Exam : 070-294
Title : Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 AD Infrastructure
Ver : 10-10-07

QUESTION 1:

You work as the network administrator at Certkiller.com. All servers on the Certkiller.com network were recently upgraded to Windows Server 2003. All client computers run Windows XP Professional. Certkiller.com's offices are spread over several buildings and the workforce exceeds 3000 employees.
Certkiller.com has a single Active Directory domain. Each building is configured as an Active Directory site with at least two domain controllers, several servers and numerous client computers. However, the Certkiller.com users all complain that logging on to the network takes much longer since the upgrade. The CIO instructs you to address the situation. You need to improve logon performance.
What should you do? (Choose all that apply.)

A. At each site you should configure a server as a global catalog server.
B. At each site you should configure a domain controller as a global catalog server.
C. For the entire network, you should configure a domain controller as a catalog server.
D. You should configure all domain controllers in the Certkiller.com domain to be global catalog servers.

Answer: B, D

Explanation: In Active Directory, when a user logs on, the client computer contacts the global catalog to determine universal group membership. If there is no global catalog in the site, the domain controller in the site that processes the logon request must contact a global catalog server in another site to retrieve the universal group membership. This is what is causing the slow logon times. To address the problem, you should designate a global catalog server at each site, or alternatively make every domain controller a global catalog server.
Incorrect answers:
A: A global catalog cannot be hosted on a member server, only on a domain controller. This option is therefore invalid.
C: By default one domain controller already holds the global catalog role. This is the current setup, which is the one experiencing slow logon performance, so this option is not a change that improves the situation.

QUESTION 2:

You work as the network administrator at Certkiller.com. The Certkiller.com network consists of an Active Directory forest named Certkiller.com. The forest consists of two domains and two sites. The two sites are located in Chicago, the headquarters, and Dallas, the branch office. All servers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.

Actualtests.com - The Power of Knowing
The Chicago office has ten domain controllers and the Dallas office has one domain controller. The Dallas office is connected to the Chicago office via a reliable 56-Kbps link. However, the Dallas users complain about slow response times when they attempt to log on to the network. The CIO instructs you to address the problem the Dallas users are experiencing without incurring extra costs for the company. You need to rectify the problem.
What should you do?

A. The Dallas office should get a global catalog server.
B. The Chicago office should have a global catalog server removed.
C. You should increase bandwidth to improve replication.
D. You should implement universal group membership caching.

Answer: A

Explanation: The question states that there is a reliable, albeit slow, link between the offices. This causes slow logon authentication times because users are required to authenticate over the slow WAN link. To prevent slow logon authentication in the Dallas office you should install a global catalog server on a domain controller in the Dallas office. This should improve logon times because logon requests will no longer have to traverse the WAN link.
Incorrect answers:
B: The first domain controller in the forest becomes the global catalog server by default. There is thus already a global catalog server in the Chicago office, and you should not remove it because it is needed to handle Active Directory requests in the Chicago office.
C: Increasing the bandwidth could improve access and logon times. However, not only would it likely mean a more expensive link between the offices, it would still not remove the need for an additional global catalog server in the Dallas office.
D: Universal group membership caching is configured when a global catalog server cannot be placed in a site due to hardware limitations, or when network services are interrupted. In this case universal group membership caching is not appropriate since there are multiple domains in the forest.

QUESTION 3:

You work as the network administrator at Certkiller.com. Certkiller.com has its headquarters in Chicago and a branch office in Dallas. The network consists of two Active Directory domains and two sites. Each office functions as a separate site. All servers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
Only two domain controllers, both in the Chicago office, are configured to function as global catalog servers. The Research department is located in the Dallas office. Members of the Research department frequently use an application that, although used in the Dallas office, often directs LDAP queries to the global catalog server on TCP port 3268.

The Research department users lodged a complaint regarding the application's slow responses. They need the application to perform optimally. The CIO instructs you to address the problem. You need to improve the performance of this application and minimize the inter-site traffic across the WAN link between the Chicago and Dallas offices.
What should you do?

A. The value of the replication interval should be increased.
B. The value of the replication interval should be decreased.
C. You should configure a domain controller in the Dallas office to host the global catalog.
D. You should configure universal group membership caching on a Dallas office domain controller.

Answer: C

Explanation: In a multi-domain forest, the global catalog in a site must be hosted by at least one domain controller if an application in that site frequently queries the global catalog over TCP port 3268. In this case the queries cross sites, so more WAN bandwidth is used and response times are slow. It therefore makes sense to configure a Dallas office domain controller as a global catalog server.
Incorrect answers:
A: The replication interval is the amount of time between consecutive replication sessions over a site link. Increasing this interval will not affect the performance of the application.
B: The replication interval is the amount of time between consecutive replication sessions over a site link. Decreasing this interval will not affect the performance of the application.
D: Universal group membership caching can be used to minimize user logon times in the absence of a global catalog server, or when the site link is down. It will hardly change the performance of the application.

QUESTION 4:

You work as the network administrator at Certkiller.com. All servers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. Certkiller.com has its headquarters in Chicago and a branch office in Dallas. The exhibit below illustrates the company network:
Exhibit:

Both the Chicago office and the Dallas office are configured as a separate domain
and each office has an Active Directory site configured. The Certkiller.com users make use of many shared folders that are published in Active Directory. Consequently the users need to query Active Directory often while working. However, the Certkiller.com helpdesk received complaints from the Dallas office users that directory searches have become unacceptably slow and their work is negatively affected. The CIO instructs you to address the problem the Dallas office users are experiencing. You need to improve the search response times for the Dallas users.
What should you do?

A. You should enable a domain controller in the Dallas office to host an additional global catalog.
B. You should add a domain controller for the Chicago office to the Dallas office.
C. The value of the replication interval should be increased.
D. You should enable universal group membership caching in the Dallas office.
E. You should enable universal group membership caching in the Chicago office.

Answer: A

Explanation: You should add an additional global catalog at the Dallas office. The global catalog stores a replicated, read-only copy of all objects in the forest, including a partial set of each object's attributes. Given that the company is quite large and the performance of directory searches has degraded, the best solution is to add another global catalog and distribute the load across multiple global catalog servers.
Incorrect answers:
B: You should not add a domain controller for the Chicago domain to the Dallas site. When a user searches for other users or printers from the Start menu, that user is searching the global catalog. Adding a domain controller from a remote domain can help when users with accounts in the remote domain roam to the local site and log on, but it does not affect the performance of directory searches.
C: There is no need to increase the replication interval. Nothing in the question indicates that replication of the new shared resources is causing the delays. There is, however, a need for an additional global catalog, based on the large number of queries relative to the size of the company.
D: There is no need to enable universal group membership caching in the Dallas office. Universal group membership caching allows domain controllers in a site to contact remote global catalogs during authentication and cache the responses for future authentications. It does not affect directory search performance.
E: There is no need to enable universal group membership caching in the Chicago office. Universal group membership caching allows domain controllers in a site to contact remote global catalogs during authentication and cache the responses for future authentications. It does not affect directory search performance.

QUESTION 5:

DRAG DROP
You work as a network design consultant. Certkiller.com has headquarters in London and branch offices in Paris, Berlin, Milan, and Madrid. All servers on the Certkiller.com network will run Windows Server 2003 and all client computers run Windows XP Professional.
You have been given the opportunity to plan the Active Directory deployment for Certkiller.com, since the company is still relatively new. The intention is to create three domains and five sites, the five sites representing the different offices. The exhibit below illustrates the Certkiller.com network:

Currently bandwidth usage on the WAN links between offices, more specifically between London and the other offices, never exceeds 75%. The Milan office is to host a custom application that routinely queries the global catalog.
Your task is to plan the placement of domain controllers on the network. Your strategy must ensure that:
1. computer hardware requirements are kept to a minimum
2. user logon times are minimized
3. network traffic over the WAN links is kept to a minimum
What should you do? To answer, select the appropriate type of domain controller from the column on the right and place it in the appropriate office/site in the column on the left. Note: you may use each domain controller type more than once.

Answer:

Explanation:
Domain controllers should be placed in offices that:
1. have more than 100 users,
2. are connected to other offices through a WAN link slower than 256 Kbps,
3. have WAN bandwidth utilization exceeding 90% during peak hours,
4. have WAN connectivity to other offices with availability of less than 99.5%,
5. have users who use custom applications that query the global catalog via port 3268.
There should be at least one domain controller per site in a multi-domain forest. Universal group membership caching should be used for a site that will have a domain controller but does not need the global catalog. By using universal group membership caching you minimize the extra hardware requirements for the domain controller and you also minimize the bandwidth required on the network.
Thus the Paris and Berlin offices each get a domain controller with a global catalog, because each has more than 100 users.
The Milan office also gets a domain controller with a global catalog, because the Milan users use the custom application that queries the global catalog. Querying the global catalog requires more bandwidth than the Active Directory replication caused by the presence of a
global catalog placed locally.

The Madrid office should get a domain controller with universal group membership caching enabled. You should also specify that the cache be refreshed from the Paris office, which has a global catalog.
The London office, being the headquarters, is relatively well connected to each of the offices that host global catalogs, its bandwidth utilization never exceeds 75%, and it has fewer than 100 users, so there is no need for a domain controller there.

QUESTION 6:

You work as the network administrator at Certkiller.com. The Certkiller.com logical network design consists of a single Active Directory forest with eight domains, all operating at the Windows 2000 native functional level. All domain controllers on the network run Windows Server 2003. All client computers run Windows XP Professional and have Outlook 2002 Service Pack 1 installed. Furthermore, Certkiller.com uses Exchange 2000 for its messaging infrastructure.
Your job description includes the maintenance of the company's group structure. You are currently creating a distribution group that will be used to send e-mail messages to users throughout the company's single Exchange organization. The only requirement for the configuration of this distribution group is that replication traffic should be minimized when group membership changes are made. You need to choose a distribution group strategy.
What should you do?

A. First you should create a universal distribution group and place all the appropriate users of each of the eight Certkiller.com domains in a single global distribution group.
Assign domain users to the global distribution group in the domain where the user accounts reside.
Then nest each global distribution group in the universal distribution group.
B. First you should create a universal distribution group.
Place all appropriate users of the eight Certkiller.com domains in the universal distribution group.
Assign domain users to the global distribution group in the domain where the user accounts reside.
Then nest each global distribution group in the universal distribution group.
C. First you should create a universal distribution group.
Then, in each of the eight Certkiller.com domains, you should create a global distribution group.
Assign domain users to the global distribution group in the domain where the user accounts reside.
Then nest each global distribution group in the universal distribution group.
D. First you should create a universal distribution group.
Then you should create a global distribution group.
Assign domain users to the global distribution group in the domain where the user
accounts reside.
Then nest each global distribution group in the universal distribution group.

Answer: C

Explanation: At the Windows 2000 native functional level, universal groups can contain user accounts, global groups, and universal groups from any domain in the forest. Universal groups are stored in the global catalog and are visible in any domain in the forest. However, the domain- and forest-wide features available at the Windows Server 2003 forest functional level are not available. In this case a membership change in a universal group still requires the entire group (all members, with their attributes) to be replicated to all global catalogs. To minimize the amount of data to be replicated, and to reduce the size of Active Directory, you should place all user accounts in global groups created in the local domain and then nest the global groups in the universal group. Membership changes to these global groups are then not replicated across the forest, because global groups are stored in Active Directory on the domain controllers of the local domain only. The universal group only lists the global groups as members, so replication takes place only when groups are added to or removed from the universal group.
Incorrect answers:
A: When you create distribution groups you should make use of universal groups, which are stored in the global catalog. In Windows 2000 native mode global groups can contain users and groups from all domains in the forest, but using universal groups will improve performance as well. You should not place the appropriate users from all domains in a single global distribution group.
B: At the Windows 2000 native domain functional level, any change to universal group membership requires the full group to be replicated with each change, and will thus result in excessive replication traffic. You should therefore not place users from all domains directly in the universal distribution group.
D: This option is partly correct, but a global distribution group should be created in each of the eight Certkiller.com domains, not just one global distribution group.

QUESTION 7:

You work as the network administrator at Certkiller.com. The Certkiller.com network consists of a single Active Directory network named Certkiller.com. Certkiller.com has headquarters in London and branch offices in Paris, Berlin, Milan, and Madrid. All servers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The exhibit below illustrates the Certkiller.com network:
Exhibit:

Each branch office is configured as an Active Directory site, each with at least one IP subnet. Each branch office on the Certkiller.com network is connected to the headquarters via a 56 Kbps link, and each branch office has a preferred bridgehead server configured. Currently all replication on the network is scheduled to take place during off-peak hours, and all global catalogs are located in the London office.
The Certkiller.com helpdesk was inundated with calls reporting sluggish logon performance at the branch offices. The CIO instructs you to address the problem without incurring extra costs to the company. You need to increase logon performance at the branch offices and decide to implement domain controllers in each of the branch offices. Because you may not incur extra costs, and because of the slow network links between offices, you cannot configure these domain controllers as global catalog servers. (These domain controllers would need extra hardware to be able to serve as global catalogs.)
What should you do?

A. You should enable Universal Group Membership Caching for each of the client computers via a Group Policy.
B. You should enable Universal Group Membership Caching for the London office.
C. You should enable Universal Group Membership Caching for each of the branch offices.
D. You should enable Universal Group Membership Caching at each of the client computers across the network.

Answer: C

Explanation: Whenever a user logs on to the Certkiller.com Active Directory network, the client computer must contact a global catalog to determine the user's universal group membership. If there is no global catalog local to the site from which the user is authenticating, the domain controller processing the logon request must contact a global catalog server in another site/office. Universal Group Membership Caching is most practical for smaller branch offices with lower-end servers, where it might be problematic to add the additional load of hosting a GC, or for locations that have slower WAN connections. You can enable universal group membership caching in Active Directory. The local domain controller at each branch office retrieves the universal group
membership from the global catalog server and caches the information. Once the information is cached, all subsequent logon requests are processed entirely by the local domain controller.
Incorrect answers:
A: You cannot use a Group Policy to configure universal group membership caching on client computers. Universal group membership caching is used on domain controllers in the absence of a local global catalog.
B: The global catalog is located in the London office by default. There is thus no need to use universal group membership caching in the London office. Furthermore, caching in the London office would not decrease logon times for the branch offices.
D: Client computers are not domain controllers and cannot be configured with universal group membership caching.
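
The check a practitioner would run before and after the placement decisions in questions 5 and 7: which sites hold a global catalog, which rely on universal group membership caching instead, and which site a caching site refreshes from. This is an added example, not part of the original study material; it assumes the ActiveDirectory PowerShell module (RSAT) with read access to the forest, and reads each site's NTDS Site Settings object directly, where the caching flag is bit 0x20 of the options attribute and the refresh site is msDS-Preferred-GC-Site.

```powershell
# Added example: per-site global catalog / universal group membership caching audit.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

# NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED bit on the nTDSSiteSettings 'options' attribute
$UgmcFlag = 0x20

function Get-SiteGcAudit {
    [CmdletBinding()]
    param()

    # Get-ADDomainController works per domain, so collect DCs from every domain in the forest.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($site in Get-ADReplicationSite -Filter *) {
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs     = @($siteDcs | Where-Object { $_.IsGlobalCatalog })

        # The caching flag and the preferred refresh site live on the site's NTDS Site Settings.
        $settingsDn = "CN=NTDS Site Settings,$($site.DistinguishedName)"
        $settings   = Get-ADObject -Identity $settingsDn -Properties options, 'msDS-Preferred-GC-Site'
        $options    = [int]($settings.options)           # absent attribute reads as 0
        $ugmc       = ($options -band $UgmcFlag) -ne 0
        $refresh    = $settings.'msDS-Preferred-GC-Site'
        if ($ugmc -and -not $refresh) { $refresh = '(nearest site by site link cost)' }

        # The condition the questions describe: DCs present, but no local GC and no caching,
        # so every logon has to reach a global catalog across a site link.
        $finding = if ($siteDcs.Count -eq 0) { 'no DCs in site' }
                   elseif ($gcs.Count -gt 0)  { 'GC present' }
                   elseif ($ugmc)             { 'UGMC enabled' }
                   else                       { 'WARNING: logons depend on a remote GC' }

        [pscustomobject]@{
            Site              = $site.Name
            DomainControllers = ($siteDcs.HostName -join ', ')
            GlobalCatalogs    = ($gcs.HostName -join ', ')
            UgmcEnabled       = $ugmc
            UgmcRefreshSite   = $refresh
            Finding           = $finding
        }
    }
}

Get-SiteGcAudit | Format-Table -AutoSize
```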

QUESTION 8:

You work as the network administrator at Certkiller.com. The Certkiller.com network consists of a single forest with two domains and one site. Certkiller.com has its headquarters in Chicago and a branch office in Dallas. All servers and domain controllers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The Dallas office is connected to the Chicago office via a 512 Kbps WAN link. Due to the sheer number of users on the Certkiller.com network, traffic between the two offices is usually heavy. Given the limited bandwidth available between the two offices, you should try to minimize the amount of Active Directory replication traffic over the WAN link. Since Certkiller.com is a growing company, the Dallas office has expanded rapidly and you were prompted to create a new site in Active Directory. To this end you set up a domain controller at the Dallas office. The only requirement you now need to satisfy is to ensure that the Dallas users will be able to access resources and log on to the Certkiller.com network even if the WAN link becomes unavailable.
What should you do?

A. You should install a global catalog in the Dallas office.
B. You should remove the global catalog server from the Chicago office.
C. You should enable universal group membership caching at the Dallas office.
D. You should enable universal group membership caching at the Chicago office.

Answer: C

Explanation: With limited bandwidth between the two offices you should not even consider placing a global catalog server in the Dallas office; if you do, replication traffic between the offices will increase. You should rather enable universal group membership caching. When a user first logs on to the network from the Dallas office, the domain controller obtains the logon information from the global catalog server in the Chicago office. It then caches the information, so that for every subsequent logon of that user the logon
information is obtained from the local cache in the Dallas office. You will thus reduce network traffic and improve logon response.
Incorrect answers:
A: Deploying a global catalog in the Dallas office will result in increased replication traffic traversing the WAN link between the two offices.
B: The first domain controller in the forest becomes the global catalog server by default, so there is already a global catalog server in the Chicago office. You should not remove the global catalog server from Chicago because it is needed to handle Active Directory requests in the Chicago office.
D: The Chicago office has a global catalog server that was installed automatically, so you should not enable universal group membership caching in the Chicago office.

QUESTION 9:

You work as the network administrator at Certkiller.com. Certkiller.com has its headquarters in Chicago and branch offices in Dallas and Miami, all connected via wide area network (WAN) links. The Certkiller.com network consists of a single Active Directory forest. All servers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The exhibit below illustrates the Certkiller.com network:
Exhibit:

Each office is configured as a separate site.

1. The Chicago office has four domain controllers named Certkiller-DC01, Certkiller-DC02, Certkiller-DC03, and Certkiller-DC04.
Certkiller-DC01 and Certkiller-DC02 serve as global catalog servers.
The Chicago office has 400 users.
2. The Dallas office has three domain controllers named Certkiller-DC05, Certkiller-DC06, and Certkiller-DC07.
Certkiller-DC06 serves as a global catalog server.
The Dallas office has 250 users.
3. The Miami office has two domain controllers named Certkiller-DC08 and Certkiller-DC09.
The Miami office has 75 users.

The Certkiller.com helpdesk received numerous calls from the Miami office users complaining about unacceptably slow authentication and logon performance when they try to log on to the company network. The CIO instructs you to address the problem. You need to reduce the logon times for the Miami users without increasing Active Directory replication traffic over the company WAN links.
What should you do?

A. You should configure Certkiller-DC08 as a global catalog server.
B. You should configure Certkiller-DC09 as a global catalog server.
C. You should enable universal group membership caching in the Chicago office.
D. You should enable universal group membership caching in the Dallas office.
E. You should enable universal group membership caching in the Miami office.

Answer: E

Explanation: In a multi-domain forest, universal group memberships are stored only in the global catalog. To process a user's logon request, a domain controller has to query a global catalog server to determine the user's universal group membership. In the absence of a global catalog in the site, the domain controller queries a global catalog in another site, so if the WAN links between sites are slow, the logon can take a long time. With universal group membership caching, the domain controller that authenticates a user's logon request queries a global catalog server and then stores the user's universal group memberships in a local cache. The information is kept in the cache indefinitely and is refreshed, by default, every eight hours. Thus, to alleviate the problem for the Miami users, you should enable universal group membership caching in the Miami office.
Incorrect answers:
A: You could configure Certkiller-DC08 as a global catalog server, but the presence of a global catalog in Miami would increase Active Directory replication traffic across the WAN links, especially between Dallas and Miami.
B: You could configure Certkiller-DC09 as a global catalog server, but the presence of a global catalog in Miami would increase Active Directory replication traffic across the WAN links, especially between Dallas and Miami.
C: The Chicago office has a global catalog server that was installed automatically, so you should not enable universal group membership caching in the Chicago office.
D: Universal group membership caching is enabled in a site that has no local global catalog. The Dallas office has a global catalog server.

QUESTION 10:

You work as the network administrator at Certkiller.com. Certkiller.com has its headquarters in Chicago and a branch office in Dallas. The Certkiller.com network consists of two Active Directory domains and two sites. Each office represents a site. All servers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The offices are connected via a 128 Kbps WAN link.
Each office is configured as a separate domain and separate site. The Chicago office
has three domain controllers and 1500 users. The Dallas office has one domain controller and 75 users. Two of the domain controllers in the Chicago site host the global catalog. Universal groups are used to configure access to shared resources.
The Certkiller.com helpdesk received calls from Dallas office users complaining that they sometimes have to wait up to ten minutes just to log on to their domain. The CIO instructs you to address the issue. You need to minimize the logon time for the Dallas users.
What should you do?

A. You should reduce the site link cost between the Chicago office and the Dallas office.
B. You should increase the site link cost between the Chicago office and the Dallas office.
C. You should enable universal group membership caching in the Dallas office.
D. You should create an additional site link between the Chicago office and the Dallas office.

Answer: C

Explanation: When a user logs on to the domain, the client computer sends the logon request to the closest domain controller for that domain or, if there is no domain controller in the site, to the site connected to the local site by the site link with the lowest cost. The domain controller must determine all the groups to which the user belongs. In a multi-domain forest, universal group membership is maintained in the global catalog, so the authenticating domain controller must query the global catalog. In the absence of a global catalog in the site, you should consider universal group membership caching for the site. To authenticate a logon request the domain controller obtains the logon information from the global catalog server in the Chicago office. It then caches the information, so that for every subsequent logon of that user the logon information is obtained from the local cache in the Dallas office. You will thus reduce network traffic and improve logon response.
Incorrect answers:
A: A site link is a logical object that represents physical connectivity between sites. Changing the cost of the existing site link will not affect logon times.
B: Increasing the site link cost will not affect the logon time either. This option is thus irrelevant in this case.
D: There is no need to create an additional site link.

QUESTION 11:

DRAG DROP
You work as the network administrator at Certkiller.com. The Certkiller.com network consists of two Active Directory domains and two sites in a single forest. All servers and domain controllers on the Certkiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. Certkiller.com has its headquarters in Chicago and a branch office in Dallas. Both offices are configured
as separate sites on the Certkiller .com forest.


The Chicago office has two domain controllers that are configured as global catalog
servers. The global catalog servers are named Certkiller -DC01 and
Certkiller -DC02 respectively. The Dallas office has two domain controllers that
are named Certkiller -DC03 and Certkiller -DC04 respectively.
The Certkiller .com helpdesk were inundated with calls reporting sluggish logon
performance at the Dallas office. To this end the CIO gave you instruction to
address the problem without incurring extra costs to the company. You thus need to
increase performance of logons at the branch office without generating additional
inter-site replication.
What should you do? To answer, select a possible action from the options on the left
and drag it to the appropriate place on the right. You may use as many possible
actions and targets as required.

Answer:

Explanation:
Universal group memberships are stored only in the global catalog in a multi-domain
forest environment. To process a user's logon request, a domain controller has to query a
global catalog server to determine the user's universal group membership. In the absence
of a global catalog in a site, the domain controller will query a global catalog in another
site. Thus if WAN links between sites are slow, the logon can take long. Alternatively,
the domain controller that authenticates a user's logon request queries a global catalog
server and then stores the user's universal group memberships in a local cache. The
information is stored in the cache indefinitely and is refreshed, by default, every eight
hours. Thus to alleviate the problem for the Dallas users, you should enable universal
group membership caching.
Incorrect answers:
PDC emulator - a PDC emulator in an Active Directory domain is the domain controller
that appears as the primary controller to legacy client operating systems, e.g. Windows
NT. A PDC emulator is the only computer in a domain that processes logon and
password change requests for legacy clients. This makes a PDC emulator irrelevant to
this scenario as no mention is made of legacy operating systems.
Replication bridgehead configuration - a replication bridgehead server is a domain
controller that is designated to participate in inter-site replication in an Active Directory
environment. They are assigned by default and are thus not a required option to select in
this scenario.
Minimize replication interval - the replication interval is the amount of time between two
consecutive replication sessions. This option will have no effect on logon times.

QUESTION 12:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of two Active Directory domains and two sites in a single forest. All
servers and domain controllers on the Certkiller .com network run Windows Server
2003 and all client computers run Windows XP Professional. Certkiller .com has its
headquarters in Chicago and a branch office in Dallas which are connected via a
slow Wide Area Network (WAN) link. Both offices are configured as separate sites
on the Certkiller .com forest. The forest functional level is set at Windows Server 2003.
1. The Chicago office has two domain controllers named Certkiller -DC01 and
Certkiller -DC02.
The Chicago office has 500 users.
2. The Dallas office has two domain controllers named Certkiller -DC03 and
Certkiller -DC04.
There are 55 users in the Dallas office.
The exhibit below illustrates the Certkiller .com network.
Exhibit:

The Certkiller .com new written security policy states that all logons should be
authenticated by domain controllers. The CIO thus gave you instruction to comply
with the company written security policy as well as enable users in the Dallas office
to be able to log on to the network in the event of the WAN link failing. You now need
to comply with the CIO's instruction and additionally you also want to minimize
replication traffic over the WAN connection since it is a slow connection.

What should you do?

A. You should use a Group Policy Object (GPO) that enables the Dallas users to log on
using cached credentials.
B. You should enable universal group membership caching for the Dallas office.
C. You should configure a domain controller as a global catalog server in the Dallas
office.
D. You should modify the network to be a single site.

Answer: B

Explanation: When a user logs on to the domain, the client computer sends the logon
request to the closest domain controller for that domain or, if there is no domain controller
in the site, to the site that is connected to the local site with the site link that has the lowest
cost. The domain controller must determine all groups to which the user belongs. In a
multi-domain forest, universal group membership is maintained in the global catalog
server. Therefore the authenticating domain controller must query the global catalog.
However, in the absence of a global catalog in the site, you should consider
universal group membership caching for the site. To authenticate a logon request the
domain controller obtains the logon information from the global catalog server in the
Chicago office. It then caches the information, so that with every subsequent logon of
that user, the logon information is obtained from the local cache in the Dallas office.
Thus you will be reducing network traffic and improving logon response.
Incorrect answers:
A: You should not implement a GPO that allows users to log on by using cached
credentials because the company written security policy states that all logon requests
should be authenticated by a domain controller. You would thus violate the written
security policy.
C: Placing a global catalog in the Dallas office would not be advisable because it would
result in increased Active Directory traffic over the WAN link, since the domain
controller would receive changes from the Chicago office.
D: If you merged the two separate sites into one single site, then all computers would
regard each other as local, and this would result in increased network traffic over the WAN link.

QUESTION 13:

You work as the network administrator at Certkiller .com. The Certkiller .com logical
network consists of five domains in a single Active Directory forest. All servers and
domain controllers on the Certkiller .com network run Windows Server 2003 and all
client computers run Windows XP Professional. All Certkiller .com users typically
access resources in their own domain. The exhibit below illustrates the relevant
portion of the network:

The forest root is Certkiller .com and includes three sites for the England offices. The
headquarters are located in London. The London office has two domain controllers
that are configured as global catalog servers. The global catalog servers are named
Certkiller -DC01 and Certkiller -DC02 respectively. The Newcastle office
represents another site and has two domain controllers that are named
Certkiller -DC03 and Certkiller -DC04 respectively. There are no global catalog
servers configured in the Newcastle office due to hardware constraints.
The Certkiller .com helpdesk were inundated with calls reporting sluggish logon
performance at the Newcastle office. To this end the CIO gave you instruction to
address the problem. You thus need to improve performance of logons at the
Newcastle office whilst minimizing replication traffic over the WAN link between
the London and Newcastle offices.
What should you do?

A. You should place an additional domain controller in the Newcastle office.
B. You should configure at least one domain controller to be a global catalog server in
the Newcastle office.
C. You should enable universal group membership caching on the London and Newcastle
offices.
D. You should enable universal group membership caching in the Newcastle office.

Answer: D

Explanation: You are not presented with enough information regarding the number of
users per site/office, though you should still determine a solution that will improve logon
performance whilst minimizing replication traffic between the two offices. When a user
logs on to the domain, the client computer sends the logon request to the closest domain
controller for that domain or, if there is no domain controller in the site, to the site that is
connected to the local site with the site link that has the lowest cost. The domain controller
must determine all groups to which the user belongs. In a multi-domain forest, universal
group membership is maintained in the global catalog server. Therefore the
authenticating domain controller must query the global catalog. However, in the absence
of a global catalog in the site, you should consider universal group membership
caching for the site. To authenticate a logon request the domain controller obtains the
logon information from the global catalog server in the London office. It then caches the
information, so that with every subsequent logon of that user, the logon information is
obtained from the local cache in the Newcastle office. Thus you will be reducing network
traffic and improving logon response.
Incorrect answers:
A: There is no need to place an additional domain controller in Newcastle. There is no
information in the question that indicates that the logon performance is being
slowed by domain controller availability.
B: Adding a global catalog server in the Newcastle office will improve logon times, but
will also have another effect: it will increase replication traffic across the WAN link
between the two offices.
C: This option is only partly correct because you do not need to enable universal group
membership caching for the London office. It will not affect the Newcastle users who are
experiencing the problem.
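Questions 10 to 13 all turn on two settings of a site: whether it has a global catalog of its own and, if not, whether universal group membership caching is enabled on it. The following PowerShell script is an added example, not part of the exam material: it reads both settings from the configuration partition and enables caching only for a site without a global catalog. It assumes PowerShell 2.0 or later on a forest member, an Enterprise Admins account, and the site names Dallas and Chicago used in the questions.

```powershell
# Added example: check a site for global catalogs and universal group membership
# caching (UGMC), then enable UGMC where the site has no GC of its own.
# Assumptions: PowerShell 2.0+, run by an Enterprise Admin on a forest member;
# "Dallas" and "Chicago" are the site names used in the questions.

$siteName  = "Dallas"    # site whose users see slow logons (assumed name)
$gcSite    = "Chicago"   # site that hosts the global catalogs (assumed name)
$UGMC_FLAG = 0x20        # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED bit of "options"
$GC_FLAG   = 0x1         # NTDSDSA_OPT_IS_GC bit of an NTDS Settings object's "options"

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$siteDn   = "CN=$siteName,CN=Sites,$configNc"

# Count global catalogs in the site: every DC has an nTDSDSA ("NTDS Settings")
# object under CN=Servers; bit 0x1 of its "options" attribute marks it as a GC.
function Get-SiteGcCount([string]$siteDn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Servers,$siteDn"
    $searcher.Filter     = "(objectClass=nTDSDSA)"
    $count = 0
    foreach ($r in $searcher.FindAll()) {
        $opt = 0   # attribute is absent on a DC that was never a GC
        if ($r.Properties["options"].Count -gt 0) { $opt = [int]$r.Properties["options"][0] }
        if ($opt -band $GC_FLAG) { $count++ }
    }
    return $count
}

# UGMC is a per-site flag on the site's NTDS Site Settings object.
$settings = [ADSI]"LDAP://CN=NTDS Site Settings,$siteDn"
$options  = 0
if ($settings.options.Value -ne $null) { $options = [int]$settings.options.Value }
$gcCount  = Get-SiteGcCount $siteDn
$cacheOn  = (($options -band $UGMC_FLAG) -ne 0)

Write-Host ("Site {0}: global catalogs = {1}, UGMC enabled = {2}" -f $siteName, $gcCount, $cacheOn)

if ($gcCount -gt 0) {
    # A GC in the site answers universal group lookups locally; caching adds nothing
    # (and a GC also pulls full inter-site replication, which question 13 wants to avoid).
    Write-Host "Site already has a global catalog; UGMC not needed."
}
elseif (-not $cacheOn) {
    # Set the caching bit and point the refresh (every 8 hours by default) at the
    # site that holds the global catalogs instead of whichever GC is nearest.
    $settings.Put("options", [int]($options -bor $UGMC_FLAG))
    $settings.Put("msDS-Preferred-GC-Site", "CN=$gcSite,CN=Sites,$configNc")
    $settings.SetInfo()
    Write-Host "UGMC enabled for $siteName; cache refreshes from $gcSite."
}
else {
    Write-Host "UGMC already enabled for $siteName."
}
```

The same flag is what the "Enable Universal Group Membership Caching" check box in Active Directory Sites and Services sets; the script only makes the decision rule of the questions explicit.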

QUESTION 14:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. Sites
have been configured for Certkiller .com's Research Department, Sales Department
and Finance Department. There are currently seven domain controllers across all
the sites. All servers and domain controllers on the Certkiller .com network run
Windows Server 2003 and all client computers run Windows XP Professional.
Since Certkiller .com is a growing company, there are plans to add a Marketing
section in one of the departments. To this end you create new computer and user
objects for the department to which the Marketing section will be added. These
objects are to be created in the existing organizational units (OUs). You thus start to
create the objects on a domain controller named Certkiller -DC03. However,
halfway through the process the operation fails and you are thus unable to create
the remainder of the objects.
You then investigate the problem and discover that a WAN link to one of the
departments is unavailable and that the department has only one domain controller,
which is configured to host a single operations master role.
What is the role hosted by this domain controller causing the problem?

A. It is a PDC emulator role
B. It is a Domain naming master role
C. It is a Relative ID (RID) master role
D. It is an Infrastructure master role
E. It is a Schema master role

Answer: C

Explanation: The RID master role is responsible for allocating blocks of RIDs to domain
controllers in the domain. Whenever new objects are created, a unique security identifier
(SID) is assigned by the domain controller to the object. When the domain controller
providing the RIDs runs out of available RIDs, it will attempt to contact the RID master
to request another block of RIDs. If the RID master is not available, you cannot create
new objects. This is exactly the case in this scenario.
Incorrect answers:
A: If the PDC emulator is unavailable, passwords cannot be changed on client computers
that do not have the Active Directory client installed, and replication to Windows NT 4.0
BDCs will not take place. Thus this is the incorrect option.
B: The Domain Naming Master role controls the addition and removal of domain in the
forest. The unavailability of this role will result in an inability to add or remove domains
in the forest.
D: The Infrastructure master updates object references in the domain that point to objects
in other domains. If it is unavailable, group membership lists will not reflect changes in the
user interface when users are moved from one group to another or when a name or other
account attribute value is changed. This is clearly not the problem in this scenario.
E: The Schema master hosts the schema for the forest. If unavailable then any changes to
the schema will be impossible.

QUESTION 15:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller -north.com and Certkiller -south.com. All servers on the Certkiller .com
network run Windows Server 2003 and all client computers run Windows XP
Professional. You currently enjoy membership of the Enterprise Admins group.
1. Certkiller -north.com:
There are 950 users, each of whom has been assigned a client computer.
There is a single domain controller named Certkiller -DC05 in this domain.
2. Certkiller -south.com:
There are 2500 users, each of whom has been assigned a client computer.
There are two domain controllers named Certkiller -DC06 and Certkiller -DC07
respectively.
Exchange Server 2003 is deployed on a server named Certkiller -SR01.
All operations masters are in their default locations.
The Certkiller .com Exchange administrator, Amy Wilson, plans to make
modifications to the Active Directory schema in the next week. However, you have
scheduled maintenance events that will require the domain controller that hosts the
schema to be offline periodically. You thus need to ensure that the scheduled
maintenance tasks will not conflict with the Exchange server modifications.
What should you do? (Each correct answer presents a complete solution. Choose all
that apply.)

A. Transfer the Schema master role from south. Certkiller .com to Certkiller .com using the
Ntdsutil tool.
B. Transfer the Schema master role from Certkiller .com to south. Certkiller .com using the
Ntdsutil tool.
C. Transfer the Schema master role from south. Certkiller .com to Certkiller .com using the
Active Directory Users and Computers console.
D. Transfer the Schema master role from Certkiller .com to south. Certkiller .com using the
Active Directory Users and computers console.
E. Transfer the Schema master role from south. Certkiller .com to Certkiller .com using the
Active Directory Schema snap-in.
F. Transfer the Schema master role from Certkiller .com to south. Certkiller .com using the
Active Directory Schema snap-in.

Answer: B, F

Explanation: By default the schema master role is installed on the first domain controller
in the forest. Thus in any one forest there can be only one schema master. In this case the
schema master role will be located on Certkiller -DC05. This role can be moved via
transfer from an operational domain controller or by seizure from a non-operational
domain controller. There are two methods of transferring the schema master role: using the
Active Directory Schema console, which is an MMC snap-in, and using the Ntdsutil tool.
The Roles submenu in Ntdsutil is used to perform controlled transfer and recovery of
operations master roles.
Incorrect answers:
A: You should not make use of the Ntdsutil tool to transfer the schema master role from
south. Certkiller .com to Certkiller .com. Since all operations master roles are located in their
default locations, you cannot make use of the Ntdsutil tool to transfer the schema master
role from south. Certkiller .com to Certkiller .com. South. Certkiller .com is a child domain.
C: You cannot make use of Active Directory Users and Computers console to transfer
schema master roles. This is the wrong utility.
D: You cannot make use of Active Directory Users and Computers console to transfer
schema master roles. This is the wrong utility.
E: You should not make use of the Active Directory Schema snap-in to transfer the
schema master role from south. Certkiller .com to Certkiller .com. South. Certkiller .com is a
child domain.

QUESTION 16:

You work as the systems engineer at Certkiller .com. The Certkiller .com network
consists of a single forest, two domains and two sites. The two domains are named
Certkiller -north.com and Certkiller -south.com. Certkiller -north.com is the parent
domain and encompasses both sites. Certkiller -south.com is the child domain and is
located in the Chicago site which is also the main site. All servers on the
Certkiller .com network run either Windows Server 2003 or Windows NT Server 4.0
and all client computers run Windows XP Professional.
Your job description includes the configuration of operations master roles. You
have been given instruction by the CIO to place the RID master. You now need to
decide where to configure the RID master role.
What should you do?

A. Place the RID master in the site with the largest number of BDCs.
B. Place the RID master in the site where most user and group accounts are created.
C. Place the RID master on a domain controller in the Chicago site.
D. Place the RID master on a domain controller in the remote site.

Answer: B

Explanation: For each domain one should place the RID master in the site where the
most user and group accounts are created. The RID master allocates blocks of RIDs to
each domain controller in the domain. Whenever a new user, group, or computer object is
created, the domain controller assigns the object a unique security ID. It is thus more
efficient to have the RID master in the same location as the users and user accounts since
the RID master provides the RID blocks.
Incorrect answers:
A: The PDC emulator and not the RID master should be placed in the site with the most
BDCs.
C: You should rather place the schema and domain naming masters on a physically
secure domain controller at the Chicago site.
D: The RID master should not be placed in a remote site. There will be potentially more
latency in user and computer account information if you do.

QUESTION 17:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest. The forest consists of four
domains that are named Certkiller -north.com, Certkiller -south.com, Certkiller -east.com
and Certkiller -west.com respectively. You are located in the Certkiller -south.com
domain. Every domain has multiple servers that are configured as domain
controllers. The following exhibit illustrates the Certkiller .com operations master role
distribution on the domain controllers:
Exhibit:

On a weekly basis, the administrators in each of the domains make changes to the
user account information. These routine changes can include name and address
changes as well as group membership changes. You then discovered that some of
these routine name changes that were made by the administrators in their respective
domains were not reflected in group lists in the Certkiller -south.com domain where
you are located.
You need to troubleshoot this issue. To this end you need to check the domain
controller whose operations master role is responsible for updating these object
references.
What should you do?

A. You need to check the PDC emulator.
B. You need to check the Infrastructure master.
C. You need to check the Domain Naming master.
D. You need to check the Relative ID master.
E. You need to check the Schema master.

Answer: B

Explanation: The Infrastructure master is responsible for updating object references in
the domain that point to objects in other domains. It is a domain-wide role.
Incorrect answers:
A: The PDC emulator is also a domain-wide role, but it acts as the primary domain
controller in domains that contain Windows NT 4.0 back-up domain controllers. It also
manages password changes, etc. BUT it is not responsible for updating object references.
C: The Domain naming master is a forest-wide role and is responsible for controlling the
addition or deletion of domains in the forest.
D: The Relative ID master - though also a domain-wide role, is not responsible for
updating these object references. Rather it is responsible for allocating blocks of RIDs to
domain controllers in the domain. RIDs are assigned to newly created security principals
in the domain.
E: The Schema master is a forest-wide role and is responsible for maintaining a master
list of all object classes and attributes in the creation of Active Directory objects and
controlling all originating changes that are made to the schema.

QUESTION 18:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest. The forest consists of three
domains that are named Certkiller -north.com, Certkiller -south.com, and
Certkiller -west.com; and two sites.
The parent domain is Certkiller -north.com and encompasses both sites. The one child
domain is named Certkiller -south.com and is located in London. The other child
domain is named Certkiller -west.com and is located in Newcastle which is also the
main site. You have been given instruction to configure the operations master roles.
You do need to keep in mind that the servers on the network run either Microsoft
Windows Server 2003 or Microsoft Windows NT Server 4.0. You now need to
decide where you should place the schema master.
What should you do?

A. Place it on a domain controller in the London site.
B. Place it on a domain controller in the Newcastle site.
C. Place it in the site with the greatest number of BDCs.

D. Place it in the site where most users are located.

Answer: B

Explanation: The schema master role should be placed on a domain controller in the
main site which is Newcastle. This is necessary because the schema master is critical to
the functioning of Active Directory structure in the network. Furthermore you also want
to provide this specific domain controller with a high level of security and adequate
fault-tolerance.
Incorrect answers:
A: It is not advisable to place the schema master in a remote site such as the London
site. Besides, you need to be able to access the domain controller on which it is located.
C: To place the schema master in a location where there is the greatest number of BDCs
is not a requirement.
D: There is no need to place the schema master in a site where the most users are located.

QUESTION 19:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest and three domains. Your
administrative account currently enjoys membership of the Enterprise Admins
group.
You normally log on to the domain using your administrative account to carry out
your duties of regular maintenance on a domain controller named
Certkiller -DC03. However, Certkiller -DC03 hosts two operations master roles:
that of schema master and domain naming master.
You need to transfer the schema master role before you take Certkiller -DC03
down for maintenance. To this end you use the Active Directory Schema snap-in,
and then you right-click Active Directory Schema and then you click the Change
Domain Controller option. Then you encounter an error message stating that the
role cannot be transferred. You need to transfer the schema master role prior to
taking down Certkiller -DC03 for maintenance.
What should you do?

A. Select the target computer, click Connect to Domain Controller, and restart the
transfer operation in Active Directory Users and Computers (ADUC).
B. Run regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in at a
command prompt on Certkiller -DC03.
C. Ask another administrator whose account belongs to the Schema Admins group to
perform the move operation.
D. Move the domain naming master role prior to moving the schema master role using
the Active Directory Domains and Trust console.

Answer: C

Explanation: The user account used to perform this procedure must either be a member
of the Schema Admins group in Active Directory or have been delegated the appropriate
authority. Your account only has Enterprise Admins group membership, which does not
have the appropriate permissions to perform this operation. You thus need to ask an
administrator with Schema Admins group membership to perform the operation.
Incorrect answers:
A: This option is not the answer. The Active Directory Schema snap-in does need to be
connected to the schema master. However, the Active Directory Schema snap-in connects
to the schema master by default, therefore it will not help if you open the ADUC, select
the target computer, click Connect to Domain Controller and then restart the transfer
operation.
B: The snap-in is already registered, since you were able to open the console, connect to
the schema master and attempt the transfer operation. Thus you do not need to run
regsvr32 schmmgmt.dll.
D: You should not make use of the Active Directory Domains and Trusts console. Moving the
domain naming master role is not a prerequisite for transferring the schema master role.
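Questions 15 and 19 cover the two supported ways of moving the schema master (Ntdsutil and the Active Directory Schema snap-in) and the Schema Admins membership that either one requires. The following PowerShell session is an added example, not from the exam material, showing the Ntdsutil route end to end with a check before and after the move. It assumes the target domain controller name CERTKILLER-DC06 (a placeholder), an account in Schema Admins, and a current holder that is still online (a transfer needs the old holder to cooperate; only a seize works when it is down).

```powershell
# Added example: transfer the schema master role to another online DC before the
# current holder goes down for maintenance. Assumptions: run as a member of
# Schema Admins (Enterprise Admins alone is refused, see question 19), the
# current holder is still online, and CERTKILLER-DC06 is a placeholder target name.

$target = "CERTKILLER-DC06"

# 1. Record the current holder. dsquery ships with Windows Server 2003;
#    "-hasfsmo schema" prints the DN of the server object holding the role.
Write-Host "Schema master before transfer:"
dsquery server -hasfsmo schema

# 2. (GUI method only) The Active Directory Schema snap-in is not registered by
#    default, so it does not appear in "Add/Remove Snap-in" until this has run
#    once. The ntdsutil route below does not need it.
regsvr32 /s schmmgmt.dll

# 3. Transfer with ntdsutil. Each quoted argument is one command in its nested
#    menus: roles -> connections -> bind to the TARGET DC -> back to roles ->
#    transfer -> quit twice. ntdsutil contacts the current holder itself and
#    refuses to proceed if it cannot reach it, so this never silently seizes.
#    A confirmation dialog is shown before the transfer takes place.
ntdsutil "roles" "connections" "connect to server $target" "quit" "transfer schema master" "quit" "quit"

# 4. Verify the role moved before shutting the old holder down. The role is
#    forest-wide, so the answer must now be the target's server object.
Write-Host "Schema master after transfer:"
$holder = dsquery server -hasfsmo schema
if ($holder -match [regex]::Escape($target)) {
    Write-Host "Transfer confirmed: $holder"
} else {
    Write-Warning "Schema master is still not $target - do not take the old holder offline."
}
```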

QUESTION 20:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest and three domains. The
functional level of the forest is set at Windows 2000 mixed. All servers on the
Certkiller .com network run either Windows Server 2003 or Windows NT Server 4.0.
Part of your job description includes the management of replication in Active
Directory on the network. During routine management you discovered that the
Windows NT 4.0 Backup Domain Controllers (BDCs) are not part of the Active
Directory replication that occurs on the Certkiller .com network. The Windows Server
2003 domain controllers are participating in Active Directory replication.
You received instruction from the CIO to ensure that replication occurs properly.
You now need to find out what is causing the problem so as to troubleshoot the
issue. To this end you need to check what is causing the problem.
What should you do?

A. You should check the RID master operations role for malfunction.
B. You should check the Domain naming master operations role for malfunction.
C. You should check the PDC emulator operations role for malfunction.
D. You should check the Schema master operations role for malfunction.
E. You should check the Infrastructure master operations role for malfunction.

Answer: C

Explanation: The PDC emulator is responsible for synchronization with Windows NT
4.0 BDCs. It is also responsible for time synchronization, password latency issues, and
password changes for non-Active Directory clients. If the PDC emulator malfunctions, you lose
replication to the NT 4.0 BDCs. Users can even be delayed up to a quarter of an hour after
a password change before they can authenticate to any domain controller. In this
case, there is no replication to the Windows NT 4.0 BDCs, so the most likely place to
check for malfunctions would be the PDC emulator.
Incorrect answers:
A: The RID master role is responsible for the provision of blocks of RIDs to the domain
controllers. These RIDs are assigned to new objects that are created in the domain.
It does not affect replication as described in the question.
B: Domain naming master role is responsible for the addition and removal of domains in
the forest. If this role is absent, you will be unable to add or remove domains in the
forest.
D: Schema master role is the domain controller that handles all the updates to the
schema. This is not what is causing problems.
E: The Infrastructure master role is responsible for keeping track of objects that are not from your
domain. If this role does not function, then users in the other domains in the forest will
not be able to access resources in your domain.

QUESTION 21:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest. The forest consists of three
domains that are named Certkiller -north.com, Certkiller -south.com, and
Certkiller -west.com; and two sites.
The parent domain is Certkiller -north.com and encompasses both sites. The one child
domain is named Certkiller -south.com and is located in Miami. The other child
domain is named Certkiller -west.com and is located in Chicago which is also the main
site. You have been given instruction to configure the operations master roles. You
do need to keep in mind that the servers on the network run either Microsoft
Windows Server 2003 or Microsoft Windows NT Server 4.0. You now need to
decide where you should place the infrastructure master.
What should you do?

A. Place the Infrastructure master in any of the sites.
B. Place the Infrastructure master in the same site as the Domain naming master.
C. Place the Infrastructure master in the same site as the RID master.
D. Place the Infrastructure master in the same site as the Schema master.

Answer: C

Explanation: The Infrastructure master makes fast updates of references that cross domains. Thus it is
best that it should be placed in the site where the most user accounts are created.
However, the infrastructure master role cannot be placed on the same domain controller
as the global catalog server, but they should be in the same site. An Infrastructure master
role should be placed in the same site as the RID master for each domain.
Incorrect answers:
A: For the proper and effective functioning of Active Directory you should not place the
infrastructure master in just any site.
B: The domain naming master should be placed on a domain controller at the Chicago
site, but that does not make the same site the proper location for the infrastructure
master.
D: The schema master belongs on a domain controller in the Chicago site. It is not
necessary to place the infrastructure master in the same location.

QUESTION 22:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain. The Certkiller .com network
consists of one physical location. All servers on the Certkiller .com network run
Windows Server 2003 and all client computers run either Windows 2000
Professional or Windows XP Professional. There are currently 2,500 client
computers and 30 servers of which five have been configured to serve as domain
controllers.
The Certkiller .com Human Resources manager accidentally gave the wrong
personnel information to the data capturers. This resulted in a large amount of personnel data
requiring changes. These changes have to be tracked in Active Directory. To this
end you attempted to add objects and attributes into the directory service. However,
you encounter an error message that states that the operation cannot be performed.
You need to perform this task, and thus verify that you are logged on as the
administrator. What else could be causing the problem?

A. A missing PDC emulator master role.
B. A missing schema master role.
C. A missing Infrastructure master role.
D. A missing Domain Naming master role.
E. A missing RID master role.

Answer: B

Explanation: You need to manipulate the schema when you want to add new objects into
Active Directory. The Active Directory schema stores all the definitions for all objects
and their attributes. The schema master is the domain controller that handles all the
updates to the schema. In this case, you want to add to the schema and make changes and
the operation is failing. This is because the schema master is not available.
Incorrect answers:
A: The PDC emulator is responsible for synchronization with Windows NT 4.0 BDCs. It
is also responsible for time synchronization, password latency issues, and password
changes for non-Active Directory clients. This is not what is causing the problem.
C: The infrastructure master role is responsible for keeping track of objects that are not from
your domain. If this role does not function, users in the other domains in the forest will
not be able to access resources in your domain. This is not what is missing.
D: The domain naming master role is responsible for the addition and removal of domains in
the forest. If this role is absent, you will be unable to add or remove domains in the
forest.
E: The RID master role is responsible for providing blocks of RIDs to the domain
controllers. These RIDs are assigned to new objects that are created in the domain.

QUESTION 23:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain that encompasses three sites.
These sites are named Certkiller A, Certkiller B, and Certkiller C respectively. They
are connected to each other via fast and highly reliable Wide Area Network (WAN)
links. All servers on the Certkiller .com network run Windows Server 2003 and there
is at least one domain controller in each site.
The client computers and their respective operating systems and locations are as
follows:

You have been given instruction to configure the PDC emulator to accommodate all
of the client computers that are currently on the network. You thus need to select an
appropriate site in which to place the PDC emulator.
What should you do?

A. Place the PDC emulator on a domain controller in all the sites.
B. Place the PDC emulator on a domain controller in Certkiller A.
C. Place the PDC emulator on a domain controller in Certkiller B.
D. Place the PDC emulator on a domain controller in Certkiller C.

Answer: D

Explanation: A PDC emulator acts as a Windows NT primary domain controller for the
legacy client computers. Only the PDC emulator is capable of processing logon and
password change requests from the legacy clients. The Windows 2000 Professional and
Windows XP Professional client computers are not dependent on the availability of the
PDC emulator. Therefore, in a single domain that spans multiple sites you should place
the PDC emulator in the site where the largest number of legacy client computers is
located. Thus Certkiller C would be the appropriate location. You will then get faster
logon and password changes in the site where it is most needed.
Incorrect answers:
A: This would be inappropriate as Certkiller C is the site where most legacy client
computers are located.
B: The WAN links between sites are fast and highly reliable, thus Certkiller A will not be left
without a PDC emulator. Besides, there are fewer legacy client computers located here
than in Certkiller C.
C: The WAN links between sites are fast and highly reliable, thus Certkiller B will not be left
without a PDC emulator. Besides, there are fewer legacy client computers located here
than in Certkiller C.

QUESTION 24:

You work as the network engineer at Certkiller .com. Certkiller .com has
headquarters in London and branch offices in Paris, Berlin, Milan, Madrid,
Stockholm, Marrakech, Minsk, Delhi, Abu Dhabi, Perth, Johannesburg, and Rio de
Janeiro.
You have been commissioned to plan the deployment of a Microsoft Windows
Server 2003 Active Directory environment for Certkiller .com. Following is a list of
constraints that you need to keep in mind in your plans:
1. The London office is the headquarters.
2. Only the London office will store custom, confidential data in Active Directory.
3. The London office users will make exclusive use of a custom application.
4. This custom application will allow the insertion and retrieval of the custom
objects to and from Active Directory.
5. The branch offices do not need to maintain custom objects in Active Directory.
To this end you thus decided to maintain two different schemas. The one schema
will serve the London office and the other schema will serve the branch offices.
What should you do?

A. You need to create a parent and child domain.
B. You need to create two separate domains in the same forest.
C. You need to create one forest root domain.
D. You need to create two forest root domains.

Answer: D

Explanation: A forest is made up of trees whose root domains are connected by
transitive trusts but do not share a namespace. There is only one schema per forest. This
schema is replicated to all domain controllers, so the schema is common
throughout the forest. The question states that you need two separate
schemas. Thus you need to make use of two separate forests. The term forest root
domain refers to the first domain created in a forest; any future domains
in the tree or forest receive a replica of the schema from the forest root domain during
the configuration of Active Directory.
Incorrect answers:
A: The creation of a child and parent domain will lead to only one forest, which means
there can only be one schema.
B: The creation of two separate domains in the same forest will lead to a common
schema which is not what is wanted in this case.
C: The creation of one forest root domain will force the sharing of a common schema
between the London office and the other offices since the schema is common throughout
the forest. This is not what is wanted.

QUESTION 25:

You work as a systems engineer at Certkiller .com. You are presented with an Active
Directory forest and domain structure design whose specifications include multiple
forests and domains. An implemented DNS solution capable of supporting Active
Directory is already in place.
You then set about your task according to the design and consequently:
1. created the forests and the necessary cross-forest trusts that should be in place
2. created the domain hierarchy in each forest
3. created the shortcut trusts between domains
4. set the forest and domain functional level.
Now you need to create the forest root domain.
What should you do?

A. Implement DNS on the network.
B. Install the first domain controller on the network.
C. Configure cross-forest trusts
D. Set the forest and domain functional level.

Answer: B

Explanation: The installation process of Active Directory creates the forest root domain. If the server
is the first domain controller on the network, the installation process creates the forest
root domain and then assigns the operations master roles to that domain controller.
Incorrect answers:
A: Implementing DNS does not result in the creation of the forest root domain.
C: Configuring cross-forest trusts does not result in the creation of the forest root
domain.
D: Setting the forest and domain functional level does not result in the creation of the
forest root domain.

QUESTION 26:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of an Active Directory forest with two domains.
All the domain controllers in the root domain run the Windows Server 2003
operating system. The functional level of the root domain is set at Windows Server
2003. All the domain controllers in the child domain run the Windows 2000 Server
operating system. The functional level for the child domain is consequently set at
Windows 2000 native, by default.
You have been requested to rename the root domain. You are aware of the fact that
there are steps that you need to complete prior to renaming the root domain.
What should you do?

A. Raise the forest functional level to Windows Server 2003 in one step.
B. Upgrade the child domain PDC emulator to Windows Server 2003.
Then raise the child domain functional level to Windows Server 2003.
Then raise the forest functional level to Windows Server 2003.
C. Upgrade all the child-domain domain controllers to Windows Server 2003.
D. Upgrade all the child-domain domain controllers to Windows Server 2003.
Then raise the child domain functional level to Windows Server 2003.
E. Upgrade all domain controllers that are currently running Windows 2000 Server to
Windows Server 2003.
Then raise the forest functional level to Windows Server 2003.

Answer: E

Explanation: The Windows Server 2003 forest functional level allows you to change the
name of a domain. Before you can set the forest functional level to Windows Server
2003, all domains in the forest must be at the Windows Server 2003 functional level,
which in turn means that all domain controllers in each domain must run the Windows
Server 2003 operating system.
In this scenario, once all the domain controllers in the forest run Windows Server 2003,
you can raise the forest functional level to Windows Server 2003 even though one domain
is at the Windows Server 2003 functional level and the other is at Windows 2000 native:
the functional level of the remaining domain is raised automatically when you raise the
forest functional level. You will then be able to rename the root domain.
Incorrect answers:
A: In this scenario you will not be able to raise the forest functional level to Windows
Server 2003 in one step.
B: The PDC emulator is the first domain controller to which password changes are sent in a
domain, and it replicates user and group information to down-level domain
controllers in the domain. In this scenario, however, you must upgrade all the domain
controllers and not just the PDC emulator; otherwise you will not be able to raise the domain
functional level to Windows Server 2003.
C: This solution is only partly correct; the child domain functional level and
the forest functional level still have to be raised prior to renaming the root domain.
D: This option is correct up to a point, but it omits raising the forest
functional level, which must also take place.

QUESTION 27:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of an Active Directory forest with two domains.
All the domain controllers in the root domain run the Windows Server 2003
operating system. The functional level of the root domain is set at Windows Server
2003. All the domain controllers in the child domain run the Windows 2000 Server
operating system. The functional level for the child domain is consequently set at
Windows 2000 native, by default.
You have been requested to rename the root domain. You know that there are steps
that you need to complete prior to renaming the root domain.
What should you do?

A. There is no preliminary action required prior to renaming the root domain.
B. Raise the child domain functional level to Windows 2000 native.
Then raise the forest functional level to Windows Server 2003.
C. Upgrade the child-domain domain controllers to Windows Server 2003.
Then raise the child domain functional level to Windows Server 2003.
Then raise the forest functional level to Windows Server 2003.
D. Impossible, you cannot rename a forest root domain.

Answer: C

Explanation: The Windows Server 2003 forest functional level allows you to change the
name of a domain. Before you can set the forest functional level to Windows Server
2003, all domains in the forest must be at the Windows Server 2003 functional level,
which in turn means that all domain controllers in each domain must run the Windows
Server 2003 operating system.
In this scenario you must first upgrade all child-domain domain controllers to Windows
Server 2003, then raise the child domain functional level to Windows Server 2003, and
then raise the forest functional level to Windows Server 2003. You will then be able to
rename the root domain.
Incorrect answers:
A: This is incorrect; you need the forest functional level to be at Windows Server 2003.
B: This is incorrect; the child domain functional level should be raised to Windows
Server 2003 to enable you to rename the root domain.
D: A Windows Server 2003 functional level will enable you to rename the root domain.
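
Added example, not part of this exam guide: a PowerShell readiness check that reports which of the domain-rename prerequisites from Questions 26 and 27 (down-level domain controllers, domain functional level, forest functional level) are still unmet. It assumes a management host with the RSAT ActiveDirectory module, which did not exist on Windows Server 2003 itself, and an account with read access to every domain in the forest.

```powershell
# Added example, not part of the original exam guide. Reports whether the forest
# meets the prerequisites for renaming a domain discussed in Questions 26 and 27:
#   1. every domain controller runs Windows Server 2003 or later,
#   2. every domain is at the Windows Server 2003 (or higher) functional level,
#   3. the forest is at the Windows Server 2003 (or higher) functional level.
# Assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later tooling).
Import-Module ActiveDirectory

function Get-DomainRenameReadiness {
    $forest = Get-ADForest

    # Minimum functional levels that permit domain rename; the enumerations
    # order levels, so a numeric comparison also accepts newer levels.
    $minDomainMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    $minForestMode = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest

    $blockers = New-Object System.Collections.Generic.List[string]

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName

        # Prerequisite 1: no down-level (Windows 2000 Server) domain controllers,
        # the situation in the child domain of Questions 26 and 27.
        $dcs = Get-ADDomainController -Filter * -Server $domainName
        foreach ($dc in $dcs) {
            if ($dc.OperatingSystem -like '*Windows 2000*') {
                $blockers.Add("Upgrade DC $($dc.HostName) in $domainName (runs $($dc.OperatingSystem))")
            }
        }

        # Prerequisite 2: domain functional level at Windows Server 2003 or higher.
        if ([int]$domain.DomainMode -lt $minDomainMode) {
            $blockers.Add("Raise domain $domainName from functional level $($domain.DomainMode)")
        }
    }

    # Prerequisite 3: forest functional level at Windows Server 2003 or higher.
    if ([int]$forest.ForestMode -lt $minForestMode) {
        $blockers.Add("Raise forest $($forest.Name) from functional level $($forest.ForestMode)")
    }

    [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = "$($forest.ForestMode)"
        RenameAllowed = ($blockers.Count -eq 0)
        Blockers      = $blockers.ToArray()
    }
}

# Usage: the blockers come out in the order they must be fixed (upgrade DCs,
# raise domain level, raise forest level), matching the answer to Question 27.
$report = Get-DomainRenameReadiness
$report | Format-List
$report.Blockers | ForEach-Object { Write-Output " - $_" }
```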

QUESTION 28:

You work as the network engineer at Certkiller .com. You have been given the task
to design the layout as well as the domain controller placement for the Certkiller .com
Active Directory network. Certkiller .com has its headquarters in Chicago and a
branch office in Dallas.
The requirements for the Active Directory design include the following:
1. A single schema.
2. 8-character passwords are compulsory for the Dallas office users.
3. 12-character passwords are compulsory for the Chicago office users.
4. The Chicago user passwords must be stored using reversible encryption.
5. Both Chicago and Dallas office users need to be able to access resources in both
locations upon a single logon.
6. Once authenticated, all users, regardless of the location from which they logged on,
should have universal access to resources.
You need to decide on the best way to design the Active Directory to meet the
aforementioned requirements.
What should you do? (Each correct answer presents part of the solution. Choose
two.)

A. Create a single domain. Then create two top level Organizational Units (OUs): One
for Chicago and one for Dallas.
B. Create a domain for the Chicago office, named Certkiller .com; and then create a child
domain for the Dallas office, named testlab.com.
C. Create two separate domains: one for each office, named Certkiller .com and
dallas.test.com respectively - each a forest root domain.
D. Assign a Group Policy Object (GPO) to the Dallas OU that configures the password
requirements. Assign a GPO to the Chicago OU that configures the password
requirements.
E. Create and link a GPO that configures the password requirements to Certkiller .com.
Then create and link a GPO that configures the password requirements to
dallas. Certkiller .com.

Answer: B, E

Explanation: One of the requirements is different security policies to control password
requirements. Domains are security boundaries, and password security
policies can thus be applied at domain level. Because there is a requirement for different
password policies for each office, you should create two domains. Naming the domains
Certkiller .com and dallas. Certkiller .com means that the Dallas office (domain) is located in
the same tree as the Chicago office.
You should further configure GPOs linked to each of the domains with the appropriate
password policies for that domain.
Incorrect answers:
A: Creating a single domain with two top-level OUs will not allow you to assign
different password policies to each location.
C: This would violate the requirement that calls for a single schema. The schema is
common to a forest, so if you had two different forests, you would have two different
schemas.
D: Password security policies can only be assigned at domain level.

QUESTION 29:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of a forest that is made up of a single domain named Certkiller .com.
Certkiller .com operates in Windows 2000 native mode. The company recently
acquired a new subsidiary. Your job description includes the planning to
incorporate this new subsidiary. Your administrative account enjoys Enterprise
Admins and Schema Admins group membership. To this end you plan to create a
new domain tree in the forest that will contain a tree root domain, named
testlab.com, and a child domain, named research.testlab.com.
In the Certkiller .com domain there are two domain controllers that have the Domain
Name System (DNS) server service installed. The DNS zone for Certkiller .com is
configured as an Active Directory-integrated zone. You then create a new zone
named testlab.com on one of the Certkiller .com DNS servers. During the setting up of
testlab.com, you accepted the default settings for the zone.
You intend to make use of Windows Server 2003 computers as the domain
controllers for the new domains. You then run the Adprep utility with the
forestprep option from the Windows Server 2003 installation CD-ROM to update
the forest schema to support the new domains. Now you need to ensure that you will
be able to create a child domain in the new domain tree.
What should you do?

A. You should delegate a DNS subdomain named research.testlab.com to a new DNS
server that is joined to the child domain.
B. On the testlab.com DNS subdomain you should create a new DNS zone named
research.testlab.com for the child domain.
C. You should configure the testlab.com zone to allow dynamic updates.
D. You should convert the testlab.com zone to an Active Directory integrated zone.

Answer: C

Explanation: In the question it is mentioned that you accepted the default settings for the testlab.com
DNS zone. This means that you should modify the settings to allow dynamic updates.
If you do not, the DNS service (SRV) records and host (A) records for the
domain controllers for testlab.com will not be created, and consequently you will not be
able to locate a domain controller for testlab.com.
Incorrect answers:
A: If you do delegate a subdomain for the child domain to a new DNS server, you must
also create the zone for the subdomain on the new DNS server and configure the
computers that you will promote to domain controllers for research.testlab.com to use the
new DNS server.
B: There is no need to create a new DNS zone named research.testlab.com for the child
domain on the DNS testlab.com server. Although each Active Directory domain can use
a separate DNS zone, an Active Directory domain can be configured as a subdomain in
the zone defined for its parent domain.
D: You should not convert the testlab.com zone to an Active Directory integrated zone.
Even if you do, you still need to configure the zone to allow dynamic updates.

QUESTION 30:

You work as the systems engineer at Certkiller .com. Your job description involves
the planning of the domain structure for Certkiller .com. To this end you have been
given an Active Directory forest and domain structure that specifies multiple forests
and domains.
Certkiller .com currently has a DNS solution in place that supports Active
Directory, and you have already created a domain named Certkiller .com. Since
Certkiller .com is a growing company, management decided to accommodate all new
company acquisitions in child domains under the Certkiller .com domain. Following a
new acquisition, the CIO has instructed you to create a child domain, as the new
company structure will require it.
What should you do?

A. Use the dcdiag utility to create a child domain.
B. Use the Active Directory Schema MMC to create a child domain.
C. Use the Active Directory Installation Wizard to create a child domain.
D. Use the dcgpofix utility to create a child domain.

Answer: C

Explanation: When you make use of the Active Directory Installation Wizard, the procedure
to create a child domain is similar to that for creating the forest root domain. In the Active
Directory Installation Wizard, on the Create New Domain page, click Child
domain in an existing domain tree. The domain naming master is used to confirm the
uniqueness of the child domain name and must be available in order for you to create a
child domain.
Incorrect answers:
A: The dcdiag utility is used to troubleshoot computers that are unable to locate a domain
controller. You cannot use it to create a child domain.
B: The Active Directory Schema MMC can be used to configure the types of objects
stored in Active Directory, not the creation of child domains.
D: The dcgpofix utility is used to restore default Group Policy objects to their default
settings.

QUESTION 31:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers in the Certkiller .com domain run Windows Server 2003 and all client
computers run Windows XP Professional. Your job description involves the
planning of the domain structure for Certkiller .com.
You are planning to create a new child domain in the Certkiller .com domain. To
this end you install Windows Server 2003 on a new computer named
Certkiller -SR10. You then connect Certkiller -SR10 to the network and verify
that it can communicate successfully with the other computers on the Certkiller .com
network. You then decide to make use of the Active Directory Installation Wizard to
create the new child domain.
In the Active Directory Installation Wizard you navigate to the page where you
specify that you want to install the first domain controller in the new domain. You then get
prompted to specify a user account from the parent domain. However, the promotion
of Certkiller -SR10 to a domain controller fails, and you receive an error message
stating that no domain controllers for the parent domain can be found.
You need to correct the problem because it will prevent you from promoting the
server to a domain controller in the new child domain.
What should you do?

A. You should run the Active Directory Installation Wizard again prior to joining
Certkiller -SR10 to the Certkiller .com domain.
B. You need to configure Certkiller -SR10 to use another DNS server for name
resolution.
C. You need to configure Certkiller -SR10 to make use of another WINS server for
name resolution.
D. You should run Active Directory Installation Wizard again and when prompted
specify a user account that enjoys Schema Admins group membership.

Answer: B

Explanation: The Windows Server 2003 operating system uses DNS as the locator
service to find domain controllers on the network. The problem here arises
because Certkiller -SR10 is unable to locate domain controllers for Certkiller .com. This
means that the DNS client on Certkiller -SR10 is not configured to use a DNS server
that can locate the domain controllers. Since it is also mentioned that Certkiller -SR10
can communicate successfully with the other computers on the network, it probably
uses NetBIOS over TCP/IP with a WINS server or b-node broadcasts for name
resolution. However, since Certkiller -SR10 runs Windows
Server 2003, you should configure it to use a DNS server that is authoritative for
Certkiller .com and then run the Active Directory Installation Wizard again.
Incorrect answers:
A: There is no need to join Certkiller -SR10 to the Certkiller .com domain prior to its
promotion to domain controller. All that is required is to run the Active Directory
Installation Wizard on a stand-alone server and promote it to a domain controller in any
domain, as long as you provide credentials for a user account with sufficient privileges.
C: Windows Server 2003 requires DNS as the locator service, not WINS.
D: Membership of the Schema Admins group is not enough to be able to create a new
child domain. The user account requires either Enterprise Admins universal group
membership or Domain Admins global group membership.

QUESTION 32:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers in the Certkiller .com domain run Windows Server 2003 and all client
computers run Windows XP Professional. Your job description involves the
planning of the domain structure for Certkiller .com.
You are planning to create a new child domain in the Certkiller .com domain. To
this end you install Windows Server 2003 on a new computer named
Certkiller -SR06. You then connect Certkiller -SR06 to the network and join it
to the Certkiller .com domain.
You then make use of your non-administrative user account and start the Active
Directory Installation Wizard. In the Active Directory Installation Wizard you
navigate to the page where you specify that you want to install the first domain
controller in the new domain. You then get prompted to specify the credentials of a
user account from the parent domain that has sufficient privileges to create the
child domain. You thus need to specify a user account with sufficient privileges.
What should you do?

A. Specify an account that enjoys built-in domain Administrators group membership.
B. Specify an account that enjoys local Administrators group membership on the server.
C. Specify an account that enjoys Enterprise Admins group membership.
D. Specify an account that enjoys Schema Admins group membership.

Answer: C

Explanation: To be able to create a new domain in an existing forest, you must install the
first domain controller in that domain. To be able to do this, you need to have been
assigned a sufficient level of authority, including permissions for the
Configuration and Schema containers in Active Directory. This authority is assigned by
default to members of the Enterprise Admins universal group as well as members of the
Domain Admins global group in the parent domain of the new child domain. The forest
root domain is the parent of all tree root domains in the same forest. Membership of any
other group does not, by default, provide sufficient authority to create a new child
domain.
Incorrect answers:
A: The built-in Domain Administrators group does not have permissions for the
Configuration and Schema containers in Active Directory.
B: The local Administrators group does not have permissions for the Configuration and
Schema containers in Active Directory.
D: The Schema Admins group does not have permissions for the Configuration and
Schema containers in Active Directory.

QUESTION 33:

You work as the systems engineer at Certkiller .com. Your job description involves
the planning of the domain structure for Certkiller .com. To this end you have been
given an Active Directory forest and domain structure that specifies multiple forests
and domains.
Certkiller .com currently has a DNS solution in place that supports Active
Directory. You then carry on creating the forests and all the
necessary cross-forest trusts as specified in the design. You then create the domain
hierarchy in each forest and the shortcut trusts between domains, and set the
forest and domain functional level.
You now need to determine which programs use the Application Directory Partition
in order to determine which information is replicated in Active Directory.
What should you do?

A. Make use of the Active Directory Installation Wizard to determine the required
information.
B. Make use of the tapicfg tool to determine the required information.
C. Make use of the ntdsutil tool to determine the required information.
D. Make use of the DNS server snap-in to determine the required information.

Answer: A

Explanation: The first port of call to check which programs are accessing the application
directory partition in Active Directory is the first page of the Active Directory
Installation Wizard.
Incorrect answers:
B: The tapicfg tool is used to create a Telephony Application Programming Interface
application directory partition, not to determine which programs use the Application
Directory Partition.
C: The ntdsutil tool is used to add or delete an application directory partition, not to
determine which programs use it.
D: The DNS server snap-in is used to manage DNS servers in the network. It is not used
to determine which programs make use of the Application Directory Partition.

QUESTION 34:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single domain that has a functional level configured at
Windows Server 2003. Your job description involves the planning and
implementation of new applications for Certkiller .com.
You are currently assigned to the Research and Development department. As such
you need to plan and implement a new application for the Research and
Development department. It is a custom application that will use Active Directory to
store information. There is a user named Mia Hamm who is a developer in the
Research and Development department. Mia Hamm requires the ability to create
the application directory partition in Active Directory that the department will use.
To this end Mia Hamm requires the necessary permissions to enable her to create the
application directory partition root node. You thus need to delegate the necessary
permissions to Mia Hamm to create application directory partitions.
What should you do?

A. Mia Hamm should be added into the Schema Admins group for the domain.
B. Mia Hamm should be provided with the Active Directory Service Interfaces.
C. You should create a cross-reference object and delegate permission over it to Mia
Hamm.
D. You should upgrade all the Research and Development department domain controllers
to Windows Server 2003 Enterprise Edition.

Answer: C

Explanation: You must first create a cross-reference object to allow Mia Hamm to create
and manage an application directory partition in Active Directory. The cross-reference
object for an application partition holds several crucial pieces of information. You then
delegate control of the cross-reference object to Mia Hamm. Once she has authority
over the cross-reference object, she will be able to create and manage the application
directory partition.
Incorrect answers:
A: Schema Admins group membership does not allow one to be able to create and
manage application data partitions.
B: Active Directory Service Interfaces can be used to create, delete, or manage
application directory partitions; however, in this scenario Mia Hamm requires permission
to perform these tasks. Merely providing the tool to do the tasks is not sufficient; she
needs the permissions to be able to use it.
D: Windows Server 2003 Enterprise Edition is not a requirement to support application
directory partitions.

QUESTION 35:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. Your
administrative account enjoys Enterprise Admins and Schema Admins group
membership. Your job description involves the planning of the domain structure for
Certkiller .com. Certkiller .com is configured to run in a Windows 2000 native mode.
You are currently busy updating the Certkiller .com forest schema to support a new
child domain and to this end you thus run the Adprep utility with the forestprep
option from the Windows Server 2003 installation CD-ROM. You install Windows
Server 2003 on a server named Certkiller -SR05. Certkiller -SR05 is to function
as the first domain controller for the new child domain. You select the "Typical
setup for a first server" option in the Configure Your Server Wizard when the
server starts for the first time after the installation of Windows Server 2003.
You make use of Active Directory Users and Computers on a Windows XP
Professional client computer named Certkiller -WS25 to connect to a global
catalog server for the forest root domain. You are trying to the Find tool in Active
Directory Users and Computers to create a custom search that makes use of the
"entire directory" as the container for the search. This custom search must query
Active Directory for multicast conferences currently in progress. Unfortunately you
are unable to locate this target in the Find Custom Search dialog box. The default
application partition for the Telephony Application Programming Interface (TAPI)
stores this information.
Why are you unable to locate the desired search target?
A. There is no replica of the application partition for TAPI hosted on the domain where the
global catalog is located.
B. There is no replica of the application partition for TAPI hosted on the global catalog
server.
C. There is no data from the application partition for TAPI in the global catalog.
D. You are not connected to the schema operations master for the existing forest.

Answer: C

Explanation: The most probable reason for you being unable to locate the desired target
for your search is that the data from the application partition for TAPI is not in the global
catalog. When you select "entire directory" as the search target, you are in essence running a
custom search against the global catalog. Because data in application partitions is not
replicated to the global catalog, TAPI-related fields are not available in the Find Custom
Search dialog box.
Incorrect answers:
A: This is not the reason for you being unable to locate the desired search target. If you
use LDAP query with the TAPI application partition as the container for your search, you
will be able to locate the desired information even if the domain controller to which you
are connected is in a domain that does not host the replica of the application partition for
TAPI.
B: When one makes use of an LDAP query with the TAPI application partition as the
container for the search, the desired information can be located even if the domain
controller that you are connected to does not host a replica.
D: There is no need to be connected to a schema operations master for a forest to obtain
information from an application partition. The schema operations master is used to
modify the schema.

QUESTION 36:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. The functional level of the domain is set
at Windows Server 2003.
A server named Certkiller -SR24 is designated to function as an application server
in the Certkiller .com domain. There are many different groups of users that require
different configurations of the same applications that will be hosted on
Certkiller -SR24. You are now required to configure the appropriate COM+
partitions and assign the appropriate users access.
What should you do?

A. Create a COM+ partition in Active Directory and on Certkiller -SR24 for each
configuration of each application.
Then create COM+ partition sets on Certkiller -SR24.
Assign Certkiller .com users to the appropriate COM+ partition sets in Active Directory.
B. Create a COM+ partition in Active Directory and on Certkiller -SR24 for each
configuration of each application.
Then create COM+ partition sets in Active Directory.
Assign Certkiller .com users to the appropriate COM+ partition sets on Certkiller -SR24.
C. Create a COM+ partition in Active Directory and on Certkiller -SR24 for each
configuration of each application.
Then create COM+ partition sets in Active Directory.
Assign Certkiller .com users to the appropriate COM+ partition sets in Active Directory.

D. Create a COM+ partition in Active Directory and on Certkiller -SR24 for each
configuration of each application.
Then create COM+ partition sets in Active Directory.
Assign Certkiller .com users to the appropriate COM+ partitions in Active Directory.

Answer: C

Explanation: To make local COM+ partitions on Certkiller -SR24 available to the
domain users, you need to create COM+ partitions in Active Directory that correspond to
the local COM+ partitions on Certkiller -SR24, organize the COM+ partitions in
Active Directory into partition sets, and then assign users or OUs that contain multiple
users to the appropriate partition sets. A COM+ partition is a logical container that
separates a particular configuration of an application from other configurations of the
same application on the same computer.
Incorrect answers:
A: This option is correct except that one creates partition sets only in Active Directory
and not on application servers, i.e. Certkiller -SR24 in this case.
B: This option is correct except that the appropriate partition sets should be assigned in
Active Directory and not on Certkiller -SR24.
D: This option is correct except for the omission of partition sets. Domain users and OUs
can be assigned only to partition sets and not individual partitions as is suggested in this
option.

QUESTION 37:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest. All servers on the Certkiller .com
network run Windows Server 2003 and all client computers run Windows XP
Professional. The functional level of the forest is set at Windows Server 2003.
A server named Certkiller -SR20 is designated to host a custom application that is
supposed to be deployed for the benefit of the Sales department. The Sales
department is spread throughout the many Certkiller .com offices. This custom
application makes use of Active Directory replication data amongst the multiple
locations. You need to create an appropriate application directory partition on
several domain controllers.
What should you do?

A. You should use the DNS console.
B. You should use the Ntdsutil Utility.
C. You should use the Active Directory Domains and Trusts console.
D. You should use the Active Directory Sites and Services console.
E. You should use the Active Directory Users and Computers console.

Answer: B

Explanation: Windows Server 2003 has a feature named application directory partitions.
Active Directory-aware applications can be programmed to store data in application-specific
partitions in Active Directory. An application directory partition is assigned a
DNS name defining its namespace. The application directory partition can then be
replicated to any specified domain controllers in the forest. An Active Directory-aware
application will normally create its application directory partition automatically and
provide the tools for its management. In the event of an application directory partition not
being created automatically, you can make use of the Ntdsutil command-line utility to
create, delete and manage application directory partitions.
Incorrect answers:
A: The DNS Console is used to configure the scope of replication of the DNS application
partitions. It is not used to create the application directory partitions on the domain
controllers.
C: This tool is not used for the creation of application directory partitions on the domain
controllers.
D: The Active Directory Sites and Services tool is not used for the creation of application
directory partitions on the domain controllers.
E: The Active Directory Users and Computers tool is not used for the creation of
application directory partitions on the domain controllers.
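The Ntdsutil steps the explanation refers to, as an added example that is not part of the exam text: creating the application directory partition for the Sales application and placing replicas on more than one domain controller. The partition name DC=SalesApp,DC=Certkiller,DC=com and the second replica host CERTKILLER-DC02 are assumptions; CERTKILLER-SR20 is the server from the question. Ntdsutil executes its menu commands in order when they are passed as quoted arguments, which is what makes the session scriptable.

```batch
@echo off
REM Added example, not part of the exam text: creating the application directory
REM partition from question 37 with ntdsutil and placing replicas on the domain
REM controllers that serve the Sales offices. Assumed names: the partition is
REM DC=SalesApp,DC=Certkiller,DC=com, CERTKILLER-SR20 is the domain controller from
REM the question and CERTKILLER-DC02 is a second replica host. Run as Enterprise
REM Admins, or as a user who has been delegated control of the partition's
REM cross-reference object (question 34).

set NC=DC=SalesApp,DC=Certkiller,DC=com
set FIRST_REPLICA=CERTKILLER-SR20.Certkiller.com
set SECOND_REPLICA=CERTKILLER-DC02.Certkiller.com

REM ntdsutil runs menu commands passed as quoted arguments in order, so the whole
REM session can be scripted. "create nc" makes the partition with its first replica;
REM "add nc replica" extends the replica set; "list" shows the known naming contexts.
ntdsutil "domain management" "connections" "connect to server %FIRST_REPLICA%" "quit" ^
  "create nc %NC% %FIRST_REPLICA%" ^
  "add nc replica %NC% %SECOND_REPLICA%" ^
  "list" "quit" "quit"

REM Verify from the configuration partition: the crossRef object for the new naming
REM context records which domain controllers hold replicas. Data in this partition is
REM never copied to the global catalog (compare question 35).
dsquery * "CN=Partitions,CN=Configuration,DC=Certkiller,DC=com" ^
  -filter "(&(objectClass=crossRef)(nCName=%NC%))" -attr nCName dnsRoot msDS-NC-Replica-Locations
```

The final dsquery is the check to run after the session: if msDS-NC-Replica-Locations does not list both servers, the replica was not added and the Sales application will replicate to a single domain controller only.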

QUESTION 38:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two child domains
named us. Certkiller .com and uk. Certkiller .com.
All servers and domain controllers on the Certkiller .com network run Windows
2000 Server. All operations master roles are in their default locations.
You have been given the task to upgrade the domain controllers in uk. Certkiller .com
to Windows Server 2003. You thus need to take the appropriate steps that are
required to prepare the forest for the impending deployment.
What should you do? (To answer, select the appropriate required steps from the
column on the left and place them in the correct order in the column on the left. The
first task should be listed from the top down.)

Answer:

Explanation:
The Adprep.exe command completes a number of tasks, which include extending the
schema, modifying display specifiers, and changing the default security descriptors, all of
which are required steps for the upgrade.
Step 1 should be to extend the forest schema; thus you need to run the adprep /forestprep
command on the schema master role holder. (In this scenario all the operations master
roles are in their default locations, in other words, the roles are on the first domain
controller installed in the new forest. Thus you need to run forestprep on the first domain
controller in Certkiller .com.)
Step 2 should be to run the domainprep command on the infrastructure master role holder
in each domain, i.e. the parent and child domains. You cannot prepare a domain controller by
using domainprep unless it has received the changes made by the forestprep command. If
you do, you will encounter an error message.
Incorrect answers:
You cannot run the forestprep command on the schema master of uk. Certkiller .com.
Because all operations master role holders are in the default locations, this role will be
on the first domain controller in Certkiller .com and not in uk. Certkiller .com.
You cannot run domainprep on the infrastructure master only of the uk. Certkiller .com
domain. This command should be run on the infrastructure master role holder in each
domain before a successful upgrade is made possible.
You should not force replication between the schema master and the PDC emulator.
While you must wait for changes made when forestprep is run to replicate throughout the
domain, specifically forcing replication between schema master role holder and PDC
emulator role holder is not a requirement. These changes must be replicated to the
infrastructure master role holder, but will eventually be replicated to every domain
controller in the forest.

QUESTION 39:

You work as the network administrator at Certkiller .com. The Certkiller .com
network is currently operating in a Microsoft Windows NT 4.0 environment. It is a
complete trust model with seven domains with each domain representing a physical
location on the network.
You have been commissioned to migrate the current Certkiller .com network to
Microsoft Windows Server 2003. Because the current network is a complete trust
model, you made the following decisions:
1. Restructure and create a single domain.
2. All domain controllers are to run Windows Server 2003.
3. Migrate the e-mail system to Microsoft Exchange 2000.
4. All member servers are to run Windows 2000 Advanced Server and Windows NT
4.0 Server.
5. The Windows NT 4.0 Servers are required to run in order to support a couple of
existing applications and some non-Microsoft applications.
The CIO gave you instruction to ensure that all the legacy applications will continue
to function normally after the installation of Active Directory and the domain
migration to Windows Server 2003.
What should you do?

A. You need to migrate the legacy applications to Windows 2000 Advanced Server or
Windows Server 2003.
B. You need to select the "Permissions Compatible with pre-Windows 2000 Server
operating systems" option during the Active Directory installation.
C. You need to remove the Anonymous Logon group from the pre-Windows 2000
Compatible Access security group after the Active Directory installation.
D. You need to select the "Permissions Compatible only with Windows Server 2003
operating systems" option during the Active Directory installation.

Answer: B

Explanation: On the Windows NT 4.0 servers the read access for user and group
information is assigned to anonymous users to enable proper functioning. On Windows
2000 and Windows Server 2003 server, the Anonymous Logon group has read access to
this information only when this group is added to the Pre-Windows 2000 Compatible
Access group. You need to allow the legacy applications that are running on the Windows
NT 4.0 Servers to continue functioning; thus you should select the "Permissions
Compatible with pre-Windows 2000 server operating systems" option.
Incorrect answers:
A: There is no need to migrate the Windows NT 4.0 Servers. During the Active Directory
installation, you can relax the permissions that allow the legacy applications to function.
C: If you remove the Anonymous Logon group from the pre-Windows 2000 Compatible
Access group, you will switch Active Directory to a higher security level which will
result in the legacy applications not functioning at all.
D: Members of the Anonymous Logon group will not be able to read user and group
information and this will result in the legacy applications not functioning if you select the
"Permissions Compatible only with Windows Server 2003 operating systems".

QUESTION 40:

You work as the systems engineer at Certkiller .com. Your job description involves
the planning of the domain structure for Certkiller .com. To this end you have been
given an Active Directory forest and domain structure that specifies multiple forests
and domains.
Currently Certkiller .com has a DNS solution in implementation. This DNS solution
supports Active Directory. You then carry on creating the forests and all the
necessary cross-forest trusts as specified in the design. You then create the domain
hierarchy in each forest and the shortcut trusts between domains. You then set the
forest and domain functional levels.
You now need to promote a member server in one domain to a domain controller.
What should you do?

A. Make use of the Active Directory Installation Wizard.
B. Make use of the Active Directory Schema tool.
C. Make use of the Active Directory Domains and Trusts.
D. Make use of the Active Directory Sites and Services.

Answer: A

Explanation: Installing the first domain controller on a network is part of the Active
Directory installation process, and you start that process by running the Active Directory
Installation Wizard. Promoting a member server to a domain controller is likewise done by
running the Active Directory Installation Wizard on that server.
Incorrect answers:
B: The Active Directory Schema tool is used to configure the types of objects stored in
Active Directory and not to promote member servers to domain controllers.
C: The Active Directory Domains and Trusts snap-in is used to manage Active Directory
domains and trusts and not to promote member servers to domain controllers.
D: The Active Directory Sites and Services snap-in is used to view and manage sites and
services, not to promote member servers to domain controllers.

QUESTION 41:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of three Active Directory domains named Certkiller .com,
us. Certkiller .com and uk. Certkiller .com respectively. These three domains are located
in one site. The following exhibit illustrates the Certkiller .com network structure:
Exhibit:

All servers and domain controllers in the Certkiller .com forest run Windows 2000
Server. All operations master roles are in their default locations.
You have been given the task to upgrade the domain controllers in us. Certkiller .com
to Windows Server 2003. You thus need to take the appropriate steps that are
required to prepare the forest for the impending deployment of the upgrade.
What should you do?

A. Prepare all domains in the forest starting with Certkiller .com.
B. Prepare Certkiller .com and us. Certkiller .com.
C. Prepare us. Certkiller .com only.
D. Prepare the forest then prepare all domains in the forest starting with Certkiller .com.
E. Prepare the forest then prepare Certkiller .com and then us. Certkiller .com.
F. Prepare the forest then prepare us. Certkiller .com.

Answer: E

Explanation: To update the schema you need to perform two actions: prepare the forest by
running adprep with the /forestprep switch on the domain controller that holds the
schema master operations role. Then you should wait for the schema changes to be
replicated to all domain controllers that hold the infrastructure operations master role in all
the domains. Then you prepare the domain where you want to install the first Windows
Server 2003 domain controller, using the adprep command with the /domainprep switch.
Incorrect answers:
A: You do not need to prepare all the domains since not all of them are destined to get
Windows Server 2003 domain controllers.
B: You first need to prepare the forest.
C: This will be insufficient preparation.
D: You do not need to prepare all the domains since not all of them are destined to get
Windows Server 2003 domain controllers.
F: This is partly correct, but you also need to prepare the Certkiller .com domain since it is
the parent domain.
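The forestprep/domainprep sequence from questions 38 and 41, written out as an added example that is not part of the exam text, together with the checks a practitioner runs around it: which domain controller holds which role, whether the schema extension has replicated before domainprep is attempted, and whether each step left its marker object behind. Assumptions: the Windows Server 2003 CD is drive D:, the forest root is Certkiller.com, and the script is run once on the schema master and once on the infrastructure master of each domain being prepared; it executes adprep only on the host where that step belongs.

```batch
@echo off
REM Added example, not part of the exam text: the adprep sequence from questions 38
REM and 41 with the role and replication checks around it. Assumed: the Windows
REM Server 2003 CD is drive D: and the forest root is Certkiller.com. Run this same
REM script on the schema master first, then on the infrastructure master of the root
REM domain, then on the infrastructure master of the child domain that receives the
REM new domain controllers (uk in question 38, us in question 41); it only runs adprep
REM where the step belongs. Set DOMAIN_DN to the DN of the domain you are running in.
setlocal
set CD=D:\i386
set ROOT_DN=DC=Certkiller,DC=com
set DOMAIN_DN=DC=Certkiller,DC=com

REM Role holders; "dsquery server -o rdn" prints the server object's name, which is
REM the computer name, quoted. %%~S strips the quotes.
for /f "usebackq delims=" %%S in (`dsquery server -forest -hasfsmo schema -o rdn`) do set SCHEMA_MASTER=%%~S
for /f "usebackq delims=" %%S in (`dsquery server -domain %USERDNSDOMAIN% -hasfsmo infr -o rdn`) do set INFRA_MASTER=%%~S
echo Schema master: %SCHEMA_MASTER%
echo Infrastructure master of %USERDNSDOMAIN%: %INFRA_MASTER%

REM Schema version as this domain controller sees it: 13 = Windows 2000, 30 = Windows Server 2003.
dsquery * "CN=Schema,CN=Configuration,%ROOT_DN%" -scope base -attr objectVersion

REM Step 1: /forestprep only on the schema master, logged on with Schema Admins and
REM Enterprise Admins membership, after a system state backup (the extension is permanent).
if /i "%COMPUTERNAME%"=="%SCHEMA_MASTER%" (
  %CD%\adprep.exe /forestprep
  REM Push the extended schema to the other domain controllers now rather than waiting
  REM for the replication schedule: /A all partitions, /e across site links, /P push.
  repadmin /syncall %COMPUTERNAME% /A /e /P
) else (
  echo Not the schema master: /forestprep skipped on this host.
)

REM Step 2: /domainprep on the infrastructure master of each domain to be prepared,
REM but only once the forestprep changes have replicated here; otherwise adprep stops
REM with the error mentioned in question 38. The ForestUpdates marker is that evidence.
if /i "%COMPUTERNAME%"=="%INFRA_MASTER%" (
  dsquery * "CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,%ROOT_DN%" -scope base -attr revision >nul 2>&1
  if errorlevel 1 (
    echo forestprep has not replicated to this domain controller yet; retry later.
  ) else (
    %CD%\adprep.exe /domainprep
  )
) else (
  echo Not the infrastructure master of %USERDNSDOMAIN%: /domainprep skipped on this host.
)

REM The per-domain marker exists only after domainprep completed in DOMAIN_DN.
dsquery * "CN=Windows2003Update,CN=DomainUpdates,CN=System,%DOMAIN_DN%" -scope base -attr revision
endlocal
```

Running it on the wrong host is harmless by design: the role checks print where each step has to be performed instead of running adprep, which is the mistake both questions' wrong answers describe.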

QUESTION 42:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. Seven Active Directory sites have been
created.
Certkiller .com is a developing company and expansion is planned for one of the
several branch offices. A total of 50 new users are to be added to this branch office.
The distance between this specific branch office and the head quarters is in excess of
700 miles. There are currently no domain controllers at this location and the
connection between these two offices is a 256 Kbps WAN connection that is quite
unreliable and congested at times. You have been instructed to configure a new site
for the branch office.
To this end you want to install a replica domain controller in the new site; however,
you do have some reservations insofar as the replication over the WAN link is
concerned. You also want to accomplish this task in the shortest time possible with
the least amount of monetary expense to the company.
What should you do? (Each correct answer presents part of the solution. Choose
three.)

A. Allow replication to occur.
B. Ship the backup set to the branch office "new" site.
C. Ship the domain controller to the branch office "new" site.
D. Configure a site link using SMTP between the branch office and the head quarters.
E. Force replication from a head quarters domain controller.
F. Back up the system state data on a domain controller in the head quarters.
G. Install the replica domain controller at the head quarters.
H. Restore Active Directory to the new replica domain controller.

Answer: B, F, H

Explanation: To create a replica domain controller, Windows Server 2003 has the Install
Replica from Media option, which allows you to create the initial replication source from a
backup of an existing domain controller or global catalog server. The backup files must
be generated by an Active Directory-aware backup utility and can then be transported or
shipped to the remote location for restoration. Using this method reduces the time required
for a domain controller to become fully replicated over a slow and unreliable WAN
connection such as the one mentioned in the question. The replica is created by installing
Windows Server 2003 on the target computer and running dcpromo. Thus you should
back up the system state data on a headquarters domain controller, ship the backup set to
the new site and then restore Active Directory to the new domain controller.
Incorrect answers:
A: You should not allow replication to occur over the slow, unreliable WAN link. This is
not a speedy solution.
C: You do not need to ship a domain controller to the new site; you can save time by
promoting a member server to domain controller. Furthermore, you would be incurring
extra costs for the company.
D: This is not advisable; a domain controller must be installed in the remote location and
a site configured to allow for the creation of a site link.
E: There is no need to force replication from a headquarters domain controller. This will
take time.
G: The replica should be installed in the new branch office site.
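The three steps of the correct answer (back up system state, ship it, restore and promote from media), as an added example that is not part of the exam text, with the two checks that decide whether the method is safe: the tombstone lifetime the backup must stay within, and a replication check once the new replica is up. The server name CERTKILLER-DC01, the paths D:\IFM\sysstate.bkf and C:\IFM, and the job label are assumptions.

```batch
@echo off
REM Added example, not part of the exam text: the Install from Media steps behind
REM answers B, F and H of question 42. Assumed names: CERTKILLER-DC01 is a
REM headquarters domain controller, the backup is written to D:\IFM\sysstate.bkf, and
REM the branch server restores it to C:\IFM. Run as Domain Admins.

REM --- Part A, on CERTKILLER-DC01 at headquarters ---
REM Check the tombstone lifetime first: the backup must be restored before it expires
REM (60 days in a forest created with Windows Server 2003 RTM; an empty result means
REM the default applies), otherwise the new replica would reintroduce objects that were
REM deleted after the backup was taken.
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Certkiller,DC=com" ^
  -scope base -attr tombstoneLifetime
REM System state = Active Directory database, SYSVOL, registry, certificate store, boot files.
ntbackup backup systemstate /J "IFM source for branch site" /F "D:\IFM\sysstate.bkf"
REM The .bkf contains every domain account's password hashes. Encrypt it before it
REM leaves the building and ship it by a traceable courier; a lost copy is a
REM domain-wide credential compromise and must be handled as one.

REM --- Part B, on the branch server after Windows Server 2003 is installed ---
REM Restore the system state from the shipped .bkf to an alternate location (NTBackup:
REM Restore and Manage Media, "Restore files to: Alternate location", C:\IFM). Then
REM start the Active Directory Installation Wizard in advanced mode; only that mode
REM offers "From these restored backup files" as the replication source:
dcpromo /adv
REM Only objects changed since the backup now cross the 256 Kbps link.

REM --- Part C, on the new replica after promotion: confirm it is in sync ---
repadmin /showrepl
dcdiag /test:replications /test:advertising
```

If the tombstoneLifetime check shows the backup would be older than the lifetime by the time it reaches the branch, take a fresh backup instead of using the shipped one; restoring an expired backup is the one way this method makes replication worse rather than better.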

QUESTION 43:

DRAG DROP
You work as the network engineer at Certkiller .com. Certkiller .com has
headquarters in Chicago and branch offices in Paris, Berlin, Stockholm,
Marrakech, Minsk, Delhi, Abu Dhabi, Perth, Johannesburg, Miami, Dallas, Buenos
Aires, and Rio de Janeiro. The Paris, Berlin, Stockholm, Marrakech, Minsk, Delhi,
Abu Dhabi, Perth, and Johannesburg offices have domain controllers that run
Windows 2000 Advanced Server, whereas the Chicago, Miami, Dallas, Buenos
Aires, and Rio de Janeiro offices all have domain controllers that run Windows
Server 2003.
Your job description includes the setting up of domain and forest functional levels
in the Certkiller .com company network. You have been commissioned to achieve the
highest level of forest and domain functionality for the company network.
What should you do? To answer, choose from the appropriate functional levels and
place them on the appropriate places in the work area. You may use a functional
level more than once if required.

Answer:

Explanation:
The domain functional level should be set at Windows 2000 native and the Forest
functional level should be set at Windows 2000.
When all of your domain controllers are running either Windows 2000 Server or
Windows Server 2003, the forest functional level should be set at Windows 2000 and the
domain functional level should be set at Windows 2000 native to achieve the highest
possible functional level under the circumstances.
Incorrect answers:
The forest functional levels are: Windows 2000, Windows Server 2003, and Windows
Server 2003 interim.
The domain functional levels are: Windows 2000 mixed, Windows 2000 native,
Windows Server 2003, and Windows Server 2003 interim.
Windows 2000 mixed is used when there are Windows NT 4.0 backup domain
controllers.
Windows Server 2003 is used when ALL the domain controllers are running Windows
Server 2003.
Windows Server 2003 interim is a special functional level used to support Windows NT
4.0 and Windows Server 2003 domain controllers.

QUESTION 44:

You work as the enterprise administrator as part of the infrastructure team at
Certkiller .com. The Certkiller .com logical network consists of a parent domain
named Certkiller .com and two child domains named us. Certkiller .com and
uk. Certkiller .com respectively. The domain functional levels for all three domains are
Windows 2000 Native.
The following exhibit illustrates the Certkiller .com network structure:
Exhibit:

You are currently busy migrating the Windows 2000 environment to Windows
Server 2003. All the Certkiller .com domain controllers have been upgraded to
Windows Server 2003. The domain controllers in us. Certkiller .com and
uk. Certkiller .com still run Windows 2000 Server.
A new company directive states that the naming convention used for the naming of
the domain controllers in the root domain should be changed to the naming
convention used in the child domains us. Certkiller .com and uk. Certkiller .com. The
infrastructure team has been tasked to change the naming convention accordingly.
You are now required to rename all domain controllers in Certkiller .com. However,
prior to renaming domain controllers there are some required steps that need to be
performed that will allow you to change the names of the domain controllers. You
need to perform these tasks to prepare the network environment.
What should you do?

A. The domain functional level of Certkiller .com, us. Certkiller .com and uk. Certkiller .com
should be raised to Windows Server 2003.
B. The domain functional level of Certkiller .com should be raised to Windows server
2003, and the forest functional level to Windows Server 2003.
C. The domain functional level of Certkiller .com should be raised to Windows Server
2003.
D. The forest functional level should be changed to Windows Server 2003.

Answer: C

Explanation: There are two requirements that have to be fulfilled before changing the
name of a Windows Server 2003 domain controller. 1. The user performing the task must
have Domain Admins group or Enterprise Admins group membership in Active
Directory. 2. The domain in which the domain controllers are hosted must operate at
Windows Server 2003 domain functional level. This is usually achieved when all the
domain controllers have been upgraded to Windows Server 2003. Thus you should be
raising the Certkiller .com domain functional level to Windows Server 2003.
Incorrect answers:
A: The domain controllers in the root domain, i.e. Certkiller .com, must be renamed, and all
the domain controllers in the child domains will remain the same; thus only the domain in
which the domain controllers are to be renamed is required to operate at Windows Server
2003 functional level.
B: This is not a necessary action. The changing of the forest functional level is not a
requirement to rename domain controllers.
D: The forest functional level cannot be changed to Windows Server 2003, firstly it is not
a requirement for renaming domain controllers; and secondly you would need all the
domain controllers to be running Windows Server 2003.

QUESTION 45:

You work as a network administrator at Certkiller .com. The Certkiller .com network
consists of an Active Directory forest that comprises many domains. The forest root
domain is named Certkiller .com. The exhibit below illustrates the domains in the
Certkiller .com forest:
Exhibit:

The following table displays the domain functional levels of each of the domains:

Since the company is developing, over a period of six months, all the domain
controllers in the forest have been upgraded to Windows Server 2003. The CIO thus
gave you instruction to raise the forest functional level to Windows Server 2003.
You thus need to prepare the forest for the functional level to be raised successfully.
What should you do? (Each correct answer presents part of the solution. Choose all
that apply.)

A. Raise the us. Certkiller .com functional level.
B. Raise the uk. Certkiller .com functional level.
C. Raise the research.testlab.com functional level.
D. Raise the testlab.com functional level.
E. Raise the team.research.testlab.com functional level.

Answer: A, C, E

Explanation: You need to raise the functional level of us.Certkiller.com,
research.testlab.com, and team.research.testlab.com to either Windows 2000 native or
Windows Server 2003 before you can raise the forest functional level successfully. You
cannot raise the forest functional level to Windows Server 2003 unless the functional
level of each domain in the forest is set to at least Windows 2000 native.
Incorrect answers:
B: The uk. Certkiller .com functional level is already at Windows 2000 native and does not
require raising to accommodate the raising of the forest functional level.
D: The testlab.com functional level is already at Windows 2000 native and does not
require raising to accommodate the raising of the forest functional level.
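The table of functional levels that question 45 relies on did not survive extraction, so here is how an administrator collects that information before raising the forest level, as an added example that is not part of the exam text. It covers questions 43 to 45: the forest level, each domain's level, and the mixed/native distinction that the level value alone does not expose. The domain DNs are those named in questions 44 and 45; read access to the directory is sufficient.

```batch
@echo off
REM Added example, not part of the exam text: survey the functional levels before
REM raising the forest level (questions 43 to 45). Assumes the forest root is
REM Certkiller.com and the domains named in questions 44 and 45.
REM msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
REM 2 = Windows Server 2003. Level 0 covers both Windows 2000 mixed and native;
REM ntMixedDomain on the domain object separates them (1 = mixed, 0 = native).
REM The forest can be raised to Windows Server 2003 only when every domain is at
REM least Windows 2000 native, as question 45's explanation states.

echo == Forest functional level (stored on CN=Partitions) ==
dsquery * "CN=Partitions,CN=Configuration,DC=Certkiller,DC=com" -scope base -attr msDS-Behavior-Version

echo == Domain functional levels ==
for %%D in ("DC=Certkiller,DC=com" "DC=us,DC=Certkiller,DC=com" "DC=uk,DC=Certkiller,DC=com" ^
            "DC=testlab,DC=com" "DC=research,DC=testlab,DC=com" "DC=team,DC=research,DC=testlab,DC=com") do (
  echo %%~D
  dsquery * %%D -scope base -attr msDS-Behavior-Version ntMixedDomain
)

echo == Domain controllers still running Windows 2000 (no domain can be raised past them) ==
REM userAccountControl bit 8192 marks a domain controller account; operatingSystemVersion
REM starts with 5.0 for Windows 2000 and 5.2 for Windows Server 2003. The global catalog
REM is queried so that every domain in the forest is covered in one pass.
dsquery * forestroot -gc -filter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)(operatingSystemVersion=5.0*))" ^
  -attr name operatingSystem operatingSystemVersion
```

Read the output bottom up: any Windows 2000 domain controller listed in the last query blocks the Windows Server 2003 level for its domain (question 43), any domain with ntMixedDomain 1 blocks the forest level (question 45), and raising is one-way, so the survey is worth repeating right before the change.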

QUESTION 46:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest. The functional level of the forest
is set at Windows 2000. The domain controllers on the network run either Windows
2000 Server or Windows Server 2003.
Your job description includes the setting up and management of the company
network's functional levels. You have been commissioned to restructure the forest
and raise the functional level to Windows Server 2003. You also need to reassign a
Windows 2000 Server domain controller with Service Pack 4 to a different domain
and then upgrade it to Windows Server 2003. To this end you complete the
necessary tasks up to the point where you disconnected the server from the network
to move it to its new location.
What should you do next?

A. Configure the server to leave its original domain.
Upgrade the server to Windows Server 2003.
Reconnect the server to the network and join it to the new domain.
B. Move the computer object for the domain controller from the old domain to the new
domain in Active Directory Users and Computers.
Reconnect the server to the network and then upgrade the server to Windows Server
2003.
C. Demote the domain controller to a stand-alone server.
Upgrade the server to Windows Server 2003.
Remove the relevant information from Active Directory and reconnect the server to the
network.
Promote the server to a domain controller in the new domain.
D. Move the server object for the domain controller from the old container to the new
domain container in Active Directory Domains and Trusts.
Configure the server to leave its original domain.
Reconnect the server to the network and join the server to the new domain.
Upgrade the server to Windows Server 2003.

Answer: C

Explanation: You already disconnected the domain controller without demoting it; you thus need to
first demote the domain controller to a stand-alone server. Because the other domain
controllers do not know of this demotion, you should remove the metadata associated
with the demoted domain controller from Active Directory using the Ntdsutil utility.
Only then you may reconnect the server to the network, and then promote it to a domain
controller in the new domain. The actual upgrade of the domain controller to Windows
Server 2003 may happen at any time: either after forceful demotion and metadata
cleanup, before reconnection or even after reconnection or after promotion to domain
controller in the new domain.
Incorrect answers:
A: You cannot configure a domain controller to leave its own domain without first
demoting it to a member server.
B: You cannot move a computer in Active Directory Users and Computers between
domains.
D: There are no server objects in Active Directory Domains and Trusts.
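The forced demotion and the Ntdsutil metadata cleanup that the explanation describes, as an added example that is not part of the exam text. Assumed names: the moved domain controller is CERTKILLER-DC07 in a site named HQ of the Certkiller.com domain, and CERTKILLER-DC01 is a domain controller that stays behind. The second part relies on the Windows Server 2003 SP1 (or later) build of ntdsutil, whose metadata cleanup accepts the server's distinguished name directly instead of the interactive select-by-number menus.

```batch
@echo off
REM Added example, not part of the exam text: the forced demotion and metadata cleanup
REM from question 46. Assumed names: CERTKILLER-DC07 is the disconnected domain
REM controller, in site HQ of domain Certkiller.com; CERTKILLER-DC01 is a remaining
REM domain controller of that domain. Requires the Windows Server 2003 SP1 (or later)
REM ntdsutil for the DN form of "remove selected server".

REM --- On the disconnected server itself: demote without contacting any partner.
REM Supported on Windows 2000 SP4 and Windows Server 2003; the machine ends up as a
REM stand-alone server in a workgroup, which is what answer C's first step requires.
dcpromo /forceremoval

REM --- On CERTKILLER-DC01, as Enterprise Admins: the other domain controllers never
REM saw the demotion, so the NTDS Settings and server objects for DC07 are still in the
REM configuration partition and replication partners keep trying to reach it.
set SERVER_DN=CN=CERTKILLER-DC07,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=Certkiller,DC=com
ntdsutil "metadata cleanup" "connections" "connect to server CERTKILLER-DC01" "quit" ^
  "remove selected server %SERVER_DN%" "quit" "quit"

REM --- Checks: nothing should still describe DC07 as a domain controller, and no DNS
REM record should still send clients or replication partners to its old address.
dsquery server -name CERTKILLER-DC07
dsquery computer "OU=Domain Controllers,DC=Certkiller,DC=com" -name CERTKILLER-DC07
dnscmd CERTKILLER-DC01 /EnumRecords Certkiller.com CERTKILLER-DC07
REM If the host record is still listed, remove it; the SRV records under _msdcs, _sites,
REM _tcp and _udp that name CERTKILLER-DC07 need the same treatment.
REM   dnscmd CERTKILLER-DC01 /RecordDelete Certkiller.com CERTKILLER-DC07 A /f

REM Only after the cleanup has replicated is the server reconnected, upgraded to
REM Windows Server 2003 and promoted into the new domain (dcpromo), in the order
REM question 46 gives.
```

Both dsquery checks are expected to return nothing; a hit means the cleanup did not remove every object and the leftover should be deleted before the server is promoted into the new domain, or the new promotion will conflict with the stale account.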

QUESTION 47:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains several domains
each of which further contain child domains. The functional level of the forest is set
at Windows Server 2003.
You are currently busy creating a shared folder on a file server named
Certkiller -FS03. This shared folder is intended for use in one of the child domains
in the forest. Certkiller .com has a partner company and in this company there is a
group of employees who will also require access to this shared folder. This group of
users all belong to an Active Directory child domain in another forest. You received
instruction from the CIO to grant that group of employees in the partner company
access to the shared folder. You now need to comply with the instruction, but you do
not want these users to be able to access any other resources on the Certkiller .com
forest.
What should you do?

A. An external trust with domain-wide authentication should be created.
B. A forest trust with domain-wide authentication should be created.
C. An external trust with selective authentication should be created.
D. A forest trust with selective authentication should be created.

Answer: C

Explanation: An external trust is a one-way or two-way non-transitive trust between a
local domain and a domain in another forest, or between a local domain and a Windows
NT domain. An external trust from the domain where Certkiller -FS03 resides to the
partner company domain where users require access to a resource in your forest will
allow those users to authenticate directly to your resource domain.
Selective authentication allows users from a trusted domain access only to those resources to
which they are explicitly allowed to authenticate.
Incorrect answers:
A: Domain-wide authentication means that users from a trusted domain will have the
same level of access to local resources that it provides users from the local forest. Though
an external trust creation would be correct, the domain-wide authentication will cause
problems.
B: A forest trust is a one-way or two-way transitive trust between two forests that
operates on the same functional level. You cannot create a forest trust with domain-wide
authentication in this case: it would expose the Certkiller .com resources to the partner
company and it is also not mentioned that the functional level of the partner forest is set
at Windows Server 2003. Domain-wide authentication means that users from a trusted
domain will have the same level of access to local resources that it provides users from
the local forest.
D: A forest trust is a one-way or two-way transitive trust between two forests that
operates on the same functional level. You cannot create a forest trust with selective
authentication in this case: it is not mentioned that the functional level of the partner
forest is set at Windows Server 2003.

QUESTION 48:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains several domains
each of which further contain child domains. The functional level of the forest is set
at Windows Server 2003.
A file server named Certkiller -SR05 hosts a shared folder that is being used by
certain users and groups in the domain. Part of your job description includes the
management of access to resources on the Certkiller .com network. You are currently
busy reviewing access permissions for this shared folder on Certkiller -SR05.
However, you discover that one entry in the list of security principals is displayed as
a Security ID (SID) instead of a user name or even group name that it is supposed to
represent. The following exhibit illustrates the access permissions:
Exhibit:

What could be the cause of this type of display output? (Each correct answer
presents a complete solution. Choose three.)

A. The deletion of an incoming trust with an external domain.
B. The deletion of an outgoing trust with an external domain.
C. A disabled user account.
D. A deleted user account.
E. A renamed user account.
F. The absence of domain controllers for the trusting domain due to a network failure.
G. The absence of domain controllers for the trusted domain due to a network failure.

Answer: B, D, G

Explanation: The direction of a trust is from a trusting domain toward a trusted domain,
thus a trusting domain has an outgoing trust with a trusted domain. Any user accounts,
global and universal groups in the trusted domain are visible and can be assigned
permissions for resources in the trusting domain. But if an outgoing trust becomes
unavailable due to network failure for instance, then the security principals from the
trusted domain that are specified in Access Control Lists (ACLs) are represented by their
SIDs and not the common names.
SIDs also appear in the ACL whenever a valid user account with the proper permissions
for the resource has been deleted.
Incorrect answers:
A: A trust, per definition, is named from the trusting domain to the trusted domain
rendering this option invalid, since it should rather read trusted domain.
C: A disabled user account's representation in the ACL does not change.
E: A renamed user account's representation is automatically changed to the new user
name.
F: As per the definition, a trust is named from the trusting domain to the trusted domain,
thus this is incorrect to talk about the trusting domain. Instead the option should read the
trusted domain.
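The following PowerShell script is an added example, not part of this exam guide: it audits a folder's ACL for the unresolved-SID entries described above and labels each one as belonging to the local domain (a deleted account is the usual cause) or to a foreign domain (a removed or unreachable outgoing trust is the usual cause). The share path and the optional local domain SID parameter are assumed values to replace with your own.

```powershell
# Added example (not from the exam guide): audit a folder's ACL for unresolved SIDs.
# Needs only Windows PowerShell; run it on the file server that hosts the share.
param(
    [string]$Path = 'D:\Shares\Data',   # assumed share path, replace with the folder under review
    [string]$LocalDomainSid             # optional, e.g. the value of (Get-ADDomain).DomainSID
)

function Get-UnresolvedAce {
    param(
        [Parameter(Mandatory)][string]$FolderPath,
        [string]$DomainSid
    )

    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference

        # Get-Acl returns an NTAccount when the name resolves; an entry that is still a
        # SecurityIdentifier is exactly what the Permissions dialog shows as a raw SID.
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) { continue }

        # Try once more, in case the earlier lookup failed only transiently.
        $resolved = $false
        try {
            $null = $id.Translate([System.Security.Principal.NTAccount])
            $resolved = $true
        } catch {
            # IdentityNotMappedException (or an unreachable DC): genuinely unresolvable
        }
        if ($resolved) { continue }

        # Domain SIDs look like S-1-5-21-a-b-c-RID; AccountDomainSid strips the RID,
        # so it tells us which domain the orphaned principal came from.
        $origin = 'Unknown (no domain component)'
        if ($id.AccountDomainSid) {
            if ($DomainSid -and $id.AccountDomainSid.Value -eq $DomainSid) {
                $origin = 'Local domain (likely deleted account)'
            } elseif ($DomainSid) {
                $origin = 'Foreign domain (likely removed or unreachable outgoing trust)'
            } else {
                $origin = "Domain $($id.AccountDomainSid.Value)"
            }
        }

        [pscustomobject]@{
            Path       = $FolderPath
            Sid        = $id.Value
            Origin     = $origin
            Rights     = $ace.FileSystemRights
            AccessType = $ace.AccessControlType
            Inherited  = $ace.IsInherited
        }
    }
}

Get-UnresolvedAce -FolderPath $Path -DomainSid $LocalDomainSid | Format-Table -AutoSize
```

Inherited entries reported here point at a parent folder's ACL, so clean up there rather than on the share itself.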

QUESTION 49:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest and a UNIX-based Kerberos V5
realm. The UNIX-based Kerberos V5 realm consists of the two child domains
named Certkiller .com, us. Certkiller .com and uk. Certkiller .com respectively. These three
domains are located in one site. The following exhibit illustrates the Certkiller .com
forest structure:
Exhibit:

You received instruction from the CIO to allow the UNIX users in the child domains
access only to the resources that they require. They should NOT have access to the
resources in the forest root domain. You thus need to configure the appropriate
trust / trusts in Active Directory to carry out this task.
What should you do?

A. You should configure one outgoing transitive trust relationship.
B. You should configure two outgoing non-transitive trust relationships.
C. You should configure one incoming transitive trust relationship.
D. You should configure two incoming non-transitive trust relationships.

Answer: B

Explanation: A trust, per definition, is named from the trusting domain to the trusted
domain. It is possible to configure an Active Directory domain and a non-Windows
Kerberos V5 domain with either one-way or two-way transitive or non-transitive trust
relationships. In this scenario the two child domains must trust the security principals in
the realm. Thus you should configure an outgoing trust from each of the child domains:
one outgoing non-transitive trust from each child domain.
Incorrect answers:
A: Transitivity means that trusts can be chained; this would not be advisable in this
scenario.
C: Transitive trusts, outgoing, between any of the domains and the realm would allow
UNIX users the ability to access resources, for which they have permissions, in any
domain in the forest including the forest root domain.
D: Incoming trusts would be required if Windows users were to access resources in the
realm.

QUESTION 50:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a forest that contains three Active Directory domains named
Certkiller .com, us. Certkiller .com and uk. Certkiller .com respectively. These three
domains are located in one site.
Certkiller .com is involved in a joint venture with a partner company named
TestLab.com. Similarly to Certkiller .com, the TestLab.com network consists of a
forest that contains three Active Directory domains named testlab.com,
east.testlab.com and west.testlab.com respectively. These three domains are located
in one site. The functional levels of both forests are set at Windows Server 2003. The
following exhibit illustrates the Certkiller .com and TestLab.com networks:
Exhibit:

You have been given instruction to set up the appropriate trust relationship between
the two forests. Following is a list of requirements for the trust relationship that you
should set up for the joint venture:
1. The us. Certkiller .com users require access to resources that are located in the
west.testlab.com domain.
2. The TestLab.com administrators must have the ability to assign permissions for
resources in west.testlab.com only to users from the us. Certkiller .com domain.
3. The Certkiller .com administrators should not have the ability to assign
permissions in the TestLab.com domains to the TestLab.com users.
You now need to set up a trust relationship with the appropriate characteristic that
will comply with all the requirements with the cooperation of a TestLab.com
administrator.
What should you do? (Each correct answer presents part of the solution. Choose
three.)

A. You should configure an external trust relationship.
B. You should configure a forest trust relationship.
C. You should configure a transitive trust relationship.
D. You should configure a non-transitive trust relationship.
E. You should configure an outgoing trust relationship.
F. You should configure an incoming trust relationship.

Answer: A, D, F

Explanation: Type, direction, and transitivity are the three main attributes of trusts that
can exist in a Windows Server 2003 forest.
An external trust is a trust between a domain in a forest and another domain outside the
forest. This second domain can belong to another forest.
A trust, by definition, is named from the trusting domain to the trusted domain, i.e. from
resources toward security principals. Thus you should configure an incoming trust
relationship.
Transitivity means that two or more separate trusts can be chained. In this scenario you
would require a non-transitive trust. An external trust is by definition non-transitive.
Incorrect answers:
B: A forest trust is a trust between all domains in one forest and all domains in another
forest. This would not comply with all the requirements.
C: A transitive trust relationship would mean an internal trust relationship and this
scenario requires an external trust relationship which by definition is non-transitive.
E: You should be configuring an incoming trust relationship rather than an outgoing one
because the direction of a trust relationship is from resources toward security principals.

QUESTION 51:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a forest that contains three Active Directory domains named
Certkiller .com, us. Certkiller .com and uk. Certkiller .com respectively. These three
domains are located in one site.
Certkiller .com is involved in a joint venture with a partner company named
TestLab.com. Similarly to Certkiller .com, the TestLab.com network consists of a
forest that contains three Active Directory domains named testlab.com,
east.testlab.com and west.testlab.com respectively. These three domains are located
in one site. The functional levels of both forests are set at Windows Server 2003. The
following exhibit illustrates the Certkiller .com and TestLab.com networks:
Exhibit:

You have been given instruction to set up the appropriate trust relationship between
the two forests. Following is a list of requirements for the trust relationship that you
should set up for the joint venture:
1. The us. Certkiller .com users require access to resources that are located in the
west.testlab.com domain.
2. The TestLab.com administrators must have the ability to assign permissions for
resources in west.testlab.com only to users from the us. Certkiller .com domain.
3. The Certkiller .com administrators should NOT have the ability to assign
permissions in their domains to the TestLab.com users.
You now need to set up an appropriate trust relationship that will comply with all
the requirements in cooperation with a TestLab.com administrator.
What should you do?

A. You should configure a forest trust with TestLab.com forest trusting Certkiller .com
forest.
B. You should configure a forest trust with Certkiller .com forest trusting TestLab.com
forest.
C. You should configure an external trust with west.testlab.com domain trusting
us. Certkiller .com domain.
D. You should configure an external trust with us. Certkiller .com domain trusting
west.testlab.com domain.

Answer: C

Explanation: An external trust is a trust between a domain in a forest and another
domain outside the forest. This second domain can belong to another forest. A trust, by
definition, is named from the trusting domain to the trusted domain, i.e. from resources
toward security principals. Thus you should configure the external trust relationship
where west.testlab.com trusts the account domain, which is us. Certkiller .com.
Incorrect answers:
A: A forest trust is a trust between all domains in one forest and all domains in another
forest. This would not comply with all the requirements.
B: A forest trust is a trust between all domains in one forest and all domains in another
forest. This would not comply with all the requirements.
D: You should be configuring an incoming trust relationship rather than an outgoing one
because the direction of a trust relationship is from resources toward security principals.
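As an added example (not from the exam guide) covering both the selective-authentication point of QUESTION 47 and the trust direction discussed in QUESTIONS 50 and 51, the PowerShell below lists the current domain's trusts with their type, direction, transitivity and authentication scope, and flags outgoing trusts that still grant domain-wide authentication. It assumes the RSAT ActiveDirectory module is available; the TrustAttributes bit used for transitivity and the TrustType value for realm trusts are taken from the documented trust attribute flags.

```powershell
# Added example (not from the exam guide): report the local domain's trusts and flag
# outgoing trusts whose partner users get domain-wide rather than selective authentication.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustReport {
    param([string]$Server)   # optional domain controller to query

    $query = @{ Filter = '*'; Properties = 'TrustAttributes' }
    if ($Server) { $query.Server = $Server }

    foreach ($t in Get-ADTrust @query) {
        $type = if ($t.IntraForest)                  { 'Internal (same forest)' }
                elseif ($t.ForestTransitive)         { 'Forest' }
                elseif ("$($t.TrustType)" -eq 'MIT') { 'Realm (Kerberos V5)' }
                else                                 { 'External' }

        # Direction is relative to the queried (local) domain. 'Outbound' means this domain
        # is the trusting domain: the partner's security principals can be given access here.
        $direction = "$($t.Direction)"
        $exposesLocalResources = $direction -in @('Outbound', 'BiDirectional')

        $finding = ''
        if ($exposesLocalResources -and -not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $finding = 'Domain-wide authentication: partner users become Authenticated Users here'
        }

        [pscustomobject]@{
            Partner       = $t.Name
            Type          = $type
            Direction     = $direction
            # TRUST_ATTRIBUTE_NON_TRANSITIVE is bit 0x1 of trustAttributes
            Transitive    = -not ($t.TrustAttributes -band 0x1)
            SelectiveAuth = [bool]$t.SelectiveAuthentication
            Finding       = $finding
        }
    }
}

Get-TrustReport | Sort-Object Finding -Descending | Format-Table -AutoSize
```

Run it from the resource (trusting) domain, since the selective-authentication setting is stored on that side of the trust.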

QUESTION 52:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domain trees.
Each of these domains contains five domain controllers each. The following exhibit
illustrates the company's network structure:
Exhibit:

The us. Certkiller .com domain users often need access to the resources that are located
on the west.testlab.com domain. Although the us. Certkiller .com domain users are able
to access resources on the west.testlab.com domain, they complain about very slow
access. You thus receive instruction from the CIO to address the problem. You now
need to find a way to speed up the access for the us. Certkiller .com users in the
west.testlab.com domain.
What should you do?

A. A realm trust from the west.testlab.com domain to the us. Certkiller .com domain should
be created.
B. A realm trust from the us. Certkiller .com domain to the west.testlab.com domain should
be created.
C. An external trust from the west.testlab.com domain to the us. Certkiller .com domain
should be created.
D. An external trust from the us. Certkiller .com domain to the west.testlab.com domain
should be created.
E. A shortcut trust from the west.testlab.com domain to the us. Certkiller .com domain
should be created.
F. A shortcut trust from the us. Certkiller .com domain to the west.testlab.com domain
should be created.

Answer: E

Explanation: Shortcut trusts are also transitive trusts. Transitivity means that two or
more separate trusts can be chained. Thus shortcut trusts between two distant domains
will optimize the authentication process. A shortcut trust will result in a shortened path
between the two domains involved. Furthermore shortcut trusts can either be one-way or
two-way. In this scenario you should be creating a shortcut trust from west.testlab.com to
us. Certkiller .com.
Incorrect answers:
A: A realm trust is a trust between a non-Windows domain and a Windows Server 2003
domain to accommodate interoperability. This is not what is required in this case because
the question does not mention any differences in functional levels of these domains. The
assumption would thus be that they all have a Windows Server 2003 functional level.
B: A realm trust is a trust between a non-Windows domain and a Windows Server 2003
domain to accommodate interoperability. This is not what is required in this case because
the question does not mention any differences in functional levels of these domains. The
assumption would thus be that they all have a Windows Server 2003 functional level.
C: An external trust is a trust relationship between a domain in a forest and another
domain outside the forest. In this scenario the domains are located in a single forest.
D: An external trust is a trust relationship between a domain in a forest and another
domain outside the forest. In this scenario the domains are located in a single forest.
F: To configure a shortcut trust from us. Certkiller .com domain to west.testlab.com will
result in us. Certkiller .com trusting west.testlab.com and the trust should be the other way
around.

QUESTION 53:

You work as the systems engineer at Certkiller .com. You have been given an Active
Directory site topology design. Your job description includes the implementation of
network design by means of creating sites, site links, and site link bridges.
The design consists of a single Active Directory forest that contains three domains.
These domains are named Certkiller -north.com, Certkiller -south.com, and
Certkiller -west.com respectively. You then implement three sites named Certkiller A,
Certkiller B, and Certkiller C respectively. Each of the three sites hosts a single domain
and domain controller that runs Windows Server 2003. You then configure the
following site links:
1. Site Link AB between Certkiller A and Certkiller B
2. Site Link BC between Certkiller B and Certkiller C
Both site links have persistent T1 connections. The following exhibit illustrates the
network design:
Exhibit:

The IP network is not fully routed and the firewalls at each site are configured to
only allow replication between domain controllers on specific subnets. The
Certkiller A site domain controller named Certkiller -DC01 serves as a global
catalog server. Certkiller -DC01 requires data from the domain controller in the
Certkiller C site.
You want to optimize the communication between site Certkiller A and site
Certkiller B.
What should you do?

A. Disable automatic site link bridging and then implement a site link bridge between
Certkiller A and Certkiller B.
B. Enable automatic site link bridging and then implement a site link bridge between
Certkiller A and Certkiller C.
C. Disable automatic site link bridging and then implement a site link bridge between
Certkiller A and Certkiller C.
D. Enable automatic site link bridging and then implement a site link bridge between
Certkiller B and Certkiller C.

Answer: C

Explanation: You want to disable automatic site link bridging so that you will be able to
create a custom site link bridge that will correspond to the actual routing behavior of the
network as described in the question. It is mentioned in the question that this is not a
fully routed IP network, thus you will have to create a site link bridge between Certkiller A
and Certkiller C.
Incorrect answers:
A: Disabling automatic site link bridging is correct but then you should also create a
custom site link bridge between Certkiller A and Certkiller C instead of with Certkiller B
involved since there is already a site link between these two sites.
B: Enabling automatic site link bridging might result in site link bridges that are created
automatically that may not correspond to the natural most efficient method of transport
between sites.
D: Enabling automatic site link bridging might result in site link bridges that are created
automatically that may not correspond to the natural most efficient method of transport
between sites. Furthermore a link between these two sites would be incorrect.

QUESTION 54:

You work as a systems engineer at Certkiller .com. The Certkiller .com network
consists of a single domain named Certkiller .com. Certkiller .com contains two Active
Directory sites. These two sites are connected via 128 Kb ISDN lines. Each site has
its own domain controllers that run Windows Server 2003.
The Certkiller .com users have been complaining about slow Wide Area Network
(WAN) link over the 128 Kb ISDN lines between the sites. They need these sites to
be optimally accessible since they all require resources that are hosted in both sites.
You then receive instruction from the CIO to address the issue. You now need to
troubleshoot the network. In your efforts you observe that the domain controllers at
each location are replicating across the WAN link throughout the course of the
business day whilst most Certkiller .com users require access to resources in the sites
other than where they are located. All this replication consumes all the bandwidth
for extensive periods of time making it difficult for the Certkiller .com users to carry
out their tasks. You need to alleviate the bandwidth problem.
What should you do? (Each correct answer presents part of the solution. Choose
two.)

A. A Site Link between the two sites should be created.
B. A Site Link bridge between the two sites should be created.
C. The two sites should be merged to form a single site.
D. You should schedule replication to occur at off-peak hours.
E. You should schedule replication to occur at peak hours.
F. A preferred bridgehead server should be configured at each location.

Answer: A, D

Explanation: The two sites are replicating throughout the day over a low availability 128
Kb line which slows down the network considerably. When sites are created they are
associated with the DefaultIPSiteLink site link. The default Active Directory replication
schedule for the DefaultIPSiteLink is set to replicate every three hours. Thus you should
create a new site link using the two sites and then configure replication to stop occurring
during business hours by rescheduling it to take place in off-peak time. (Alternatively you
could change the replication schedule on the DefaultIPSiteLink, but this option is not
available in this question.)
Incorrect answers:
B: A Site Link bridge is used to specify a replication path in the site link topology. Thus
this option is not addressing the issue.
C: If you merge the two sites into a single site, then replication will occur using a change
notification mechanism which would further result in replication within five minutes of
every change to Active Directory.
E: Replication should rather be scheduled to occur at off-peak hours.
F: Configuring a preferred bridgehead server will simply force the server to handle
replication between the sites and will not address the problem.

QUESTION 55:

You work as the systems engineer at Certkiller .com. You have been given an Active
Directory site topology design. Your job description includes the implementation of
network design by means of creating sites, site links, and site link bridges.
The Certkiller .com design consists of four sites named Certkiller A, Certkiller B,
Certkiller C, and Certkiller D respectively. These four sites are connected via Wide
Area Network (WAN) links as the following exhibit illustrates:
Exhibit:

The IP network is fully routed, but the Wide Area Network (WAN) links between
Certkiller A and Certkiller B and between Certkiller C and Certkiller D are unacceptably
slow. Due to this slow WAN link you want to prevent Certkiller B from replicating
directly with Certkiller D. You thus delete the default site link and disable the default
bridging of all the site links. However, you should take care and ensure that all the
other sites will still be able to directly replicate with each other.
What should you do?

A. Create a site link that includes Certkiller A, Certkiller B and Certkiller C.
Create a site link that includes Certkiller A, Certkiller C and Certkiller D.
B. Create a site link that includes Certkiller A, Certkiller B, Certkiller C and Certkiller D.
C. Create three site links between: Certkiller A and Certkiller B; Certkiller A and Certkiller C;
Certkiller C and Certkiller D.
D. Create a site link bridge that includes Certkiller A, Certkiller B, and Certkiller C
Create a site link bridge that includes Certkiller A, Certkiller C and Certkiller D.
E. Create three site link bridges between: Certkiller A and Certkiller B; Certkiller A and
Certkiller C; Certkiller C and Certkiller D.

Answer: A

Explanation: Site links are logical objects that represent the sites' physical connectivity
with each other. The Knowledge Consistency Checker (KCC) assumes that all domain
controllers in the sites that belong to the same link can communicate directly with each
other. If the actual WAN topology does not support direct connectivity among all domain
controllers, then you can delete the default site links and create the appropriate site links
for your network. You can bridge those site links that include at least one common site.
In this scenario you should create two site links: a site link that includes Certkiller A,
Certkiller B and Certkiller C; and a site link that includes Certkiller A, Certkiller C and
Certkiller D.
Incorrect answer:
B: This option is not correct since you need to create site links and not one that includes
all four sites.
C: This is incorrect since this option's site links suggestion will allow Certkiller B to
replicate directly with Certkiller D.
D: Bridges can only include site links, they cannot include sites. Thus this option is
incorrect.
E: Site link bridges can only include site links and not sites.
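The following PowerShell script is an added example (not from the exam guide) for the site link and site link bridge scenarios in QUESTIONS 53 to 55: it reports whether automatic site link bridging is still enabled on the IP transport, lists every site link with its cost and replication frequency, lists the custom bridges, and flags any pair of sites spanned by more than one link. It assumes the RSAT ActiveDirectory module; the 0x2 bit of the transport object's options attribute is the documented NTDSTRANSPORT_OPT_BRIDGES_REQUIRED flag.

```powershell
# Added example (not from the exam guide): audit the IP site link topology.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Turn a DN such as "CN=Certkiller A,CN=Sites,..." into the bare RDN value.
function Get-RdnName([string]$Dn) { (($Dn -split ',')[0]) -replace '^CN=', '' }

function Get-SiteLinkReport {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $transport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" `
                              -Properties options
    # Bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) is set when "Bridge all site links"
    # has been cleared, i.e. when custom site link bridges are honoured.
    $autoBridging = -not ([int]$transport.options -band 0x2)

    $links   = @(Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded)
    $bridges = @(Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded)

    # Count how many links span each pair of sites; more than one breaks a
    # "one site link between any two sites" rule such as the one in QUESTION 56.
    $pairs = @{}
    foreach ($l in $links) {
        $sites = @($l.SitesIncluded | ForEach-Object { Get-RdnName $_ } | Sort-Object)
        for ($i = 0; $i -lt $sites.Count; $i++) {
            for ($j = $i + 1; $j -lt $sites.Count; $j++) {
                $key = "$($sites[$i]) <-> $($sites[$j])"
                if (-not $pairs.ContainsKey($key)) { $pairs[$key] = @() }
                $pairs[$key] += $l.Name
            }
        }
    }

    $note = if ($autoBridging -and $bridges.Count -gt 0) {
                'Custom bridges exist but are ignored while automatic bridging is enabled'
            } elseif ($autoBridging) {
                'KCC assumes the IP network is fully routed'
            } else {
                'Automatic bridging disabled: only the custom bridges below chain site links'
            }

    [pscustomobject]@{
        AutomaticBridging = $autoBridging
        Note              = $note
        Links             = $links | ForEach-Object {
                                [pscustomobject]@{
                                    Name    = $_.Name
                                    Cost    = $_.Cost
                                    FreqMin = $_.ReplicationFrequencyInMinutes   # 180 is the default
                                    Sites   = ($_.SitesIncluded | ForEach-Object { Get-RdnName $_ }) -join ', '
                                }
                            }
        Bridges           = $bridges | ForEach-Object {
                                [pscustomobject]@{
                                    Name  = $_.Name
                                    Links = ($_.SiteLinksIncluded | ForEach-Object { Get-RdnName $_ }) -join ', '
                                }
                            }
        MultiLinkPairs    = @($pairs.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
                                ForEach-Object { "$($_.Key): $($_.Value -join ', ')" })
    }
}

$report = Get-SiteLinkReport
"Automatic site link bridging: $($report.AutomaticBridging) - $($report.Note)"
$report.Links   | Format-Table -AutoSize
$report.Bridges | Format-Table -AutoSize
if ($report.MultiLinkPairs.Count -gt 0) { 'Site pairs with more than one link:'; $report.MultiLinkPairs }
```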

QUESTION 56:

HOTSPOT
You work as the systems engineer at Certkiller .com. Certkiller .com has its
headquarters in Chicago and branch offices in Dallas, Miami, and Ontario. The
Certkiller .com network consists of a single Active Directory forest. You have been
given an Active Directory site topology design. In the Active Directory site topology
design there are four domains, four sites and eight domain controllers. The four
domains are named Certkiller -north.com, Certkiller -south.com, Certkiller -east.com and
Certkiller -west.com; the four sites are named Chicago, Dallas, Miami, and Ontario;
and the eight domain controllers are named CERTKILLER-DC01 through
Certkiller -DC08. Certkiller -DC01, Certkiller -DC02 and Certkiller -DC03
belong to the Certkiller-north.com domain; Certkiller -DC04, Certkiller -DC05,
and Certkiller -DC06 belong to the Certkiller -west.com domain; while
Certkiller -DC07 belong to the Certkiller -east.com domain and Certkiller -DC08
to the Certkiller -south.com domain.
Your job description includes the implementation of network design by means of
creating sites, site links, and site link bridges. You are currently planning a site link
topology. You may NOT use more than one site link between any two sites. You are
compelled to make use of SMTP site links wherever it is possible and feasible.
What should you do? Each place represents a possible SMTP site link. Indicate on
these possible SMTP site links where you would create an SMTP site link. You may
create as many SMTP site links as necessary.

Answer:

Explanation:
When you create a site link you need to specify which transport the site link will use.
Each site link may only use one transport. SMTP transport uses e-mail messages and
therefore does not require direct IP connectivity between two sites. SMTP transport does
not support the replication of domain directory partitions. Hence the SMTP transport
cannot be used for replication between two domain controllers that belong to the same
domain. For SMTP transport to be used for Active Directory replication, an enterprise
certification authority must be available.
In this scenario you can use SMTP site link only between Chicago and Dallas and
between Chicago and Ontario because Chicago does not host common domains with
Miami or Ontario.
Incorrect answers:
You may not use any more site links in this scenario other than the ones mentioned in the
explanation. This is because all other pairs of sites have common domains.
Chicago and Miami both host the Certkiller .com domain. Dallas, Miami and Ontario host
the central. Certkiller .com domains. Thus you could possibly make use of an SMTP site
link along with an IP site link between any two of these sites, but the question states
pertinently that you may not use more than one site link between any two sites.

QUESTION 57:

You work as the enterprise administrator at Certkiller .com. The Certkiller .com
network consists of a two Active Directory domains named Certkiller .com and
testlab.com. The functional level of both these domains is set at Windows Server
2003. Certkiller .com has its headquarters in Chicago and a branch office in Dallas
and each office represents a domain. Each of these offices has two locations. Each of
these locations has been configured as an Active Directory site. Certificate services
have been deployed on the network. The exhibit below illustrates the network
structure.
Exhibit:

1. ChicagoA and ChicagoB are located in the forest root domain named Certkiller .com
2. MiamiA and MiamiB are located in the east.Certkiller.com domain
3. The connection between ChicagoB and MiamiA is an unreliable connection.
Your job description includes the implementation of network design by means of
creating sites, site links, and site link bridges. You have been instructed to ensure
that the Active Directory database is regularly updated over the unreliable link
between these two sites. To this end you need to configure replication between
ChicagoB and MiamiA.
What should you do?

A. An SMTP site link between ChicagoB and MiamiA should be created.
B. An SMTP site link bridge between ChicagoB and MiamiA should be created.
C. An IP site link between ChicagoB and MiamiA should be created.
D. An IP site link bridge between ChicagoB and MiamiA should be created.

Answer: A

Explanation: To enable replication to occur you need to create at least one site link.
Replication between sites can occur with RPC over IP transport (synchronously) or with
SMTP over IP (asynchronously). SMTP replication functionality is limited and requires
an enterprise certificate authority (CA). SMTP can only replicate configuration, schema,
and application directory partitions. It does not support the replication of domain
directory partitions. It is mentioned in the question that there is an unreliable connection
between ChicagoB and MiamiA, thus a SMTP would be the appropriate site link between
the two sites.
Incorrect answers:
B: A site link bridge involves a set of site links using a transport. And it also corresponds
to a router or set of routers in an IP network. No mention is made of existing site links in
the question. Thus this option is invalid.
C: The link should be an SMTP link rather than an IP link between the two sites. You
could have done this but the link between the two sites is unreliable.
D: A site link bridge involves a set of site links using a transport. And it also corresponds
to a router or set of routers in an IP network. No mention is made of existing site links in
the question. Thus this option is invalid.

QUESTION 58:

You work as the systems engineer at Certkiller .com. You have been given an Active
Directory site topology design document. Your job description includes the
implementation of network design by means of creating sites, site links, and site link
bridges. You have been given instruction to implement the design.
Certkiller .com has two offices: one in Chicago and another in Dallas. The Active
Directory implementation consists of a single forest with a single domain and two
sites. The two sites are represented by the two offices. The exhibit below illustrates
the network:
Exhibit:

In the Chicago site:
1. Three Windows Server 2003 servers that are configured as domain controllers.
2. Domain controllers are named Certkiller -DC01, Certkiller -DC02 and
Certkiller -DC03 respectively.
In the Dallas site:
1. Two Windows 2000 Server servers that are configured as domain controllers
2. Domain controllers are named Certkiller -DC04 and Certkiller -DC05
respectively.
There is a persistent T1 connection between the sites and replication for the site link
is set for 3 A.M. to 6 A.M. (EST); the replication frequency is set to 90 minutes.
You have been given instruction to control which domain controllers are to manage
site-to-site replication. To this end you want to implement preferred bridgehead
servers. Now you need to decide on the number of preferred bridgehead servers in
the Dallas site.
What should you do?

A. You should implement one preferred bridgehead server in the Dallas site.
B. You should implement two preferred bridgehead servers in the Dallas site.
C. You should implement three preferred bridgehead servers in the Dallas site.
D. You should implement four preferred bridgehead servers in the Dallas site.
E. You should implement five preferred bridgehead servers in the Dallas site.

Answer: A

Explanation: A bridgehead server is a domain controller that sends and receives
replicated data at each site. The bridgehead server from the originating site collects all
replication changes and then sends them to the receiving site's bridgehead server, which in
turn replicates the changes to all domain controllers in the site.
Each domain must have a bridgehead server. Since there is a single domain in the Dallas site,
you must have a single bridgehead server for the site.
Incorrect answers:
A - E: It is considered good practice to have more than one preferred bridgehead server
in a site. However, if you are to control which domain controllers are to manage
site-to-site replication, it must be one preferred bridgehead server and not more. If you
specify a custom list of bridgehead servers, Active Directory will first try to use the first
server on the list to send replication data to the other site. If it cannot locate the first
server in the list, it will try the next server in the list until it finds an available server to
perform replication.

QUESTION 59:

HOTSPOT
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller .com and us. Certkiller .com, as well as three sites named Certkiller A,
Certkiller B, and Certkiller C. All servers on the Certkiller .com network run Windows
Server 2003. The Certkiller .com network contains 12 domain controllers named
Certkiller -DC01 through Certkiller -DC12. The first six domain controllers
belong to the Certkiller .com domain while the rest belong to the us. Certkiller .com
domain. All 12 domain controllers are equally distributed among the three sites so
that each site contains two domain controllers from each domain. Of the 12 domain
controllers, Certkiller -DC02, Certkiller -DC04, Certkiller -DC05,
Certkiller -DC07, Certkiller -DC09 and Certkiller -DC11 are configured as
preferred bridgehead servers.
You are located in Certkiller B. There are many Certkiller C users that require access
to a shared folder. All user accounts reside in the Certkiller .com domain. To this end
you have added all the user accounts of those users that require shared folder access
to a global group. This specific global group has been assigned permissions for the
shared folder. However, after several hours the users in Certkiller C still complain
that they are unable to access the shared folder.
You then checked the event log on a domain controller and noticed that there was a
replication failure. You need to restore replication functionality so as to grant the
Certkiller C users access to the shared folder. You need to designate a preferred
bridgehead server to resolve the problem.
What should you do? To answer, select the smallest number of domain controllers that
should be designated as preferred bridgehead servers. You may designate as many
preferred bridgehead servers as necessary.

Answer:

Explanation: Only one domain controller from each domain is designated as a preferred bridgehead
server in each site. Thus in the event of a bridgehead server failing, you must manually
designate another domain controller in the same domain as preferred bridgehead server in
that site. When you changed the group membership in Certkiller .com on the domain
controller in Certkiller B, that change should have been replicated to Certkiller C to allow
those users to access the shared folder. This did not happen because of a replication
failure that occurred due to the bridgehead server failure in the Certkiller .com domain. You
should identify which bridgehead server failed and designate another domain controller
from the Certkiller .com domain in the same site to be preferred bridgehead server. The
available choice is DC1. Certkiller .com that belongs to the Certkiller .com domain.
Incorrect answers:
It seems that the network is not fully IP routed and thus computers in Certkiller B cannot
communicate directly with computers in Certkiller C. Otherwise you could have enabled site
link bridging between the two sites.

QUESTION 60:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain that contains two sites named
Certkiller A and Certkiller B respectively. All servers on the Certkiller .com network
run Windows Server 2003.
There are currently three domain controllers in Certkiller A. These domain
controllers are also configured to serve other purposes:
1. Certkiller -DC01 also serves as DNS server as well as DHCP server.
2. Certkiller -DC02 also serves as an application server.
3. Certkiller -DC03 also serves as a Routing and Remote Access server that
provides connectivity with the network in site Certkiller B.
There are currently two domain controllers in Certkiller B. These domain controllers
are also configured to serve other purposes:
1. Certkiller -DC04 also serves as a Routing and Remote Access server that
provides connectivity with the network in site Certkiller A.
2. Certkiller -DC05 is just a domain controller.
The exhibit below illustrates the current network:
Exhibit:

The Certkiller .com helpdesk has received calls from various users complaining that
Certkiller -DC02 is very slow and sometimes even unresponsive. You received
instruction from the CIO to address the problem and improve the performance of
Certkiller -DC02. To this end you need to determine the cause of Certkiller -DC02's
poor performance. You investigate and discover that the poor performance of
Certkiller -DC02 coincides with the scheduled inter-site Active Directory replication
times, and the reason why so many users are complaining is that replication is
scheduled to happen during business hours. You must thus improve the
Certkiller -DC02 performance during the times when inter-site replication occurs.

What should you do?

A. You should increase the site link cost.
B. You should decrease the site link cost.
C. You should designate Certkiller -DC03 as a preferred bridgehead server.
D. You should designate Certkiller -DC01 as a preferred bridgehead server.

Answer: C

Explanation: The deterioration in Certkiller -DC02 performance during inter-site
replication happens because Certkiller -DC02 is the bridgehead server in Certkiller A.
Currently replication traffic is handled inefficiently in Certkiller A. Certkiller -DC03 is
the RRAS server that provides connectivity to Certkiller B. This means that all replication
traffic from Certkiller B is directed towards Certkiller -DC03. Only then does
Certkiller -DC03 forward the replication traffic to Certkiller -DC02, which in
turn records the changes in its copy of Active Directory and then replicates those
changes back to Certkiller -DC03 either directly or indirectly via Certkiller -DC01.
To alleviate the problem, Certkiller -DC03 should be designated as the preferred
bridgehead server.
Incorrect answers:
A: A site link is a logical object that represents physical connectivity between sites.
Changing the existing cost of the site link is not going to affect replication.
B: Whether you decrease the site link cost is not going to affect replication. Thus this
option is irrelevant in this case.
D: Designating Certkiller -DC01 as the preferred bridgehead server will not alleviate
the problem; you need to designate as the preferred bridgehead server the domain
controller that has direct connectivity with the Certkiller B site.

QUESTION 61:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest. All servers and all domain
controllers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. The functional level of the forest is set at
Windows Server 2003.
A server named Certkiller -SR20 is designated to host a custom application that is
supposed to be deployed for the benefit of the Sales department. The Sales
department is spread throughout the many Certkiller .com offices. This custom
application makes use of Active Directory replication data amongst the multiple
locations. You need to create an appropriate application directory partition on
several domain controllers.
What should you do?

A. You should use the DNS console.
B. You should use the Ntdsutil utility.
C. You should use the Active Directory Users and Computers console.
D. You should use the Active Directory Domains and Trusts console.
E. You should use the Active Directory Sites and Services console.

Answer: B

Explanation: Windows Server 2003 has a feature named application directory partitions.
All Active Directory aware applications can be programmed to store data in application
specific partitions in Active Directory. An application directory partition is assigned a
DNS name defining its namespace. The application directory partition can then be
replicated to any specified domain controllers in the forest. An Active Directory aware
application will automatically create its application directory partition and provide the
tools for its management. In the event of an application directory partition not being created
automatically, you can make use of the Ntdsutil command line utility to create, delete and
manage application directory partitions.
Incorrect answers:
A: The DNS Console is used to configure the scope of replication of the DNS application
partitions. It is not used to create the application directory partitions on the domain
controllers.
C: The Active Directory Users and Computers tool is not used for the creation of
application directory partitions on the domain controllers.
D: The Active Directory Domains and Trusts tool is not used for the creation of application
directory partitions on the domain controllers.
E: The Active Directory Sites and Services tool is not used for the creation of application
directory partitions on the domain controllers.
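The Ntdsutil procedure that the explanation refers to, as an added example that is not part of this exam guide: it creates an application directory partition on one domain controller, adds replicas on others, and verifies the result. The partition name, DNS suffix and server names are constructed for illustration; ntdsutil and repadmin ship with the Windows Server 2003 Support Tools, while Get-ADRootDSE comes from the later ActiveDirectory PowerShell module and is an assumption about the management host.

```powershell
# Added example (not from the exam guide): script the Ntdsutil steps that create an
# application directory partition and place replicas on chosen domain controllers.
# Assumptions: partition name, DNS suffix and DC names below are constructed;
# the account running this is a member of Enterprise Admins (required to create
# application partitions); ntdsutil and repadmin are available on the management host.

$PartitionDn = 'DC=SalesApp,DC=certkiller,DC=com'   # hypothetical partition; its DNS name is salesapp.certkiller.com
$FirstDc     = 'certkiller-dc01.certkiller.com'     # hypothetical DC that creates the partition
$ReplicaDcs  = @('certkiller-dc02.certkiller.com',  # hypothetical DCs that also need a replica
                 'certkiller-dc03.certkiller.com')

# ntdsutil accepts its menu commands as arguments, so the interactive session can be
# scripted. "domain management" is the Windows Server 2003 menu name (later releases
# call it "partition management"). Each quit steps back out one menu level.
function Invoke-NtdsutilPartitionCommand {
    param([string]$Server, [string]$Command)
    & ntdsutil 'domain management' connections "connect to server $Server" quit $Command quit quit
}

# 1. Create the partition; NULL tells ntdsutil to create it on the connected server.
Invoke-NtdsutilPartitionCommand -Server $FirstDc -Command "create nc $PartitionDn NULL"

# 2. Add each additional DC (by FQDN) to the partition's replica set. Keep this set
#    to the DCs the application really uses: every replica holder carries the data.
foreach ($dc in $ReplicaDcs) {
    Invoke-NtdsutilPartitionCommand -Server $FirstDc -Command "add nc replica $PartitionDn $dc"
}

# 3. Verify. First as Active Directory records the replica set ...
Invoke-NtdsutilPartitionCommand -Server $FirstDc -Command "list nc replicas $PartitionDn"

# ... then confirm each DC actually advertises the naming context in its rootDSE.
# Get-ADRootDSE is from the ActiveDirectory module (RSAT, newer than Windows Server
# 2003); on a 2003-era host inspect rootDSE with ldp.exe or run "repadmin /showrepl <dc>".
foreach ($dc in @($FirstDc) + $ReplicaDcs) {
    $hosted = (Get-ADRootDSE -Server $dc).namingContexts -contains $PartitionDn
    '{0,-35} hosts {1}: {2}' -f $dc, $PartitionDn, $hosted
}
```

The replica set is the security boundary for the application's data: only the listed domain controllers hold it, so the list should contain exactly the DCs in the sites where the Sales application runs, and the verification loop is how you notice a DC that silently failed to take the replica.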

QUESTION 62:

HOTSPOT
You work as the systems engineer at Certkiller .com. Certkiller .com has its
headquarters in Chicago and branch offices in Dallas, Miami, and Ontario. Each
branch office is connected to the Chicago headquarters via a separate Wide Area
Network (WAN) link. The Certkiller .com network consists of a single Active
Directory domain. Each of the offices on the Certkiller .com network is configured as a
separate Active Directory site.
You are currently planning a site link topology. You must create the appropriate
site links to ensure that Active Directory replication will take place between all four
sites. You should not create any unnecessary links.
What should you do?
Each place represents a possible site link. Indicate on these possible SMTP site links
where you would create a site link. (You may create as many SMTP site links as
necessary.)


Answer:

Explanation:
You should create three site links: one for each physical WAN link between the offices.
There is no point in creating site links between any of the branch offices because their
networks are not directly connected to each other. If the network was fully routed
through the Chicago office, then you could enable site link bridges of all sites so as to
support replication between domain controllers in the branch offices.
Site links that do not correspond to the physical communication links are usually
redundant and unnecessarily complicate the network administration.

QUESTION 63:

You work as the network administrator at Certkiller .com. The Certkiller .com logical
network design consists of a single Active Directory domain named Certkiller .com.
All servers on the Certkiller .com network run Windows Server 2003.
The Certkiller .com domain consists of three sites. These three sites are named
Certkiller A, Certkiller B, and Certkiller C. Each of these sites contains two domain
controllers. One domain controller is to function as a preferred bridgehead server
in each of these sites. The following exhibit illustrates the Certkiller .com network
structure:
Exhibit:


The network is not fully IP routed and the default bridging of all site links is
disabled. You received instruction from the CIO to make changes to the Active
Directory. These changes are to be propagated to the other sites even if any one of
the domain controllers in each site happens to fail.
What should you do?

A. Both domain controllers in Certkiller 2 should be configured as preferred bridgehead
servers.
B. You should create a site link between Certkiller 1 and Certkiller 3.
C. The two site links should be bridged.
D. Each site should be reconfigured to have no preferred bridgehead servers.

Answer: D

Explanation: Changes that are made to Active Directory on a particular domain
controller in a particular site are first replicated to other domain controllers within that
site. When the bridgehead server for that particular site receives the changes, it then
replicates the changes to other bridgehead servers in the other sites, and each of those
bridgehead servers replicates the changes to other domain controllers in their respective
sites. In the event of a bridgehead server in a site failing, another domain controller is
automatically designated bridgehead server for that site. An administrator has control
over which domain controllers are designated as bridgehead servers. If more than one
bridgehead server is designated in a site, then only one of those domain controllers can
become a bridgehead server for that site. Now, if those bridgehead servers all fail in a
particular site, then replication between that site and the other sites will NOT occur. In
this scenario you should reconfigure the domain controllers so that there are no preferred
bridgehead servers in any of the sites. (Or you could reconfigure all the domain
controllers in all the sites to be preferred bridgehead servers in their respective sites;
however, this option is not available.)
Incorrect answers:
A: If both domain controllers in Certkiller 2 are configured as preferred bridgehead servers,
then Certkiller 2 would be able to replicate with other sites should any one of the domain
controllers in Certkiller 2 fail. BUT then Certkiller 1 and Certkiller 3 would be able to
replicate with Certkiller 2 if the bridgehead server in Certkiller 1 and Certkiller 3 failed.
B: Creating a site link between Certkiller 1 and Certkiller 3 would have no effect in this
case.


C: Bridging the existing two site links will have no effect since the network is not fully
IP routed.
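Questions 59, 60 and 63 all turn on the same object: the preferred-bridgehead designation on a domain controller's server object in the Configuration partition. The following is an added example, not part of this exam guide, showing how to list, set and clear that designation and how to check which DCs really act as bridgeheads. Site and DC names are constructed; the ActiveDirectory PowerShell module is newer than Windows Server 2003 and is an assumption about the management host, as is the availability of repadmin.

```powershell
# Added example (not from the exam guide): inspect, designate and clear preferred
# bridgehead servers by editing the server objects in the Configuration partition,
# which is what the Sites and Services console does behind the scenes.
# Assumptions: site and DC names are constructed; the ActiveDirectory module (RSAT,
# newer than Windows Server 2003) and repadmin are available; the account has
# Enterprise Admins (or equivalently delegated) rights on the Configuration partition.

Import-Module ActiveDirectory

$ConfigNc    = (Get-ADRootDSE).configurationNamingContext
$IpTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNc"

# DN of the server object that represents a DC within a site.
function Get-DcServerDn {
    param([string]$SiteName, [string]$DcName)
    "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$ConfigNc"
}

# A DC is a preferred bridgehead for a transport when that transport's DN appears in
# the bridgeheadTransportList attribute of its server object.
function Set-PreferredBridgehead {
    param([string]$SiteName, [string]$DcName)
    Set-ADObject -Identity (Get-DcServerDn $SiteName $DcName) -Add @{ bridgeheadTransportList = $IpTransport }
}

# Clearing the attribute hands the choice back to the KCC/ISTG, which then replaces a
# failed bridgehead automatically instead of leaving the site cut off (the Q63 answer).
function Clear-PreferredBridgehead {
    param([string]$SiteName, [string]$DcName)
    Set-ADObject -Identity (Get-DcServerDn $SiteName $DcName) -Clear bridgeheadTransportList
}

# Every server object that currently carries a preferred-bridgehead designation.
function Get-PreferredBridgeheads {
    Get-ADObject -SearchBase "CN=Sites,$ConfigNc" -SearchScope Subtree `
                 -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
                 -Properties bridgeheadTransportList |
        ForEach-Object {
            [pscustomobject]@{
                Server     = $_.Name
                Site       = (($_.DistinguishedName -split ',')[2]) -replace '^CN=', ''
                Transports = ($_.bridgeheadTransportList | ForEach-Object { ($_ -split ',')[0] }) -join ';'
            }
        }
}

# Q59/Q60 scenario: make the DC that has direct WAN connectivity the preferred
# bridgehead for its site, then ask the KCC to recompute the topology right away.
Set-PreferredBridgehead -SiteName 'CertkillerA' -DcName 'CERTKILLER-DC03'
& repadmin /kcc
Get-PreferredBridgeheads | Format-Table -AutoSize

# Q63 scenario: remove every preferred designation so that no site depends on a
# single hand-picked DC for inter-site replication.
Get-PreferredBridgeheads | ForEach-Object { Clear-PreferredBridgehead -SiteName $_.Site -DcName $_.Server }

# Verify which DCs actually act as bridgeheads now, and whether inter-site replication
# is succeeding (failures here are what the Q59 event log entry was reporting).
& repadmin /bridgeheads
& repadmin /replsummary
```

Run Get-PreferredBridgeheads before any change and keep its output: a site whose only preferred bridgehead is down stops receiving inter-site updates, including group membership and policy changes, and the attribute listing is the quickest way to see which sites carry that single point of failure.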

QUESTION 64:

You work as the network administrator at Certkiller .com. The Certkiller .com logical
network design consists of a single Active Directory domain named Certkiller .com.
All servers on the Certkiller .com network run Windows Server 2003.
The Certkiller .com domain consists of four sites. These four sites are named
Certkiller 1, Certkiller 2, Certkiller 3, and Certkiller 4 respectively. The network is not
fully routed and site link bridging has been disabled. The exhibit below illustrates
the site configuration:

The Certkiller .com schema administrator added a few new attributes to the schema
on a domain controller in the Certkiller 1 site on a Saturday. On the following
Monday you verified the schema on a domain controller in the Certkiller 3 site and
then discovered that the modifications have not been replicated to the domain
controller. You then received instruction to ensure that Active Directory changes
replicate to the Certkiller 3 site in an efficient manner.
What should you do?

A. Configure a site link bridge between Certkiller 1 and Certkiller 3.
B. Configure a site link between Certkiller 1 and Certkiller 3.
C. Move the schema master operations role to a Certkiller 4 domain controller.
D. Install a domain controller for Certkiller 4 in the Certkiller 3 site.

Answer: A

Explanation: A site link bridge is used to connect two or more sites if the IP network is not fully
routed or if replication is not converging efficiently. Site link bridging enables domain
controllers that are not directly connected via a communication link to communicate with
each other. Thus a site link bridge between Certkiller 1 and Certkiller 4 would solve the
problem.
Incorrect answers:
B: Site links can only be created on a fully IP routed network between the sites that have
IP connectivity.


C: You should not move the schema master role to a domain controller in Certkiller 4.
This will result in a replica schema modification to the Certkiller 3 site, but would not
improve Active Directory replication to Certkiller 3.
D: There is no need to place a domain controller for Certkiller 4 in the Certkiller 3 site. This
will not provide efficient replication between Certkiller 1 and Certkiller 3.
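Questions 58, 62 and 64 together describe one site topology task: site links that follow the physical WAN links, a replication schedule and frequency on each link, and explicit site link bridges when automatic bridging is disabled. The following is an added example, not part of this exam guide, that carries those steps out with the Active Directory replication cmdlets. Site names, cost and schedule values are constructed; the cmdlets belong to the ActiveDirectory module of Windows Server 2012 RSAT or later and did not exist in Windows Server 2003, which is an assumption about the management host.

```powershell
# Added example (not from the exam guide): build site links that mirror the physical
# WAN links (hub-and-spoke, Q62), apply a Q58-style schedule and frequency, and add
# an explicit site link bridge when automatic bridging is off (Q63/Q64).
# Assumptions: site names, cost and schedule values are constructed; requires the
# ActiveDirectory module from Windows Server 2012 RSAT or later, since the replication
# cmdlets used here did not exist in Windows Server 2003.

Import-Module ActiveDirectory

$Hub    = 'Chicago'
$Spokes = @('Dallas', 'Miami', 'Ontario')   # each spoke has a WAN link to the hub only

# Daily replication window 03:00 to 06:00. Site link schedules are stored in UTC;
# the console shows them in local time, so adjust if the window is meant in EST.
$Window = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$Window.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Three,
                         [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
                         [System.DirectoryServices.ActiveDirectory.HourOfDay]::Six,
                         [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)

# One IP site link per physical WAN link and nothing spoke-to-spoke: links that do
# not match a real connection only mislead the KCC and the administrators.
foreach ($spoke in $Spokes) {
    $name = "$Hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$name'")) {
        New-ADReplicationSiteLink -Name $name -SitesIncluded $Hub, $spoke -Cost 100 `
            -ReplicationFrequencyInMinutes 90 -ReplicationSchedule $Window `
            -InterSiteTransportProtocol IP
    }
}

# Is "Bridge all site links" switched off? The setting is bit 0x2 (bridges required)
# in the options attribute of the IP inter-site transport object.
$ConfigNc    = (Get-ADRootDSE).configurationNamingContext
$IpTransport = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNc" -Properties options
$BridgesRequired = ([int]$IpTransport.options -band 0x2) -ne 0
"Automatic site link bridging disabled: $BridgesRequired"

# With automatic bridging off, two spokes replicate transitively only if an explicit
# bridge joins their links through the hub, and only if the hub really routes between them.
if ($BridgesRequired) {
    New-ADReplicationSiteLinkBridge -Name "$Hub-Dallas-Miami" -SiteLinksIncluded "$Hub-Dallas", "$Hub-Miami"
}

# Review the resulting topology.
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADReplicationSiteLinkBridge -Filter * | Select-Object Name, SiteLinksIncluded
```

The bridging check matters for the Q63 and Q64 scenarios: with bridges required and no explicit bridge, a schema change made in one spoke reaches another spoke only after the hub has replicated it inbound and then outbound on separate schedules, which is the delay the Q64 administrator observed over a weekend.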

QUESTION 65:

You work as the network architect at Certkiller .com. Your job description involves
designing the Certkiller .com logical network design. All servers on the Certkiller .com
network will run Windows Server 2003 after they have been migrated from a
Windows NT 4.0 environment. Certkiller .com has its headquarters in Chicago and
branch offices in Dallas and Miami.
Each of the Certkiller .com offices has a Finance department, Sales department and a
Marketing department. Only the headquarters in Chicago has two additional
departments named the Research and Development department and the
Management department respectively. Domain administration will be handled by
the Certkiller .com IT department. In addition, onsite administrators will be deployed
and they will be responsible for the administration of user accounts in each of the
Certkiller .com branch offices. At the Chicago office an administrator will be assigned
to manage the Research and Development department users and another
administrator to manage the Management department users.
You have been given instruction to create the organizational unit (OU) design to
support the company's administrative structure. You thus need to keep in mind
that:
1. Administrators should only be delegated control to objects for which they are
responsible.
2. The design must allow for permissions to be maintained using the least amount of
administrative effort.
To this end you need to decide on which OU structure would best suit the
Certkiller .com administrative goals.
What should you do? (To answer choose the appropriate OU structure that you
would implement.)


Answer:

Explanation:
The scenario needs the OU design to accommodate the IT administrative model of the
company. There is a strong centralized tendency in the IT department being responsible
for domains. But there is also the geographic aspect that has to be kept in mind. Thus it is
a hybrid administrative model which calls for an OU structure that is geographically
based at the higher level OU and then making use of unit-based lower level OUs. With
this type of approach you can have granular delegation of administration.
Thus you should have three top-level OUs based on geographic location, then create two
child OUs that are subordinate to the Chicago OU. This way all the different requirements
and responsibilities of the IT department are accommodated. Furthermore the containers
will be tailored to both geographic and departmental requirements, which makes applying
and modifying administrative permissions possible with the least amount of
administrative effort.
Incorrect answers:
A: You should not choose a geographically based OU structure. This would not make
provision for the ability to maintain the permissions and administrative assignments for
the Research and Development department and the Management department in an
efficient way.
B: This design where the OU structure includes top-level OUs for Chicago, Dallas,
Miami and Management would not provide the ability to maintain the permissions and
administrative assignments for the Research and Development department and the
Management department.
D: Chicago OU should not be the only top-level OU with Dallas, Miami, Research and
Development, and Management the child OUs. This structure will allow for the
delegation of administrative duties, but is not compatible with the Microsoft
recommendations for hybrid administrative models.

QUESTION 66:

You work as the network architect at Certkiller .com. Your job description involves
designing the Certkiller .com logical network design. All servers on the Certkiller .com
network will run Windows Server 2003 and all client computers will run Windows
XP Professional. Certkiller .com has its headquarters in Chicago and branch offices
in Dallas, Los Angeles and Miami.
A new Certkiller .com company directive is as follows:
1. Administrators are to be deployed to each office.
2. These administrators will be responsible for the local resources where they will be
located.
3. Only the Chicago office administrators will have the exclusive ability to create
and manage all user accounts.
4. The branch office administrators will not be granted any abilities that will allow
them to control resources in the other locations.
To this end you decided on a design that will make use of a decentralized IT
administration model.
What should you do? (Each correct answer presents part of the solution. Choose
two.)

A. Use a domain tree.
Configure Chicago as the parent domain.
Configure each branch office as a child domain.
B. The branch office administrators should be added to the Domain Admins group in
their child domain.
C. Use a single domain structure with organizational units (OUs) representing each
branch office.
Place the branch office resources in their respective OUs.
D. The branch office administrators should be added to the Enterprise group in the
domain tree.
E. Authority for resource administration should be delegated to branch office
administrators for their respective OUs.
The ability to create and manage user accounts for the domain should be delegated to the
Chicago office administrators.


Answer: C, E

Explanation: A single domain with the appropriate OUs will provide the best solution.
You should only create extra domains when a single domain will not suffice. OUs
provide containers into which groups of users and other types of objects can be placed.
OUs can also be used to model the organization's management hierarchy for delegation
of administration. Thus creating an OU per office allows resource management to be
delegated to local administrators. The authority for user administration would not be
delegated to the branch office administrators for these OUs, but this authority should be
granted to the Chicago administrators from the domain level.
Incorrect answers:
A: There is no need to make use of a domain tree; a domain tree implies multiple
domains which is an unnecessary complexity that is not required at this stage.
B: The branch office administrators should not be added to the Domain Admins group in
their child domains as it will result in them having excessive permissions.
D: The branch office administrators should not be added to the Enterprise group in the
domain tree. This would grant them more permissions than are necessary under the
circumstances.

QUESTION 67:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. The functional
level of the domain is set at Windows Server 2003.
The Certkiller .com organizational unit (OU) structure corresponds with the
departments and consists of three top-level OUs named Personnel, Finance and
Sales respectively. Each of these OUs stores the user and computer objects that are
associated with their department.
The Personnel department maintains their employee records by making use of a
custom application. Consequently all employee records are stored in a non-LDAP
directory service. To this end you created an InetOrgPerson object for each user to
allow them to use the application. These objects are stored in the Finance OU.
Synchronization of the InetOrgPerson attributes between Active Directory and
the third-party directory service is handled by Microsoft Identity Integration Server
(MIIS).
An assistant administrator named Amy Wilson is responsible for the administration
of InetOrgPerson class objects for the Finance department. You received
instruction to ensure that Amy Wilson will be able to carry out her tasks. You now
need to configure Active Directory to allow Amy Wilson to administer the
InetOrgPerson class objects while still preventing her from administering the
Windows-based user or computer accounts.
What should you do? (Each correct answer presents a complete solution. Choose
two.)


A. You should delegate control of user objects for the domain to Amy Wilson.
Block inheritance of these permissions to the Personnel and Sales OUs.
B. You should delegate control of InetOrgPerson objects for the domain to Amy Wilson.
Block inheritance of these permissions on the Finance OU.
C. You should delegate control of the InetOrgPerson objects for the domain to Amy
Wilson.
Block inheritance of these permissions to the Personnel and Sales OUs.
D. You should delegate control of InetOrgPerson objects for the domain to Amy Wilson.
E. You should delegate control of InetOrgPerson objects for the Finance department to
Amy Wilson.

Answer: C, E

Explanation: The Windows Server 2003 domain functional level makes it possible to
have the InetOrgPerson object. This object class is available for providing access to third
party applications that do not have a LDAP-based directory service.
Custom tasks can be defined. These tasks can be managing contact objects or site link
objects. In this scenario Amy Wilson requires the ability to manage InetOrgPerson
objects. This can be done by defining the task to delegate and determine the level where
the delegation should be configured. It is advisable to define these delegations at the
lowest possible container, in this case the OU. Administrative authority for an OU and
the objects that it contains can be delegated to an individual administrator or security
group. You would thus delegate authority for the task at the Finance OU.
Alternatively you could define this authority at the domain level and block the
permission from being inherited on any container where the objects do not exist, in this
case the Personnel and Sales OUs.
Incorrect answers:
A: Delegating control of user objects for the domain to Amy Wilson and blocking
inheritance of these permissions to the Personnel and Sales OUs will result in her having
abilities such as managing user objects in the Finance OU, which is beyond her scope of duty.
B: Delegating control of InetOrgPerson objects for the domain to Amy Wilson and
blocking inheritance of these permissions on the Finance OU will prevent Amy Wilson
from administering the InetOrgPerson objects in the Finance OU.
D: Delegating control of InetOrgPerson objects for the domain to Amy Wilson will result
in her having the ability to manage all InetOrgPerson objects in the domain and not only
those used to access the Finance Custom application.

QUESTION 68:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
network is configured in such a way that all user, group, and computer objects are
located in their default Active Directory containers.
In the Research department there are two administrators named Dean Austin and
Clive Wilson. Currently Dean Austin is responsible for the creation, deletion and
management of the Research department user objects while Clive Wilson is
responsible for the management of the memberships for the global group objects
associated with the Research department. These two requested that they be
delegated responsibility for only the objects for which they are responsible. To this end
you want to define the organizational unit (OU) structure accordingly with the least
amount of administrative effort.
What should you do? (Each correct answer presents part of the solution. Choose
three.)

A. Create an OU named ResearchOU, and then create two child objects named
ResearchUsers and ResearchGroups and move the appropriate objects to each container.
B. Create an OU named ResearchOU and move the appropriate user and group objects to
the container.
C. Deny Dean Austin the right to modify group memberships on the ResearchOU.
D. Allow Dean Austin the right to manage user objects on the ResearchOU.
E. Allow Dean Austin the right to manage all objects on the ResearchUsers OU.
F. Deny Dean Austin the right to manage group memberships for objects in the
ResearchGroups OU.
G. Deny Clive Wilson the right to manage user objects on the ResearchOU.
H. Allow Clive Wilson the right to modify group memberships on the ResearchOU.
I. Allow Clive Wilson the right to manage all objects in the ResearchGroups OU.
J. Deny Clive Wilson the right to manage user objects in the ResearchUsers OU.

Answer: B, D, H

Explanation: You want to assign Dean Austin the right to manage user objects in the
Research department and Clive Wilson the right to modify group memberships in the
Research department. It is further mentioned in the question that neither of the two wants
to be assigned permissions beyond their duties. You can place all user and group objects
in a single OU and then delegate granular control of the OU to each of these two, using
the Delegation of Control Wizard. Dean Austin should then be granted the ability to add,
delete, and manage users, while Clive Wilson should be granted the ability to grant and
rescind group memberships in the OU. Making use of the granularity of the Delegation of
Control Wizard, you achieve your goal with the least amount of administrative effort
since you will only be creating a single OU.
Incorrect answers:
A: There is no need to create an OU with two child objects. The Delegation of Control
Wizard does allow granularity which will afford you to accomplish the task at hand using
a single OU.
C: Simply denying Dean Austin the right to modify group memberships on the OU does
not allow him to perform his tasks.
E: Allowing Dean Austin the right to manage all objects in the OU will provide him with
full administrative privileges and not just the desired tasks that he is responsible for.
F: Denying Dean Austin the right to manage group memberships for objects in the
ResearchGroups OU will only deny him that right; it will not allow him to carry out his
tasks.


G: Denying Clive Wilson the right to manage user objects in the OU does not let him
carry out his tasks; it merely prevents him from managing user objects, which is Dean
Austin's job anyway.
I: Allowing Clive Wilson the right to manage all objects in the ResearchGroups OU would
give him full administrative privileges over that container, not just the tasks he is
responsible for.
J: Denying Clive Wilson the right to manage user objects in the ResearchUsers OU does
not let him carry out his tasks. You should instead grant the rights that the task
actually requires.
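The delegation described above, done from the command line as an added example (this is not part of the original exam material): dsacls.exe writes the same access control entries that the Delegation of Control Wizard does, so the result can be scripted and audited. The OU name OU=Research, the NetBIOS domain name CERTKILLER and the two account names are assumptions; everything else follows the question.

```powershell
# Added example; not from the exam material. Assumed names: OU=Research, NetBIOS
# domain CERTKILLER, accounts dean.austin and clive.wilson.
# dsacls.exe is part of the Windows Server 2003 Support Tools.
$ou         = "OU=Research,DC=certkiller,DC=com"
$userAdmin  = "CERTKILLER\dean.austin"    # add, delete and manage user accounts
$groupAdmin = "CERTKILLER\clive.wilson"   # grant and rescind group memberships

function Invoke-Dsacls {
    param([string[]]$Arguments)
    $out = & dsacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls $($Arguments -join ' ') failed:`n$out" }
    $out
}

# Dean Austin, part 1: may create and delete child objects of class user in the OU
# (CC = create child, DC = delete child; ';user' limits it to that object class).
Invoke-Dsacls @($ou, "/G", "${userAdmin}:CCDC;user")
# Dean Austin, part 2: full control (GA) over the user objects under the OU only.
# /I:S = the ACE is inherited by sub-objects and does not apply to the OU itself.
Invoke-Dsacls @($ou, "/I:S", "/G", "${userAdmin}:GA;;user")

# Clive Wilson: read and write (RP, WP) only the 'member' attribute, and only on
# group objects under the OU. He gets no right to create, delete or rename groups.
Invoke-Dsacls @($ou, "/I:S", "/G", "${groupAdmin}:RPWP;member;group")

# Check: dump the OU's ACL and look at exactly what each principal ended up with.
Invoke-Dsacls @($ou) | Select-String -Pattern "dean\.austin|clive\.wilson" -Context 0, 2
```

The final dsacls call without switches prints the ACL; anything broader than the three entries above (for example a GA entry without the ;;user qualifier) means a wrong answer's level of access was granted by mistake.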

QUESTION 69:

You work as a network administrator at Certkiller .com. You are currently working
with the other administrators in the company on planning the deployment of the
Certkiller .com Active Directory forest. All the domain controllers will be running
Windows Server 2003.
Certkiller .com has three subsidiaries. Each subsidiary has four divisions and each
division has five departments. Certkiller .com has its headquarters in Chicago and
branch offices in Dallas, Los Angeles, New York, Miami, and Toronto. Each location
has its own team of network administrators that is responsible for all computers
and user accounts at that location.
There are several factors that have to be kept in mind when planning and deploying
the Certkiller .com forest:
1. All the branch offices are connected to the headquarters via a T1 connection.
2. Each location has computers and employees from each subsidiary.
3. Each subsidiary has different password and account lockout requirements.
You now need to decide which top-level organizational units (OUs) should be
created in your domain or domains.
What should you do?

A. You must create one top-level OU per department.
B. You must create one top-level OU per division.
C. You must create one top-level OU per subsidiary.
D. You must create one top-level OU per location.

Answer: D

Explanation: The question states that each location has its own team of network
administrators, so it makes sense to create one top-level OU per location. The top
levels of an OU hierarchy should be designed around the network administration
requirements, so that authority over those OUs can be delegated to the right team.
Incorrect answers:
A: The network administrators are responsible for all user and computer accounts at
their own location, so OUs based on division or department belong at a lower level,
where they are useful for targeting GPOs.
B: You should not create one top-level OU per division. Since the network
administrators are responsible for all computers and user accounts at their own
location, the top level should be structured by location rather than by division.
C: Each subsidiary has different password and account lockout requirements. In
Windows Server 2003 these settings apply to a whole domain and cannot be set per
OU, so you should create a separate domain for each subsidiary. Within each
domain, create one top-level OU per location.

QUESTION 70:

You work as the network administrator at Certkiller .com. Certkiller .com has
headquarters in London and branch offices in Paris, Berlin, Milan, and Athens. The
Certkiller .com network consists of a single Active Directory domain named
Certkiller .com. All servers on the Certkiller .com network have been upgraded to
Windows Server 2003. The functional level of the domain is set at Windows 2000
native.
Your job description includes the management and administration of thirty file
servers. These file servers are located throughout the Certkiller .com offices. There are
six file servers per office. Each office represents a site in the Active Directory
domain. All file servers are members of the organizational unit (OU) named
UserDocs.
You receive instruction from the CIO to designate a user in each site who will be
responsible for managing access to the folders that reside on the file servers. You
need to designate one user per site to manage access to these file servers, taking
care not to grant these users more permission than is necessary.
What should you do? (Each correct answer presents part of the solution. Choose
three.)

A. Create a new Restricted Groups group policy object named FileServerAdmin GPO.
B. Add the users to a global group named FileServerTeam.
C. A new domain local group named FileServerAccess that is granted the appropriate
access to the file servers must be created.
D. The FileServerAdmin GPO must be linked to the UserDocs OU.
E. FileServerTeam should be granted permission to modify FileServerAccess
membership.
F. FileServerTeam should be made members of the Server operators group.
G. FileServerTeam should be made members of the Power Users group on each file
server.
H. FileServerTeam should be granted permission to modify computer objects in
UserDocs OU.

Answer: B, C, E

Explanation: Creating a domain local group that is configured with the appropriate
permissions, and allowing the designated users to control the membership of that
group, meets the requirements stated in the question. Controlling the membership of
the domain local group lets them manage access to the servers without being assigned
additional administrative permissions on the file servers. Where possible, place the
users in global groups, create domain local groups with the desired permissions, and
then add the global group to the domain local group. Windows Server 2003 allows
granular access control on the domain local group object, including the right to add
and remove group members.
Incorrect answers:
A: Restricted Groups policies are used to control group membership. Such a policy
specifies which members belong to a group and removes any others whenever the policy
is applied or refreshed. Linking such a GPO to the UserDocs OU (option D) would not
produce the desired result, because it enforces a fixed membership instead of letting
the designated users manage it.
D: Option D only has an effect in conjunction with option A, and together they do not
produce the desired result.
F: The FileServerTeam group should not be made a member of the Server Operators
group. That group can administer the servers far beyond adding and removing group
members, which is much more permission than is needed.
G: The Power Users group can create local user accounts, and modify and delete the
accounts it creates, as well as perform other administrative tasks that go beyond the
permissions intended for these users.
H: Granting the FileServerTeam permission to modify computer objects in the UserDocs
OU would not allow them to control access to resources on the file servers; it would,
however, allow them to perform undesired administrative tasks.
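The global-group-into-domain-local-group chain from the explanation, scripted as an added example (not part of the original exam material). The names FileServerTeam and FileServerAccess come from the answer options; the OU=Groups container, the NetBIOS name CERTKILLER and the two sample administrator DNs are assumptions. dsadd, dsmod, dsget and dsacls are the Windows Server 2003 directory command-line tools.

```powershell
# Added example; not from the exam material. Assumed: OU=Groups holds the groups,
# NetBIOS domain CERTKILLER, one designated account per site (two shown).
$groupsOu   = "OU=Groups,DC=certkiller,DC=com"
$globalDn   = "CN=FileServerTeam,$groupsOu"     # G : the people
$localDn    = "CN=FileServerAccess,$groupsOu"   # DL: the permission holder
$siteAdmins = @(
    "CN=London FS Admin,OU=London,DC=certkiller,DC=com",
    "CN=Paris FS Admin,OU=Paris,DC=certkiller,DC=com"
)

function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    $out = & $Exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed:`n$out" }
    $out
}

# Accounts -> global group: the designated user from each site goes into one
# global security group.
Invoke-Tool dsadd.exe @("group", $globalDn, "-secgrp", "yes", "-scope", "g")
Invoke-Tool dsmod.exe (@("group", $globalDn, "-addmbr") + $siteAdmins)

# Global -> domain local: the global group is nested into a domain local group ...
Invoke-Tool dsadd.exe @("group", $localDn, "-secgrp", "yes", "-scope", "l")
Invoke-Tool dsmod.exe @("group", $localDn, "-addmbr", $globalDn)

# Domain local -> permission: ... and the domain local group is what goes on the
# folder ACLs of the thirty file servers, e.g. run on each server:
#     cacls D:\UserDocs /E /G CERTKILLER\FileServerAccess:C

# Delegation: FileServerTeam may read and write the 'member' attribute of
# FileServerAccess and nothing else, so its members decide who gets access
# without holding any other right on the group or on the servers.
Invoke-Tool dsacls.exe @($localDn, "/G", "CERTKILLER\FileServerTeam:RPWP;member")

# Least-privilege check, domain side: FileServerTeam must not be nested in Server
# Operators or another privileged group (wrong answer F).
$nested = Invoke-Tool dsget.exe @("group", $globalDn, "-memberof", "-expand")
$bad = $nested | Select-String -Pattern "CN=(Server Operators|Account Operators|Domain Admins|Administrators),"
if ($bad) { Write-Warning "FileServerTeam is nested in a privileged group:`n$($bad -join "`n")" }
# Server side: Power Users (wrong answer G) is a local group, so check it on each
# file server with:   net localgroup "Power Users"
```

Changing who may manage access later means one dsmod call against FileServerTeam; the domain local group and the folder ACLs on the thirty servers stay untouched.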

QUESTION 71:

You work as the systems engineer at Certkiller .com. Your job description includes
the implementation of the network design. The Certkiller .com network operates in an
Active Directory environment.
You are currently planning to use a single domain with top-level geographic
organizational units (OUs) for each location on the company's network. Each
geographic OU will contain departmental OUs, and each departmental OU will
contain divisional OUs. The exhibit below represents a portion of the structure:
Exhibit:

The Research department consists of 150 employees, who will be distributed across
the offices to perform administrative tasks. These tasks cover all the computers and
users in the respective locations where these employees are deployed.
There are six locations and each location will be assigned 25 IT employees. The CIO
does NOT want these IT employees to be able to manage any resources or Active
Directory objects at any location other than their own.
What should you do?

A. A global group named OU Administrators should be created. Then place all the IT
employees in it.
Delegate the necessary level of authority to the OU Administrators group.
B. A global group for each top-level geographic OU should be created.
Then place the IT employees from each location into the global group that represents the
OU where they will be deployed.
Delegate control over each top-level geographic OU to the global group that contains the
IT employees that will manage the location.
C. All the IT employees should be placed in the Domain Administrators group.
D. All the IT employees should be placed in the Account Operators and Server Operators
groups.
E. Delegate control over each top-level geographic OU to each IT employee responsible
for managing the particular location.

Answer: B

Explanation: The most efficient way to grant the 25 IT employees at each location the
appropriate rights is:
1. Create one global group per geographic OU.
2. Place the 25 IT employees into the global group representing the OU they will be
responsible for.
3. Delegate control of each geographic OU to the global group that contains the IT
employees tasked with managing that location.
This way you can give other users, such as new employees, the permissions they need
to perform their jobs simply by adding them to the group.
Incorrect answers:
A: Placing all the IT employees in the same global group would give all of them the
same level of control over every OU in the domain. This is not what is desired.
C: Placing all the IT employees in the Domain Admins group would give all 150 IT
employees full control over every object in the entire domain.
D: Placing all the IT employees in the Server Operators and Account Operators groups
would let every IT employee manage all users and servers throughout the domain.
This is not what is required: they should only be able to manage resources at their
own location.
E: Delegating the appropriate level of control to each of the IT employees, one at a
time, is very inefficient. You should assign permissions to groups instead.
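The per-location group and delegation pattern from the explanation, as an added example that is not part of the original exam material. It creates one global group per geographic OU, delegates full control over that OU (and only that OU) to the group, and then checks that none of the IT employees also sit in the domain-wide groups that the wrong answers would have used. The location OU names, the NetBIOS name CERTKILLER and the group naming convention <Location>-OUAdmins are assumptions; the script also assumes the location OUs already exist and that the group members are user accounts.

```powershell
# Added example; not from the exam material. Assumed: top-level OUs named after
# the locations below, NetBIOS domain CERTKILLER, groups named <Location>-OUAdmins.
$domainDn  = "DC=certkiller,DC=com"
$locations = @("Chicago", "Dallas", "LosAngeles", "NewYork", "Miami", "Toronto")

function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    $out = & $Exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed:`n$out" }
    $out
}

# Steps 1 and 3: one global group per geographic OU, and control of that OU
# delegated to it. /I:T = the OU itself and everything below it.
foreach ($loc in $locations) {
    $ouDn    = "OU=$loc,$domainDn"
    $groupDn = "CN=${loc}-OUAdmins,$ouDn"        # keep the group inside the OU it manages
    Invoke-Tool dsadd.exe  @("group", $groupDn, "-secgrp", "yes", "-scope", "g")
    Invoke-Tool dsacls.exe @($ouDn, "/I:T", "/G", "CERTKILLER\${loc}-OUAdmins:GA")
}
# Step 2: adding the 25 IT employees of a location is then one dsmod call, e.g.
#   dsmod group "CN=Dallas-OUAdmins,OU=Dallas,DC=certkiller,DC=com" -addmbr <user DN> ...

# Least-privilege check: no member of a location group may also be in a group
# whose scope is the whole domain (wrong answers C and D).
$domainWide = @("Domain Admins", "Account Operators", "Server Operators", "Administrators")
foreach ($loc in $locations) {
    $groupDn = "CN=${loc}-OUAdmins,OU=$loc,$domainDn"
    $members = Invoke-Tool dsget.exe @("group", $groupDn, "-members", "-expand")
    foreach ($line in $members) {
        $memberDn = "$line".Trim().Trim('"')
        if (-not $memberDn) { continue }
        $memberOf = Invoke-Tool dsget.exe @("user", $memberDn, "-memberof", "-expand")
        foreach ($g in $domainWide) {
            if ($memberOf -match "^`"?CN=$g,") { Write-Warning "$memberDn ($loc) is also in $g" }
        }
    }
}
```

A warning from the second loop means that the location boundary the CIO asked for is already being bypassed through a domain-wide group, regardless of how carefully the OU delegation was set up.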

QUESTION 72:

SIMULATION

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two trees with a
single domain each. These two domains are named Certkiller .com and testlabs.com.
The functional level of the forest is set at Windows 2000 mixed.
Certkiller .com is planning to upgrade or replace all Windows 2000 Server
computers with Windows Server 2003 within the next two months, and the
Certkiller .com domain will have to be renamed within the next three months.
Certkiller .com has a sister company named TestLabs.com that runs a UNIX-based
network using Kerberos version 5. You are required to allow TestLabs.com users
access to resources in the Certkiller .com domain within the next week. TestLabs.com
users should not be allowed access to any other domain or tree in the Certkiller .com
forest.
You need to prepare to rename the Certkiller .com domain, while ensuring that
interoperability between Certkiller .com and testlabs.com is maintained. Your
strategy should also maintain interoperability between Certkiller .com and the other
tree in Certkiller .com's forest.
What should you do? To answer, configure the options that are required before you
can rename the Certkiller .com domain.

Answer:
Open Administrative Tools by clicking Start, Programs, and then Administrative Tools;
or Start, Control Panel, and then Administrative Tools.

In Administrative Tools, open Active Directory Domains and Trusts to open the Active
Directory Domains and Trusts console.

In the Active Directory Domains and Trusts console, right-click the Certkiller .com
domain and select Raise Domain Functional Level from the context menu.

Select Windows Server 2003 from the drop down list and click Raise.

When the message stating that raising the domain level is irreversible is displayed, click
OK.

When the message stating that the functional level was raised successfully is displayed,
click OK.

Back in the Active Directory Domains and Trusts console, right-click the Certkiller .com
domain and select Properties from the context menu to open the Certkiller .com Properties
dialog box.

On the Certkiller .com Properties dialog box, select the Trusts tab. Then click the New
Trust button to open the New Trust Wizard.

On the Welcome to the New Trust Wizard page, click Next.

On the Trust Name page, enter testlabs.com in the Name text box and click Next.

On the Trust Type page, select the Realm trust radio button and click Next.

On the Transitivity of Trust page, select the Nontransitive radio button and click Next.

On the Direction of Trust page, select the One-way: outgoing radio button and click
Next.

On the Trust Password page, enter a password that is at least eight characters long and
contains uppercase characters, lowercase characters, numbers and special characters in
the Trust password text box and the Confirm trust password text box. Then click Next.

On the Trust Selections Complete page, review the settings and click Next.

Then on the Completing the New Trust Wizard page, click Finish.

Finally, on the Certkiller .com Properties dialog box, click OK.

Explanation:
To rename a domain, the forest functional level must be Windows Server 2003. Before
the forest level can be raised, every domain in the forest must contain only Windows
Server 2003 domain controllers and must itself be at the Windows Server 2003 domain
functional level. Raising the forest level now would cut off any Windows 2000 domain
controllers that remain in the other tree of the Certkiller .com forest, so the step to
take at this point is to raise the domain functional level of Certkiller .com alone;
that affects only Certkiller .com's own domain controllers and leaves the other tree's
Windows 2000 domain controllers working.
Nontransitive means that the trust relationship does not extend beyond the two
parties. You should therefore set up a nontransitive, one-way outgoing realm trust
from Certkiller .com to testlabs.com: Certkiller .com trusts the realm, so testlabs.com
users can access resources in the Certkiller .com domain, while the trust does not
extend to the other tree in the forest.

QUESTION 73:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. The functional level of the forest is set
at Windows Server 2003.
You are a member of the Enterprise Admins group. Certkiller .com is planning joint
ventures with four other companies in the coming year. You will be required to
establish trust relationships with Kerberos realms, as well as with Active Directory
domains and forests implemented by the other companies.
Which type of trust can you not create using the netdom utility?

A. A realm trust.
B. A shortcut trust.
C. A forest trust.
D. An external trust.

Answer: C

Explanation: You cannot use the netdom utility, which is also known as the
Windows Domain Manager, to create a forest trust. You have to use the Active
Directory Domains and Trusts console to create a forest trust.
Incorrect Answers:
A, B, D: You are able to use the netdom utility to create these three types of trusts.
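The trust from question 72 created with netdom instead of the New Trust Wizard, together with the functional-level check that the domain rename depends on; this is an added example covering questions 72 and 73 and is not part of the original exam material. The domain and realm names come from question 72; the trust password is whatever you type at the prompt. netdom.exe is part of the Windows Server 2003 Support Tools.

```powershell
# Added example; not from the exam material. Names from question 72; the trust
# password is entered at the prompt and must match the one set on the UNIX KDC.
$trusting = "certkiller.com"   # Windows domain whose resources are being shared
$trusted  = "testlabs.com"     # UNIX Kerberos v5 realm whose principals get access

function Get-FunctionalLevel {
    # msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
    # 2 = Windows Server 2003. The domain rename tool needs 2 on the forest.
    $root   = [ADSI]"LDAP://RootDSE"
    $domain = [ADSI]("LDAP://" + $root.Properties["defaultNamingContext"].Value)
    $forest = [ADSI]("LDAP://CN=Partitions," + $root.Properties["configurationNamingContext"].Value)
    New-Object PSObject -Property @{
        DomainLevel = [int]$domain.Properties["msDS-Behavior-Version"].Value
        ForestLevel = [int]$forest.Properties["msDS-Behavior-Version"].Value
    }
}

$level = Get-FunctionalLevel
if ($level.ForestLevel -lt 2) {
    Write-Warning "Forest level is $($level.ForestLevel); the rename needs Windows Server 2003 (2). Every domain must be raised first; this one is at $($level.DomainLevel)."
}

# Realm trust, one-way outgoing from certkiller.com, nontransitive:
#   netdom trust <trusting domain> /Domain:<trusted domain or realm> ...
# /Add /Realm     creates a trust to a non-Windows Kerberos realm
# /PasswordT      the shared trust password also configured on the KDC
# /Transitive:no  keeps the trust from extending to the other tree in the forest
# (no /TwoWay, so certkiller.com users get nothing in testlabs.com)
$trustPw = Read-Host "Trust password (the same one entered on the testlabs.com KDC)"
netdom trust $trusting /Domain:$trusted /Add /Realm "/PasswordT:$trustPw" /Transitive:no
if ($LASTEXITCODE -ne 0) { throw "netdom could not create the realm trust" }

# Verify the trust from the trusting side.
netdom trust $trusting /Domain:$trusted /Verify

# Shortcut and external trusts are created the same way without /Realm (question 73).
# A forest trust is the one kind netdom does not create; use the New Trust Wizard.
```

Run the functional-level check again after the last Windows 2000 domain controller has been retired; only when both values are 2 can the rename itself go ahead.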

QUESTION 74:

SIMULATION
You work as the enterprise administrator at Certkiller .com. Certkiller .com has
recently launched a new Active Directory application named ckapp2, which will
replace the old Active Directory application named ckapp.
You need to ensure that the following requirements are met:
1. The Active Directory class for ckapp2 must be ready for use.
2. The Active Directory class for ckapp must no longer be used.
3. The ckapp2 attribute must be easily searchable and added to the global catalog.
4. A member of the IT Admin group named Rory Allen has to manage any issues
with any attributes.
What should you do? To answer, configure the appropriate options to meet these
requirements in the simulation.

Answer:
Click on the Start button and then on Run.

In the Run dialog box, enter regsvr32 schmmgmt.dll in the Open: text box and click OK.

When the message stating DllRegisterServer in schmmgmt.dll succeeded is displayed,
click OK.

Click on the Start button and then on Run again.

This time, enter mmc in the Open: text box of the Run dialog box, and click OK to open
the Microsoft Management Console.

In the Microsoft Management Console, click File on the Menu bar and then Add/Remove
Snap-in on the drop down menu.

On the Standalone tab of the Add/Remove Snap-in dialog box, click Add to open the Add
Standalone Snap-in dialog box.

In the Add Standalone Snap-in dialog box, select the Active Directory Schema and then
click Add.

Then click Close.

Back in the Add/Remove Snap-in dialog box, click OK.

Expand the Active Directory Schema node and then the Classes node.

Scroll down to and right-click ckapp2. Then select Properties from the context menu to
open the ckapp2 Properties dialog box.

In the ckapp2 Properties dialog box, select the Class is active check box and click OK.

Now right-click ckapp and select Properties from the context menu to open the ckapp
Properties dialog box.

In the ckapp Properties dialog box, clear the Class is active check box.

When the message stating that you will not be able to make changes to the ckapp
schema once it's made defunct appears, click Yes.

Back in the ckapp Properties dialog box, click OK.

In the left-hand pane of the Active Directory Schema console, click on Attributes.

In the right-hand pane on the Active Directory Schema, scroll down to and right-click
ckapp2Attribute. Then select Properties from the context menu to open the
ckapp2Attribute Properties dialog box.

In the ckapp2Attribute Properties dialog box, select the Index this attribute in the Active
Directory check box and the Replicate this attribute to the Global Catalog check box.
Also make sure that the Index this Attribute for containerized searches in Active
Directory check box is selected. Then click OK.

Now close the Active Directory Schema console.

Next, open Administrative Tools by clicking Start, Programs, and then Administrative
Tools; or Start, Control Panel, and then Administrative Tools.

In Administrative Tools, click Active Directory Users and Computers to open the Active
Directory Users and Computers console.

In the Active Directory Users and Computers console, expand the Certkiller .com node and
click the Users node.

In the right-hand pane of the Active Directory Users and Computers console, scroll down
and right-click the Rory Allen user account. Then click Properties on the context menu to
open the Rory Allen Properties dialog box.

On the Rory Allen Properties dialog box, click on the Member Of tab, and then click
Add.

On the Select Groups dialog box, click Advanced.

Then click Find Now.

Scroll down to and select Schema Admins then click OK.

Click OK again to close the Select Groups dialog box.

Then click OK to close the Rory Allen Properties dialog box.

Explanation: The scenario requires that you deactivate the ckapp class and activate
the ckapp2 class. Activating and deactivating schema classes is done in the Active
Directory Schema snap-in, which is not available until schmmgmt.dll has been
registered. Clearing the "Class is active" check box in the properties of ckapp
deactivates the ckapp class in Active Directory; selecting the "Class is active" check
box in the properties of ckapp2 activates the ckapp2 class. Selecting the "Index this
attribute in the Active Directory" check box makes the attribute searchable in Active
Directory, and selecting the "Replicate this attribute to the Global Catalog" check
box makes the attribute part of the global catalog. To allow Rory Allen to manage any
future issues with the ckapp2 application, he has to be added to the Schema Admins
group, because only members of this group can edit and manage the schema.
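The same schema changes performed against the schema master with ADSI instead of clicking through the snap-in, as an added example that is not part of the original exam material. It assumes the schema objects have CN=ckapp, CN=ckapp2 and CN=ckapp2Attribute (the question does not give their lDAPDisplayName, so the CN is assumed to match), that Rory Allen is CN=Rory Allen,CN=Users,DC=certkiller,DC=com, and that the account running it is already a member of Schema Admins.

```powershell
# Added example; not from the exam material. Assumed: CN=ckapp, CN=ckapp2 and
# CN=ckapp2Attribute in the schema; Rory Allen is CN=Rory Allen,CN=Users,DC=certkiller,DC=com;
# the caller is already in Schema Admins.

# The snap-in is only needed for the GUI, but register it so the console works later.
regsvr32.exe /s schmmgmt.dll

# Schema writes are accepted only by the schema master: resolve it from
# fSMORoleOwner on the schema container and bind to that DC explicitly.
$root     = [ADSI]"LDAP://RootDSE"
$schemaNc = $root.Properties["schemaNamingContext"].Value
$ntdsDn   = ([ADSI]"LDAP://$schemaNc").Properties["fSMORoleOwner"].Value   # CN=NTDS Settings,CN=<dc>,...
$serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
$master   = ([ADSI]"LDAP://$serverDn").Properties["dNSHostName"].Value

function Get-SchemaObject([string]$Cn) { [ADSI]"LDAP://$master/CN=$Cn,$schemaNc" }

function Set-ClassActive([string]$Cn, [bool]$Active) {
    $cls = Get-SchemaObject $Cn
    # Category 1 (base) schema objects carry systemFlags bit 0x10 and cannot be
    # made defunct; that is the rule behind question 77 below.
    $flags = [int]$cls.Properties["systemFlags"].Value
    if (-not $Active -and ($flags -band 0x10)) { throw "$Cn is a base schema object and cannot be deactivated" }
    $cls.Put("isDefunct", (-not $Active))     # "Class is active" ticked = isDefunct FALSE
    $cls.SetInfo()
}

Set-ClassActive "ckapp2" $true    # ready for use
Set-ClassActive "ckapp"  $false   # no longer used

# Attribute: searchFlags bit 1 = index, bit 2 = containerized index;
# isMemberOfPartialAttributeSet TRUE = replicate it to the global catalog.
$attr  = Get-SchemaObject "ckapp2Attribute"
$flags = [int]$attr.Properties["searchFlags"].Value
$attr.Put("searchFlags", ($flags -bor 1 -bor 2))
$attr.Put("isMemberOfPartialAttributeSet", $true)
$attr.SetInfo()

# Make the change visible now instead of waiting for the schema cache to reload.
$masterRoot = [ADSI]"LDAP://$master/RootDSE"
$masterRoot.Put("schemaUpdateNow", 1)
$masterRoot.SetInfo()

# Schema Admins exists only in the forest root domain; this is all Rory Allen needs.
dsmod.exe group "CN=Schema Admins,CN=Users,DC=certkiller,DC=com" -addmbr "CN=Rory Allen,CN=Users,DC=certkiller,DC=com"
```

Membership in Schema Admins is forest-wide write access to the schema, so in practice the group is kept empty and an account is added only for the duration of a schema change and removed afterwards.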

QUESTION 75:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains a domain named
Certkiller .com and a child domain named us. Certkiller .com. The Certkiller .com and
us. Certkiller .com domains are running in native mode. All domain controllers on the
Certkiller .com network run Windows 2000 Server.
You are planning to upgrade a domain controller in the us. Certkiller .com domain
from Windows 2000 Server to Windows Server 2003. Before you can commence
with the upgrade, you require an administrator of the Certkiller .com domain to
prepare the forest for the upgrade.
The Certkiller .com domain administrator needs to ensure that he is able to
successfully run the "adprep /forestprep" command.
What should the Certkiller .com domain administrator do?

A. Ensure that the schema master is online.
B. Ensure that the infrastructure master is online.
C. Ensure that the PDC emulator is online.
D. Ensure that the global catalog server is online.

Answer: A

Explanation: Because the "adprep /forestprep" command makes changes to the schema
of the Active Directory forest, the schema master has to be online for the command
to execute successfully. The Certkiller .com administrator must also ensure that the
schema partition is enabled for updates on the schema master.
Incorrect Answers:
B: The infrastructure master ensures that group memberships are updated properly when
a user account is moved from one domain to another domain in the same forest. The "
adprep /forestprep" command does not move any user accounts from one domain to
another.
C: All updates to GPOs defined in a domain are made on the PDC emulator and then
replicated to other domain controllers in the domain. The "adprep /forestprep" command
does not update any GPOs.
D: The global catalog does not need to be online to successfully run the "adprep
/forestprep" command. The changes made to the schema will be replicated to the global
catalog server or any domain controller as soon as it comes back online.

QUESTION 76:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains a domain named
Certkiller .com and a child domain named us. Certkiller .com. The Certkiller .com and
us. Certkiller .com domains are running in native mode. All domain controllers on the
Certkiller .com network run Windows 2000 Server.
You are planning to upgrade a domain controller in the us. Certkiller .com domain
from Windows 2000 Server to Windows Server 2003. Before you can commence
with the upgrade, you require an administrator for the Certkiller .com domain to
prepare the forest for the upgrade.
The Certkiller .com domain administrator needs to ensure that he is able to
successfully run the "adprep /forestprep" command.
What group/groups should the Certkiller .com domain administrator be a member of?

A. The Certkiller .com domain administrator's user account should be a member of only the
Schema Admins group.
B. The Certkiller .com domain administrator's user account should be a member of both the
Domain Admins group in the us. Certkiller .com domain and the Enterprise Admins group.
C. The Certkiller .com domain administrator's user account should be a member of both the
Enterprise Admins group and the Schema Admins group.
D. The Certkiller .com domain administrator's user account should be a member of only the
Enterprise Admins group.

Answer: C

Explanation: The Enterprise Admins group and the Schema Admins group are
defined only in the forest root domain. The groups are universal groups when the
forest root level is running in native mode. The account used to run the "adprep
/forestprep" command must be a member of the Schema Admins group because the
"adprep /forestprep" command makes changes to the schema of an Active
Directory forest. The account should also be a member of the Enterprise Admins
group because the "adprep /forestprep" command adds objects to the Active
Directory database. Therefore, A and D are incorrect.
Incorrect Answers:
B: An account that is a member of the Enterprise Admins group does not also have to be
a member of the Domain Admins group of a domain to add objects to the domain
partition of Active Directory. By default, members of the Enterprise Admins group have
administrative privileges in each domain in the forest.
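A pre-flight check for adprep /forestprep that covers what questions 75 and 76 ask for: the schema master is located and answering, and the account that will run the command is in both Schema Admins and Enterprise Admins. This is an added example, not part of the original exam material; it assumes it is run in the forest root domain (Certkiller .com) with the dsquery and dsget tools available.

```powershell
# Added example; not from the exam material. Run in the forest root domain;
# needs dsquery.exe and dsget.exe (Windows Server 2003 directory tools).
function Test-ForestPrepReady {
    param([string]$Account = $env:USERNAME)
    $problems = @()

    # Question 75: adprep /forestprep writes to the schema, so the schema master
    # must be up. Locate the FSMO holder and make sure it answers LDAP.
    $masterRdn = (dsquery server -hasfsmo schema -o rdn | Select-Object -First 1)
    if (-not $masterRdn) { return @("cannot locate the schema master") }
    $master = "$masterRdn".Trim('"')
    try {
        $null = ([ADSI]"LDAP://$master/RootDSE").Properties["currentTime"].Value
    } catch {
        $problems += "schema master $master is not answering LDAP"
    }

    # Question 76: the account must hold both forest-wide roles, which exist only
    # in the forest root domain.
    $userDn = (dsquery user -samid $Account | Select-Object -First 1)
    if (-not $userDn) { return @("account $Account not found in this domain") }
    $userDn = "$userDn".Trim('"')
    $groups = dsget user $userDn -memberof -expand
    foreach ($needed in @("Schema Admins", "Enterprise Admins")) {
        if (-not ($groups -match "^`"?CN=$needed,")) { $problems += "$Account is not in $needed" }
    }

    if ($problems.Count -eq 0) {
        return @("ready: schema master $master online; $Account holds Schema Admins and Enterprise Admins")
    }
    $problems
}

Test-ForestPrepReady
```

Microsoft's adprep documentation additionally requires Domain Admins membership in the forest root domain; adding that name to the list in the loop covers it.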

QUESTION 77:

You work as the systems engineer at Certkiller .com. Certkiller .com has its
headquarters in Chicago and branch offices in Dallas and Miami. These offices are
connected to each other via T1 WAN links.
You are concerned that replication traffic over the WAN links will be excessive. You
believe that several schema objects created during the installation of Active
Directory are not needed by Certkiller .com.
In an attempt to minimize the amount of replication traffic, you open the Active
Directory Schema console to deactivate the unnecessary schema objects. The attempt
fails.
What is the most likely reason?

A. The Schema snap-in has not been registered using the regsvr32 utility.
B. Your user account does not belong to the Schema Admins group.
C. You are not physically sitting in front of the Schema master.
D. Objects that were created during the installation of the schema cannot be deactivated.

Answer: D

Explanation: Objects and attributes that are placed in the schema during the
installation of Active Directory cannot be deactivated, because Active Directory
depends on them to function properly.
Incorrect Answers:
A: This cannot be the reason, because you are already using the Schema management
console.
B: You do have to be a member of the Schema Admins group to manipulate the Active
Directory schema, but in this case the objects cannot be deactivated because they
were installed with Active Directory.
C: The schema can be managed from any domain controller, as long as the schema
master is available.

QUESTION 78:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. The functional level of the domain is set
at Windows Server 2003.
The Certkiller .com network contains three domain controllers named
Certkiller -DC01, Certkiller -DC02, and Certkiller -DC03, which are
configured as shown in the following exhibit:

After discovering that certain user object attributes are being duplicated when the
user object is copied, you deem it necessary to manipulate Certkiller .com's Active
Directory schema. You try to add the Active Directory Schema snap-in into the
MMC console from Certkiller -DC01, but the object is unavailable. You have
received confirmation that your user account belongs to the Schema Admins group
for the Certkiller .com domain.
You need to ensure that you are able to use the Active Directory Schema snap-in.
What should you do?

A. You should add your user account to the Enterprise Admins group.
B. You need to separate the infrastructure master and the global catalog.
C. You need to register the schmmgmt.dll using the regsvr32 utility.
D. You should use Certkiller -DC03 to make the modifications to the schema.

Answer: C

Explanation: You have to register schmmgmt.dll with regsvr32.exe before the Active
Directory Schema snap-in appears in the list of available snap-ins.
Incorrect Answers:
A: Membership in the Enterprise Admins group does not by itself let you manipulate
the schema.
B: Separating the infrastructure master from the global catalog has no bearing on
access to the Active Directory Schema snap-in.
D: Schema management can be performed from any domain controller, as long as the
schema master is available.

QUESTION 79:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com acquires a subsidiary company named Lightsource.
All servers on the Lightsource network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional. Lightsource partners and clients have been using e-mail addresses in
the following format to communicate with Lightsource staff:
alias@lightsource.com
A new Certkiller .com naming policy requires that all employees log on using their
e-mail addresses.
You need to include Lightsource's network users into Certkiller .com's existing
network with minimal administrative effort, while allowing them to keep their
existing e-mail addresses. The solution that you choose should use as little
administrative effort as possible for future network management procedures.
You need to ensure that you provide a solution that meets all of these requirements.
What should you do?

A. Create user accounts for the new users in the existing domain.
B. Create a new tree-root domain named lightsource.com.
C. Assign user logon names in the format alias@lightsource.com for all users.
D. Create user accounts for the new users in the root domain of the new Active Directory
forest named lightsource.com.
E. Create a new Active Directory forest named lightsource.com.
F. Create user accounts for the new users in the new tree-root domain named
lightsource.com.
G. Specify an alternative user principal name (UPN) suffix of lightsource.com for all
users.

Answer: A, G

Explanation: To include the new users in Certkiller .com's network with the least
amount of administrative effort, you should create their accounts in the existing
domain. To log on to a domain, a user can specify his or her UPN, which is the
user's logon name, the @ character and a UPN suffix concatenated. By default, a
user can log on with a UPN whose suffix is the DNS name of the user's domain. If a
forest contains multiple domains, any of those domain names can be assigned as UPN
suffixes to user accounts in the forest. In addition, an administrator can use
Active Directory Domains and Trusts to add alternative UPN suffixes, which then
appear as choices in the drop-down list on the Account tab of the Properties sheet
of every user object in the forest.
Incorrect Answers:
B, D, E, F: Creating and maintaining multiple domains or forests normally uses more
administrative effort than maintaining a single domain.
C: You should not assign logon names in the format alias@lightsource.com because
users with such logon names would not be able to log on. When the @ character is typed
in the User name text box of the Log on to Windows screen, the text is interpreted as a
UPN rather than a user logon name: the Log on to drop-down list box is disabled, because
the characters that follow the @ sign are assumed to be a UPN suffix, and a UPN suffix
can itself be used to route the logon to the appropriate domain. The portion of the text
preceding the @ sign would be interpreted as a user logon name. However, no such logon
name or UPN suffix named lightsource.com would exist.

QUESTION 80:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com that is
divided into two sites named Certkiller -north.com and Certkiller -south.com.
You have received reports from the administrator in the Certkiller -south.com site,
who says that Active Directory data is not being replicated from the Certkiller -north.com
site. You suspect that the problem is being caused by a replication linkage
failure at the Certkiller -north.com site. You have also verified that replication within
each site is successful.
You need to ensure that the proper steps to troubleshoot the replication problem
are used.
What should you do? To answer, select the required troubleshooting steps and place
them in the correct order in the work area.

Answer:

Explanation:
You should first execute the repadmin command to determine which domain controllers
are failing during replication. Once the link failure has been determined, you should use
the dcdiag command to determine if the failed domain controller is registered in DNS. If
it is not, then you should ensure that DNS is configured to accept dynamic updates.
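The first step above, picking the failing replication partners out of repadmin output, is tedious to do by eye on a domain controller with many partners. The following Python script is an added example; it is not part of the original question set and not a Microsoft tool. It parses a constructed sample modelled on the layout of `repadmin /showrepl` output (site names, host names, GUIDs and timestamps are placeholders) and lists each source DC whose inbound link is failing, together with the naming context and result code, so that the dcdiag and DNS checks that follow can be aimed at the right server. The output layout is assumed from the sample; adjust the regular expressions if your repadmin version prints the fields differently.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the layout of "repadmin /showrepl" output.
# Site names, host names, GUIDs and timestamps are placeholders, not values
# taken from any real forest.
SAMPLE_SHOWREPL = """\
Certkiller-north\\CERTKILLER-DC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationID: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ======================================

DC=Certkiller,DC=com
    Certkiller-north\\CERTKILLER-DC02 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ 2007-10-10 09:15:02 was successful.
    Certkiller-south\\CERTKILLER-DC03 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000004
        Last attempt @ 2007-10-10 09:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        12 consecutive failure(s).
        Last success @ 2007-10-08 21:00:11.

CN=Configuration,DC=Certkiller,DC=com
    Certkiller-south\\CERTKILLER-DC03 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000004
        Last attempt @ 2007-10-10 09:15:02 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        12 consecutive failure(s).
        Last success @ 2007-10-08 21:00:11.
"""


@dataclass
class Neighbor:
    naming_context: str
    site: str
    server: str
    transport: str
    status: str = "unknown"            # "ok" or "failed"
    result_code: Optional[int] = None
    consecutive_failures: int = 0
    last_success: Optional[str] = None


TIMESTAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
PARTNER_RE = re.compile(r"^ {4}(\S+)\\(\S+) via (\S+)\s*$")   # exactly 4 spaces: partner line
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ " + TIMESTAMP + r" (was successful|failed, result (\d+))")
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)")
SUCCESS_RE = re.compile(r"^\s+Last success @ " + TIMESTAMP)


def parse_showrepl(text: str) -> List[Neighbor]:
    """Parse the INBOUND NEIGHBORS section into one Neighbor per (naming context, partner)."""
    neighbors: List[Neighbor] = []
    context = ""
    current: Optional[Neighbor] = None
    in_inbound = False
    for line in text.splitlines():
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if not in_inbound or not line.strip():
            continue
        if not line[0].isspace():          # unindented line: naming context header
            context = line.strip()
            continue
        m = PARTNER_RE.match(line)
        if m:
            current = Neighbor(context, m.group(1), m.group(2), m.group(3))
            neighbors.append(current)
            continue
        if current is None:
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            if m.group(2) == "was successful":
                current.status, current.last_success = "ok", m.group(1)
            else:
                current.status, current.result_code = "failed", int(m.group(3))
            continue
        m = FAILURES_RE.match(line)
        if m:
            current.consecutive_failures = int(m.group(1))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            current.last_success = m.group(1)
    return neighbors


def failing_partners(neighbors: List[Neighbor]) -> Dict[str, List[Tuple[str, int]]]:
    """Source DCs with at least one failing inbound link -> [(naming context, result code)]."""
    failing: Dict[str, List[Tuple[str, int]]] = {}
    for n in neighbors:
        if n.status == "failed":
            failing.setdefault(n.server, []).append((n.naming_context, n.result_code))
    return failing


if __name__ == "__main__":
    for server, links in failing_partners(parse_showrepl(SAMPLE_SHOWREPL)).items():
        for context, code in links:
            print(f"{server}: {context} failing with result {code}")
```

In the sample, result 1722 (RPC server unavailable) and 8524 (DNS lookup failure) both point at CERTKILLER-DC03, which is exactly the server to run dcdiag against and to check for a missing DNS registration, as the explanation describes.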

QUESTION 81:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
The Certkiller .com network contains two Windows Server 2003 domain controllers
named Certkiller -DC01 and Certkiller -DC02. Certkiller -DC02 is
temporarily being used by the Marketing department as an application server.
An application on Certkiller -DC02 either responds slowly or stops completely
during replication. This results in slow replication occurring. You have a suspicion
that the CPU on Certkiller -DC02 is being overused during replication.
You need to verify if this is the problem.
What should you do?

A. Run the dcdiag command.
B. Use the Performance Monitor tool.
C. Run the repadmin command.
D. Use the Replication Monitor tool.

Answer: B

Explanation: The Performance Monitor tool allows you to measure the properties of
performance counter objects. You can measure CPU utilization on the domain
controller that hosts the application.
Incorrect Answers:
A: The dcdiag command is used to determine whether domain controllers are registered
in DNS.
C: The repadmin command is used to display linkage failures for domain controller
replication partners.
D: You cannot measure CPU utilization with this tool. It allows you to determine
operations master roles and force replication between two domain controllers.

QUESTION 82:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
The Certkiller .com network contains two Windows Server 2003 domain controllers
named Certkiller -DC01 and Certkiller -DC02. Certkiller -DC01 is located on
the first floor of the office building and Certkiller -DC02 is located on the second
floor.
When Certkiller -DC02 experiences a hard drive failure, you take it offline for two
days to replace it. When you bring it back online, you notice a replication
problem between Certkiller -DC01 and Certkiller -DC02. You view the
Directory Service event log and find an Access Denied message that originates from
the Knowledge Consistency Checker (KCC).
You need to troubleshoot the problem.
What should you do?

A. You need to verify that Certkiller -DC01 and Certkiller -DC02 are properly
connected to each other.
B. You need to verify that Certkiller -DC01 and Certkiller -DC02 are registered in
DNS.
C. You need to verify that the account passwords on Certkiller -DC01 and
Certkiller -DC02 are the same.
D. You need to verify that the replication configuration Certkiller -DC01 and
Certkiller -DC02 matches the physical topology of the network.

Answer: C

Explanation: Because Certkiller -DC02 was taken offline for two days, it is
possible that the computer account password on Certkiller -DC01 has changed.
Incorrect Answers:
A, B, D: The event message indicates that the source domain controller linked
successfully with the target domain controller, but authentication between the two failed.

QUESTION 83:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com that is
configured as a single site.
The Certkiller .com network contains a domain controller running Windows 2000
server, and a domain controller running Windows Server 2003. These domain
controllers are named Certkiller -DC01 and Certkiller -DC02 respectively. You
are required to troubleshoot Active Directory replication between the two domain
controllers, and suspect that the problem is related to the File Replication service on
one of them. You would like to customize the log files that were created by the File
Replication service so that you are able to troubleshoot the problem better.
To accomplish your goal, you need to change the characteristics of the File
Replication service log files.
What should you do?

A. Configure a site link for Certkiller -DC01 and Certkiller -DC02.
B. Modify the registry settings on Certkiller -DC01 and Certkiller -DC02.
C. Run the NTFRSUTL tool on Certkiller -DC01 and Certkiller -DC02.
D. In Event Viewer, configure the columns to be viewed.

Answer: B

Explanation: The registry key to configure is
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NtFrs\Parameters.
Within this key, you can specify the number of log files that can be created, log
severity, and the maximum number of log messages.
Incorrect Answers:
A: A site link is not necessary because the problem is intra-site replication.
C: This tool does not allow configuration of the File Replication service log files.
D: The columns that you can view with Event Viewer are specific to Event Viewer. They
are not specific to the File Replication service.

QUESTION 84:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com that is
spread over two sites named Certkiller -north.com and Certkiller -south.com.

The Certkiller -north.com site contains a Windows Server 2003 domain controller
named Certkiller -DC01 and the Certkiller -south.com site contains a Windows
Server 2003 domain controller named Certkiller -DC02. You have scheduled
Active Directory replication between Certkiller -DC01 and Certkiller -DC02 to
occur every four hours. During routine monitoring, you notice that the File
Replication service comes to a sudden stop during Active Directory replication.
What is the reason for this?

A. The staging area of the source domain controller has reached its capacity.
B. The replication interval value is currently set too high.
C. The target domain controller has not been registered in DNS.
D. The source domain controller and the target domain controller are located in the same
site.

Answer: A

Explanation: A common cause of the File Replication service suddenly stopping
during replication is that the staging area is full. If data exceeds the default size of
the staging area, the File Replication service may stop. Adding more space to the
staging area will rectify this problem.
Incorrect Answers:
B: The replication interval relates to Active Directory replication, and the File
Replication service is totally independent of Active Directory replication.
C, D: These are not valid reasons for the File Replication service stopping suddenly during
replication.

QUESTION 85:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains a domain controller named Certkiller -DC01,
from which you accidentally deleted an organizational unit (OU) named
CKBranch11 that contains more than a few hundred user accounts and computer
accounts.
This deletion has already been replicated to all the other domain controllers in the
Certkiller .com domain.
You need to ensure that the deleted objects are recovered. You also need to ensure
that their original functionality and level of privileges are fully restored with the
least amount of administrative effort.
What should you do?

A. You have to carry out a non-authoritative restore of Active Directory.
B. You should recreate the CKBranch11 OU and all of its contents.
C. You have to carry out an authoritative restore of Active Directory.
D. You should recreate the CKBranch11 OU, and then move the deleted user and
computer accounts to CKBranch11 from the LostAndFound container.

Answer: C

Explanation: To recover the deleted objects in this scenario, you need to perform an
authoritative restore of Active Directory from a recent backup that had been made
prior to the deletion. You can generally use the most recent of the available backups
of any domain controller in the domain made before you deleted the objects.
However, to avoid any unexpected results, you should consider some additional
circumstances, such as whether any changes were made to Active Directory on any
domain controllers in the domain after deleting the object and whether those
changes were replicated across the domain.
Incorrect Answers:
A: If you performed only a non-authoritative restore, then the tombstones of the deleted
objects that exist on other domain controllers would be considered more recent than the
objects that were restored from the backup. As a result, the tombstones would overwrite
the restored CKBranch11 OU and its contents, and those would be deleted again.
B: If you use this option, the new user and computer accounts would be considered
different from the respective original objects because the new objects would be assigned
new unique security IDs (SIDs). As a result, this option would require more
administrative effort than is necessary.
D: The LostAndFound container is intended for objects that are created in or moved
into a container that has been deleted on another domain controller and whose tombstone
has not been replicated to the domain controller where those objects were created or
moved.

QUESTION 86:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You are in the process of formulating a disaster recovery strategy for the network.
Your proposed strategy involves backing up Active Directory on each domain
controller every Friday evening.
You need to ensure that if a domain controller fails, you are able to restore it from
the most recent backup without the risk of corrupting Active Directory.
What should you do?

A. You have to configure the tombstone lifetime to be 10 days.
B. You have to configure the garbage collection period to be 120 hours.
C. You have to configure the tombstone lifetime to be 5 days.
D. You have to configure the garbage collection period to be 240 hours.

Answer: A

Explanation: If a domain controller fails and you restore it from a backup, that
backup should not be older than the tombstone lifetime because you might
introduce inconsistencies into Active Directory by restoring objects that no longer
exist on other domain controllers. By default, the tombstone lifetime is 60 days.
This is the period of time that deleted Active Directory objects remain in the Active
Directory database. Therefore you should reduce the tombstone lifetime to a value
that still allows sufficient time for replication latency. To maintain the consistency
of Active Directory in this scenario, you have to configure the tombstone lifetime to
be longer than seven days, which is the period of time between consecutive backups.
Incorrect Answers:
B, D: Deleted Active Directory objects are removed from the Active Directory database
by the garbage collection process once the tombstone lifetime has expired. Adjusting the
frequency of the garbage collection process will have no effect on the consistency of the
Active Directory database.
C: To maintain the consistency of Active Directory database in this scenario, you have to
configure the tombstone lifetime to be longer than seven days, which is the period of time
between consecutive backups.

QUESTION 87:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains numerous domains
and sites around the world. The functional level of the forest is set at Windows 2000.
All servers on the Certkiller .com network run Windows Server 2003.
A number of chosen sites have local administrators that are responsible for carrying
out Active Directory management tasks, such as implementing changes to group
memberships in response to requests from IT departments in other sites.
There is frequently a situation where administrators in two different sites make
different changes to the membership of the same group at approximately the same
time. This results in some group membership changes being lost and must then be
implemented again.
You need to ensure that these incidents are either prevented, or that the number of
these incidents is reduced.
What should you do?

A. You need to alter the replication schedules on the links between the sites that regularly
experience conflicts.
B. You need to bridge all site links.
C. You have to decrease the cost of all site links.
D. You have to raise the functional level of the forest to Windows Server 2003.

Answer: D

Explanation:
In Windows 2000, Active Directory replication occurs at the attribute level. Group
memberships are stored in Active Directory as multi-valued attributes. In Windows
2000, the entire list of members of that group will be replicated because an attribute
is the smallest unit of replication. If two administrators in different sites make
changes to the same group at the same time, a replication conflict is created. The
change that is created last will be replicated and the change that was created slightly
earlier will be lost. To eliminate these conflicts, you need to raise the functional level
of the forest to Windows Server 2003. One of the enhancements in Windows Server
2003 is linked value replication, which is the ability to replicate individual values of
multi-valued attributes. Therefore, if administrators in two different sites make
different changes to the membership of the same group at approximately the same
time, no replication conflicts will occur because only the changed values of the same
multi-valued attribute will be replicated.
Incorrect Answers:
A: Replication conflicts are inherent to multi-master replication and are not generally
dependent on specific replication schedules.
B: Bridging is enabled by default and is irrelevant to the problem in this scenario.
C: Site link costs are relative values that are used to order site links by preference,
therefore, reducing or increasing the cost of all site links by the same value would make
no difference.
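The difference between attribute-level replication and linked value replication is easiest to see in a small model. The Python below is an added example, not code from the question set or from Microsoft: it replays the scenario in the explanation (two administrators editing the same group at about the same time, then replicating both ways) once with a single stamp on the whole `member` attribute, as in a Windows 2000 forest, and once with a stamp per member link, as at the Windows Server 2003 forest functional level. The stamp is simplified to (version, originating time); real Active Directory also carries the originating DSA's invocation ID as a final tie-breaker. Server names and member names are constructed.

```python
import copy
from dataclasses import dataclass


@dataclass(order=True, frozen=True)
class Stamp:
    """Simplified replication stamp: (version, originating time). The higher stamp
    wins a conflict. Real AD adds the originating DSA invocation ID as a tie-breaker."""
    version: int
    time: int


class AttributeLevelDC:
    """Windows 2000 forest functional level: the whole 'member' attribute is one
    replicated unit with a single stamp, so concurrent edits conflict as a whole."""

    def __init__(self, name, members, stamp):
        self.name = name
        self.members = set(members)
        self.stamp = stamp

    def modify(self, add=(), remove=(), now=0):
        self.members = (self.members | set(add)) - set(remove)
        self.stamp = Stamp(self.stamp.version + 1, now)   # one new stamp for the whole list

    def receive(self, other):
        if other.stamp > self.stamp:        # the later write wins; the earlier list is discarded
            self.members = set(other.members)
            self.stamp = other.stamp


class LinkedValueDC:
    """Windows Server 2003 forest functional level: linked value replication gives
    each member link its own stamp, so edits to different links merge instead of conflicting."""

    def __init__(self, name, members, stamp):
        self.name = name
        self.links = {m: (True, stamp) for m in members}   # member -> (present?, stamp)

    def _bump(self, member, present, now):
        old = self.links.get(member, (False, Stamp(0, 0)))[1]
        self.links[member] = (present, Stamp(old.version + 1, now))

    def modify(self, add=(), remove=(), now=0):
        for m in add:
            self._bump(m, True, now)
        for m in remove:
            self._bump(m, False, now)       # a removal keeps a tombstoned link with a new stamp

    def receive(self, other):
        for m, (present, stamp) in other.links.items():
            mine = self.links.get(m)
            if mine is None or stamp > mine[1]:
                self.links[m] = (present, stamp)

    @property
    def members(self):
        return {m for m, (present, _) in self.links.items() if present}


def simulate(dc_class):
    """Two sites edit the same group at about the same time, then replicate both ways.
    Returns the converged membership as a sorted list."""
    initial = Stamp(1, 0)
    north = dc_class("CERTKILLER-DC01", ["alice", "bob"], initial)
    south = dc_class("CERTKILLER-DC02", ["alice", "bob"], initial)
    north.modify(add=["carol"], now=10)       # administrator in the north site adds carol
    south.modify(remove=["bob"], now=11)      # administrator in the south site removes bob just after
    north_copy, south_copy = copy.deepcopy(north), copy.deepcopy(south)
    north.receive(south_copy)                 # simultaneous exchange: each side receives the
    south.receive(north_copy)                 # other's pre-replication state
    assert north.members == south.members, "replication must converge"
    return sorted(north.members)


if __name__ == "__main__":
    print("attribute-level (Windows 2000):", simulate(AttributeLevelDC))
    print("linked-value (Windows Server 2003):", simulate(LinkedValueDC))
```

With attribute-level replication the later write (the removal of bob) wins and carol's addition is silently lost, which is the reported symptom; with linked value replication both changes survive because each link is reconciled on its own stamp.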

QUESTION 88:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com domain is spread over two offices located in Chicago and Dallas.
The Chicago office contains a domain controller named Certkiller -DC01 and the
Dallas office contains a domain controller named Certkiller -DC02. You schedule
replication between the sites for once a day after business hours, and Active
Directory is backed up on the two domain controllers nightly.
You create an organizational unit (OU) named Sales on Certkiller -DC01 and
move 50 user accounts into it. You receive a report from an administrator in the
Dallas office the following week, saying that he inadvertently deleted the Sales OU
on Certkiller -DC02. You discover that the deletion took place about a half an
hour after you successfully moved 10 new user accounts into the Sales OU.
You need to ensure that the Sales OU with all its contents, as well as the 10 new user
accounts, are available on Certkiller -DC02 as soon as possible.
What should you advise the administrator in the Dallas office to do? To answer,
choose the appropriate actions and place them in the correct order in the work area.

Answer:

Explanation:
Inter-site replication only occurs once a day after hours. Therefore, at the time that you
moved ten new user accounts into the Sales OU, the deletion had not yet been replicated
from Certkiller -DC02 to Certkiller -DC01. To reverse this deletion and to provide
the Dallas office with the latest changes to the Sales OU, you should advise the
administrator in the Dallas office to first reboot Certkiller -DC02 in Directory Services
Restore Mode (DSRM). In this mode, a domain controller is started as a stand-alone
server and Active Directory is not initialized. Next, the administrator should restore the
System State on Certkiller -DC02 from the latest backup that was made the previous
night. This backup contains the Sales OU as it existed before it was inadvertently deleted.
When the restore is complete, the administrator should reboot Certkiller -DC02
normally. The newer changes to the Sales OU will be replicated at night.

QUESTION 89:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com and a
single Active Directory site named Site1.
Certkiller .com has its headquarters in Chicago and opens a new branch office in
Dallas. You install a domain controller named Certkiller -DC01 in a new domain
in the Chicago office and also install Windows XP Professional on the new client
computers that will be used in the Dallas office. The Dallas office is connected to the
Chicago office via a dedicated WAN link. You then create a new Active Directory
site named Site2.
You need to ensure that Certkiller -DC01 and the new client computers are
configured to belong to Site2 when they are delivered to the Dallas office.
What should you do?

A. Configure a policy that assigns Certkiller -DC01 to Site2 in a GPO linked to the
Domain Controllers organizational unit.
B. Move the server objects for the new client computers to Site2.
C. Create a subnet object in Site2 and assign Certkiller -DC01 an IP address from the
range of that subnet.
D. Move the Certkiller -DC01 server object to Site2.
E. Create a subnet object in Site2 and assign the new client computers IP addresses from
the range of that subnet.
F. Configure a policy that assigns the new client computers to Site2 in a GPO linked to
the new domain.

Answer: D, E

Explanation: To assign a domain controller to a specific Active Directory site, the
server object that represents the domain controller must be moved to the Servers
container in the appropriate site. To move Certkiller -DC01 to Site2 in this
scenario, you should use the Active Directory Sites and Services to move the
Certkiller -DC01 server object to the Servers container that is a child of the Site2
container. Client computers and member servers are not assigned to sites explicitly.
Their site affiliations are determined automatically from the IP addresses assigned
to those computers. In this scenario, you should use Active Directory Sites and
Services to create a new subnet object in Site2 and specify an IP address for that
subnet. When the new client computers are physically connected to the network in
the branch office, you should assign them IP addresses that belong to the new
subnet.
Incorrect Answers:
A, F: Site affiliations cannot be configured in Group Policy objects (GPOs).
B, C, D: Client computers and member servers are not assigned to sites explicitly. Their
site affiliations are determined automatically from the IP addresses assigned to those
computers.

QUESTION 90:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller -north.com and Certkiller -south.com.
Site1 and Site3 host the us. Certkiller .com domain that contains four domain
controllers named Certkiller -DC01, Certkiller -DC02, Certkiller -DC03, and
Certkiller -DC04. Site2 hosts the uk. Certkiller .com domain that contains two
domain controllers named Certkiller -DC05 and Certkiller -DC06. The
Certkiller .com network is not fully routed. The Certkiller .com network configuration
is displayed in the diagram shown below.

When you discover that certain changes to Active Directory do not replicate
between Certkiller A and Certkiller B, you view the event log on Certkiller -DC01.
While viewing the event log, you come across a message that says the Knowledge
Consistency Checker (KCC) is unable to suitably create a replication topology
because it does not have sufficient information.
You need to ensure that replication of all Active Directory changes occurs between
Site1 and Site3.
What should you do?

A. You need to bridge all site links.
B. In Certkiller B, designate a preferred bridgehead server.
C. In each site on the network, designate a preferred bridgehead server.
D. In Certkiller B, install a new domain controller named Certkiller -DC07 for the
Certkiller -south.com domain.

Answer: D

Explanation: An Active Directory domain partition can be replicated only between
domain controllers for the same domain. In the above scenario, all domain
controllers in Certkiller A and Certkiller C belong to the Certkiller -south.com domain,
and all domain controllers in Certkiller B belong to the Certkiller -north.com domain.
You should, therefore, install a domain controller for the Certkiller -south.com
domain in Certkiller B to ensure that replication of all Active Directory changes
occurs between Certkiller A and Certkiller C.

Incorrect Answers:
A: This option would work if the network was fully routed.
B, C: Designating any preferred bridgehead servers is not necessary since the KCC
designates an appropriate domain controller in each site as a bridgehead server for that
site by default.

QUESTION 91:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com domain is spread over three sites named Certkiller A, Certkiller B, and
Certkiller C.
Certkiller A contains only client computers, Certkiller B contains two domain
controllers named Certkiller -DC01 and Certkiller -DC02, and Certkiller C
contains two domain controllers named Certkiller -DC03 and Certkiller -DC04.
The Certkiller .com network is configured as shown in the following diagram.

You need to ensure that users in Certkiller A authenticate to domain controllers
only from Certkiller B.
What should you do?

A. You should decrease the cost of the site link between Certkiller A and Certkiller C to 50.
B. You should move the computer objects for the client computers from Certkiller A to
Certkiller B.
C. You should increase the cost of the site link between Certkiller A and Certkiller B to 150.
D. You need to configure the subnet object that corresponds to the IP address range of
the client computers in Certkiller A to belong to Certkiller B.

Answer: D

Explanation: Client computers in a site where there are no domain controllers will
send user logon requests to the site/sites with the lowest site link cost where domain
controllers are available. To ensure that users in Certkiller A authenticate to domain
controllers only from Certkiller B, you can either reduce the cost of the site link
between Certkiller A and Certkiller B, or configure the client computers in Certkiller A
to belong to Certkiller B. You should use the Active Directory Sites and Services to
reconfigure the subnet object that corresponds to the IP address range of the client
computers in Certkiller A to belong to Certkiller B.
Incorrect Answers:
A, C: These options would cause users in Certkiller A to authenticate to domain
controllers only from Certkiller C.
B: Client computers and member servers are not assigned to sites explicitly. Their site
affiliations are determined automatically from the IP addresses assigned to those
computers.
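Questions 89 and 91 both turn on the same rule: a client's site is derived from the subnet object that contains its IP address, and a client in a site with no domain controllers goes to the directly linked site with the cheapest site link. The Python below is an added example, not part of the question set or of any Microsoft tool; it models that rule on a constructed forest (subnet prefixes, server names, site names and link costs are all made up) and shows how reassigning one subnet object, the fix in question 91, changes where the clients authenticate without touching any client object. The longest-prefix match is the rule the real site lookup applies when subnet objects overlap; the real DC locator additionally uses site-specific DNS SRV records and automatic site coverage, which this model leaves out.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample forest. Subnet objects as they would appear in Active Directory
# Sites and Services, domain controllers placed explicitly through their server
# objects, and site link costs. All names, prefixes and costs are made up.
SUBNET_OBJECTS: Dict[str, str] = {
    "10.1.0.0/16": "CertkillerB",
    "10.2.0.0/16": "CertkillerC",
    "10.3.0.0/24": "CertkillerA",      # the client-only site
}
DC_SITES: Dict[str, str] = {
    "CERTKILLER-DC01": "CertkillerB", "CERTKILLER-DC02": "CertkillerB",
    "CERTKILLER-DC03": "CertkillerC", "CERTKILLER-DC04": "CertkillerC",
}
SITE_LINKS: Dict[frozenset, int] = {
    frozenset({"CertkillerA", "CertkillerB"}): 100,
    frozenset({"CertkillerA", "CertkillerC"}): 100,
}
CLIENTS: Dict[str, str] = {"WS001": "10.3.0.15", "WS002": "10.3.0.77", "WS003": "10.1.4.9"}


def site_for_address(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Site affiliation of a client or member server: the subnet object with the
    longest prefix that contains its address, or None if no subnet object matches."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def client_sites(clients: Dict[str, str], subnets: Dict[str, str]) -> Dict[str, Optional[str]]:
    return {name: site_for_address(ip, subnets) for name, ip in clients.items()}


def reassign_subnet(subnets: Dict[str, str], prefix: str, new_site: str) -> Dict[str, str]:
    """Question 91's fix: change the site of an existing subnet object. Client
    computer objects are not touched; their affiliation follows the subnet."""
    if prefix not in subnets:
        raise KeyError(f"no subnet object for {prefix}")
    return {**subnets, prefix: new_site}


def logon_sites(client_site: str, dcs: Dict[str, str], links: Dict[frozenset, int]) -> List[str]:
    """Sites whose domain controllers a client in client_site will use: its own site
    when it has DCs, otherwise the directly linked site(s) with the lowest site link
    cost. Ties are kept, which is why equal costs leave the client flapping between sites."""
    sites_with_dcs = set(dcs.values())
    if client_site in sites_with_dcs:
        return [client_site]
    best_cost, best = None, []
    for pair, cost in links.items():
        if client_site not in pair:
            continue
        other = next(s for s in pair if s != client_site)
        if other not in sites_with_dcs:
            continue
        if best_cost is None or cost < best_cost:
            best_cost, best = cost, [other]
        elif cost == best_cost:
            best.append(other)
    return sorted(best)


if __name__ == "__main__":
    print("before:", client_sites(CLIENTS, SUBNET_OBJECTS),
          logon_sites("CertkillerA", DC_SITES, SITE_LINKS))
    moved = reassign_subnet(SUBNET_OBJECTS, "10.3.0.0/24", "CertkillerB")
    print("after: ", client_sites(CLIENTS, moved),
          logon_sites("CertkillerB", DC_SITES, SITE_LINKS))
```

Before the change the Certkiller A clients see two equally cheap sites with domain controllers; after the subnet object is moved they belong to Certkiller B and authenticate there, with nothing changed on the clients themselves. The same function also explains question 89: a domain controller is placed by its server object (here the `DC_SITES` table), while a client's site is computed from its address.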

QUESTION 92:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains a domain controller named Certkiller -DC01
that runs DNS Server with the default settings. You recently successfully completed
adding a new domain controller to the Certkiller .com domain, named
Certkiller -DC02, which does not run DNS Server.
While performing routine monitoring a short while later, you discover that
automatic Active Directory replication between Certkiller -DC01 and
Certkiller -DC02 has failed. When you verify connectivity to both domain
controllers from your client computer, named Certkiller -WS007, you are
presented with the information displayed in the following exhibit.

You also find that you are able to ping Certkiller -DC01 from Certkiller -DC02
successfully, but you are unable to ping Certkiller -DC02 from Certkiller -DC01.
You need to ensure that Certkiller -DC01 and Certkiller -DC02 are able to
replicate with each other.
What should you do?

A. You should manually add the host (A) DNS resource record for Certkiller -DC02 to
the DNS zone on Certkiller -DC01.
B. You should manually force DNS name registration on Certkiller -DC02.
C. You should force Active Directory replication between Certkiller -DC01 and
Certkiller -DC02 manually.
D. You need to enlist Certkiller -DC02 in a DNS default application directory partition.

Answer: B

Explanation:
Active Directory relies on DNS as a service locator. For other computers to be able
to locate a domain controller, that domain controller should be registered with DNS.
By default, this happens automatically when a domain controller is being added to a
domain. It seems that in this scenario Certkiller -DC02 is not currently registered
with DNS. Certkiller -DC01 is, therefore unable to locate Certkiller -DC02 and,
as a result, Active Directory replication between them is unsuccessful. To rectify this
problem, you have to ensure that the DNS zone for the domain is configured to
allow dynamic updates and then use the ipconfig /registerdns command on
Certkiller -DC02 to force Certkiller -DC02 to register its name and IP address
with DNS.
Incorrect Answers:
A: This option will allow Certkiller -DC01, as well as other computers to communicate
with Certkiller -DC02. For Active Directory replication to succeed, you would also
have to add the correct SRV resource record.
C: This option will only work if Certkiller -DC02 is properly registered with DNS.
D: You cannot enlist Certkiller -DC02 with any application directory partition because
enlisting is a procedure that is applicable only to Windows Server 2003 DNS servers,
and Certkiller -DC02 is not a DNS server.

QUESTION 93:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com domain is spread over three sites named Certkiller A, Certkiller B, and
Certkiller C.
Certkiller A contains two domain controllers named Certkiller -DC01 and
Certkiller -DC02, Certkiller B contains two domain controllers named
Certkiller -DC03 and Certkiller -DC04, and Certkiller C contains two domain
controllers named Certkiller -DC05 and Certkiller -DC06. The Certkiller .com
network is configured as shown in the following diagram.

The table below shows the schedule for Active Directory replication between the
sites.

You receive complaints from users who say that changes made to Active
Directory in Certkiller A during normal business hours take two days to reach
Certkiller C.
You need to ensure that all the changes made during normal business hours in one
site are available by the following business day in the other sites.
What should you do?

A. You should modify the availability of the site link between Certkiller A and Certkiller B
to 7 P.M. - 1 A.M., and the availability of the site link between Certkiller B and Certkiller C
to 2 A.M. - 6 A.M.
B. You should decrease the cost of the site link between Certkiller A and Certkiller B to 50.
C. You should modify the availability of the site link between Certkiller A and Certkiller B
to 8 P.M. - 2 A.M.
D. You should reconfigure the replication frequency for the site link between Certkiller A
and Certkiller B to be 30 minutes.

Answer: C

Explanation: Active Directory replication between sites can be configured to occur
at specified intervals during specified site link availability windows. In this scenario,
changes that are made in Certkiller A during business hours are replicated to
Certkiller B on the following night, every hour, between 2 A.M. and 6 A.M. Those
changes start being replicated to Certkiller C only after the end of the next business
day, from 7 P.M. to 1 A.M. To ensure that changes made in any site reach all other
sites by the following day, you can change the replication schedule between
Certkiller A and Certkiller B to 8 P.M. - 2 A.M. Both site links will now be available
between 8 P.M. and 2 A.M., therefore, any changes made at any site during normal
business hours will be replicated to all other sites during this period on the same
night.
Incorrect Answers:
A: If you use this option, then changes that are made in Certkiller A would reach
Certkiller B the same night and then reach Certkiller C the following morning.
B: Changing the site link costs would not affect the propagation of Active Directory
changes among the sites in this scenario because the replication topology does not
include alternative paths between the same sites.
D: Replication frequency defines the duration of the interval between consecutive
replication sessions. However, replication over a site link occurs only when the site link
is available.
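A small Python model of the schedule arithmetic in this explanation, added here as an illustration; it is not part of the exam material or of any Microsoft tool. It assumes hourly replication on both links, a change made at 10 A.M., and a business day of 8 A.M. to 6 P.M., and reports when a change made in Certkiller A first reaches Certkiller C under the current schedule and under answer C.

```python
"""Model of Active Directory inter-site replication scheduling (added example).

Each site link is an availability window (hours of the day, allowed to wrap past
midnight) plus a replication interval. Times are hours since midnight of day 0.
Assumptions: hourly replication on both links, a change made at 10 A.M., and a
business day starting at 8 A.M.
"""
import math
from dataclasses import dataclass

BUSINESS_START = 8   # assumed start of the business day (hour of day)


@dataclass(frozen=True)
class SiteLink:
    a: str
    b: str
    start_hour: int            # hour the link becomes available (0-23)
    end_hour: int              # hour availability ends (0-23); may be before start_hour
    interval_hours: float = 1.0

    @property
    def length(self) -> int:
        # 7 P.M. - 1 A.M. is (1 - 19) % 24 == 6 hours; start == end means all day
        return (self.end_hour - self.start_hour) % 24 or 24

    def connects(self, x: str, y: str) -> bool:
        return {x, y} == {self.a, self.b}

    def next_replication(self, t: float) -> float:
        """First replication on this link at or after absolute time t.

        Replication runs at the start of each availability window and every
        `interval_hours` thereafter, but only while the window is still open.
        """
        day = math.floor(t / 24)
        for d in (day - 1, day, day + 1):
            window_start = d * 24 + self.start_hour
            window_end = window_start + self.length
            if window_end <= t:
                continue                  # this occurrence of the window is over
            wait = max(0.0, t - window_start)
            tick = window_start + math.ceil(wait / self.interval_hours) * self.interval_hours
            if tick < window_end:
                return tick
        raise AssertionError("the window recurs daily, so one candidate always matches")


def arrival_times(links, path, change_time):
    """Time the change becomes available at each site along `path`."""
    times = {path[0]: change_time}
    t = change_time
    for src, dst in zip(path, path[1:]):
        link = next(l for l in links if l.connects(src, dst))
        t = link.next_replication(t)
        times[dst] = t
    return times


def available_next_business_day(links, path, change_time):
    """True if the change reaches the last site before business starts the next day."""
    deadline = (math.floor(change_time / 24) + 1) * 24 + BUSINESS_START
    return arrival_times(links, path, change_time)[path[-1]] <= deadline


def fmt(t):
    day, hour = divmod(t, 24)
    return f"day {int(day)} {int(hour):02d}:{int(round((hour % 1) * 60)):02d}"


PATH = ["CertkillerA", "CertkillerB", "CertkillerC"]
# Current schedule from the scenario: A-B 2 A.M. - 6 A.M., B-C 7 P.M. - 1 A.M.
ORIGINAL = [SiteLink("CertkillerA", "CertkillerB", 2, 6),
            SiteLink("CertkillerB", "CertkillerC", 19, 1)]
# Answer C: move the A-B window to 8 P.M. - 2 A.M. so it overlaps the B-C window.
ANSWER_C = [SiteLink("CertkillerA", "CertkillerB", 20, 2),
            SiteLink("CertkillerB", "CertkillerC", 19, 1)]

if __name__ == "__main__":
    for label, links in (("current schedule", ORIGINAL), ("answer C", ANSWER_C)):
        times = arrival_times(links, PATH, 10.0)   # change made at 10 A.M. on day 0
        print(label, {site: fmt(t) for site, t in times.items()},
              "meets requirement:", available_next_business_day(links, PATH, 10.0))
```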

QUESTION 94:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com and a
single Active Directory site named Certkiller A.
Certkiller .com has its headquarters in Chicago and opens a new branch office in
Dallas, which has a domain controller and several client computers installed. The
new domain controller runs Windows Server 2003 and the client computers run
Windows XP Professional. The Dallas office is connected to the Chicago office via a
private WAN link.
You need to ensure that all Active Directory changes made on domain controllers in
the Chicago office will be implemented on the domain controller in the Dallas office
as soon as possible. You also need to ensure that network traffic over the private
WAN link is minimized, and that users in the Dallas office only use their local
domain controller for authentication.
What should you do? (Choose two)

A. Assign the cost of 0 to the local domain controller on each client computer in the
Dallas office.
B. Create a new Active Directory site.
C. Assign the cost of 100 to all other domain controllers on each client computer in the
Dallas office.
D. Configure all computers in the Dallas office to belong to the newly created Active
Directory site and set the replication interval to 0.
E. Assign the cost of 0 to all local client computers on the domain controller in the Dallas
office.
F. Configure all computers in the Dallas office to belong to the newly created Active
Directory site and set the replication interval to 15 minutes.
G. Assign the cost of 100 to all other client computers on the domain controller in the
Dallas office.

Answer: B, F

Explanation: To minimize the replication latency, you might consider maintaining
the entire network as a single Active Directory site because each change to Active
Directory is replicated almost immediately. However, intra-site replication is
optimized in order to minimize latency rather than conserve bandwidth. Also, client
computers can send user authentication requests to any domain controller within
the same site. Therefore, to minimize network traffic over the WAN link and to
ensure that client computers in the Dallas office use only the local domain controller
for authentication, you should create a second Active Directory site for the network
in the Dallas office. To configure the new domain controller to belong to that site,
you should move the server object for that domain controller to the new site
container in Active Directory Sites and Services. Domain members other than domain
controllers are assigned to sites automatically based on their IP addresses. To
configure client computers in the Dallas office to belong to the new site, you should
create an IP subnet object for that site and configure the client computers with IP
addresses from that subnet. To minimize replication latency between the two sites,
you should set the replication interval to the lowest possible value, which is 15
minutes.
Incorrect Answers:
A, C, E, G: Costs are assigned to site links, not domain controllers and client computers.
D: The lowest possible value for the replication interval is 15 minutes, not 0.

QUESTION 95:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com.
Site1 and Site3 host the us. Certkiller .com domain that contains four domain
controllers named Certkiller -DC01, Certkiller -DC02, Certkiller -DC03, and
Certkiller -DC04. Site2 hosts the uk. Certkiller .com domain that contains two
domain controllers named Certkiller -DC05 and Certkiller -DC06. The
Certkiller .com network is fully routed.
The Certkiller .com network configuration is displayed in the diagram shown below.

Users, who frequently travel from Site2 to Site3's offices with their Windows XP
Professional laptop computers, report that when they connect to the network on
Site3, it takes approximately 5 to 10 minutes to log on to their network.

You need to ensure that the time it takes for users to log on to their domain is
minimized. You should also ensure that the solution you choose does not involve
additional expenses and that the availability and reliability of the existing network
services are not reduced.
What should you do?

A. You have to combine Site2 and Site3 into a single Active Directory site.
B. You should increase the cost of the site link between Site2 and Site3 from 200 to 300.
C. You need to move one of the domain controllers from Site2 to Site3.
D. You have to reconfigure one of the domain controllers in Site3 to belong to the
uk. Certkiller .com domain.

Answer: B

Explanation: Users in Site2 belong to the uk. Certkiller .com domain. There are no
domain controllers for this domain in Site3. Therefore, logon requests to the
uk. Certkiller .com domain are routed from Site2 to Site3. When site links form
multiple paths between two sites, logon requests are sent over the path with the
lowest total site link cost. In this case, it is the direct link between Site2 and Site3,
which has a site link cost of 200. The total site link cost of the alternative route
through Site1 is 250.
Incorrect Answers:
A: Combining Site2 and Site3 into a single site results in logon requests to the
uk. Certkiller .com domain being routed within that site over the 56-Kbps WAN link.
C: If you move a domain controller from the uk. Certkiller .com domain from Site2 to Site3,
then the uk. Certkiller .com domain controllers would have to replicate over the slow link
between Site2 and Site3.
D: If you reconfigured a domain controller in Site3 to belong to the uk. Certkiller .com
domain, then the reliability and availability of network services for the us. Certkiller .com
users in Site3 might be adversely affected because only one uk. Certkiller .com domain
controller would be left in Site3.

QUESTION 96:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller -south.com and Certkiller -north.com.
The sites named Certkiller A and Certkiller C host the Certkiller -south.com domain that
contains four domain controllers named Certkiller -DC01, Certkiller -DC02,
Certkiller -DC03, and Certkiller -DC04. The Certkiller B site hosts the
Certkiller -north.com domain that contains two domain controllers named
Certkiller -DC05 and Certkiller -DC06. The Certkiller .com network
configuration is displayed in the diagram shown below.

The site links are not bridged. The table below shows the schedule for Active
Directory replication between the sites.

You have created a new user account for a user located in Certkiller C on
Certkiller -DC01.
What statement explains how Active Directory replication will occur?

A. The user account will be available on the domain controllers in Certkiller C
immediately.
B. The user account will be available on the domain controllers in Certkiller C a day later.
C. The user account will never be available on the domain controllers in Certkiller C.
D. The user account will be available on the domain controllers in Certkiller C two days
later.

Answer: C

Explanation: An Active Directory domain partition can only be replicated between
domain controllers for the same domain. In this scenario, all domain controllers in
Certkiller A and Certkiller C belong to the Certkiller -south.com domain, and all domain
controllers in Certkiller B belong to the Certkiller -north.com domain. The
Certkiller -south.com domain partition cannot replicate between Certkiller A and
Certkiller C through the domain controllers in Certkiller B. Therefore, the new user
account that you created will never appear on the domain controllers in Certkiller C.
Incorrect Answers:
A, B, D: The Certkiller -south.com domain partition cannot replicate between Certkiller A
and Certkiller C through the domain controllers in Certkiller B. Therefore, the new user
account that you created will never appear on the domain controllers in Certkiller C.
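An added Python model (not exam material and not a Microsoft tool) of the two rules behind this answer and the Site1/Site2/Site3 logon answer in Question 95: traffic follows the path with the lowest total site-link cost, and a domain partition crosses an intermediate site only if that site holds a domain controller for the domain or site links are bridged. The Site1-Site2 cost of 100, the Site1-Site3 cost of 150 and the Certkiller A/B/C link costs of 100 are assumptions; the exam states only the direct cost of 200 and the alternative total of 250.

```python
"""Site-link cost routing and domain-partition reachability (added example).

Assumed values: Site1-Site2 costs 100 and Site1-Site3 costs 150 (the text gives
only the direct cost 200 and the alternative total 250); both Certkiller A/B/C
links cost 100.
"""
import heapq
from collections import defaultdict


class SiteTopology:
    def __init__(self, bridged: bool = True):
        self.bridged = bridged             # the "Bridge all site links" setting
        self.links = defaultdict(dict)     # site -> {neighbour: cost}
        self.dcs = defaultdict(set)        # site -> {domains with a DC in this site}

    def add_link(self, a: str, b: str, cost: int) -> None:
        self.links[a][b] = cost
        self.links[b][a] = cost

    def add_dc(self, site: str, domain: str) -> None:
        self.dcs[site].add(domain)

    def cheapest_path(self, src: str, dst: str, transit=None):
        """Dijkstra over site links. `transit` limits which sites may be crossed."""
        best = {src: 0}
        heap = [(0, src, [src])]
        while heap:
            cost, site, path = heapq.heappop(heap)
            if site == dst:
                return cost, path
            if cost > best[site]:
                continue                               # stale heap entry
            for nxt, c in self.links[site].items():
                if transit is not None and nxt != dst and nxt not in transit:
                    continue
                if nxt not in best or cost + c < best[nxt]:
                    best[nxt] = cost + c
                    heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
        return None

    def logon_site(self, domain: str, client_site: str):
        """Site whose DCs answer a logon for `domain` from `client_site`: the
        client's own site if it has one, otherwise the cheapest reachable site."""
        if domain in self.dcs[client_site]:
            return 0, [client_site]
        routes = [self.cheapest_path(client_site, s) for s, d in self.dcs.items() if domain in d]
        routes = [r for r in routes if r is not None]
        return min(routes) if routes else None

    def partition_replicates(self, domain: str, src: str, dst: str) -> bool:
        """Can the domain partition of `domain` get from `src` to `dst`?"""
        if domain not in self.dcs[src] or domain not in self.dcs[dst]:
            return False
        # Unbridged: a connection object spans a single site link only, so a DC
        # of the same domain must exist in every intermediate site on the path.
        transit = None if self.bridged else {s for s, d in self.dcs.items() if domain in d}
        return self.cheapest_path(src, dst, transit) is not None


def question_95_topology() -> SiteTopology:
    t = SiteTopology()
    t.add_link("Site2", "Site3", 200)       # the slow direct link from the text
    t.add_link("Site1", "Site2", 100)       # assumed
    t.add_link("Site1", "Site3", 150)       # assumed; 100 + 150 == 250 as in the text
    for site, domain in (("Site1", "us.Certkiller.com"), ("Site3", "us.Certkiller.com"),
                         ("Site2", "uk.Certkiller.com")):
        t.add_dc(site, domain)
    return t


def question_96_topology(bridged: bool) -> SiteTopology:
    t = SiteTopology(bridged)
    t.add_link("CertkillerA", "CertkillerB", 100)   # assumed costs
    t.add_link("CertkillerB", "CertkillerC", 100)
    for site, domain in (("CertkillerA", "Certkiller-south.com"),
                         ("CertkillerC", "Certkiller-south.com"),
                         ("CertkillerB", "Certkiller-north.com")):
        t.add_dc(site, domain)
    return t


if __name__ == "__main__":
    q95 = question_95_topology()
    print("uk logon from Site3 before:", q95.logon_site("uk.Certkiller.com", "Site3"))
    q95.add_link("Site2", "Site3", 300)             # answer B: raise the direct cost
    print("uk logon from Site3 after: ", q95.logon_site("uk.Certkiller.com", "Site3"))
    for bridged in (False, True):
        ok = question_96_topology(bridged).partition_replicates(
            "Certkiller-south.com", "CertkillerA", "CertkillerC")
        print("bridged" if bridged else "not bridged", "south partition A->C:", ok)
```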

QUESTION 97:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains numerous domains
spread across several sites. All servers on the Certkiller .com network run Windows
Server 2003 and all client computers run Windows XP Professional.
After certain users in a remote site report that the logon process took longer than
normal when they logged on in the morning, you investigate and find that you are
unable to perform administrative tasks on the domain controller named
Certkiller -DC10 remotely. This domain controller is located in the same site as
the users who sent in the report. You ask a fellow administrator named Andy Booth,
who is stationed at that site, to log on to Certkiller -DC10 interactively to verify its
functionality. Andy Booth reports that Certkiller -DC10 seems to be operating
as it should.
You need to ensure that you are able to administer Certkiller -DC10 remotely as a
domain controller.
What should you do?

A. Change the replication interval for the site link that connects the remote site to your site
to a lower value.
B. On Certkiller -DC10, restart the Net Logon service.
C. You should force replication between Certkiller -DC10 and another domain
controller in the same domain.
D. On Certkiller -DC10, enable NetBIOS over TCP/IP.

Answer: B

Explanation: The Net Logon service on domain controllers is responsible for
registering and periodically refreshing their locator records, which are the DNS
SRV resource record and host (A) record. Because you are able to access shared
resources on Certkiller -DC10 by its host name, it seems that the A record for
Certkiller -DC10 is correct. You are, however, unable to locate Certkiller -DC10
as a domain controller, which indicates that the SRV record for Certkiller -DC10
is either missing or corrupt. You should, therefore, restart the Net Logon service on
Certkiller -DC10 to force it to refresh its locator records in DNS.
Incorrect Answers:
A: Using this option will result in Active Directory replication occurring more frequently
between the sites connected via that link, which is not relevant to the problem in the
scenario.
C: You cannot force Active Directory replication between Certkiller -DC10 and
another domain controller until other computers on the network can identify
Certkiller -DC10 as a domain controller.
D: NetBIOS is used as a service locator in legacy operating systems. It is not required by
Windows Server 2003 and Windows XP Professional.

QUESTION 98:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
The Certkiller .com network contains three Windows Server 2003 domain controllers
named Certkiller -DC01, Certkiller -DC02, and Certkiller -DC03. You
are responsible for managing the Certkiller .com domain.
During the replication process, a power outage occurred and resulted in the
Marketing OU on Certkiller -DC02 not being replicated to the other domain
controllers. When one of your assistants, named Andy Reid, attempts to perform
manual replication on the Marketing OU, he receives an error message stating that
access is denied.
You need to ensure that this problem is rectified.
What should you do?

A. You have to create an empty Marketing OU on Certkiller -DC01 and
Certkiller -DC02 to allow replication to take place.
B. You need to configure the File Replication service to run under Andy Reid's account.
C. You have to delegate administrative authority for the Marketing OU to Andy Reid.
D. You have to assign Andy Reid the Replication Synchronization permission for the
Marketing OU.

Answer: D

Explanation: You can perform manual replication only if you are assigned the
Replication Synchronization permission.
Incorrect Answers:
A: If the Marketing OU does not exist on the other domain controllers before replication,
it will be created during replication.
B: Running the service under Andy Reid's account will grant the service the same
privileges on the file system as Andy Reid is granted.
C: It is your responsibility to manage the Certkiller .com domain. An OU resides within a
domain and is, therefore, also your responsibility.

QUESTION 99:

HOTSPOT
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network, including domain controllers, run Windows
Server 2003 and all client computers run Windows XP Professional. Certkiller .com
has headquarters in London and branch offices in Paris, Berlin, Milan, and Madrid.
You are required to configure Active Directory replication for all Active Directory
partitions so that it takes place during non-peak times.
What should you do?
To answer, select the node in the tree that will allow you to achieve your goal.

Answer:

Explanation:
To solve this problem, you need to first configure site links and then configure them to be
available during non-peak times only. The Inter-Site Transports node is used to create
links. You are given two options:
1. RPC over IP
2. SMTP
A single domain can only use IP.

QUESTION 100:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller -north.com and Certkiller -south.com. Certkiller .com has its
headquarters in Chicago and branch offices in Dallas, New York, and Miami, each of
which is assigned its own subnet. All of these offices are connected via a fast WAN
link.
The Chicago and Dallas offices belong to the Certkiller -north.com domain, and the New
York and Miami offices belong to the Certkiller -south.com domain. All domain controllers
in the Chicago, Dallas, and New York offices run Windows Server 2003, while the Miami
office domain controllers run Windows NT Server 4.0.
Changes to directory data occur frequently at each office. You need to ensure that
replication between the offices occurs efficiently.
What is the number of sites that Certkiller .com should have?

A. 1
B. 2
C. 3
D. 4

Answer: A

Explanation: Because all offices are connected via a fast WAN link, you only require
one site. This will ensure that frequent changes are replicated throughout the forest
in a timely manner.
Incorrect Answers:
B: Intra-site replication is more efficient than inter-site replication. If each domain's
networks were connected by fast WAN links, but the network connection between the
two domains were slow, you could configure two sites to optimize replication traffic.
C: Intra-site replication is more efficient than inter-site replication.
D: Intra-site replication is more efficient than inter-site replication. If bandwidth
consumption were a concern, and if each office were connected via a slow WAN link,
you could configure four sites to optimize replication traffic.

QUESTION 101:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains two domain controllers named
Certkiller -DC01 and Certkiller -DC02. Certkiller -DC01 is the first domain
controller in the domain and is currently assigned all domain operations master
roles.
You are required to perform routine maintenance on Certkiller -DC01, which will
result in the domain controller being offline for several hours. At the same time you
need to allow a different administrator to create several thousand new user accounts in
the Certkiller .com domain for a newly acquired company.
You need to ensure that the maintenance schedule is adhered to and that the other
administrator can complete his task as soon as possible. You also need to ensure
that these tasks are accomplished using the least amount of steps required.
What should you do?

A. Connect to Certkiller -DC02 and transfer the PDC emulator role to
Certkiller -DC02.
B. Connect to Certkiller -DC02 and seize the PDC emulator role to Certkiller -DC02.
C. Connect to Certkiller -DC02 and transfer the infrastructure master role to
Certkiller -DC02.
D. Connect to Certkiller -DC02 and seize the infrastructure master role to
Certkiller -DC02.
E. Connect to Certkiller -DC02 and transfer the RID master role to Certkiller -DC02.
F. Connect to Certkiller -DC02 and seize the RID master role to Certkiller -DC02.

Answer: E

Explanation:
The RID master assigns batches of relative IDs to other domain controllers, which
in turn assign those IDs to new security principal objects that are being created in
the domain. The RID master does not have to be online when new user accounts are
being created as long as the domain controller where the user accounts are being
created has not exhausted its pool of available RIDs. In this scenario, a large
number of RIDs will be required in order to create several thousand new user
accounts. You should, therefore, transfer the RID master role to another domain
controller in the domain to ensure that domain controllers do not run out of RIDs
during the creation of new user accounts.
Incorrect Answers:
A, B: The temporary absence of the PDC emulator can be tolerated because none of
the computers in the domain runs legacy operating systems.
C, D: The temporary absence of the infrastructure master can be tolerated because
the scenario does not indicate that any relevant activity, such as renaming or moving user
accounts or modifying group memberships, is expected to be performed during the next
few hours.
F: You should not seize the RID master role unless you are completely certain that the
original RID master will never be brought back online.

QUESTION 102:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains two domain controllers named
Certkiller -DC01 and Certkiller -DC02. When Certkiller -DC01 fails, it is
reported that the soonest that it can be repaired and brought back online, is the
following day. At the same time as the failure, you are given the task of creating
more than 1000 new user accounts in the Certkiller .com domain. You attempt to
create the new user accounts on Certkiller -DC02, but only succeed in creating 700
new accounts. You also receive an error message stating that no more user accounts
can be created.
You need to ensure that the remaining user accounts are created as soon as possible.
What should you do?

A. You have to transfer the infrastructure master role to Certkiller -DC02.
B. You have to configure Active Directory replication to occur continuously.
C. You have to seize the RID master role to Certkiller -DC02.
D. You have to wait for a period of 15 minutes to allow replication to occur.

Answer: C

Explanation: When new security principal objects, such as user accounts, are being
created, each object must be assigned a relative ID (RID) that is unique in the
domain. One domain controller in each domain is assigned the RID master role,
which produces unique RIDs and allocates them in batches of several hundred to
other domain controllers in the domain. If the RID master for a domain becomes
unavailable, then you can create only as many new security principals in that
domain as there are RIDs available on the other domain controllers in that domain.
If the number of remaining RIDs is inadequate, then you can transfer the RID
master role to another domain controller in that domain. However, to transfer the
RID master role gracefully, the original RID master must be online. In the above
scenario, the RID master is currently offline, and you cannot wait for it to be
repaired. You should, therefore, seize the RID master role to Certkiller -DC02 and
not bring the original RID master back online. You should remove all information
about Certkiller -DC01 from Active Directory instead, then create a fresh
installation of Windows Server 2003 on the computer that originally was
Certkiller -DC01 and configure it as a new domain controller for the Certkiller .com
domain.
Incorrect Answers:
A: The infrastructure master is a domain controller that is responsible for updating
references from local objects to objects in other domains; it does not have to be online
when new user accounts are being created.
B, D: In this scenario, there is only one available domain controller in the domain, so
there is currently nowhere for the new accounts to replicate.
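An added Python model (not exam material and not Windows code) of RID pool allocation, covering this scenario and the RID master transfer in Question 101: why Certkiller -DC02 keeps creating accounts for a while after the RID master fails, why it then stops, and why seizing the role lets creation resume. The 500-RID pool is the Windows Server 2003 default; the half-pool refill rule, the starting RID of 1000 and the 300 accounts created before the failure are assumptions chosen so the run stops at 700 accounts, as in the scenario.

```python
"""RID pool allocation model (added example).

Assumptions: pool size 500 (the Windows Server 2003 default), a DC asks for its
next pool once half of the current one is used, RIDs start at 1000, and 300
accounts were created on the surviving DC before the RID master failed.
"""


class RidMaster:
    """Hands out contiguous blocks of relative IDs, one block per request."""

    def __init__(self, pool_size: int = 500, first_rid: int = 1000):
        self.pool_size = pool_size
        self.next_rid = first_rid
        self.online = True

    def allocate(self) -> tuple[int, int]:
        if not self.online:
            raise ConnectionError("RID master unavailable")
        start = self.next_rid
        self.next_rid += self.pool_size
        return start, self.next_rid - 1          # inclusive (first, last)


class DomainController:
    def __init__(self, name: str, master: RidMaster):
        self.name = name
        self.master = master
        self.current = None      # (next unused RID, last RID) of the pool in use
        self.standby = None      # the next pool, fetched ahead of time
        self.created = {}        # sAMAccountName -> RID

    def remaining(self) -> int:
        cur = 0 if self.current is None else self.current[1] - self.current[0] + 1
        sby = 0 if self.standby is None else self.standby[1] - self.standby[0] + 1
        return cur + sby

    def _request_pool(self) -> None:
        """Fetch a standby pool once the current one is half used; tolerate an
        unreachable RID master and simply retry on the next creation."""
        cur = 0 if self.current is None else self.current[1] - self.current[0] + 1
        if self.standby is None and cur <= self.master.pool_size // 2:
            try:
                self.standby = self.master.allocate()
            except ConnectionError:
                pass

    def create_user(self, sam_account_name: str) -> int:
        if self.current is None or self.current[0] > self.current[1]:
            self._request_pool()
            if self.standby is None:
                raise RuntimeError(f"{self.name}: RID pool exhausted and RID master unreachable")
            self.current, self.standby = self.standby, None
        rid = self.current[0]
        self.current = (rid + 1, self.current[1])
        self._request_pool()
        self.created[sam_account_name] = rid
        return rid


def seize_rid_master(dc: DomainController) -> None:
    """Model of seizing the role to `dc`: the new master resumes numbering after
    the highest RID in any pool this DC knows about (a simplification)."""
    known = [p[1] for p in (dc.current, dc.standby) if p is not None]
    first = max(known) + 1 if known else dc.master.next_rid
    dc.master = RidMaster(dc.master.pool_size, first_rid=first)


def simulate(created_before_failure: int, requested: int):
    """Return (accounts created after the RID master failed, the DC object)."""
    master = RidMaster()                         # role held by Certkiller-DC01
    dc02 = DomainController("Certkiller-DC02", master)
    for i in range(created_before_failure):
        dc02.create_user(f"existing{i}")
    master.online = False                        # Certkiller-DC01 fails
    created = 0
    for i in range(requested):
        try:
            dc02.create_user(f"new{i}")
            created += 1
        except RuntimeError:
            break
    return created, dc02


if __name__ == "__main__":
    created, dc02 = simulate(300, 1000)
    print(f"created {created} of 1000 accounts before running out of RIDs")
    seize_rid_master(dc02)                       # answer C: seize the role to DC02
    print("after seizure the next RID issued is", dc02.create_user("new700"))
```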

QUESTION 103:

You work as the network administrator at Certkiller .com. You are currently in the
process of setting up an Active Directory forest for Certkiller .com.
Thus far you have two Windows Server 2003 domain controllers named
Certkiller -DC01 and Certkiller -DC02, which are part of the same domain
named Certkiller -north.com. Certkiller -DC01 is the first domain controller in the
Certkiller -north.com domain, in the new forest.
You now want to create a new domain. You install Windows Server 2003 on a new
computer and name it Certkiller -DC03. After starting the Active Directory
installation wizard, you specify that Certkiller -DC03 as a domain controller for a
new domain in the forest. You are then presented with an error message stating that
Certkiller -DC03 cannot be promoted to a domain controller.
After a brief investigation, you discover that Certkiller -DC01 has failed as a
result of hardware failure. You are informed that the replacement part will only be
delivered within the next couple of days.
You need to ensure that the deployment of Active Directory continues immediately,
and that Certkiller -DC03 is promoted to a domain controller in the new domain.
What should you do? (Choose all that apply)

A. Specify Certkiller -DC03 as a domain controller for a new child domain in the
existing domain.
B. Configure Certkiller -DC02 to hold all operations master roles.
C. Add Certkiller -DC03 to the existing domain.
D. Promote Certkiller -DC03 to an additional domain controller in the existing domain.
E. Promote Certkiller -DC03 to a domain controller in a new tree-root domain.

Answer: B, E

Explanation: In an Active Directory forest, certain types of operations can be
performed only on the domain controllers that are designated as operations masters
for those types of operations. There are five operations master roles. The schema
master and domain naming master are forest-wide roles. The PDC emulator, RID
master and infrastructure master are domain-wide roles. By default, the first
domain controller in a new forest hosts all five operations master roles. The first
domain controller in a new domain in a forest holds the three domain-wide roles for
that domain by default.
In order for a new domain to be created in a forest, the domain naming master must be
available in that forest. In this scenario, to proceed with the creation of a new tree-root
domain, you should force the transfer of at least the domain naming master role to
Certkiller -DC02, which is the only remaining domain controller in the existing forest.
Once this has been accomplished, you should not bring the original domain naming
master, Certkiller -DC01, back online. You should therefore also seize the other master
roles to Certkiller -DC02.
Incorrect Answers:
A, C, D: A domain controller in one domain cannot be directly reconfigured as a domain
controller in another domain.

QUESTION 104:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains several domains.
All servers on the Certkiller .com network, including domain controllers, run
Windows Server 2003 and all client computers run Windows XP Professional.
The Certkiller .com network contains a domain controller named Certkiller -DC01
that hosts the schema master role. Certkiller -DC01 has to be taken offline for the
purpose of a hardware upgrade. It is required that a schema master is available at
all times because Certkiller .com makes use of a line-of-business Active
Directory-aware application that makes regular changes to the Active Directory
schema.
You need to ensure that the hardware upgrade goes forward as planned, while the
continuity of business operations are maintained.
What should you do?

A. Access the schema master and transfer the schema master role to a different domain
controller in the forest root domain.
B. Access a different domain controller in the forest root domain and seize the schema
master role.
C. Access a different domain controller in any domain in the forest and transfer the
schema master role to that domain controller.
D. Access a different domain controller in any domain in the forest and seize the schema
master role.
E. Access the schema master and transfer the schema master role to a different domain
controller in any domain in the forest.

Answer: C

Explanation: Changes to the Active Directory schema can only be made on the
domain controller that holds the schema master role. To be able to reassign the
schema master role you must be a member of the Schema Admins universal security
group or you must be assigned the Allow - Change Schema Master permission for
the schema. You can transfer the schema master role by using Active Directory
Schema or the Ntdsutil command-line utility. You must access the domain
controller that you want to transfer the schema master role to.
Incorrect Answers:
A, E: You need to access the domain controller that you want to transfer the schema
master role to.
B, D: You should only seize master roles if you are sure that the original operations
master will never be brought back online. Seizing is also possible only when the original
operations master is unavailable on the network.

QUESTION 105:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
You are required to formulate a strategy for the recovery of FSMO role failures.
What option explains how you should normally recover from FSMO role failure?

A. If the FSMO role cannot be seized, transfer it.
B. You should always transfer the role.
C. You should always seize the role.
D. If the FSMO role cannot be transferred, seize it.

Answer: D

Explanation: By seizing a role, you are forcing the transfer of a role that could not
otherwise be transferred.
Incorrect Answers:
A: By seizing a role, you are forcing the transfer of a role that could not otherwise be
transferred.
B, C: You should always attempt a transfer first. If the transfer is unsuccessful, you
should attempt to seize the role.

QUESTION 106:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com.
You are responsible for managing the us. Certkiller .com domain that resides on six
domain controllers spread across two sites. You configure each FSMO role to run
on a dedicated domain controller. The domain controller that hosts the Domain
Naming Master role also hosts the global catalog.
Due to a recent power outage, one of the domain controllers suffers permanent
failure. As a result the recent changes that were made to the global catalog are not
being replicated to four of the other domain controllers. For that reason, object
references to other domains are lost.
You need to ensure that these changes to global catalog are replicated to the other
four domain controllers.
What should you do?

A. Transfer the Schema Master role.
B. Transfer the Infrastructure Master role.
C. Transfer the RID Master role.
D. Transfer the PDC Emulator master role.

Answer: B

Explanation: This role is responsible for ensuring that all domain controllers in a
domain are updated with object references to other domains. It uses the global
catalog to determine which Active Directory objects need to be replicated.
Incorrect Answers:
A: This role is responsible for allowing schema changes to Active Directory objects.
C: This role is responsible for the uniqueness of Active Directory objects in each
domain.
D: The purpose of the PDC Emulator role is to provide backward compatibility to
domain controllers running Microsoft Windows NT Server.

QUESTION 107:

You work as the network administrator at Certkiller .com. All servers on the
Certkiller .com network run Windows Server 2003 and all client computers run
Windows XP Professional.
Certkiller .com uses several applications that store data in Active Directory on the
Certkiller .com network. After adding a large amount of data to one of these
applications, you find that a domain controller named Certkiller -DC03 is no
longer able to support Active Directory because the size of the Active Directory data
file has reached 2 GB. This Active Directory data file is installed in its default
location. Certkiller -DC01 has a single hard disk that has nearly reached its
storage capacity.
You need to ensure that Certkiller -DC01's ability to function as a domain controller
is restored.
What should you do? (Choose two)

A. Install another hard disk.
B. Force replication between Certkiller -DC01 and another domain controller.
C. Remove the old Active Directory transaction log files.
D. Mount the new disk to the C:\Windows\NTDS folder.
E. Move the Active Directory data file to the new disk.

Answer: A, E

Explanation: You can add a new disk and move the Active Directory database to
that disk to restore the Active Directory functionality on the domain controller that
has run out of disk space. You should restart the computer in Directory Services
Restore Mode (DSRM), use the Ntdsutil command-line utility to move the data
file and then restart the computer normally.
Incorrect Answers:
B: Using this option will free up no disk space on either domain controller because changes
to Active Directory are replicated from one domain controller to another.
C: Old Active Directory transaction log files are automatically deleted once they have
been backed up.
D: You can only mount a new disk to an empty folder on an NTFS volume, and
since the C:\Windows\NTDS folder is the default location for the Active Directory
database it cannot be empty.

QUESTION 108:

You work as the network administrator at Certkiller .com. The Certkiller .com
network contains a domain controller named Certkiller -DC01 that currently
hosts the Active Directory data files and transaction logs in their default locations.
When you are asked to optimize the performance of write operations and to provide
fault tolerance on Certkiller -DC01, you add two RAID devices to
Certkiller -DC01. The one RAID device is configured as RAID 1, while the other is
configured as RAID 5.
You need to ensure that your solution meets the requirements.
What should you do? (Choose two)

A. You should transfer the Active Directory data file to the RAID 5 device.
B. You should transfer the Active Directory transaction logs to the RAID 5 device.
C. You should transfer the Active Directory data file to the RAID 1 device.
D. You should transfer the Active Directory transaction logs to the RAID 1 device.

Answer: A, D

Explanation: Both RAID 1 and RAID 5 configurations provide fault tolerance.
RAID 1 is a mirror set in which synchronized copies of the same data are maintained
on two physical hard disks. If one of the disks fails, the remaining disk can continue
to provide access to the data. RAID 5, which is also known as a stripe set with
parity, is a configuration that involves three or more physical hard disks. During
each write operation, a block of redundant data is added that can be used to recover
missing data in the event of the failure of one of the disks.
During write operations, data is written to the current transaction log first, and then
the transactions are copied to the data file in the background. As far as the Active
Directory service is concerned, the write operation is considered complete as soon as
it is recorded in the transaction log. You should, therefore, optimize the write
performance of the transaction logs to optimize the performance of write operations
in the Active Directory database. RAID 1 devices provide better write performance
than RAID 5 devices because RAID 5 devices must calculate the parity block for the
data being recorded. You should, therefore, move the transaction log files to the
RAID 1 device. Placing the transaction log files on a dedicated storage device,
separate from other devices, minimizes the radial movement of the read/write heads
and thus further improves write performance. You should therefore move the Active
Directory data file to the RAID 5 device so that it is kept separate from the
transaction log files.

QUESTION 109:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com domain is spread over several sites. All servers on the Certkiller .com
network, including domain controllers, run Windows Server 2003 and all client
computers run Windows XP Professional. Active Directory is currently being
backed up on a nightly basis.
Your manager informs you that Certkiller .com is restructuring and that you have to
suitably modify the organizational unit (OU) structure. He instructs you to move all
users from the Marketing OU into a different OU and delete the Marketing OU
during normal business hours.
In another site, at about the same time, another administrator receives instructions
to add additional users to the Marketing OU, which he does.
The following day, these users complain that they are unable to log on to the
domain.
You need to ensure that the Marketing OU and the deleted user accounts are
recovered with the least amount of administrative effort, and without interfering
with the network services for other users.
What should you do?

A. You should create an OU named Marketing and then move the deleted user accounts
from the LostAndFound container into that OU.
B. You have to perform an authoritative restore of the Marketing OU from the last
backup made before the Marketing OU was deleted.
C. You should create an OU named Marketing, then create user accounts with the same
names as the deleted user accounts and place these new user accounts into that OU.
D. You have to perform an authoritative restore of the Marketing OU from the last
backup made before the Marketing OU was deleted and then move the deleted user
accounts from the LostAndFound container into the Marketing OU.

Answer: A

Explanation: All Windows Server 2003 domain controllers in a domain are peers,
which implies that it is possible to implement conflicting changes to Active Directory
on different domain controllers simultaneously. In the scenario above, when the
domain controllers replicated their changes, the objects in the deleted container
become orphaned and are placed into a special container named LostAndFound. To
correct the problem, you should create a new OU named Marketing and then move
the orphaned user accounts from the LostAndFound container into that OU.
Incorrect Answers:
B: Because the backup that contains the Marketing OU was made before the additional
users were moved into it, authoritatively restoring the Marketing OU alone would not
recover the deleted user accounts.
C: If you use this option, the new user and computer accounts would be considered
different from the respective original objects because the new objects would be assigned
new unique security IDs (SIDs). As a result, this option would require more
administrative effort than is necessary.
D: Performing an authoritative restore of the Marketing OU from the last backup would
require more administrative effort than creating a new OU named Marketing.

QUESTION 110:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com has headquarters in London and branch offices in Milan and
Stockholm. The branch offices are connected through slow and unreliable links.
Certkiller .com contains a Finance department, which resides in the Milan branch
office, and a Research department in the Stockholm office. The Certkiller .com
network contains three file servers named Certkiller -SR11, Certkiller -SR12
and Certkiller -SR13. Certkiller -SR11 resides in the main office,
Certkiller -SR12 resides in the Finance department and Certkiller -SR13 resides
in the Research department.
The employees of the Finance department need to access resources on the file
servers in each branch office. The employees in the Research department need to
access Certkiller -SR13 in their department. All the managers of Certkiller .com
need to access the file servers in each branch office. After reviewing the business
and resources of the Certkiller .com network, you decide to design a security group
strategy. You need to determine the scope for each department so that you can
apply it to each security group you are going to create. The security groups that
you are going to create are the following: the managers from all three offices will be
located in the CKManager group; users from the Finance department will be located
in the CKFinance group; and users from the Research department will be located in
the CKResearch group. You need to select a security group scope that meets the
specific requirements of each department.
What should you do? To answer, drag the appropriate security group to the correct
location or locations in the work area.

Answer:

Explanation:
To have access to resources in the same domain, you should create a domain local
group. If you want access to resources in any domain in the Active Directory forest,
you should create global groups. The Research department needs the minimum scope,
so it is best to apply the domain local group. The Finance department needs to access
all the resources in the domain, so it can be allowed the global and the universal
groups. The CKManager group consists of members from all the offices, so it needs the
universal scope.

QUESTION 111:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. All servers on the Certkiller .com
network run Windows Server 2003. Half the client computers run Windows 2000
Professional, and the rest run Windows XP Professional.
Certkiller .com has its headquarters in London and a branch office in Dallas. In the
Dallas branch office resides the us. Certkiller .com domain, and in the London branch
office resides the uk. Certkiller .com domain. The branch offices are connected through
slow and unreliable links. Each of the branch offices contains file servers and two
domain controllers, named Certkiller -DC01 in Dallas and Certkiller -DC02 in
London. The file servers act as member servers. Each of these branch offices also
contains a global catalog server.
Certkiller .com contains a Research department which resides in the London office.
The Research department's employees need to access the file servers in the main
office. Most of the employees of the Research department are temporary employees.
You have to have control over these users, so you need to place them in a security
group. You need to choose a security group scope to grant these users in the
Research department access to resources on the file servers.
Which of the following scopes should you use?

A. A global group
B. A local group
C. A domain local group
D. A universal group

Answer: A

Explanation: If you want access to resources in any domain in the Active Directory
forest, you should create global groups. The resources that are needed are in the two
branch offices, so you can grant the Research department the permissions to the
resources in both of these branch offices.
Incorrect Answers:
B: A local group only grants access to resources on the local computer. It is best to
create a global group. If you were to use local groups, you would have to create a
local group on each file server, and each of the Research employees would still need
a universal or a global group.
C: You do not need domain local groups because a domain local group grants access to
resources only in its own domain. The scenario states that there are two domains.
D: Universal groups are not needed here. Membership of universal groups is
replicated to every global catalog server in the forest, which would cause regular
replication traffic across the WAN.

QUESTION 112:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains three domains
named paris. Certkiller .com, italy. Certkiller .com and germany. Certkiller .com. The
functional level of the forest is set at Microsoft Windows Server 2003. All servers on
the Certkiller .com network run Windows Server 2003. Half the client computers run
Windows 2000 Professional, and the rest run Windows XP Professional. The
Certkiller .com network contains a few domain controllers.
Certkiller .com has its headquarters in Paris and branch offices in Berlin and Milan.
The germany. Certkiller .com domain resides in the Berlin branch office, the
italy. Certkiller .com domain resides in the Milan branch office and the
paris. Certkiller .com domain resides in the Paris main office. The branch offices are
connected through slow and unreliable links. All offices contain a global catalog
server. Each office also has its own administrator. Each office has a Marketing
department. Each branch also contains a dedicated file server, which hosts resources
that are needed by all offices.
Due to company growth, most of the employees are temporary or contract staff.
Each office has almost 150 employees. You need to configure a security group
strategy that meets the Marketing department's needs and can be maintained
with the minimum amount of effort.
What should you do? (Select all that apply)

A. Add the marketing employees to the Berlin Marketing, the Milan Marketing and the
Paris Marketing groups and add these groups as members of the Certkiller .com Marketing
group.
B. Create three global groups named Berlin Marketing, Milan Marketing and Paris
Marketing then create a universal group named Certkiller .com Marketing.
C. Create three domain local groups named Berlin Marketing, Milan Marketing and Paris
Marketing.
D. Add the marketing employees to the Certkiller .com Marketing group and create a
global group named Certkiller .com Marketing group.

Answer: A, B

Explanation: You must create a global group for the Berlin and Milan offices. The
members of a global group are not replicated to every global catalog server. Most
of the employees are temporary or contract workers, so it is best to have a global
group. You should then create a universal group and add the global groups to the
universal group. A universal group can be used anywhere in the forest.
Incorrect Answers:
C: The domain local group is used to grant permission to resources on domain controllers
and member servers.
D: Global groups should be named appropriately, not Certkiller .com Marketing. You
could have named it Berlin Marketing or Milan Marketing. You cannot add all the
marketing members to a global group named Certkiller .com Marketing, because global
groups only contain members from the same domain.

QUESTION 113:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com.
Certkiller .com has its headquarters in Chicago and a branch office in London. In the
Chicago office resides the us. Certkiller .com and in the London branch office resides
the uk. Certkiller .com. The branch offices are connected through slow and unreliable
links.
Certkiller .com contains a Research department which resides in the Chicago office.
The Chicago office also contains a few file servers. The resources of the Research
department reside on the file servers. The domain users of the Chicago and London
offices need to access the resources on the file servers. You need to create a security
group for the domain users in these departments so that they can access the resources.
What should you do?

A. Create a local group.
B. Create a domain local group.
C. Create global group.
D. Create a universal group.

Answer: B

Explanation: The best option is the domain local group. This group can contain
members from groups of any scope, and with it you can grant access to the resources.
Incorrect Answers:
A: A local group only grants access to resources on the local computer. The resources
that are needed reside on the file servers, so you cannot use local groups.
C: A global group only contains members from the same domain. Certkiller .com contains
two domains.
D: You can only create universal groups on Windows 2000 Server and Windows Server
2003. Windows NT Server does not support universal groups.

QUESTION 114:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com.
Certkiller .com has its headquarters in Chicago and a branch office in London. In the
Chicago office resides the us. Certkiller .com and in the London branch office resides
the uk. Certkiller .com. The offices are connected through slow and unreliable links.
Each of these offices contains file servers and two domain controllers. The file
servers act as member servers. Global catalog servers reside in the Chicago and
London office.
Certkiller .com contains a Development department which resides in both offices.
Each office consists of almost 200 employees. Most of the employees of the
Development department are temporary employees. You have to have control over
these users, so you need to place them in a security group. You need to choose a
security group scope to grant these users in the Development department access to
resources on the file servers.
What should you do? (Select two)

A. Create two domain local groups named Chicago Development and London
Development.
B. Create two global groups named Chicago Development and London Development.
C. Add each Development department's members to the Chicago Development and
London Development groups.
D. Add each Development department's members to the Certkiller .com Development
group.

Answer: B, C

Explanation: You should create a global group and add the users to that group. The
members in the global group are replicated to every global catalog server. Most of
the employees are temporary or contract workers, so it is best to have a global
group.
Incorrect Answers:
A: The domain local group is used to grant permission to resources on domain controllers
and member servers. This will lead to unnecessary management.
D: It is not advisable to add the Development department's members to a global group
named Certkiller .com Development. You could have named it Chicago Development or
London Development. Global groups only contain members of the same domain.

QUESTION 115:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains three domains
named us. Certkiller .com, uk. Certkiller .com and north. Certkiller .com. The functional
level of the forest is set at Windows Server 2003 and the functional level for
us. Certkiller .com, uk. Certkiller .com and north. Certkiller .com is set at Windows Server
2003. Half the client computers run Windows 2000 Professional, and the rest run
Windows XP Professional.
Certkiller .com has headquarters in London and branch offices in Paris and Athens.
The branch offices are connected through slow and unreliable links. Certkiller .com
contains three departments named Research, Marketing and Finance department.
The Finance department resides in London, the Research department in Paris and
the Marketing department in Athens. File servers reside in all the offices of the
Certkiller .com forest. The file servers also act as member servers. Corporate
management resides in each office. The employees in the Finance department need
access to the resources on the file servers in the other offices. The managers also
need access to the resources on the file servers in the each office.
You need to design a security strategy and find the scopes that can be used on each
security group.
Which of the following scopes should you use?

A. For the Finance department, create a universal group and a global group, for the
managers you must create a universal group.
B. For the Finance department, create a universal group and a global group, for the
managers you must create a domain local group.
C. For the Finance department, create a universal group and a domain local group, for the
managers you must create a global group.
D. For the Finance department, create a domain local group and a global group, for the
managers you must create a universal group.

Answer: A

Explanation: The global group and the universal group can be used to access resources
in any domain. The global group contains members from the same domain and the
universal group contains members from anywhere in the forest. For the managers you
should use the universal group, and for the Finance department you can use global
groups or the universal group.
Incorrect Answers:
B: The domain local group is used to grant permission to resources in the same domain. The
managers need access to the entire forest.
C, D: You should not create global groups, because a global group for the managers will
only allow access to resources in the same domain. The domain local group is used to
grant permission to resources in the same domain. The Finance department needs access
to the entire forest.

QUESTION 116:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. The functional level of the forest is set
at Windows Server 2003 and the functional level for us. Certkiller .com and
uk. Certkiller .com is set at Windows Server 2003. Half the client computers run
Windows 2000 Professional, and the rest run Windows XP Professional.
Certkiller .com has its headquarters in Chicago and a branch office in London.
The branch offices are connected through slow and unreliable links. The
Certkiller .com contains a Research department and a Development department. The
Research department resides in us. Certkiller .com and the Development department
resides in uk. Certkiller .com. Each branch office contains a domain controller. The
Research department contains two file servers named Certkiller -SR11 and
Certkiller -SR12. These servers contain resources which can only be accessed by
certain users in Certkiller .com. Certkiller -SR11 hosts resources that are for
internal use. Certkiller -SR12 hosts documents that are available to the
public.
On Certkiller -SR11 you create a security group named CKResearch to grant
access to the resources. You expect the members to change often. You want the
CKResearch group to be available only on Certkiller -SR11 and
Certkiller -SR12. You need to create a security group to grant access to the
resources on Certkiller -SR11.
What should you do?

A. Create a local group.
B. Create a domain local group.
C. Create global group.
D. Create a universal group.

Answer: A

Explanation: A local group only grants access to resources on the local computer.
The resources reside on Certkiller -SR11 and Certkiller -SR12. You should
create the CKResearch group on both file servers. On each file server, the
permissions for the documents are then assigned to that server's group.
Incorrect Answers:
B: The domain local group is used to grant permission to resources on domain controllers
and member servers. The CKResearch group only needs access to the file servers.
C: The global group is used to grant access to resources that are in a different domain. The
CKResearch group only needs access to the file servers in the same domain.
D: Universal groups are not needed here. Membership of universal groups is
replicated to every global catalog server in the forest, which would cause regular
replication traffic across the WAN.

QUESTION 117:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains three domains
named spain. Certkiller .com, uk. Certkiller .com and italy. Certkiller .com. The functional
level of the forest is set at Windows Server 2003 and the functional level for
spain. Certkiller .com, uk. Certkiller .com and italy. Certkiller .com is set at Windows Server
2003. Half the client computers run Windows 2000 Professional, and the rest run
Windows XP Professional.
Certkiller .com has headquarters in London and branch offices in Milan and Madrid.
The branch offices are connected through slow and unreliable links. Certkiller .com
contains three departments named Research, Development and Finance. The
Finance department resides in London, the Research department in Milan and the
Development department in Madrid. The us. Certkiller .com is in London and the
uk. Certkiller .com is in Milan and south. Certkiller .com is in Madrid.
File servers reside in all the offices of the Certkiller .com forest. The file servers also
act as member servers. The file servers contain the resources of Certkiller .com. You
have received instruction from the CIO to design a resource authorization
infrastructure. You want to use a combination of local, domain local and universal
groups in the design. The managers in the three departments need to access the
resources on the file servers of these departments. You need to design a security
group to grant access to the resources.
What should you do?

A. Create a local group.
B. Create a domain local group.
C. Create global group.
D. Create a universal group.

Answer: D

Explanation: The managers of the three departments can be members of the
universal group. The universal group will allow the managers to have access to the
entire forest.
Incorrect Answers:
A: If you create a local group, you will have to create a local group on each file server in
the three domains. Local groups are only used to grant access to local computers.
B: If you create a domain local group, you will have to create a domain local group on
each file server in the three domains. The domain local groups cannot be used to grant
access to resources in other domains.
C: The global groups only contain members of the same domain. The managers need
access to resources on all the three domains.
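The group-scope rules that questions 110 to 117 turn on (which accounts a group of each scope may contain, where it may be placed in an ACL, and which scope's membership is replicated to every global catalog) can be checked mechanically before a design is rolled out. The following Python model is an added example written for this page, not code from the exam or from Microsoft; the forest, server and group names are constructed, and the rule encoding for the Windows 2000 native / Windows Server 2003 functional level is this example's own. It goes a little beyond the individual questions by covering all four scopes in one checker: `question_115_design()` builds the design that answer A of question 115 describes, and `broken_design()` builds one that the rules reject.

```python
"""Checker for Active Directory security-group scope rules (Windows 2000 native /
Windows Server 2003 functional level). Rule encoding is this example's own."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Scope(Enum):
    LOCAL = "local"                 # lives in one server's local SAM
    DOMAIN_LOCAL = "domain local"
    GLOBAL = "global"
    UNIVERSAL = "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str                     # DNS name of the domain holding the object
    scope: Optional[Scope] = None   # None for a user account
    host: Optional[str] = None      # LOCAL groups only: the server holding them


def can_contain(group: Principal, member: Principal) -> bool:
    """Membership rule: may `member` be added to `group`?"""
    same_domain = group.domain == member.domain
    m = member.scope
    if group.scope is Scope.GLOBAL:          # own domain only: users, global groups
        return same_domain and m in (None, Scope.GLOBAL)
    if group.scope is Scope.UNIVERSAL:       # any domain: users, global, universal
        return m in (None, Scope.GLOBAL, Scope.UNIVERSAL)
    if group.scope in (Scope.DOMAIN_LOCAL, Scope.LOCAL):
        if m is Scope.LOCAL:                 # machine-local groups never nest
            return False
        if m is Scope.DOMAIN_LOCAL:          # domain local only from own domain
            return same_domain
        return True                          # users, global, universal from anywhere
    raise ValueError(f"{group.name} is not a group")


def can_be_granted(group: Principal, resource_domain: str, server: str) -> bool:
    """Placement rule: may `group` appear in an ACL on `server` in `resource_domain`?"""
    if group.scope in (Scope.GLOBAL, Scope.UNIVERSAL):
        return True                          # usable in any domain of the forest
    if group.scope is Scope.DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.scope is Scope.LOCAL and group.host == server


@dataclass
class Design:
    memberships: List[Tuple[Principal, Principal]] = field(default_factory=list)
    grants: List[Tuple[Principal, str, str]] = field(default_factory=list)

    def violations(self) -> List[str]:
        """Every membership or ACL placement that the scope rules forbid."""
        out = [f"{g.scope.value} group {g.name} cannot contain {m.name} from {m.domain}"
               for g, m in self.memberships if not can_contain(g, m)]
        out += [f"{g.scope.value} group {g.name} cannot be granted rights on {s} in {d}"
                for g, d, s in self.grants if not can_be_granted(g, d, s)]
        return out

    def gc_replicated_groups(self) -> Set[str]:
        """Groups whose member list replicates to every global catalog (WAN cost)."""
        return {g.name for g, _ in self.memberships if g.scope is Scope.UNIVERSAL}


# Constructed sample forest; domain and server names are illustrative only.
UK, US, NORTH = "uk.example.test", "us.example.test", "north.example.test"


def question_115_design() -> Design:
    """Answer A of question 115: a global group for Finance (one domain) and a
    universal group for managers drawn from all three domains."""
    d = Design()
    finance = Principal("CKFinance", UK, Scope.GLOBAL)
    managers = Principal("CKManagers", UK, Scope.UNIVERSAL)
    for i in range(3):
        d.memberships.append((finance, Principal(f"fin{i}", UK)))
    for dom in (UK, US, NORTH):
        site = dom.split(".")[0]
        d.memberships.append((managers, Principal(f"mgr-{site}", dom)))
        d.grants.append((finance, dom, f"fs-{site}"))   # file server per office
        d.grants.append((managers, dom, f"fs-{site}"))
    return d


def broken_design() -> Design:
    """Two mistakes the rules catch: a cross-domain member in a global group and
    a domain local group placed on an ACL in another domain."""
    d = Design()
    d.memberships.append((Principal("Managers", UK, Scope.GLOBAL), Principal("mgr-us", US)))
    d.grants.append((Principal("Finance", UK, Scope.DOMAIN_LOCAL), US, "fs-us"))
    return d


if __name__ == "__main__":
    for label, design in (("question 115", question_115_design()), ("broken", broken_design())):
        print(label, "violations:", design.violations() or "none")
        print(label, "replicated to every GC:", design.gc_replicated_groups() or "none")
```

`gc_replicated_groups()` is the cost side of the trade-off the explanations keep returning to: a universal group is the only scope that can hold principals from several domains and be granted rights anywhere, but its member list is copied to every global catalog server, which is why the answers prefer global groups for frequently changing membership and nest those globals into a universal group only when cross-domain membership is really required.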

QUESTION 118:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Marketing department. This department works from 9:00
AM to 4:00 PM. This department is busy throughout the day. You have created a
few printers on a few member servers in the domain. The printers in the
Certkiller .com domain are shared on the network and published in Active Directory.
A number of users in the Marketing department have been selected to manage the
printers and print queues. You want to add these users to the appropriate security
groups without granting them more permissions than necessary. You need to add these
users to the security groups to manage the printers.
Which groups should you use?

A. The Print Operators built-in domain local group.
B. The Server Operators built-in domain local group.
C. The Print Operators local group on each print server.
D. The Power Users local group on each print server.

Answer: C

Explanation: The Print Operators local group on each print server is for users who
are designated to manage local printers and queues. These permissions are not
automatically assigned.
Incorrect Answers:
A: The Print Operators built-in domain local group is automatically assigned. This group
is only available on domain controllers and not member servers.
B: Server Operators built-in domain local group is only available on domain controllers.
C: The Print Operators local group is only available on domain controllers.

QUESTION 119:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Research department. The Research department is doing
research for a future in-house application. The results of the research reside on a
file server named Certkiller -SR13. You are planning the domain authentication
infrastructure of Certkiller .com. During a meeting you want to present your findings.
You plan to explain the benefits of using smart cards over user names and
passwords for authentication.
What should you state in the meeting about the use of smart cards?

A. Smart card PINs are easier to remember and offer better protection than passwords.
B. Smart cards are stolen easily.
C. Smart cards offer the strongest authentication.
D. Smart cards cannot be locked after unsuccessful authentication attempts.

Answer: C

Explanation: Smart cards offer stronger authentication than user names and
passwords. Smartcards securely store certificates, public and private keys,
passwords, and other types of personal information. A smartcard reader attached to
the computer reads the smartcard.
Incorrect Answers:
A: A PIN can be easy or difficult to remember. The personal identification number is the
responsibility of the smart card holder, and the administrator is responsible for the
password policies.
B: If the smart card is stolen, the culprit would still need to know the PIN.
D: You can configure the smart card to lock after a number of unsuccessful attempts.

QUESTION 120:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. The functional level of the forest is set
at Windows Server 2003 and the functional level for us. Certkiller .com and
uk. Certkiller .com is set at Windows Server 2003. Half the client computers run
Windows 2000 Professional, and the rest run Windows XP Professional.
Certkiller .com has its headquarters in Chicago and a branch office in London. The
us. Certkiller .com is in Chicago and the uk. Certkiller .com is in London. Each of the two
branch offices has a domain controller that is running Windows Server 2003.
The branch offices are connected through slow and unreliable links. Certkiller .com
contains a Research department and a Development department. The Research
department resides in us. Certkiller .com and the Development department resides in
uk. Certkiller .com. The Research department does research for different in-house
applications and the Development department develops the in-house applications.
Because of the in-house applications you want to implement a smart card authentication
strategy for Certkiller .com.
What should you do first, before enabling smart card authentication?

A. Set up a certification authority.
B. Upgrade the remaining Windows 2000 Professional computers to Windows XP Professional.
C. Move all the users to a single domain.
D. Instead of the slow WAN link, replace it with a fast link.

Answer: A

Explanation: Before you can use the smart card, you should set up the certification
authority. In each domain, you must configure the security permissions of the Smart
Card User, Smart Card Logon, and Enrollment Agent certificate templates to allow
smart card users to enroll for certificates. You must also set up the certification
authority to issue smart card certificates and Enrollment Agent certificates.
Incorrect Answers:
B: It can be easy or difficult. The personal identification number is the responsibility of
the smart card holder and the administrator is responsible for the password policies.
C: Smart card authentication can be used on computers running Windows 2000
Professional.
D: There is no need to replace the slow WAN link with a fast link. Authentication will
only occur within each office, or when a user has to access the other domain in the forest.

QUESTION 121:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Finance department which is crucial to the company. Due
to security reasons you want the users to use smart card certificates. You want the
Certkiller .com users to log on to the domain and to digitally sign and encrypt e-mail
messages. You also want two certificates to enable smart card authentication.
Which of the following should you choose? (Choose all that apply)

A. Use the Exchange User.
B. Use the Enrollment Agent.
C. Use the Smart Card User.
D. Use the Smart Card Logon.

Answer: B, C

Explanation: The Enrollment Agent certificate is issued to allow smart card users to
enroll for certificates. You must also set up the certification authority to issue smart
card certificates and Enrollment Agent certificates. The users should be assigned a
Smart Card User certificate. The Smart Card User certificate provides domain logon
and e-mail security services.
Incorrect Answers:
A: The Exchange User template secures e-mail (signing and encryption) for users of a
Microsoft Exchange server; it does not provide smart card domain logon.
D: The Smart Card Logon template provides domain logon only, not e-mail security.

QUESTION 122:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com has headquarters in London and branch offices in Paris, Berlin,
Warsaw, Minsk, and Athens. Certkiller .com contains two departments named
Research and Development. To give the branch offices more reliable access, you
have installed and configured two file servers named Certkiller -SR15 and
Certkiller -SR16 on the Certkiller .com network. You want to use the servers for
an intranet Web site. You are planning to use Integrated Windows
Authentication.
Because of the sensitive information on the Certkiller .com network, you have decided
to strengthen the password policy. Certkiller .com users' passwords must have a
minimum of 8 characters and must be changed every 30 days. Users must not be able to
reuse a password until they have used 15 different passwords. Users must still be
able to access all Web-based resources. You need to select the password policy
settings that meet these goals.
What should you do? To answer, select the appropriate options and place them in
the work area.

Answer:

Explanation:
To meet these goals, set Minimum password length to 8 characters and Maximum
password age to 30 days, so that passwords must be changed every 30 days. Set Enforce
password history to the number of previous passwords the scenario requires to be
remembered (15), so that a password cannot be reused until that many different
passwords have been used.
Incorrect Answers:
Store passwords using reversible encryption is needed only when users authenticate to
a Web site that uses Digest authentication; the scenario uses Integrated Windows
Authentication, so it stays disabled. The scenario does not require a mix of uppercase
and lowercase characters, so password complexity is not needed. Minimum password age
is used only when you want to stop users from changing their password again for a
certain period, which is not one of the stated goals.
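As an added example that is not part of the original exam material, the Python script below checks a security template in the INF format that secedit exports against the settings this scenario requires. The two templates embedded in it are constructed for illustration; on a real domain controller an equivalent file comes from secedit /export /cfg policy.inf /areas SECURITYPOLICY. The checker also catches a MaximumPasswordAge of -1 (passwords never expire), which a naive "at most 30" comparison would wrongly accept.

```python
"""Check a secedit-style security template against the password policy the
scenario calls for. Added example: the templates are constructed, not exported
from a real domain, and the requirement values are taken from the scenario."""

# Requirements from the scenario: 8-character minimum, change every 30 days,
# remember the last 15 passwords, and no reversible storage (only Digest
# authentication needs it; Integrated Windows Authentication does not).
REQUIREMENTS = {
    "MinimumPasswordLength": (">=", 8),
    "MaximumPasswordAge": ("<=", 30),
    "PasswordHistorySize": (">=", 15),
    "ClearTextPassword": ("==", 0),
}

# Constructed 'before' template: short passwords, long lifetime, no history,
# and reversible encryption switched on for a Digest-authenticated site.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed 'after' template with the values the scenario requires.
HARDENED_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 30
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 15
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text):
    """Return the [System Access] settings as a dict of name -> int."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            values[name.strip()] = int(value.strip())
    return values


def check_policy(values, requirements=REQUIREMENTS):
    """Return the settings that miss a requirement as (name, actual, op, wanted)."""
    problems = []
    for name, (op, wanted) in requirements.items():
        actual = values.get(name)
        # secedit writes -1 for 'password never expires'; that can never satisfy
        # a setting that must be at most 30 days.
        if name == "MaximumPasswordAge" and actual == -1:
            actual = None
        ok = actual is not None and {
            ">=": actual >= wanted,
            "<=": actual <= wanted,
            "==": actual == wanted,
        }[op]
        if not ok:
            problems.append((name, values.get(name), op, wanted))
    return problems


if __name__ == "__main__":
    for label, template in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        problems = check_policy(parse_system_access(template))
        print(label, "OK" if not problems else problems)
```

A GPO carrying these values governs domain accounts only when it is linked at the domain level; linked to an OU, it changes the local accounts on the computers in that OU and nothing else.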

QUESTION 123:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Finance department and a Marketing department.
Certkiller .com contains two domain controllers, which are located in the default
container. All the user accounts of the Finance department are located in an
organizational unit (OU) named CKFinance, and the Marketing department's user
accounts are located in an OU named CKMarket. The client computers in the
Certkiller .com domain are located in an OU named CKWorkstations.
During routine monitoring you suspect that an unauthorized user is attempting to
gain access to network resources. You need to determine which user accounts are
being used in the attacks.
What should you do?

A. Create an account lockout policy that locks out user accounts after three invalid
logon attempts and sets the lockout duration to 0.
Link the account lockout policy to the domain.
B. Link the account lockout policy to the CKWorkstations OU.
C. Create an account lockout policy that locks out user accounts after three invalid
logon attempts and sets the lockout duration to 1440 minutes.

D. Create an account lockout policy that locks out user accounts after three invalid
logon attempts and sets the lockout duration to 30 minutes.

Answer: A

Explanation:
Create an account lockout policy that locks an account after three invalid logon
attempts and set Account lockout duration to 0. A value of 0 means the account stays
locked until an administrator unlocks it, so every account the attacker has tried
remains visibly locked and can be identified. Account policies take effect for domain
accounts only when the GPO is linked to the domain. Failure auditing of account logon
events must also be enabled on the domain controllers, otherwise the attempts
themselves leave no record in the Security log.
Incorrect Answers:
B: Account lockout policy is part of the account policies, which apply to domain
accounts only when linked at the domain level; linked to the CKWorkstations OU it would
affect only the local accounts on those computers.
C, D: With a duration of 30 or 1440 minutes the accounts unlock automatically, the
attacker can simply resume after the interval, and the evidence of which accounts were
targeted is lost.
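A lockout with duration 0 reveals the targeted accounts only after the fact, and only for accounts that can be locked out at all. As an added example that is not part of the original material, the Python script below does the same job from the Security log: it counts Windows 2000/Server 2003 failure events per account and flags accounts that are locked or have reached the lockout threshold. The log lines are constructed for illustration in a simple timestamp, event ID, message layout; the event IDs 529 (bad password or unknown user name), 539 (logon refused because the account is locked out) and 644 (account locked out) are the real ones. Note the built-in Administrator account, which is exempt from lockout by default, so the failure count is the only way to see it being targeted.

```python
"""Find which domain accounts a password-guessing attack is targeting from
Windows 2000/Server 2003 Security log failures. Added example; the log lines
are constructed, not copied from a real server. Event IDs: 529 = bad password
or unknown user name, 539 = logon refused because the account is locked out,
644 = account locked out."""
import re
from collections import defaultdict

# Constructed sample: timestamp, event ID and message, tab separated.
SAMPLE_LOG = """\
2007-10-10 09:14:02\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CERTKILLER Logon Type: 3 Workstation Name: CK-WS17
2007-10-10 09:14:05\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CERTKILLER Logon Type: 3 Workstation Name: CK-WS17
2007-10-10 09:14:09\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CERTKILLER Logon Type: 3 Workstation Name: CK-WS17
2007-10-10 09:14:09\t644\tUser Account Locked Out: Target Account Name: jsmith Target Account ID: CERTKILLER\\jsmith Caller Machine Name: CK-WS17
2007-10-10 09:14:12\t539\tLogon Failure: Reason: Account locked out User Name: jsmith Domain: CERTKILLER Logon Type: 3 Workstation Name: CK-WS17
2007-10-10 09:15:30\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: ahamm Domain: CERTKILLER Logon Type: 2 Workstation Name: CK-WS03
2007-10-10 09:20:41\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CERTKILLER Logon Type: 3 Workstation Name: CK-WS17
2007-10-10 09:20:44\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CERTKILLER Logon Type: 3 Workstation Name: CK-WS17
2007-10-10 09:20:48\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CERTKILLER Logon Type: 3 Workstation Name: CK-WS17
"""

ACCOUNT_RE = re.compile(r"(?:User Name|Target Account Name):\s*(\S+)")
SOURCE_RE = re.compile(r"(?:Workstation Name|Caller Machine Name):\s*(\S+)")
FAILURE_IDS = {529, 539}
LOCKOUT_ID = 644


def parse_events(text):
    """Turn the tab-separated lines into dicts with the fields we need."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, message = line.split("\t", 2)
        account = ACCOUNT_RE.search(message)
        source = SOURCE_RE.search(message)
        events.append({
            "time": when,
            "id": int(event_id),
            "account": account.group(1).lower() if account else "?",
            "source": source.group(1).upper() if source else "?",
        })
    return events


def summarize(events):
    """Per account: number of failed logons, whether it was locked out, and
    the machines the attempts came from."""
    summary = defaultdict(lambda: {"failures": 0, "locked": False, "sources": set()})
    for ev in events:
        entry = summary[ev["account"]]
        if ev["id"] in FAILURE_IDS:
            entry["failures"] += 1
            entry["sources"].add(ev["source"])
        elif ev["id"] == LOCKOUT_ID:
            entry["locked"] = True
            entry["sources"].add(ev["source"])
    return dict(summary)


def targeted_accounts(summary, threshold=3):
    """Accounts that were locked out or reached the lockout threshold. The
    built-in Administrator account is exempt from lockout by default, so the
    failure count is the only signal for it."""
    return sorted(name for name, s in summary.items()
                  if s["locked"] or s["failures"] >= threshold)


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    for name in targeted_accounts(report):
        s = report[name]
        print(f"{name}: {s['failures']} failures, locked={s['locked']}, "
              f"from {sorted(s['sources'])}")
```

The source workstation is recorded alongside the account because, in practice, one machine hammering several accounts is the pattern that distinguishes an attack from a user who has simply forgotten a password.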

QUESTION 124:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Finance department and a Development department. The
Finance department contains a file server named Certkiller -SR30 which holds
critical information. The Finance department's user accounts are located on
Certkiller -SR30. A new Certkiller .com security policy requires that the Finance
department users use strong passwords when handling the critical information.
You create a Group Policy Object (GPO) with the password policy settings that
enforce a strong password. You need to take the necessary steps to enforce the
security policy.
What should you do?

A. Link the GPO to the OU.
B. Move the client computer objects of the Finance department to a new domain.
C. Link the GPO to a new domain.
D. Link the GPO to the existing domain.

Answer: D

Explanation:
Link the GPO to the existing domain. Password policy settings in a GPO linked to the
domain apply to the domain's user accounts; domain account policies are read only from
GPOs linked at the domain level, so linking them anywhere lower has no effect on domain
users.
Incorrect Answers:

A: A password policy in a GPO linked to an OU affects only the local accounts on the
computers in that OU, not the domain user accounts.
B, C: Moving the Finance client computer objects to a new domain is unnecessary, and a
GPO linked to a new domain would have no effect on the users in the original domain.

QUESTION 125:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Marketing department which is important to the company.
Certkiller .com contains a domain controller named Certkiller -DC02 that runs
Windows Server 2003. Certkiller .com also runs crucial in-house accounting
applications. A Certkiller .com written security policy states that all user and
administrator passwords must be changed every 40 days. You specify the
password policy in a GPO and link it to the domain.
After a few months you restart Certkiller -DC02 in Directory Services Restore
Mode (DSRM) and notice that the DSRM administrator password is still valid. You
need to change the DSRM password on Certkiller -DC02.
What should you do?

A. Use the Default Domain Policy GPO, configure the password policy.
B. Reset the password for the local Administrative account.
C. Reset the DSRM password by using the Ntdsutil.
D. Use the Default Domain Controllers Policy GPO, configure the password policy

Answer: C

Explanation: Directory Services Restore Mode is used to perform maintenance on the
Active Directory database, such as an authoritative restore. The DSRM administrator
password is held in the domain controller's local SAM, not in Active Directory, so
domain password policies never apply to it. Reset it with Ntdsutil: at the ntdsutil
prompt type set dsrm password, then reset password on server null to change it on
the local domain controller.
Incorrect Answers:
A: A password policy configured in the Default Domain Policy GPO governs domain
accounts; it does not affect the DSRM password on Certkiller -DC02.
B: A domain controller has no ordinary local user accounts to reset; the DSRM
administrator account is changed only through Ntdsutil.
D: A password policy configured in the Default Domain Controllers Policy GPO does not
affect the DSRM password on Certkiller -DC02 either.

QUESTION 126:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client

computers run Windows XP Professional.


Certkiller .com contains a Research department. A user named Andy Reid works in
the department. Five client computers designated as public computers are configured
to log on automatically with his user account. Because of Andy Reid's inexperience,
you need to give these 5 public computers a restricted desktop with some features
disabled, without affecting the other employees or their client computers. You have
created a Group Policy object (GPO) with the needed user policy settings.
What is your next step?

A. Place the 5 client computers in an OU and link the GPO to this OU.
B. Add Andy Reid's user account to the Group Policy Creator Owners group and link the
GPO to the domain.
C. Link the GPO to the domain and grant the Allow - Read and Allow - Apply Group
Policy permissions on the GPO to the 5 client computers.
D. Place Andy Reid's user account in an OU and link the GPO to this OU.

Answer: D

Explanation: A GPO's user settings apply to the user objects in the site, domain or OU
to which the GPO is linked. The restrictions here are user policy settings and must
follow Andy Reid's account, so place his user account in an OU and link the GPO to that
OU; no other user is affected.
Incorrect Answers:
A: Placing only the 5 client computers in an OU and linking the GPO there does nothing,
because the GPO contains only user settings and that OU holds no user objects.
B: Adding Andy Reid's user account to the Group Policy Creator Owners group only lets
him create and manage GPOs in the domain; it does not apply any settings to him.
C: Linking the GPO to the domain and granting the 5 client computers Read and Apply
Group Policy would work only if loopback processing mode were also enabled in the GPO,
which forces the GPO's user settings onto every user who logs on to those computers.
On its own this option applies nothing.

QUESTION 127:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. The functional level of the forest is set
at Windows Server 2003. All servers on the Certkiller .com network run Windows
Server 2003 and all client computers run Windows XP Professional.
Certkiller .com contains a Marketing department with 40 users. All of the users and
computers in this department are located in an OU and have domain-based Group
Policies applied to them. The 40 Marketing users belong to a global group named
CKMarketing. Ten of the Marketing users must not be affected by a desktop lockdown
policy; their user accounts are in a child OU named ChildOU. You need to deploy the
desktop lockdown GPO to the domain. You also

need to ensure that the 10 users of the Marketing department are not affected by
the settings.
What should you do?

A. On each of the 10 users, deny Apply Group Policy for the desktop lockdown GPO.
B. On ChildOU, deny Apply Group Policy.
C. On ChildOU, block the inheritance.
D. Put the 10 users in a group and deny Apply Group Policy for the desktop lockdown
GPO to the group.

Answer: D

Explanation: Put the 10 users in a security group and, on the desktop lockdown GPO,
deny that group the Apply Group Policy permission. A GPO is applied only to security
principals that hold both Read and Apply Group Policy on it, and an explicit Deny on
Apply Group Policy overrides the Allow the users receive through Authenticated Users.
Incorrect Answers:
A: Denying Apply Group Policy on each of the 10 user accounts individually would work
technically, but permissions should be assigned to groups rather than to individual
users; per-user entries are hard to maintain.
B: Apply Group Policy is a permission on the GPO itself, not on an OU.
C: Blocking inheritance on ChildOU would block every inherited GPO, not just the
desktop lockdown GPO, and it cannot stop a GPO whose link is set to No Override.

QUESTION 128:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Finance department. The Finance department runs crucial
accounting applications. The accounting applications reside on three file servers. The
Certkiller .com users who use these applications belong to a group named
CKEmployees. The user objects of these users belong to an organizational unit (OU)
named CKFinanceOU. The three file servers belong to a group named CKServer,
and their computer objects are located in CKFinServerOU.
You need to configure a Group Policy object (GPO) that allows the employees of the
Finance department to log on to the file servers. You create a GPO that
assigns the Allow log on locally user right.
Where should you configure the GPO?

A. Assign the right to CKFinanceOU and link the GPO to CKFinServerOU.
B. Assign the right to CKFinServerOU and link the GPO to CKFinanceOU.
C. Assign the right to CKEmployees and link the GPO to CKFinServerOU.
D. Assign the right to CKServer and link the GPO to CKFinanceOU.

Answer: C

Explanation: User rights such as Allow log on locally are computer-specific settings
(Computer Configuration, Windows Settings, Security Settings, Local Policies, User
Rights Assignment), so the GPO has to reach the computers that users will log on to.

Create a GPO that grants the Allow log on locally right to the CKEmployees group and
link it to CKFinServerOU, where the three file servers' computer objects reside.
Incorrect Answers:
A, B, D: A user right is granted to a user or group, never to an OU, and the GPO must
be linked where the computer objects are. Linking it to CKFinanceOU would have no
effect, because user rights are computer settings that are not processed for user
objects.

QUESTION 129:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains two departments named Research and Marketing.
Certkiller .com also has 1,500 employees. Certkiller .com contains two file servers
named Certkiller -SR33 and Certkiller -SR44 which run Microsoft Windows
Server 2003. You have critical in-house applications which are used on these
servers. The Research department's organizational unit (OU) contains all the users
and computers. The employees of the Research department are in a global group
named CKResearch.
As technology has advanced, the CIO has acquired a new third-party application. The
new third-party application must be made available to the Research department's
managers. The managers' user accounts also reside in CKResearch. You need to deploy
the new third-party application to the Research department's managers.
What should you do? (Select all that apply)

A. Create and link a GPO at the CKResearch that installs the third-party application.
B. Create a GPO that installs the third-party application and link it to the Research
department's managers group.
C. Create a child OU named CKManagersOU inside of the CKResearch and place the
managers user accounts in the CKManagersOU.
D. Create and link a GPO at the CKManagersOU that assigns the third-party application
to the users.

Answer: C, D

Explanation: To deploy the application only to the managers, create a child OU named
CKManagersOU inside the Research OU, move the managers' user accounts into it, and
create and link a GPO at CKManagersOU that assigns the application to those users.
The rest of the Research department, whose accounts stay in the parent OU, is not
affected.
Incorrect Answers:
A: CKResearch is a group, and a GPO can be linked only to a site, domain or OU, never
to a group.
B: For the same reason a GPO cannot be linked to the managers' group, so the
application would never reach the managers.

QUESTION 130:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains two departments named Development and Finance. The
Development department develops in-house accounting applications for the Finance
department. Because of the confidentiality of the information the Finance
department works with, the employees of the Finance department log on by using
local user accounts. A new Certkiller .com security policy requires that the
finance employees use strong passwords for their local user accounts. Users in
the other department are not subject to this rule. You specify the appropriate
settings in a Group Policy object (GPO). You need to apply the GPO.
What should you do?

A. Move the user objects for the finance employees to the CKFinanceOU, that you should
create, and link the GPO to the OU.
B. Move the computer objects for the client computers of the finance employees to the
FinanceClientOU, that you should create, and link the GPO to the OU.
C. Create a security group named CKUsers, add the user accounts of the finance
employees to this group, link the GPO to Certkiller .com and assign the Allow - Read
and Allow - Apply Group Policy permissions for the GPO to CKUsers.
D. Create a security group named CKComputers, add the user accounts of the finance
employees to this group, link the GPO to Certkiller .com and assign the Allow - Read
and Allow - Apply Group Policy permissions for the GPO to CKComputers.

Answer: B

Explanation: A GPO is applied by linking it to a site, domain or OU. Password policy
for local user accounts is a computer setting that each client computer applies to its
own local account database, so put the computer objects of the finance employees'
client computers in a new OU (FinanceClientOU) and link the GPO there; computers
elsewhere are not affected.
Incorrect Answers:
A: Linking the GPO to an OU that holds only the finance employees' user objects has no
effect, because password policy is processed for computers, not for users.
C, D: Linking the GPO to the domain and filtering it to a group of user accounts is
wrong on two counts: filtering on a group of users cannot scope computer settings, and a
password policy linked at the domain level would also change the domain account policy
for every user, which the scenario forbids.
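The scoping rules behind Question 126, Question 127 and this question (where the object lives, whether the GPO carries user or computer settings, the Read and Apply Group Policy filter, Block Inheritance and No Override) can be modelled in a few lines. The Python below is an added example, not part of the original material; the OU names, group names and GPO names are constructed to mirror the scenarios. It returns the GPOs in processing order, so the last entry wins any conflict.

```python
"""Model of how a GPO is scoped to a user or computer: it must be linked on the
domain/OU chain that contains the object, the object needs Read and Apply Group
Policy on it, and Block Inheritance / No Override decide what survives. Added
example; OUs, groups and GPO names are constructed to mirror the Certkiller
scenarios and are not part of the original material."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    user_settings: bool = True
    computer_settings: bool = True
    apply_allowed: set = field(default_factory=lambda: {"Authenticated Users"})
    apply_denied: set = field(default_factory=set)


@dataclass
class Container:
    """A domain or OU. links holds (gpo, no_override) in link order; the first
    link has the highest precedence at this level."""
    dn: str
    parent: "Container | None" = None
    links: list = field(default_factory=list)
    block_inheritance: bool = False


@dataclass
class Principal:
    name: str
    kind: str  # "user" or "computer"
    container: Container
    groups: set = field(default_factory=set)


def passes_filter(gpo, who):
    """Security filtering: an explicit Deny on Apply Group Policy beats any
    Allow, including the one Authenticated Users normally has."""
    token = who.groups | {"Authenticated Users", who.name}
    if token & gpo.apply_denied:
        return False
    return bool(token & gpo.apply_allowed)


def processing_order(container):
    """GPOs in processing order (domain first, the object's own OU last; later
    entries win conflicts), honouring Block Inheritance and No Override."""
    chain, node = [], container
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()
    normal, enforced_per_level = [], []
    for level in chain:
        if level.block_inheritance:
            normal = []  # drops inherited links unless they are No Override
        level_enforced = []
        for gpo, no_override in reversed(level.links):
            (level_enforced if no_override else normal).append(gpo)
        enforced_per_level.append(level_enforced)
    # No Override links are applied after everything else, parent after child,
    # so a parent's enforced setting always wins.
    order = list(normal)
    for level_enforced in reversed(enforced_per_level):
        order.extend(level_enforced)
    return order


def applied_gpos(who):
    """Names of the GPOs whose relevant half (user or computer) reaches who."""
    names = []
    for gpo in processing_order(who.container):
        has_half = gpo.user_settings if who.kind == "user" else gpo.computer_settings
        if has_half and passes_filter(gpo, who):
            names.append(gpo.name)
    return names


# Constructed directory mirroring the scenarios.
domain = Container("DC=Certkiller,DC=com")
marketing = Container("OU=Marketing,DC=Certkiller,DC=com", parent=domain)
child = Container("OU=ChildOU,OU=Marketing,DC=Certkiller,DC=com", parent=marketing)
workstations = Container("OU=CKWorkstations,DC=Certkiller,DC=com", parent=domain)
public_pcs = Container("OU=PublicPCs,DC=Certkiller,DC=com", parent=domain)

default_domain = GPO("Default Domain Policy")
lockdown = GPO("Desktop Lockdown", computer_settings=False, apply_denied={"CKExempt"})
local_pw = GPO("Local Account Password", user_settings=False)   # Q130: computer half only
restricted = GPO("Restricted Desktop", computer_settings=False)  # Q126: user half only

domain.links = [(lockdown, False), (default_domain, False)]
workstations.links = [(local_pw, False)]
public_pcs.links = [(restricted, False)]

user1 = Principal("m.user1", "user", marketing, {"CKMarketing"})
user10 = Principal("m.user10", "user", child, {"CKMarketing", "CKExempt"})  # Q127 deny group
ws01 = Principal("CK-WS01$", "computer", workstations)
pub01 = Principal("CK-PUB01$", "computer", public_pcs)  # Restricted Desktop never reaches it


def block_inheritance_demo():
    """Q127 option C: Block Inheritance on ChildOU strips every inherited GPO,
    and cannot stop a link marked No Override. Returns (blocked, with_override)."""
    user11 = Principal("m.user11", "user", child, {"CKMarketing"})
    child.block_inheritance = True
    try:
        blocked = applied_gpos(user11)
        domain.links[0] = (lockdown, True)
        try:
            with_override = applied_gpos(user11)
        finally:
            domain.links[0] = (lockdown, False)
    finally:
        child.block_inheritance = False
    return blocked, with_override
```

Running applied_gpos on the four principals shows the three exam points at once: the denied group drops the lockdown for user10 only, the computer-only password GPO reaches CK-WS01$ because its computer object sits under CKWorkstations, and the user-only Restricted Desktop GPO linked at the public computers' OU reaches nobody, which is why Question 126 needs the user account in the OU (or loopback processing, which this model leaves out).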

QUESTION 131:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client

computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains four departments, named Development, IT, Research and
Marketing. These departments are crucial to the business operation at
Certkiller .com. All the client computers belong to the Development, Research
and Marketing departments. You are designing the organizational unit (OU)
structure for Certkiller .com. The top-level OUs represent the departments, with
further OUs below them for internal sub-units; the bottom level holds the
computer and user accounts of each department, as shown in the exhibit.

To maintain the computers and assist users, the IT department has two
sub-sections named Help Desk and Administration. You need the Help Desk employees
to be able to reset passwords for all user accounts in the domain and to manage all
user accounts except those in the IT OU. You need to do this with the least amount
of administrative effort.
What should you do?

A. Delegate authority over the domain to the Help Desk group, allowing them to reset
passwords and manage user objects. Block Group Policy inheritance at the IT OU.
B. Delegate authority over the Development, IT, Research and Marketing OUs to the
Help Desk group, allowing them to reset passwords and manage user objects.
C. Delegate authority over the domain to the Help Desk group, allowing them to reset
passwords, and authority over the Development OU, Research OU and Marketing OU to
manage user objects.
D. Delegate authority over the domain to the Help Desk group, allowing them to reset
passwords and manage user objects. Block permission inheritance at the IT OU.

Answer: C

Explanation: Use the Delegation of Control wizard to give the Help Desk group exactly
the rights it needs, at the level where each task applies.

Resetting passwords for every user account in the domain has to be delegated at the
domain. Managing user objects everywhere except the IT OU is delegated separately on
each top-level OU other than IT, so the Help Desk never gains management rights over
the IT accounts.
Incorrect Answers:
A: Blocking Group Policy inheritance affects GPO processing only; it has no effect on
permissions delegated at the domain.
B: Delegating at the departmental OUs, including IT, would give the Help Desk
management rights over the IT OU, which the requirements exclude.
D: Blocking permission inheritance at the IT OU would also stop the Help Desk from
resetting passwords for the IT users, which they must be able to do.

QUESTION 132:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com has headquarters in London and branch offices in Paris, Berlin and
Athens. Each of the branch offices is configured as an Active Directory site. The
London office has 1,500 users and each branch office has 500 users.
Certkiller .com has a group named CK_Admin which manages all of the OUs shown
in the exhibit.

To ease the task of the CK_Admin group, you want a team of three users to be
responsible for each branch office. Each team should control the users and resources
in its own branch only, and not those of the other branches.
What should you do?

A. Create a group for each branch office, add the three users to the appropriate
group, and make each group a member of the OU Administrators group.
B. Create a group for each branch office, add the three users to the appropriate
group, and delegate control of each OU to the appropriate group.
C. Create a group for each branch office, add the three users to the appropriate
group, and make each group a member of the Domain Admins group.
D. Delegate control of each OU to the three users who will be responsible for managing
the location.

Answer: B

Explanation: Create one group per branch office, add its three administrators to it,
and delegate control of that branch's OU to the group. Delegating to groups rather
than to individual users keeps administration simple when team membership changes.
Incorrect Answers:
A: Membership in a domain-wide administrators group would give each team control over
every OU in the domain, not only over its own branch.
C: Membership in Domain Admins gives the teams full control over the entire domain.
D: Delegating directly to the three individual users works only until the team
changes; following the A-G-P model (accounts into groups, permissions to groups),
permissions should be granted to groups, not to users.

QUESTION 133:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains two departments named Research and Development. These
departments are administered by three new, inexperienced administrators named
Andy Reid, Rory Allen and Andy Booth. Certkiller .com also contains a file server
named Certkiller -SR33 and a shared printer named Certkiller -PR04, which resides
in the Admin OU. The resources of Certkiller .com are located in the organizational
units (OUs) shown in the exhibit.

The administrative responsibilities for the OUs are assigned as follows: Andy Reid -
Admin OU, Rory Allen - Research OU and Andy Booth - Sales OU. Each administrator is
expected to manage only the resources in the OU assigned to him.
After you move Certkiller -PR04 from the Admin OU to the Sales OU, both Andy Booth
and Andy Reid are able to manage Certkiller -PR04. You want only Andy Booth to be
able to manage Certkiller -PR04.
What should you do?

A. Make sure that Andy Reid has no explicit permissions granted on Certkiller -PR04.

B. Make sure that Andy Reid has been denied the Full Control permission on
Certkiller -PR04.
C. Make sure that authority to manage the Sales OU has been delegated to Andy Booth.
D. Make sure that the Allow inheritable permissions from parent to propagate to this
object check box is selected in Certkiller -PR04's properties.

Answer: A

Explanation: When an object is moved to another OU, it keeps any permissions set
explicitly on the object itself; only the permissions it inherited from the old parent
are replaced by those inherited from the new parent. Andy Reid therefore still manages
the printer through an explicit permission entry on Certkiller -PR04, which you need
to remove.
Incorrect Answers:
B: A Deny Full Control entry would only paper over the misconfigured permission; remove
the unwanted explicit permission instead and keep Deny entries as a last resort.
C: Andy Booth already manages the printer, so delegation on the Sales OU is already in
place and is not what needs to change.
D: Inheritable permissions from the Sales OU are already how Andy Booth obtains his
access; changing this setting does nothing about Andy Reid's explicit permission.

QUESTION 134:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and Microsoft
Windows 2000 Advanced Server. All the client computers are running Windows XP
Professional.
Certkiller .com contains a Finance department and a Marketing department. The
user accounts of the Finance department belong to the organizational unit (OU)
named FinOU and the user accounts of the Marketing department belong to the
organizational unit (OU) named MktOU.
A Certkiller .com employee named Andy Reid works in the Finance department. Because
of the workload in the Marketing department, Andy Reid is transferred to the
Marketing department. You then move the user account of Andy Reid from FinOU to
MktOU.
Which settings will change when the user account is moved? (Select two)

A. Andy Reid's permission to access and manage the user account object.
B. Logon hours
C. Group Policy objects that affect the user account.
D. Andy Reid's security group membership.

Answer: A, C

Explanation: Moving a user account to a different OU changes which GPOs apply to it
and which permissions it inherits.

GPO links follow the OU hierarchy, so the account now receives the GPOs linked to
MktOU instead of those linked to FinOU, and the permissions inherited from the new
parent OU decide who may access and manage the account object.
Incorrect Answers:
B: Logon hours are an attribute of the user account and are unchanged by a move.
D: Security group membership is stored with the account and the groups, not with the
OU, so it is unchanged by a move.

QUESTION 135:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com has a Research department and a Development department. The
Research department researches new in-house applications, and the Development
department builds the applications that prove successful in research. The users in
the Research department are members of the Research security group, and their user
accounts belong to the organizational unit (OU) named ResOU. The users in the
Development department are members of the Development security group, and their
user accounts belong to the organizational unit (OU) named DevOU.
A Certkiller .com employee named Mia Hamm has moved from the Research department to
the Development department. You need to change her user rights, permissions and
restrictions to those of the Development department. Mia Hamm must be able to access
all of her personal files at any time.
What should you do?

A. Delete Mia Hamm's user account, create a new user account with the same name in
DevOU, and add the new account to the Development security group.
B. Move Mia Hamm's user account from ResOU to DevOU.
C. Remove Mia Hamm's user account from the Research security group and add it to the
Development security group.
D. Move Mia Hamm's user account from ResOU to DevOU, remove the user account from the
Research security group and add it to the Development security group.

Answer: D

Explanation: Two separate things have to change. Group Policy follows the OU, so the
account must be moved from ResOU to DevOU to receive the Development department's
policy settings; permissions and user rights are granted to security groups, so the
account must also leave the Research group and join the Development group. Neither
step alone is enough.
Incorrect Answers:
A: Deleting the account destroys its SID, so Mia Hamm would lose access to her personal
files and to any other resource granted to the old account.
B: Moving the account alone changes only which GPOs apply; the permissions granted
through the Research security group stay in place.

C: Changing group membership alone changes only permissions; the account would still
receive the Group Policy settings linked to ResOU rather than those linked to DevOU.

QUESTION 136:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com has its headquarters in Chicago and a branch office in Dallas, which
are configured as Active Directory sites. These sites are physically linked via an
ATM backbone. You have also installed a 128 Kbps ISDN line as a backup to the ATM
backbone.
The Chicago office currently hosts all domain controllers on the Certkiller .com
network. GPOs exist that are linked to the domain and OUs.
As a result of the high-speed link between the two offices, users in the Dallas office
do not have any problems with Group Policy processing. You create a slow link
GPO, and then configure certain GPO nodes to not process when the slow link is
detected.
You need to ensure that this GPO performs correctly. You have to accomplish this
by simulating a slow network connection.
What should you use?

A. Secedit
B. Resultant Set of Policy in planning mode.
C. Resultant Set of Policy in logging mode.
D. Gpupdate

Answer: B

Explanation: To simulate a slow network connection, which here stands in for the
ATM backbone going down and the ISDN line taking over, use Resultant Set of
Policy in planning mode. Planning mode is used to evaluate Group Policy changes
before putting them into effect, for example when:
1. You want to simulate the effect of specific policy settings on a computer, user,
domain, organizational unit, or site.
2. You want to test policy precedence when the user and the computer are in
different security groups or in different organizational units, or when the user or
the computer is moving to a new location.
3. You want to simulate a slow network connection.
4. You want to simulate loopback processing.

Actualtests.com - The Power of Knowing


070-294

Incorrect Answers:
A, D: Secedit configures or analyzes security settings from a security template, and
Gpupdate refreshes Group Policy on the local computer over whatever link it actually has.
Neither can simulate a slow network connection.
C: Resultant Set of Policy in logging mode is used if:
1. You want to discover which policy settings are applied to a computer or user.
2. You want to discover failed or overwritten policy settings.
3. You want to see how security groups affect policy settings.
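Planning mode has no command-line front end on Windows Server 2003; it is driven from the Group Policy Modeling wizard. What can be scripted is the check of what a client will actually do on the slow path. The following PowerShell is an added example for Question 136 and is not part of the exam text: it reads the slow link threshold the client uses (the Group Policy slow link detection policy, 500 Kbps by default), classifies the 128 Kbps ISDN path, and lists, for the client-side extensions these questions mention, whether each one skips processing over a slow link, taking any "policy processing" override into account. It assumes a domain-joined Windows computer with the standard registry layout; the 128 Kbps figure is a constructed input, not a measurement.

```powershell
# Added example: what a client will do on a slow link. Reads the local registry only.

$DefaultSlowLinkKbps = 500   # Group Policy default threshold

function Get-GPSlowLinkThresholdKbps {
    # Written by "Group Policy slow link detection" (Computer Configuration\Administrative
    # Templates\System\Group Policy). A value of 0 means "never treat a link as slow".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
    if ($null -eq $v) { return $DefaultSlowLinkKbps }
    return [int]$v
}

function Test-GPSlowLink {
    param([Parameter(Mandatory)][int]$MeasuredKbps)
    $threshold = Get-GPSlowLinkThresholdKbps
    if ($threshold -eq 0) { return $false }
    return ($MeasuredKbps -lt $threshold)
}

# Well-known client-side extension (CSE) GUIDs registered under Winlogon\GPExtensions.
$Cse = [ordered]@{
    'Registry (Administrative Templates)' = '{35378EAA-683C-11D2-A1D6-0000F87571E3}'
    'Security'                            = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    'Scripts'                             = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'
    'Software Installation'               = '{C6DC5466-785A-11D2-84D0-00C04FB169F7}'
    'IP Security'                         = '{E437BC1C-AA7D-11D2-A382-00C04F991E27}'
}

function Get-CseSlowLinkBehaviour {
    # NoSlowLink = 1 means the extension is skipped when the link is slow. Each CSE registers
    # its default under GPExtensions; the "<extension> policy processing" settings write an
    # override under Software\Policies\Microsoft\Windows\Group Policy\<GUID>.
    foreach ($name in $Cse.Keys) {
        $guid    = $Cse[$name]
        $default = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$guid" -Name NoSlowLink -ErrorAction SilentlyContinue).NoSlowLink
        $policy  = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$guid" -Name NoSlowLink -ErrorAction SilentlyContinue).NoSlowLink
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $default) { $default } else { 0 }
        [pscustomobject]@{
            Extension         = $name
            DefaultNoSlowLink = $default
            PolicyNoSlowLink  = $policy
            SkippedOnSlowLink = [bool]$effective
        }
    }
}

# Constructed input: the backup ISDN path from the question.
$isdnKbps = 128
"Threshold {0} Kbps; a {1} Kbps link is slow: {2}" -f (Get-GPSlowLinkThresholdKbps), $isdnKbps, (Test-GPSlowLink -MeasuredKbps $isdnKbps)
Get-CseSlowLinkBehaviour | Format-Table -AutoSize
```

A Windows XP or Server 2003 client decides the link speed by timing ICMP echo requests to the domain controller, so ICMP filtering between the Dallas and Chicago sites changes the verdict and is the first thing to check when the live result differs from the planning-mode simulation.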

QUESTION 137:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com has made several Windows XP Professional computers available for
clients to browse the Internet while waiting for meetings. You have configured these
computers to automatically log on a user named Client. You now need to prevent
these users from modifying the configuration or functionality of Internet Explorer.
You need to ensure that these restrictions are not applied to Certkiller .com
employees and their client computers.
What should you do?

A. Configure a Group Policy object (GPO) with the appropriate user and computer policy
settings, place all public computers and the Client user account into an OU, and then
link the GPO to this OU.
B. Configure a Group Policy object (GPO) with the appropriate user and computer policy
settings, place all public computers into an OU, and then link the GPO to this OU.
C. Configure a Group Policy object (GPO) with the appropriate user and computer policy
settings, place the Client user account into an OU, link the GPO to this OU, and
enable loopback processing mode.
D. Configure a Group Policy object (GPO) with the appropriate user and computer policy
settings, place the Client user account into an OU, and then link the GPO to this OU.

Answer: A

Explanation: A GPO contains computer-specific policies that are found under the
Computer Configuration node, and user-specific policies that are found under the
User Configuration node. Computer-specific policies target computer accounts and
user-specific policies target user accounts. For this scenario, you can configure some
restrictions on Internet Explorer in computer-specific policies, and some restrictions
can be configured in user-specific policies. You should therefore configure both
user-specific and computer-specific policies in a GPO and apply the GPO to both
the Client user object and the public computers.
Incorrect Answers:
B: If you linked the GPO to an OU that only contains the computer objects, then only the
computer-specific policies would be applied.
C: If you enabled loopback in a GPO and linked it to an OU that contains only user

objects, then the loopback policy, as well as all the other computer-specific policies in
the GPO would have no effect, and only the user specific policies in that GPO would be
applied.
D: If you linked the GPO to an OU that only contains the Client user object, then only
the user-specific policies would be applied.

QUESTION 138:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of a single Active Directory domain named Certkiller .com. The Certkiller .com
network is set up in a single Active Directory site that contains 2,000 users. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows 2000 Professional.
The Certkiller .com network contains four domain controllers named
Certkiller -DC01, Certkiller -DC02, Certkiller -DC03, and Certkiller -DC04,
as well as a member server named Certkiller -SR07.
You have previously created organizational units (OUs) named Sales, Marketing,
and Finance. You are required to configure custom Web browser settings in the
Group Policy settings for users.
What should you do?

A. Open the Group Policy Object Editor console and click on User Configuration
Software Settings.
B. Open the Group Policy Object Editor console and click on System User Profiles from
User Configuration Administrative Templates.
C. Open the Group Policy Object Editor console and click on Internet Explorer
Maintenance URLs from User Configuration Windows Settings.
D. Open the Group Policy Object Editor console and click on Security Settings from
Computer Configuration Windows Settings.

Answer: C

Explanation: To configure custom Web browser settings for users, you should first
open the Group Policy Object Editor. In the console tree, click on Internet Explorer
Maintenance, and then click on URLs from the User Configuration Windows
Settings.
Incorrect Answers:
A: The User Configuration Software Settings are used to assign properties for
Software Installation onto users' computers.
B: The User Configuration Administrative Templates are used to assign properties for
Windows Components, Start Menu and Task Bar, Desktop, Control Panel, Shared
Folders, Network, and System.
D: The Computer Configuration Windows Settings are used to assign startup and
shutdown scripts to computers and assign security settings.

QUESTION 139:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of a single Active Directory domain named Certkiller .com. All servers on the
Certkiller .com network run Windows Server 2003. Half the client computers run
Windows 2000 Professional, and the rest run Windows XP Professional.
The Certkiller .com network contains a single domain controller named
Certkiller -DC01, and 2000 client computers.
You have previously created organizational units (OUs) that contain only user
accounts named Sales, Marketing, Finance, and IT. You have also created an OU
named QC that contains only computer accounts of the QC department.
An employee in the IT, named Rory Allen, requires access to computers in the QC
department from time to time. Rory Allen's user account belongs to the IT OU.
Remote desktop sharing is disabled and the disk quota limit is set to 100 MB in a
Group Policy object (GPO) that is linked to the QC OU. In a GPO linked to the IT
OU, remote desktop sharing is enabled and the disk quota limit is set to 200 MB.
You need to ensure that the computer's settings override the settings applied to
Rory Allen's user account when he logs on to a computer in the QC department.
What should you do?

A. You should import settings from the GPO linked to the QC OU, to the GPO linked to
the IT OU.
B. Enable Group Policy loopback processing and select the Replace mode.
C. You should import settings from the GPO linked to the IT OU, to the GPO linked to
the QC OU.
D. Enable Group Policy loopback processing and select the Merge mode.

Answer: B

Explanation:
The user's own settings should not be applied on a departmental computer. The
Replace mode of Group Policy loopback processing causes the settings in the User
Configuration portion of the GPOs applied to the computer to be used instead of the
settings in the User Configuration portion of the GPOs applied to the user logging on
to the computer. Loopback processing only changes where the User Configuration
settings come from; Computer Configuration settings always come from the computer's
own GPOs. Loopback processing is supported for computers running Microsoft
Windows 2000 or later. Loopback processing is an Active Directory feature, so the
computer and user accounts must be in Active Directory.
Incorrect Answers:
A: Using this option would cause the IT OU user settings to be permanently overwritten.
C: Using this option would cause the QC OU user settings to be permanently
overwritten.
D: The Merge mode for Group Policy loopback processing merges the settings from the
User Configuration portion of the GPOs associated with the user logging on with the
settings in the User Configuration portion of the GPOs associated with the computer
account. If there is a conflict between the user GPO settings and the computer GPO
settings, the computer GPO settings prevail because they are applied last; settings that
the computer's GPOs do not configure, however, are still taken from the user's GPOs,
which is not what the question asks for.
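The precedence rules in this explanation, modelled in PowerShell as an added example that is not part of the exam text or of Windows itself. It treats both settings as User Configuration settings, as the question does, and assembles the effective user policy from the user's GPO list and the computer's GPO list under each loopback mode; a third setting that only the IT GPO configures is a constructed addition to show the difference between Merge and Replace.

```powershell
# Added example: model which User Configuration settings win under each loopback mode.

function Get-EffectiveUserSettings {
    param(
        [Parameter(Mandatory)][ValidateSet('None', 'Merge', 'Replace')][string]$LoopbackMode,
        # Each list is in application order: lowest precedence first, highest (closest OU) last.
        [hashtable[]]$UserGpos = @(),      # GPOs from the user object's site/domain/OU chain
        [hashtable[]]$ComputerGpos = @()   # GPOs from the computer object's site/domain/OU chain
    )
    $order = switch ($LoopbackMode) {
        'None'    { $UserGpos }                         # normal processing
        'Replace' { $ComputerGpos }                     # the user's own GPO list is ignored
        'Merge'   { @($UserGpos) + @($ComputerGpos) }   # computer list applied last, so it wins conflicts
    }
    $effective = @{}
    foreach ($gpo in @($order)) {
        foreach ($setting in $gpo.User.Keys) {
            $effective[$setting] = $gpo.User[$setting]   # later writer wins
        }
    }
    return $effective
}

# Constructed: the User Configuration halves of the two GPOs in the question, plus one
# setting (ScreenSaverTimeoutSec) that only the IT GPO configures.
$itGpo = @{ Name = 'IT GPO'; User = @{ RemoteDesktopSharing = 'Enabled';  DiskQuotaLimitMB = 200; ScreenSaverTimeoutSec = 600 } }
$qcGpo = @{ Name = 'QC GPO'; User = @{ RemoteDesktopSharing = 'Disabled'; DiskQuotaLimitMB = 100 } }

function Show-LoopbackOutcomes {
    foreach ($mode in 'None', 'Merge', 'Replace') {
        $r = Get-EffectiveUserSettings -LoopbackMode $mode -UserGpos @($itGpo) -ComputerGpos @($qcGpo)
        [pscustomobject]@{
            LoopbackMode          = $mode
            RemoteDesktopSharing  = $r.RemoteDesktopSharing
            DiskQuotaLimitMB      = $r.DiskQuotaLimitMB
            ScreenSaverTimeoutSec = $r.ScreenSaverTimeoutSec
        }
    }
}

Show-LoopbackOutcomes | Format-Table -AutoSize
```

Under None the IT values apply; under Merge the QC values win both conflicts but the screen-saver timeout leaks through from the IT GPO; under Replace only the QC values exist, which is why Replace is the answer when nothing from the user's own policy may reach the QC computers.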

QUESTION 140:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller .com and us. Certkiller .com. The diagram in the work area shows the
domain and OU structure for the Certkiller .com network.
Internet access for the entire network is provided via a WAN connection in the
Certkiller .com domain. When you audited the domain controllers in the Certkiller .com
domain recently, you found that a large number of failed logon attempts have
occurred. It is for this reason that Certkiller .com introduced a new security policy
that requires all user accounts in the Certkiller .com domain to log on using complex
passwords that expire every ninety days. It also requires all user accounts in the
SalesUsers OU to log on using passwords that are five characters long and has to be
changed every one hundred and eighty days.
You have created a Group Policy object (GPO) named PwdGPO1 and configured it
to require complex passwords that has to be changed every 90 days. You have also
created a GPO named pwdGPO2 and configured it to require a password length of
5 characters and that passwords be changed every 180 days.
You need to ensure that these GPOs are linked in a manner that will satisfy the
requirements of Certkiller .com's new security policy.
What should you do? To answer, select the appropriate GPO in the list, and place it
in the correct space or spaces provided.

Answer:

Explanation:
You should link PwdGPO1 at the domain level in the Certkiller .com domain and
PwdGPO2 at the domain level in the us. Certkiller .com domain (the domain that contains
the SalesUsers OU).
Domains define the security boundary for account policies. Password Policy, Account
Lockout Policy, and Kerberos Policy settings for domain accounts are read only from
GPOs linked at the domain level; a GPO containing these settings that is linked to a site
or an OU affects only the local accounts of the computers it covers, not the domain
accounts in that OU. In Windows Server 2003 there is therefore exactly one password
policy per domain, which is why the weaker SalesUsers policy can only be implemented
because those users live in a separate domain. To enforce complex passwords and a
90-day change interval for the accounts in the Certkiller .com domain, link PwdGPO1 to
the Certkiller .com domain. Similarly, to enforce a minimum password length of 5
characters and a 180-day change interval for the accounts in the us. Certkiller .com
domain (including the users in the SalesUsers OU), link PwdGPO2 to the
us. Certkiller .com domain.

QUESTION 141:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. All servers on the Certkiller .com
network run Windows Server 2003 and all client computers run Windows XP
Professional.
The Marketing, Management, and Finance organizational units (OUs) are
configured in both the us. Certkiller .com and uk. Certkiller .com domains. A user named
Dean Austin is a member of the Management OU in the us. Certkiller .com domain.
Dean Austin asks you to install Microsoft NetMeeting so that he can discuss
financial issues with upper management, whose user accounts belong to an OU
named DIRECTORS in the uk. Certkiller .com domain.
You are required to publish the Microsoft NetMeeting service to Active Directory.
What should you do? (Choose two)

A. Publish the Microsoft NetMeeting service from the System container for
us. Certkiller .com.
B. Publish the Microsoft NetMeeting service to Dean Austin's computer.
C. Publish the Microsoft NetMeeting service from the Management OU of the
us. Certkiller .com domain.
D. Publish the Microsoft NetMeeting service in the DIRECTORS OU.
E. Publish the Microsoft NetMeeting service from the System container for
uk. Certkiller .com.

Answer: B, D

Explanation: In the us. Certkiller .com domain there is only one user that requires the
use of the Microsoft NetMeeting service. You should, therefore, only publish the
service to Dean Austin's computer. In the uk. Certkiller .com domain there is an entire
organizational unit (OU) that requires access to the service. You should, therefore,
publish the service to the DIRECTORS OU to provide the service to those users.
Service publication is the creation, storage, and maintenance of information stored in the
Active Directory data store. This form of publication is different from publishing
applications.
Incorrect Answers:
A, E: Generally, you should publish services like Microsoft NetMeeting in a
container beneath the System container when the service is not strongly tied to a
computer. If the service is strongly tied to a specific computer, you should publish the
service as a child of the computer that hosts the service.
C: You should not use this option because Dean Austin is the only user who requires this
service.

QUESTION 142:

SIMULATION
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You are required to perform the following tasks:
1. The desktops of the employees in the Sales department have to be locked down by
removing the Run command and hiding the Internet Explorer icon. You need to
make sure that these settings disappear when users in the Sales department log off.
2. You have to rename the local administrator account of all Certkiller .com
computers, except the computers in the Sales department, to CK_Admin.
3. You have to give the MK_Admin global group, which is located in the Marketing
OU, the ability to create user accounts and reset passwords for the Marketing
department.
You need to ensure that you use only the GPOs that are available and that you do
not change the links of any existing GPOs. You also need to ensure that the number
of GPOs that have to be edited is kept to a minimum.


What should you do? To answer, configure the appropriate options to achieve your
objective.

Answer:
Open Administrative Tools by clicking Start, Programs, and then Administrative Tools;
or Start, Control Panel, and then Administrative Tools. Then click Group Policy
Management to open the Group Policy Management console.

In the Group Policy Management console expand the Forest: Certkiller .com node, the
Domains node, and the Certkiller .com node. Then expand the Sales OU.

Right-click the Sales GPO under the Sales OU and select Edit from the pop-up menu.

This will open the Group Policy Object Editor for the Sales GPO.

In the Group Policy Object Editor, expand the User Configuration node, and the
Administrative Templates node. Then click on Start Menu and Taskbar.

Then, in the right-hand (details) pane, scroll down to and select the Remove Run menu
from Start Menu setting.

Right-click the Remove Run menu from Start Menu setting and select Properties from the
pop-up menu.

In the Remove Run menu from Start Menu Properties dialog box, select the Enabled
radio button and click OK.

Next, click on Desktop under the Administrative Templates node in the console tree
(left-hand pane) of the Group Policy Object Editor.

Then, right-click the Hide Internet Explorer icon on Desktop setting in the right-hand
pane of the Group Policy Object Editor and select Properties from the pop-up menu.

In the Hide Internet Explorer icon on Desktop Properties dialog box, select the Enabled
radio button and click OK.

Right-click the Sales OU in the Group Policy Management console and select Block
Inheritance from the pop-up menu. This will prevent the local administrator account of
the computers in the Sales department from being renamed.

Inheritance to the Sales OU is now blocked, as indicated by the blue exclamation mark
over the Sales OU icon.

Now right click on the Default Domain Policy GPO under the Certkiller .com node and
select Edit from the pop-up menu.

This will open the Group Policy Object Editor for the Default Domain Policy GPO.

In the Group Policy Object Editor, expand the Computer Configuration node, the
Windows Settings node, and the Security Settings node. Then click on Security Options.

Then, in the right-hand pane, right-click the Accounts: Rename administrator account
policy and select Properties from the pop-up menu.

In the Accounts: Rename administrator account Properties dialog box, select the Define
this policy setting check box and enter CK_Admin in the text box. Then click OK.

This will rename the local administrator account of all Certkiller .com computers except
those in the Sales OU to CK_Admin. We've already blocked inheritance to the Sales OU
so the local administrator account of the computers in the Sales OU will not be renamed.
Now close the Group Policy Object Editor.

Then close the Group Policy Management console.

Next, in Administrative Tools, click Active Directory Users and Computers to open the
Active Directory Users and Computers console.

In the Active Directory Users and Computers console, expand the Certkiller .com node.

Then right-click the Marketing OU and select Delegate Control from the pop-up menu to
open the Delegation of Control Wizard.

On the Welcome to the Delegation of Control Wizard page, click Next.

On the Users or Groups page, click Add.

On the Select Users, Computers, or Groups dialog box, click Advanced.

Then click Find Now.

Next, scroll down to and select the MK_Admin group and click OK.

Click OK to close the Select Users, Computers, or Groups dialog box.

Back on the Users or Groups page of the Delegation of Control Wizard, click Next.

On the Tasks to Delegate page, select the Create, delete, and manage user accounts and
the Reset user password and force password change at next logon check boxes. Then
click Next.

Finally, click Finish on the Completing the Delegation of Control Wizard page.

Explanation: GPOs are stored in Active Directory, which is hosted on domain
controllers. Computer-specific policies in GPOs are applied when the computer starts
up, and user-specific policies are applied when a user logs on. In this scenario, the
settings should go away when the user logs off. They should, therefore, be configured
under User Configuration so that they apply to the Sales users and not to the
computers.
This scenario requires you to minimize the number of GPOs that have to be edited. You
should, therefore, configure the new name for the local administrator account for all
computers in a GPO at the domain level, which is the Default Domain Policy. To prevent
this setting from applying to the computers in the Sales department, you should enable
Block Policy Inheritance on the Sales OU. If you enable Block Policy Inheritance on the
Sales OU, the GPOs that are linked to the site or domain no longer apply to the Sales OU.
Two caveats apply. The rename is a Computer Configuration setting, so the computer
accounts of the Sales department must actually be in the Sales OU for the block to help.
And Block Policy Inheritance has no effect on links marked Enforced (No Override),
while it does block every other non-enforced site- and domain-level setting from the
Sales OU, so check what else the Default Domain Policy carries before relying on it.
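The scriptable parts of this simulation, as an added example that is not part of the exam text. It uses the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or RSAT and later; they do not exist on Windows Server 2003, where the GPMC steps above are the only route) and assumes that the Sales and Marketing OUs sit directly under the domain, that the existing GPO is named Sales, and that MK_Admin is a group in the domain. The two desktop restrictions are Administrative Template settings, so they are written as the registry.pol entries behind them; the administrator rename is a Security Settings entry and is noted rather than scripted.

```powershell
# Added example: PowerShell equivalents of the GPMC and Delegation of Control Wizard steps.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$salesOu  = "OU=Sales,$domainDn"        # assumption: Sales OU directly under the domain
$mktOu    = "OU=Marketing,$domainDn"    # assumption: Marketing OU directly under the domain
$mkAdmin  = "$($domain.NetBIOSName)\MK_Admin"

# 1. Sales desktops: both settings live under User Configuration, so they apply to the Sales
#    users and are gone when the user logs off. These are the registry values the two
#    Administrative Template settings write.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name 'Sales' -Key $explorer -ValueName 'NoRun'          -Type DWord -Value 1  # Remove Run menu from Start Menu
Set-GPRegistryValue -Name 'Sales' -Key $explorer -ValueName 'NoInternetIcon' -Type DWord -Value 1  # Hide Internet Explorer icon on Desktop

# 2. Keep the domain-level rename away from Sales computers by blocking inheritance on the OU.
#    The rename itself ("Accounts: Rename administrator account" = CK_Admin) is stored in the
#    GPO's GptTmpl.inf, not in registry.pol, so it has no Set-GPRegistryValue equivalent and is
#    set in the Group Policy Object Editor as shown above.
Set-GPInheritance -Target $salesOu -IsBlocked Yes

# Check: blocking does not stop Enforced links, so list whatever still reaches the Sales OU.
$inh = Get-GPInheritance -Target $salesOu
[pscustomobject]@{
    InheritanceBlocked = $inh.GpoInheritanceBlocked
    StillInherited     = ($inh.InheritedGpoLinks | Where-Object { $_.Enforced } | ForEach-Object { $_.DisplayName }) -join ', '
}

# 3. Delegation to MK_Admin on the Marketing OU: the ACEs the wizard writes for
#    "Create, delete, and manage user accounts" and
#    "Reset user password and force password change at next logon".
dsacls $mktOu /I:T /G "${mkAdmin}:CCDC;user"               # create/delete user objects here and below
dsacls $mktOu /I:S /G "${mkAdmin}:GA;;user"                # full control on user objects below
dsacls $mktOu /I:S /G "${mkAdmin}:CA;Reset Password;user"  # Reset Password extended right
dsacls $mktOu /I:S /G "${mkAdmin}:RPWP;pwdLastSet;user"    # read/write pwdLastSet (force change at next logon)
```

The check in step 2 is the one worth keeping: if StillInherited is non-empty, an Enforced GPO above the Sales OU is still applying, and if it is the one carrying the rename, blocking inheritance did not meet the requirement.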

QUESTION 143:

You work as the network engineer at Certkiller .com. All servers on the
Certkiller .com network run Windows Server 2003 and all client computers run
Windows 2000 Professional. Certkiller .com has its headquarters in Chicago and a
branch office in Dallas, and both are configured as Active Directory sites.
The Chicago site contains a domain controller named Certkiller -DC01 and 2000
employees. The Dallas site contains a domain controller named Certkiller -DC02
and 1000 employees. You have created the organizational units (OUs) for the
Finance and Marketing departments named Finance and Marketing.
and 1000 employees. You have created the organizational units (OUs) for the
Finance and Marketing departments named Finance and Marketing.
The two sites are connected to each other via a 56 Kbps, 512 Kbps, and a T1 link.
The following diagram displays the Active Directory structure.

You are required to test the outcome of software deployment settings on individual
computers.
You need to customize the way in which Group Policy is applied to computers in the
domain so that software installation settings in a Group Policy object (GPO) are
processed over slow link connections.
What should you do? (Choose all that apply)

A. You should configure Security Settings from the Computer Configuration Windows
Settings.
B. You should click System, and then Group Policy from the Computer Configuration
Administrative Templates.
C. You should configure Software Restriction Policies from the Computer Configuration
Windows Settings.
D. You should select Enabled, and then select Allow processing across a slow connection
under the Software Installation policy properties setting.
E. You should disable the background refresh of group policy from the Computer
Configuration Administrative Templates.

Answer: B, D

Explanation: To allow software installation settings in GPOs to be processed over slow
link connections, open the Group Policy Object Editor and, in the console tree, expand
Computer Configuration, Administrative Templates, System, and then click Group
Policy. In the details pane, open the Software Installation policy processing setting,
select Enabled, and then select Allow processing across a slow connection. Group
Policy uses a slow link detection algorithm to decide whether a link is slow; by
default it compares the measured link speed with 500 Kbps, so in this scenario the
56 Kbps link is slow, the T1 is fast, and the nominally 512 Kbps link sits right at the
threshold, where the measured throughput decides. Note also that software installation
is only ever processed in the foreground (at computer startup or user logon), never
during background refresh.
Incorrect Answers:
A: Security Settings under Computer Configuration Windows Settings holds account,
audit, and similar security policies, not Group Policy processing options.
C: Software Restriction Policies under Computer Configuration Windows Settings control
which programs may run; they do not affect how the software installation extension
handles slow links.
E: Turning off background refresh of Group Policy prevents policy from being refreshed
periodically while the user is logged on or the computer is running; it does nothing to
enable software installation over a slow link, and software installation is not applied
during background refresh in any case.

QUESTION 144:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You have created an OU for each of Certkiller .com's departments, named Sales,
Marketing, Finance, and IT. The following exhibit displays Certkiller .com's Active
Directory structure.

Certkiller .com, which handles classified financial data, requires you to secure all
critical financial data on the local computers in the Finance department and
whenever finance data is transmitted over the network. You plan to employ IP
Security (IPSec) to ensure the confidentiality of the finance data.
You need to ensure that data is encrypted whenever it is transmitted by computers
in the Finance department to computers within the network, and that all other
computers within the network only use IPSec to communicate with computers in the
Finance department. You should also ensure that all IPSec policies assigned to
computers will be applied no matter what the network speed is.
After a great deal of consideration, you find that Group Policy is the best method of
achieving your objectives. You need to ensure that Group Policy is applied
correctly.
What should you do? To answer, select the appropriate GPO or option and place it
under the correct node in the work area.

Answer:

Explanation:
By linking a Group Policy object (GPO) to the Finance OU that assigns an IPSec policy
requiring security (the built-in Secure Server (Require Security) policy, or a custom
policy with the same rule), you force all of the Finance computers to accept only
IPSec-protected traffic. For the other computers in the network to communicate with the
computers in the Finance department, they must also be able to use IPSec.
Since the computers outside the Finance department do not need to use IPSec to
communicate with each other, you can configure a GPO at the domain level that assigns
the built-in Client (Respond Only) policy: those computers then negotiate IPSec only
when a Finance computer asks for it and talk in the clear otherwise. Only one IPSec
policy can be assigned to a computer at a time, and the Finance OU link is closer than
the domain link, so Finance computers keep the Require Security policy. For
confidentiality the negotiated security method must use ESP with encryption; AH alone
only authenticates and does not encrypt.
To ensure that all IPSec policies configured with a GPO are applied no matter what the
network speed is, you must configure a GPO that enables the IP Security policy
processing setting (Computer Configuration, Administrative Templates, System, Group
Policy) with Allow processing across a slow network connection selected. By linking
this GPO to the domain, it applies to the computers in every OU that has GPOs with
IPSec policies.
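The slow link part of Questions 143 and 144 as PowerShell, added here as an example that is not part of the exam text. Enabling "Software Installation policy processing" or "IP Security policy processing" with "Allow processing across a slow network connection" writes a NoSlowLink value of 0 for that extension's GUID into the GPO's registry.pol; the block writes those two values with the GroupPolicy module (Windows Server 2008 R2 or RSAT and later) and reads them back. The GPO name is hypothetical; the IPSec policy assignment itself (Require Security on the Finance OU, Respond Only at the domain) is done in the IP Security Policies node of the editor and is not covered here.

```powershell
# Added example: let the Software Installation and IP Security extensions run over a slow link.
Import-Module GroupPolicy

$gpoName = 'SlowLinkProcessing'   # hypothetical GPO name; link it at the domain so every OU is covered
$base    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$cse = @{
    'Software Installation' = '{C6DC5466-785A-11D2-84D0-00C04FB169F7}'
    'IP Security'           = '{E437BC1C-AA7D-11D2-A382-00C04F991E27}'
}

foreach ($name in $cse.Keys) {
    # NoSlowLink = 0 is "Allow processing across a slow network connection"; 1 skips the extension.
    Set-GPRegistryValue -Name $gpoName -Key "$base\$($cse[$name])" -ValueName 'NoSlowLink' -Type DWord -Value 0 | Out-Null
}

function Test-SlowLinkAllowed {
    # Reads the values back out of the GPO; every row must show AllowedOverSlowLink = True.
    foreach ($name in $cse.Keys) {
        $v = Get-GPRegistryValue -Name $gpoName -Key "$base\$($cse[$name])" -ValueName 'NoSlowLink' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Extension           = $name
            NoSlowLink          = $v.Value
            AllowedOverSlowLink = ($v.Value -eq 0)
        }
    }
}

Test-SlowLinkAllowed | Format-Table -AutoSize
```

After the GPO is linked, gpupdate /force on a Finance computer followed by a check of the Application event log (or the client-side check from the Question 136 example) confirms that the IPSec extension no longer skips processing on the slow path.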

QUESTION 145:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains a single domain
named Certkiller .com. All servers on the Certkiller .com network run Windows Server
2003 and all client computers run Windows XP Professional.
You create a separate forest, which has no trust relationship with the Certkiller .com
domain, and contains a test laboratory. You create and test all Group Policy objects
(GPOs) in the forest containing the test lab before you apply them to the
Certkiller .com domain.
Users report that they are experiencing problems with an application that has been
running successfully on their computers for several weeks. After troubleshooting one
of these computers, you discover that a new wallpaper has been installed on it. When
you install this wallpaper on a computer in the test lab, you get the same results.
You create a new GPO named WPaper to apply standardized wallpaper to all
computers and users in the Certkiller .com domain.
You need to ensure that WPaper is applied using as little administrative effort as
possible.
What should you do?

A. Back up the WPaper GPO and import the backup into the Certkiller .com domain using
the Group Policy Management Console.
B. Copy the WPaper GPO to the Certkiller .com domain using the Group Policy
Management Console.
C. Replicate the WPaper GPO to the Certkiller .com domain using the Distributed File
System (DFS).
D. Create a new WPaper GPO for the Certkiller .com domain and configure it with all the
settings that are configured in the WPaper GPO for the test lab.

Answer: A

Explanation: To back up a GPO in the Group Policy Management Console, right-click the
GPO and click Back Up. When a GPO is backed up, all of its data is exported to the
folder that you choose, including the Group Policy template (GPT) files from SYSVOL.
Importing the WPaper backup transfers only the GPO settings from the backed-up GPO
into a GPO in the target domain; links, security filtering, and delegation are not
imported. Importing is useful when migrating GPOs between untrusted environments
because you only need file access to the backup, not to the source GPO. Where the GPO
references security principals or UNC paths from the lab forest, supply a migration
table during the import so that those references are mapped to their production
equivalents.

Incorrect Answers:
B: The copy utility requires that domains be in the same forest or a trusted forest.
C: DFS is a service that allows network administrators to organize and manage files that
are physically distributed across a network. With DFS, you can make files distributed
across multiple servers appear to users as if they reside in one place on the network.
D: This option does not meet the requirement of the least administrative effort necessary.
If you create a new GPO, you would still have to test the GPO.

QUESTION 146:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network have been upgraded to Windows Server 2003,
and all client computers run Windows XP Professional. Certkiller .com has deployed
a PKI.
Certkiller .com's IT department has the responsibility of managing all of
Certkiller .com's network resources. Prior to the upgrade, Certkiller .com employees
were allowed to execute Windows Installer-based applications to install software
that they needed to do their work. As a result, the installation of some of this
software has caused certain client computers to become unstable.
You are required to use Group Policy to allow users to install software on client
computers only by using authorized Windows Installer-based applications.
You need to ensure that other types of executables are not affected by the Group
Policy settings.
What should you do?
To answer, select the correct policy settings and place them in the appropriate space
in the action list.

Answer:

Explanation: You should set the default security level of the policy to Unrestricted.
When defining a software restriction policy, you can set the security level to either
Unrestricted or Disallowed. A level is defined as the default security level and for
each rule that is created as part of the policy. Setting the default security level
to Unrestricted allows users to run any software that no rule covers, while letting
you define exceptions with rules.
Defining a path rule for *.msi with the security level set to Disallowed prevents the
execution of .msi files only; other executables are untouched and still fall under the
Unrestricted default.
The next step is to define a certificate rule with the security level set to Unrestricted.
A certificate rule identifies software by the code-signing (software publisher)
certificate it is signed with, and it is the exception that lets approved .msi files run.
The order in which you create the rules does not matter: when more than one rule
matches a file, the rule types are applied in a fixed order of precedence (hash rules,
then certificate rules, then path rules, then Internet zone rules), so the certificate
rule always wins over the path rule for a signed package. Certificate rules are only
evaluated when the Security Options setting System settings: Use Certificate Rules on
Windows Executables for Software Restriction Policies is enabled. The certificate can
be issued by a commercial certification authority (CA) or by a Windows 2000 or Windows
Server 2003 PKI, or it can be self-signed.
The last step is to sign all approved .msi files with that certificate. This lets the IT
department test .msi files and certify them for installation on network computers.
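The precedence rule that makes this answer work, modelled in PowerShell as an added example that is not part of the exam text or of the Windows SRP implementation. It holds the three settings from the answer (Unrestricted default, a Disallowed path rule for *.msi, an Unrestricted certificate rule), resolves the level for constructed sample files by the fixed rule-type order, and includes the check a real deployment needs: only a signature that verifies as Valid identifies the signer. The approved thumbprint is a placeholder.

```powershell
# Added example: software restriction policy rule precedence for the three settings above.
# Fixed SRP order when several rules match: hash > certificate > path > Internet zone > default.
$DefaultLevel = 'Unrestricted'
$ApprovedSignerThumbprint = '0000000000000000000000000000000000000000'   # placeholder: IT code-signing certificate
$Rules = @(
    @{ Type = 'Path';        Level = 'Disallowed';   Pattern = '*.msi' }
    @{ Type = 'Certificate'; Level = 'Unrestricted'; Thumbprint = $ApprovedSignerThumbprint }
)
$Precedence = @{ Hash = 0; Certificate = 1; Path = 2; Zone = 3 }

function Resolve-SrpLevel {
    param([Parameter(Mandatory)][string]$Path, [string]$SignerThumbprint)
    $hits = foreach ($r in $Rules) {
        switch ($r.Type) {
            'Path'        { if ($Path -like $r.Pattern) { $r } }
            'Certificate' { if ($SignerThumbprint -and ($SignerThumbprint -eq $r.Thumbprint)) { $r } }
        }
    }
    if (-not $hits) { return $DefaultLevel }
    # Creation order is irrelevant; the most specific rule type decides.
    return (@($hits) | Sort-Object { $Precedence[$_.Type] })[0].Level
}

function Get-SignerThumbprint {
    # For a real file: trust the signer only if the Authenticode signature verifies and chains.
    param([Parameter(Mandatory)][string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Thumbprint }
    return $null
}

# Constructed sample inputs; no files are read.
$samples = @(
    @{ Path = 'C:\Packages\ITApproved.msi';      Thumbprint = $ApprovedSignerThumbprint }   # signed by IT
    @{ Path = 'C:\Users\bob\Downloads\free.msi'; Thumbprint = $null }                       # unsigned
    @{ Path = 'C:\Tools\putty.exe';              Thumbprint = $null }                       # not an .msi
)
foreach ($s in $samples) {
    [pscustomobject]@{ File = $s.Path; Level = (Resolve-SrpLevel -Path $s.Path -SignerThumbprint $s.Thumbprint) }
}
```

The expected resolution is Unrestricted for the IT-signed package (certificate beats path), Disallowed for the unsigned .msi (path rule only), and Unrestricted for putty.exe (no rule matches, default applies), which is exactly the behaviour the answer describes.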

QUESTION 147:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains five domain controllers, four member servers,
and 1,000 client computers. All client computers belong to the Clients OU, all
member servers belong to the Servers OU, and all domain controllers belong to the
DomainControllers OU. The OU structure is shown in the following exhibit.

Certkiller .com's written security policy dictates that all logon attempts that use a
local user account on any computer must be logged. You are planning to employ
group policy to implement this requirement, as well as other security related
settings to all computers in the Certkiller .com domain.
You need to ensure that in the event of further changes being made to the security
policy, you are able to redeploy and refresh these settings. You also need to ensure
that you are able to verify the security settings during periodic audits.
What should you do?

A. Create a new GPO and link it to the Computers OU.
B. Create an administrative template with the desired settings and import it into the GPO.
C. Create a new GPO and link it to the Clients OU.
D. Create an IPSec policy with the desired settings and import it into the GPO.
E. Create a new GPO and link it to the Servers OU.
F. Create a security template with the desired settings and import it into the GPO.
G. Create a new GPO and link it to the DomainControllers OU.

Answer: A, F

Explanation: Security templates are collections of policy settings that can be applied
to a local computer, imported into a GPO, or used to analyze security. You can define
the desired policy settings using the Security Templates MMC snap-in. After the template is
configured, you can apply the template to the local policy of a computer or, when
applying the settings to a collection of users or computers, import the template into
a GPO. Once applied, the security settings can be analyzed and verified using the
Security Configuration and Analysis tool, which is used to configure a
computer with a security template or to compare the current computer settings with
the settings in a security template.
Incorrect Answers:
B: The security settings in this scenario are not configured in an administrative template.
C: The security settings in this scenario should apply to all computers in the domain, not
just the client computers.
D: The security settings in this scenario include settings other than those found in the
IPSec policy.
E: The security settings in this scenario should apply to all computers in the domain, not
just the member servers.
G: The security settings in this scenario should apply to all computers in the domain, not
just the domain controllers.
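The following is an added example, not part of the exam guide or its answer. It builds a security template in the .inf format that the Security Templates snap-in produces, with the logon auditing the scenario requires, then uses secedit (the command-line counterpart of Security Configuration and Analysis) to analyze a computer against it and to export the live policy for a periodic audit. The directory and file names are assumptions.

```powershell
# Added example, not from the exam guide: build the security template the
# answer describes (log every logon attempt, including local accounts), load it
# into a secedit database and analyze a computer against it without changing
# anything. File paths are assumptions; run from an elevated prompt.
$Dir          = 'C:\SecTemplates'
$TemplatePath = Join-Path $Dir 'LogonAudit.inf'
$DbPath       = Join-Path $Dir 'LogonAudit.sdb'
$LogPath      = Join-Path $Dir 'LogonAudit.log'
$ExportPath   = Join-Path $Dir 'CurrentPolicy.inf'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
# AuditLogonEvents records logons on the computer itself, which is where a
# local-account logon shows up; AuditAccountLogon records credential validation
# (domain accounts on domain controllers, local accounts on the local machine).
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents=3
AuditAccountLogon=3
[System Access]
MinimumPasswordLength=8
'@
Set-Content -Path $TemplatePath -Value $template -Encoding Unicode

# 1. Import the template into a fresh analysis database.
secedit /import /db $DbPath /cfg $TemplatePath /overwrite /quiet

# 2. Compare the machine's effective settings with the template (read-only).
secedit /analyze /db $DbPath /log $LogPath /quiet

# 3. Every setting that differs from the template is logged as a mismatch.
Select-String -Path $LogPath -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# 4. For the periodic audit, dump the live policy and pull out the audit lines.
secedit /export /cfg $ExportPath /areas SECURITYPOLICY /quiet
Select-String -Path $ExportPath -Pattern '^Audit(LogonEvents|AccountLogon)' |
    ForEach-Object { $_.Line }

# Domain-wide, the same .inf is imported into the GPO (Security Settings,
# Import Policy), as the answer states. On a single test machine the
# equivalent enforcement step is:
# secedit /configure /db $DbPath /cfg $TemplatePath /overwrite /log $LogPath
```

Keeping the template file under version control is what makes the "redeploy and refresh" requirement cheap: a changed policy is a changed .inf, re-imported into the same GPO, and the analyze step is the audit check.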

QUESTION 148:

SIMULATION
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com's Finance department employs a custom application for processing
classified financial data. All Finance staff who use this application have to log on to
the workstations in the Finance department with a local user account.
A new Certkiller .com security policy requires the following:
1. All user accounts in the Finance department should have passwords with a
minimum of eight characters.
2. Marketing, Sales, and Freight department staff must have their accounts locked
out after five bad logon attempts.
3. The bad password counter has to be reset after thirty minutes.
4. Once these accounts have been locked out, only the administrator can unlock
them.
Before Certkiller .com decides to deploy an application to the whole company, they
would like to beta test it on the employees in the Sales department. The application
is located in a shared folder named ck_app, on a server named Certkiller -SR07.
You can navigate to the application by typing \\ Certkiller -sr07. Certkiller .com\ck_app.
You need to ensure that the beta application is accessible on all computers that the
Sales employees log on to, and that this application is only available to the Sales
staff. Furthermore, you need to ensure that the beta application is installed at logon,
and also that users are not required to install any extra options for the beta
application.
You are required to create the following Group Policy objects (GPOs):
1. pwdGPO for configuring the suitable password settings.
2. lcktGPO for configuring the suitable lockout settings.
3. ckaGPO for distributing the ck_app application.
Once you have configured these settings, you should link them to the appropriate
containers.
What should you do? To answer, execute the actions that will meet all the
requirements in the following simulation.

Answer:
Open Administrative Tools by clicking Start, Programs, and then Administrative Tools;
or Start, Control Panel, and then Administrative Tools.

In the Group Policy Management console expand the Forest: Certkiller .com node, the
Domains node, and the Certkiller .com node. Then right-click the Finance OU and select
Create and Link a GPO Here from the context menu.

In the New GPO dialog box, enter pwdGPO in the Name: text box and click OK.

Now expand the Finance OU and right-click the pwdGPO GPO. Then select Edit from
the context menu to open the Group Policy Object Editor for the pwdGPO GPO.

In the Group Policy Object Editor, expand the Computer Configuration node, the
Windows Settings node, the Security Settings node, and the Account Policies node. Then
click on Password Policy.

In the left-hand pane of the Group Policy Object Editor, right-click Minimum password length
and select Properties from the context menu to open the Minimum password length
Properties dialog box.

In the Minimum password length Properties dialog box, select the Define this policy
setting check box and set Password must be at least x characters to 8. Then click OK.

Now close the Group Policy Object Editor.

Back in the Group Policy Management console, right-click the Certkiller .com node and
select Create and Link a GPO Here from the context menu.

In the New GPO dialog box, enter lcktGPO in the Name: text box and click OK.

Now right-click the lcktGPO GPO and select Edit from the context menu.

In the Group Policy Object Editor, expand the Computer Configuration node, the
Windows Settings node, the Security Settings node, and the Account Policies node. Then
click on Account Lockout Policy.

In the left-hand pane of the Group Policy Object Editor, right-click Account lockout duration
and select Properties from the context menu to open the Account lockout duration
Properties dialog box.

In the Account lockout duration Properties dialog box, select the Define this policy
setting check box and set the duration to 0 minutes, which the dialog box displays as
Account is locked out until administrator unlocks it. Then click OK.

In the Suggested Value Changes dialog box that appears, click OK to accept the
suggested settings.

Now close the Group Policy Object Editor.

Back in the Group Policy Management console, right-click the Sales OU and select
Create and Link a GPO Here from the context menu.

In the New GPO dialog box, enter ckaGPO in the Name: text box and click OK.

Now expand the Sales OU, right-click the ckaGPO GPO and select Edit from the context
menu.

In the Group Policy Object Editor, expand the User Configuration node, the
Software Settings node and then click on Software Installation.

Right-click Software Installation and select New from the context menu. Then click on
Package.

Navigate to \\ Certkiller -SR07. Certkiller .com\ck_app and select the ck_app.msi package.
Then click Open.

On the Deploy Software dialog box, click the Advanced radio button and then click OK.

On the application Properties dialog box, select the Assigned radio button in the
Deployment Type section; select the Install this application at logon check box in the
Deployment options section; and select the Basic radio button in the Installation user
interface options section. Then click OK.

Explanation: This scenario requires the Finance department staff who use the
custom application to log on with a local account on the Finance computers. It also
requires the password length for local accounts on the Finance computers to have a
minimum of eight characters. The password policy should apply to the Finance OU
because they are using local accounts and not domain accounts.
In this scenario, all users in the Marketing, Sales, and Freight departments must have their
accounts locked out after five bad logon attempts. The bad password counter has to be
reset after thirty minutes. Only the administrator can unlock these accounts once they
have been locked out. These restrictions affect domain accounts, not local accounts. Account
policy settings for domain accounts, including these lockout restrictions, must be set in a
GPO linked at the domain level.
Because only the Sales staff should have the beta application deployed, you should link
ckaGPO to the Sales OU. You should deploy the application at the User Configuration
level since the application will apply to the user.
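As an added check that is not part of the exam answer, the script below audits the result of the simulation after the fact: it confirms that each GPO is linked at the container the requirements call for, and reads the lockout values lcktGPO actually carries. It assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 and later) and uses assumed distinguished names for the Certkiller.com lab domain; the setting names are the GptTmpl.inf keys as they appear in the XML report.

```powershell
# Added example, not part of the exam answer: verify GPO links and the lockout
# values from the simulation. Requires the GroupPolicy module; the DNs are
# assumptions for the lab domain.
Import-Module GroupPolicy

$expectedLinks = @{
    'pwdGPO'  = 'OU=Finance,DC=Certkiller,DC=com'   # local-account password length on Finance PCs
    'lcktGPO' = 'DC=Certkiller,DC=com'               # lockout for domain accounts: domain level
    'ckaGPO'  = 'OU=Sales,DC=Certkiller,DC=com'      # beta application, User Configuration, Sales only
}

function Test-GpoLink {
    param([string]$GpoName, [string]$Target)
    # GpoLinks lists every GPO linked directly to the target container.
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    [bool]($links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })
}

foreach ($name in $expectedLinks.Keys) {
    $target = $expectedLinks[$name]
    if (Test-GpoLink -GpoName $name -Target $target) { "OK    $name -> $target" }
    else { "CHECK $name is not linked (or the link is disabled) at $target" }
}

# Account-policy values as stored in the GPO (GptTmpl.inf key names):
# LockoutBadCount 5, ResetLockoutCount 30, LockoutDuration -1, where -1 is how
# "Account is locked out until administrator unlocks it" is recorded.
$expected = @{ LockoutBadCount = 5; ResetLockoutCount = 30; LockoutDuration = -1 }
[xml]$report = Get-GPOReport -Name 'lcktGPO' -ReportType Xml
$accounts = $report.GPO.Computer.ExtensionData.Extension.Account
foreach ($key in $expected.Keys) {
    $actual = ($accounts | Where-Object { $_.Name -eq $key }).SettingNumber
    if ("$actual" -eq "$($expected[$key])") { "OK    $key = $actual" }
    else { "CHECK $key = '$actual' (expected $($expected[$key]))" }
}
```

The link check is the part worth keeping: a lockout policy linked to an OU instead of the domain is silently ignored for domain accounts, and nothing in the editor warns about it.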

QUESTION 149:

You work as the desktop administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.

You are required to implement a software distribution design that specifies the
deployment of software to groups of users. The design requires you to install Access
for users in the IT department, and to install Microsoft Word and Excel on
all computers in the Finance department.
You place the user accounts of the users in the IT department into an organizational
unit named ITUsers. You then place the computer objects of the Finance
department into an OU named FinanceComputers.
You need to ensure that Access is installed when users in the IT department log on
even if they are not logging on to the Finance department computers.
What should you do?

A. You should create a GPO named AccessPublish and link it to the FinanceComputers
OU.
B. You should create a GPO named AccessAssign and link it to the FinanceComputers
OU.
C. You should create a GPO named AccessAssign and link it to the ITUsers OU.
D. You should create a GPO named AccessPublish and link it to the ITUsers OU.
E. You should create a GPO named WordExcelAssign and link it to the ITUsers OU.
F. You should create a GPO named WordExcelAssign and link it to the
FinanceComputers OU.

Answer: C, F

Explanation: If you assign Microsoft Access to the IT users, they will not have the
option of deciding whether or not to install the application. The application will be
installed automatically when the user logs on, or an advertisement will appear
notifying users that the application will be installed when they select the application
from the Start menu. You can accomplish this by creating a GPO named
AccessAssign to assign Microsoft Access and then linking it to the ITUsers OU.
If you assign Microsoft Word and Excel to the Finance computers, anyone starting the
computer will not have the option of installing the application. The application will be
installed automatically when any user logs on, or an advertisement will appear notifying
users that the application will be installed when they select the application from the Start
menu. You can accomplish this by creating a GPO named WordExcelAssign to assign
Microsoft Word and Excel, and then linking it to the FinanceComputers OU.
Incorrect Answers:
A, D: These options will publish the different applications to their respective targets,
making the applications available for users to install manually.
B: Using this option will assign the Microsoft Access application to computers in the
Finance department.
E: Using this option will assign the Microsoft Word and Excel applications to users in
the IT department.

QUESTION 150:

You work as the desktop administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com network contains an application server named Certkiller -SR07.
You are required to implement a software distribution design that specifies the
deployment of software to groups of users. The design requires you to install three
different configurations of Microsoft Office XP Professional to various groups of
users. The three different configurations are as follows:
1. The first one installs a shortcut on the desktop.
2. The second one does not install a shortcut on the desktop.
3. The third one installs a shortcut on the desktop and has a splash screen for users
in the Finance department.
You have specified \\ Certkiller -sr07\officexp as the software distribution point for
these installations.
You need to ensure that these requirements are fully met.
What should you do?

A. You should create a different .mst file for each of the three different Microsoft Office
XP Professional configurations, and copy these .mst files to the specified software
distribution point.
B. You should specify a different software distribution point for each of the three
different Microsoft Office XP Professional configurations.
C. You should remove the Microsoft Office XP Professional .msi file from the specified
software distribution point.
D. You need to copy the correct .adm files to the specified software distribution point.

Answer: A

Explanation: The .mst file extension is used to customize the installation of
Windows Installer packages so that different configurations of the same installation
can be installed. MST stands for Microsoft Transform.
Incorrect Answers:
B: You could use this option, but it uses more disk space and it is less efficient to
maintain.
C: The .msi file extension is used for Windows Installer packages supplied by software
vendors.
D: .adm files contain user and computer Group Policy settings, which can be edited
manually and often come from legacy operating systems.

QUESTION 151:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com, and two
child domains named Certkiller -north.com and Certkiller -south.com. All servers on the
Certkiller .com network run Windows Server 2003 and all client computers run
Windows XP Professional.
Each of these domains is configured with top-level organizational units (OUs) for
each department. The IT department's OU has two child OUs named Support and
HelpDesk. The Support OU contains all of the user accounts for the support users,
while the HelpDesk OU contains all of the user accounts for the help desk users.
You are required to make a troubleshooting application available to support users
regardless of where they log on. Your solution should not automatically install this
application or advertise it on the Start Menu. Your solution should allow the
support users to install the application using tshoot.msi, when they require it.
What should you do?

A. Configure the Computer Configuration section of a GPO to Publish the tshoot.msi
package, and then link the GPO to the Support OU.
B. Configure the User Configuration section of a GPO to Publish the tshoot.msi
package, and then link the GPO to the Support OU.
C. Configure the Computer Configuration section of a GPO to Assign the tshoot.msi
package, and then link the GPO to the Support OU.
D. Configure the User Configuration section of a GPO to Assign the tshoot.msi package,
and then link the GPO to the Support OU.

Answer: B

Explanation: To make an application available to a user regardless of where the
user logs on, you must configure the user node of a GPO to either Publish or Assign
the application. The application has to be an .msi package in order to use
IntelliMirror to deploy the software. If you Publish an application to a user, the user
will be able to use the Control Panel on any computer to install the software. To
ensure that the troubleshooting application is available for installation from the
Control Panel on any computer that support users log on to, you must link a GPO
to the Support OU that Publishes tshoot.msi to the users.
Incorrect Answers:
A: You cannot Publish an application to a computer, you can only Assign it.
C: If you Assign the tshoot.msi application package to the computers in the Support OU,
the application would be installed and advertised only on the computers in the Support
OU.
D: If you Assign the tshoot.msi application package to the users in the Support OU, the
application would be advertised on the Start Menu and would not be available in
Control Panel.

QUESTION 152:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You are required to deploy a Microsoft Windows Installer-based application. You
have created a Group Policy object (GPO) to use during the deployment, named
InstApp. You have also created a software installation package to distribute the
application to Certkiller .com users, named BillApp.
You are planning to verify the installation process by deploying the installation
package to a small group of users. You will deploy the application to all users in the
domain after the testing process has completed.
For the testing process, you create a security group named Test Users and add the
appropriate users to this group.
You need to ensure that members of the Test Users security group are able to install
the application using a Start Menu shortcut. You also need to ensure that when you
deploy the application to all users in the domain after testing, the application is
available to all users from the Add/Remove Programs utility.
What should you do? (Choose two)

A. For the testing process, you should configure InstApp to assign the application to
computers in the domain, grant the Apply Group Policy permission to the Test Users
group, and then remove this permission from the Authenticated Users group.
B. For the testing process, you should configure InstApp to assign the application to
users in the domain, grant the Apply Group Policy permission to the Test Users
group, and then remove this permission from the Authenticated Users group.
C. For the testing process, you should configure InstApp to assign the application to
computers in the domain, grant the Apply Group Policy permission to the Authenticated
Users group, and then remove this permission from the Test Users group.
D. For the deployment process after testing, you should configure InstApp to publish the
application to users in the domain, grant the Apply Group Policy permission to the
Test Users group, and then remove this permission from the Authenticated Users
group.
E. For the deployment process after testing, you should configure InstApp to publish the
application to users in the domain, grant the Apply Group Policy permission to the
Authenticated Users group, and then remove this permission from the Test Users
group.
F. For the deployment process after testing, you should configure InstApp to assign the
application to users in the domain, grant the Apply Group Policy permission to the
Authenticated Users group, and then remove this permission from the Test Users
group.

Answer: B, E

Explanation: You should assign the application to users in the domain for the
testing process, grant the Apply Group Policy permission to the Test Users group,
and then remove this permission from the Authenticated Users group. This will
apply the group policy to members of the Test Users group and provide a shortcut
icon for the application on the Start Menu for these users. You should publish the
application to users for the deployment process after testing, grant the Apply Group
Policy permission to the Authenticated Users group, and then remove this
permission from the Test Users group. This will deploy the application to all users
in the domain by providing the ability to install the application from the
Add/Remove Programs utility.
Incorrect Answers:
A: Using this option would install the application on the hard drives of the Test Users,
but would not provide the desired Start Menu shortcut.
C: Using this option would apply the GPO to all users that are authenticated in the
domain during the testing process. The scenario requires the GPO to only be applied to
the Test Users during this phase.
D: Using this option would only apply the GPO to the Test Users. The scenario requires
the GPO to be applied to all users in the domain for the deployment process after testing.
F: Using this option would provide the Start Menu shortcut desired for the testing
process, but would not provide the ability to install the application from the
Add/Remove Programs utility.

QUESTION 153:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
An organizational unit named Computers contains all client computer accounts, and
an OU named Employees contains all user accounts.
You are required to deploy a new application named TourneyPlus to all
Certkiller .com computers, but the application vendor does not provide a Microsoft
Windows Installer package for the application. The TourneyPlus installation files
are stored in a shared folder on the network.
You need to formulate a strategy that allows the following:
1. Users should have the option of installing the application from a shortcut on the
Start Menu.
2. Users should have the option of installing the application by clicking on an
associated document.
3. Users should have the option of installing the application from the Add/Remove
Programs utility.
4. The application should be reinstalled automatically if key application files are
missing.
You create a .zap file for installing the TourneyPlus application, and place a copy of
this .zap file and the installation files in a shared network folder. You then create a
GPO, link it to the Employees OU, and configure the GPO to publish the .zap file.
What requirements have been fulfilled by your actions? (Choose all that apply)

A. Users should have the option of installing the application by clicking on an
associated document.
B. Users should have the option of installing the application from a shortcut on the
Start Menu.
C. The application should be reinstalled automatically if key application files are
missing.
D. Users should have the option of installing the application from the Add/Remove
Programs utility.

Answer: A, D

Explanation: With Windows Server 2003 you can use GPOs to publish software to
users. When you publish software to users, you do not actually install any software,
but simply make it available to users from Active Directory through the Control
Panel's Add/Remove Programs utility and filename extension association. Because
you linked the GPO to the Employees OU, the application will be available to all
users in the domain.
Incorrect Answers:
B, C: You need to use a Windows Installer package to meet these requirements.

QUESTION 154:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains two Active Directory sites named Site1 and
Site2 that are connected via a T1 connection. Site1 contains three domain
controllers named Certkiller -DC01, Certkiller -DC02, and Certkiller -DC03,
while Site2 contains two domain controllers named Certkiller -DC04 and
Certkiller -DC05.
You are required to deploy Microsoft Excel to all users in the Certkiller .com domain.
You have created a new Group Policy object (GPO) named Excel on
Certkiller -DC03, configured it to assign Microsoft Excel to the required users,
and then linked it to the domain.
A short while later you receive reports that the assigned software is not advertised
on the start menu for any user in Site2. You verify that Microsoft Excel is
advertised on the start menu for users in Site1.
You need to ensure that all users in the Certkiller .com domain are able to access the
assigned software, and that the solution you use causes as little disruption to
network users as possible.
What should you do?

A. Advise the users in Site2 to restart their client computers.
B. Link the Excel GPO to the Site2 container from Certkiller -DC03.
C. Advise the users in Site2 to run gpupdate.
D. Reconfigure the Excel GPO to publish the application to all computers in the
Certkiller .com domain.
E. Manually force replication between Site1 and Site2 from Site1.

Answer: E

Explanation: The software is successfully distributed in the site where the GPO is
assigned, but the settings are not being received by users in the remote site. This
indicates that the settings, which for software installation policies are stored in both
Active Directory and the SYSVOL folder, are not being replicated to domain
controllers in the site. The Group Policy container is located in Active Directory,
while Group Policy Templates and scripts are stored in the SYSVOL folder. Both
Active Directory and SYSVOL are replicated using the File Replication Service
(FRS). If changes are being made to GPOs and the new settings are not being
applied to users or computers in remote sites, replication could be the problem. You
can use Active Directory Sites and Services or Repadmin with the appropriate
switches to force replication. It is important to remember that you cannot force
replication of the SYSVOL folder. If the Group Policy Container in Active Directory
and the SYSVOL folder become unsynchronized, the Software Installation policy
will be available to site clients, but the installation of the specified software will fail
until the SYSVOL folder is replicated.
Incorrect Answers:
A: Restarting all computers will be disruptive to network users and is unlikely to resolve
the problem.
B: This option will produce duplicate settings from the domain and site linkages and will
still rely on replication for the software to be properly distributed.
C: If the Software Installation policy settings are not being replicated, using gpupdate to
reapply group policy settings will not provide the desired effect.
D: You cannot publish software to computers.
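The following is an added example, not part of the exam answer. Before forcing replication, it checks whether the Excel GPO has reached Site2's domain controllers by comparing the version numbers of its two halves (the Group Policy container in Active Directory and the Group Policy template in SYSVOL) on each DC, then pushes replication from the DC where the GPO was created with repadmin, which the explanation names. Host names come from the question; the GroupPolicy module (RSAT) requirement is an assumption.

```powershell
# Added example, not part of the exam answer: see whether the Excel GPO has
# reached Site2's DCs, then push replication from the Site1 DC where it was
# created. Requires the GroupPolicy module (assumption); names from the question.
Import-Module GroupPolicy

$GpoName  = 'Excel'
$SourceDc = 'Certkiller-DC03'                                  # Site1, where the GPO was created
$Dcs      = 'Certkiller-DC03', 'Certkiller-DC04', 'Certkiller-DC05'

function Get-GpoVersionReport {
    param([string]$Name, [string[]]$Servers)
    foreach ($dc in $Servers) {
        try {
            $gpo = Get-GPO -Name $Name -Server $dc -ErrorAction Stop
            [pscustomobject]@{
                DC            = $dc
                DSVersion     = $gpo.Computer.DSVersion       # Group Policy container (Active Directory)
                SysvolVersion = $gpo.Computer.SysvolVersion   # Group Policy template (SYSVOL)
                Modified      = $gpo.ModificationTime
            }
        }
        catch {
            # The GPO object itself has not arrived at this DC yet.
            [pscustomobject]@{ DC = $dc; DSVersion = $null; SysvolVersion = $null; Modified = 'not replicated yet' }
        }
    }
}

# A DC whose versions lag the source, or whose DS and SYSVOL numbers differ
# from each other, is the one Site2 clients are reading stale policy from.
Get-GpoVersionReport -Name $GpoName -Servers $Dcs | Format-Table -AutoSize

# Inbound replication partners and last-success times for the Site2 DCs.
repadmin /showrepl Certkiller-DC04
repadmin /showrepl Certkiller-DC05

# Push all naming contexts from the source DC across site links:
# /A all partitions, /d report partners by DN, /e enterprise (cross-site), /P push.
repadmin /syncall $SourceDc /AdeP

# Active Directory converges after the push; SYSVOL follows on the File
# Replication Service's own schedule, so re-run the version report until the
# DS and SYSVOL numbers match on every DC before telling Site2 users to log on again.
Get-GpoVersionReport -Name $GpoName -Servers $Dcs | Format-Table -AutoSize
```

Running the version report first also separates the two failure modes the explanation distinguishes: a missing or lagging DSVersion is an Active Directory replication problem, while a matching DSVersion with a lagging SysvolVersion means the policy is visible but the installation will fail until SYSVOL catches up.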

QUESTION 155:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You are required to deploy two word processing applications with group policy to
all users in the Certkiller .com domain. You create a new Group Policy object (GPO)
named WordApp. You need to configure the Software installation policies that will
be applied by the GPO before linking it to the domain.
You need to ensure that all users have access to the applications, but can choose
which application to use.
What should you do?

A. Configure WordApp to assign the two applications to all users.
B. Configure WordApp to install the two applications at logon.
C. Configure WordApp to publish the two applications to all users.
D. Configure WordApp to automatically install the two applications by file extension
activation.
E. Ensure that WordApp is not configured to automatically install the two applications by
file extension activation.

Answer: C, E

Explanation: Publishing applications using group policy will make the associated
application available to users who are managed by the GPO, in case a user wants to
use the application. Published applications require each user to decide whether or
not to install the published application. A published application is advertised in
Active Directory and