

QUESTION NO: 10
You are the network admin for Litware Inc. The company's written security policy requires that you maintain a copy of all private keys issued by TestKing's enterprise root CA. You create a duplicate of the user template named Employee and configure the template as shown in the Employee Properties exhibit:
You configure the CA to archive private keys by using a Key Recovery Agent Certificate. You create a test user account named Peter and request a new employee certificate. You issue the certificate to Peter. You reinstall the OS on your test computer and attempt to recover Peter's private key. Your attempt fails and generates the following error message:
C:\ certutil -Getkey
CertUtil: -GetKey command failed
CertUtil: Cannot find object or property.
You need to ensure that future attempts to recover private keys associated with Employee certificates succeed. What should you do?

A. Using Group Policy, deploy a copy of the key recovery agent certificate to all client computers.
B. In the Employee template, select the Archive subject's encryption private key check box.
C. In the employee template, select the Allow private key to be exported check box.
D. Run the certutil -dspublish command to publish the Key Recovery Agent certificate to Active Directory.

Answer: C

Explanation: The Request Handling tab has options including minimum key size and certificate purpose. The certificate purpose can be encryption, signature, or signature and encryption. There is also an option to allow the export of the private key.

Incorrect Answers:
A: Key recovery is deployed via the Certificate Services.
B: You are attempting to recover the key, not archive it.
D: This option will not work since the certutil command is not responding positively.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, 2004, Chapter 12

QUESTION NO: 11
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain named testking.com. All servers run Windows Server 2003, and all client computers run Windows XP Professional.
In a test lab that contains a separate forest, you develop and test a Group Policy object (GPO) that you need to apply to all computers and users in the domain. You need to implement the new GPO on the network. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Use a Distributed File System (DFS) to replicate the GPO information in the SYSVOL shared folder from the test lab to the domain.
B. Use the Group Policy Management Console (GPMC) to back up the GPO from the test lab and import it into the domain.
C. Copy the Group Policy Template (GPT) files in the SYSVOL shared folder from the test lab to the domain.
D. Use Active Directory Users and Computers to create a new GPO linked to the domain. In the new GPO, include all of the settings that exist in the GPO in the test lab.

Answer: B

Explanation: The GPMC lets administrators manage Group Policy for multiple domains and sites within one or more forests, all in a simplified user interface (UI) with drag-and-drop support. Highlights include new functionality such as backup, restore, import, copy, and reporting of Group Policy objects (GPOs). These operations are fully scriptable, which lets administrators customize and automate management. We can use the Group Policy Management Console (GPMC) to back up the GPO from the test lab and import it into the domain.
Incorrect answers:
A: DFS allows you to redirect specific folders like My Documents out to a high-availability network location where each user's files can be backed up and protected. This is not what is desired.
C: This option is not the way to implement a new GPO on a network.
D: This is one way of implementing the GPO but with much more administrative effort than is necessary.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 4, pp. 328, 361
MS White Paper: Migrating GPOs Across Domains with GPMC
http://www.microsoft.com/windowsserver2003/docs/MigGPOs.doc

QUESTION NO: 12
You are the network administrator for TestKing. All Web servers on the network run Windows 2000 Server. The Web servers run several applications, including a collaborative Web-based application that uses ASP.NET and Web Distributed Authoring and Versioning (WebDAV).
You plan to migrate the Web servers to Windows Server 2003. You use the Configure Your Server Wizard to configure a Windows Server 2003 computer as an application server, and you enable ASP.NET in the process. You install the Web-based application on the server.
Users now report that when they attempt to access the collaborative Web-based application, they receive the error message shown in the exhibit.
You need to enable the collaborative Web-based application to function on Windows Server 2003 while maintaining Web server security. What should you do?

A. Use IIS Manager to disable anonymous access.
B. Use IIS Manager to allow the WebDAV Web service extension and to allow Httpext.dll.
C. Use IIS Manager to grant the users of the Web-based application permissions for the default Web site.
D. Use IIS Manager to allow the Active Server Pages Web service extension and to allow Asp.dll.

Answer: D

Explanation: By default, when Internet Information Services (IIS) is installed on any version of the Microsoft Windows Server 2003 family, IIS only serves static content (HTML). When you request dynamic content, such as Active Server Pages (ASP) or ASP.NET pages, you receive one of the following error messages:
HTTP Error 404 - File Not Found
-or-
HTTP Error 404 - File or Directory not found
To permit IIS to serve other types of content, the administrator must unlock this content in the Web service extensions node in the IIS management console. To do this, either enable a pre-existing Web service extension or add a new Web service extension.

Incorrect Answers:
A: This is not a permissions problem. You can run ASP content with anonymous access enabled if you want to.
B: WebDAV is used to access files over HTTP. It is not required to run ASP content.
C: This is not a permissions problem. A permissions problem would return a different error message.

Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 3

QUESTION NO: 13
You are a systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.
The network contains 20 servers that run Terminal Services. All user productivity applications are hosted on these servers. Several of these applications are legacy applications that require users to control the file system and application registry settings.
Currently, Terminal Services is configured to allow administrators to remotely view and control users' Terminal Services sessions for support and training purposes. The managers of the human resources and finance departments inform you that confidential information was compromised when administrative personnel viewed user sessions without the knowledge or permission of the users. The managers direct you to change the Terminal Services configuration to ensure that administrators can never view or control a user's session without the user's permission.
You modify the Default Domain Policy Group Policy object (GPO) as shown in the exhibit.
You attempt to establish remote control of a user's Terminal Services session and find out that you can do so without the user's permission.
You need to configure Terminal Services to require the users' permission before an administrator can remotely view or control the session. You need to accomplish this task as quickly as possible and by using the minimum amount of administrative effort. Your configuration must also automatically apply to any new terminal servers that are installed in the network. What should you do?

A. In the Computer Configuration section of the Default Domain Policy GPO, disable the Users can connect remotely using Terminal Services option.
B. In the Computer Configuration section of the Default Domain Policy GPO, enable the Sets rules for remote control of Terminal Services user sessions option and specify Full Control with user's permission.
C. In the Terminal Services Configuration tool, select the Use remote control with the following settings option and select the Require user's permission check box.
D. In the Terminal Services Configuration tool, set the Permission compatibility option to Full Security. In the connection properties, remove the Allow - Full Control permission from the Administrators group.

Answer: B

Explanation: Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. The Default Domain Policy GPO is linked to the domain, and it affects all users and computers in the domain (including computers that are domain controllers) through Group Policy inheritance. Thus to require that an administrator can remotely control or view the session and apply it to all new terminal servers that are installed on the network with the least amount of administrative effort, you should enable the Sets rules for remote control of Terminal Services user sessions with the Full Control with user's permission setting in the Default Domain Policy GPO.

Incorrect answers:
A: The Computer configuration section of the Default Domain Policy GPO is the correct location to be configured. However, disabling the Users can connect remotely using Terminal Services is not the correct setting.
C: This option will require more administrative effort than is necessary.
D: There is no need to configure the Terminal Services Configuration tool and its settings since all that is required is to enable the Sets rules for remote control of Terminal Services user sessions with the Full Control with user's permission setting in the Default Domain Policy GPO.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 43
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 2, pp. 122-126 & Chapter 9, pp. 628-630

QUESTION NO: 14
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains two domains named testking.com and na.testking.com. The functional level of the forest is Windows Server 2003.
Testking merges with a company named Testworld. The Testworld network also consists of a single Active Directory forest. The forest contains two domains named testworld.com and sa.testworld.com. The functional level of both domains is Windows 2000 native. All domain controllers in the forest run Windows 2000 Server.
Users in the na.testking.com domain and the sa.testworld.com domain must be able to easily share information. The data is located on Windows Server 2003 member servers in both domains.
You need to configure the trust relationships between the domains so that the users can easily share the information. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Create a two-way forest trust relationship between the testking.com domain and the testworld.com domain.
B. Create a one-way external trust relationship in which the na.testking.com domain trusts the sa.testworld.com domain. Create another one-way external trust relationship in which the sa.testworld.com domain trusts the na.testking.com domain.
C. Create a one-way external trust relationship in which the na.testking.com domain trusts the testworld.com domain. Create another one-way external trust relationship in which the sa.testworld.com domain trusts the testking.com domain.
D. Create a one-way external trust relationship in which the testworld.com domain trusts the na.testking.com domain.
Create another one-way external trust relationship in which the testking.com domain trusts the sa.testworld.com domain.

Answer: B

QUESTION NO: 15
DRAG DROP
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Windows Server 2003 domain controllers are located in two sites named Testking1 and Testking2.
The domain contains an organizational unit (OU) named Accounting. The user accounts for users in the accounting department are located in the Accounting OU. Users in the accounting department can log on to any client computer.
You need to deploy an antivirus application to all computers on the network without user intervention. You also need to deploy a special accounting application to user accounts in the Accounting OU without user intervention. The accounting application must be available to users in the accounting department regardless of which computer they are using. You need to minimize the number of GPO links.
You create the Group Policy objects (GPOs) listed in the following table.
Where should you link the GPOs? To answer, drag the appropriate GPO or GPOs to the correct domain component or components in the work area.

Answer:

Explanation:

QUESTION NO: 16
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains a single domain named testking.com. Organizational units (OUs) in the domain are configured as shown in the Domain Structure exhibit.
All client computers run Windows XP Professional. All client computer accounts are located in the TestKing Computers OU.
Your user account is a member of the Domain Admins security group. All user accounts that are members of the Domain Admins security group are located in the Domain Admins OU. All service desk users have user accounts that are members of the SrvDeskGrp security group. All accounts that are members of this group are located in the Service Desk Staff OU.
You use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO) named Install Admin Tools. You configure the GPO as follows:
1. In the GPO, create a software installation package that assigns the Windows Server 2003 Administration Tools Pack (adminpak.msi) to users.
2. Link the GPO to the IT Users OU.
3. Remove the Authenticated Users built-in group from the list of users and groups that were delegated permissions for the GPO.
4. Assign the SrvDeskGrp security group the Allow - Read permission for GPO.
Service desk users report that the administrative tools needed for their job are not installed. You use the GPMC to examine the history of Group Policy application for one of the affected users. The relevant results are shown in the GPMC exhibit.
You also discover that when you log on to a computer normally used by a service desk user, the administrative tools are automatically available for you.
You need to ensure that administrative tools can also be installed by Group Policy for all users with accounts in the IT Users OU, without increasing the administrative privileges of any users. What should you do?

A. Link the Install Admin Tools GPO to the Service Desk Staff OU. Move the computer accounts for computers used by service desk users to the Service Desk Staff OU.
B. Change the security filtering on the Install Admin Tools GPO to grant the SrvDeskGrp security group the ability to apply the GPO.
C. Move the SrvDeskGrp security group to the Domain Admins OU.
D. Modify the GPO to assign the Administration Tools Pack to computers instead of to users.

Answer: B

QUESTION NO: 17
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain. All domain controllers run Windows Server 2003.
A written company policy requires an application named ThirdPartyApp to be available to all users on a voluntary basis. You create a Group Policy Object (GPO) named AppDeploy to publish an .msi package for ThirdPartyApp to all users in the domain. You link AppDeploy to the domain.
An upgrade to the existing .msi package named ThirdPartyUpgrade becomes available. You need to upgrade all currently installed copies of ThirdPartyApp. You do not want to install ThirdPartyUpgrade on computers that do not have ThirdPartyApp installed.
You create a new GPO named AppUpgrade and configure it to publish ThirdPartyUpgrade to all users in the domain. The settings for each GPO are shown in the following table.

Setting | AppDeploy Setting | AppUpgrade Setting
Auto-install this application by file extension activation | Enabled | Not configured
Uninstall this application when it falls out of the scope of management | Not configured | Enabled
Do not display this package in the Add/Remove Programs control panel | Not configured | Enabled

You configure the software installation upgrade properties for the AppUpgrade GPO so that it is not a required upgrade for existing packages. You link the AppUpgrade GPO to the domain.
Two days later, you discover that none of the client computers in the network are running the upgraded version of ThirdPartyApp.
You need to ensure the ThirdPartyUpgrade is applied to all computers in the domain that have the application installed as soon as possible. What should you do?

A. Configure the software installation deployment properties for AppUpgrade so that the application will not be uninstalled when the user accounts fall out of the scope of management.
B. Configure the software installation deployment properties for AppUpgrade to display the package in Add or Remove Programs in Control Panel.
C. Configure the software installation deployment properties for AppUpgrade to auto-install the application by file extension activation.
D. Configure the software installation upgrade properties for AppUpgrade to require the upgrade for existing packages.

Answer: D
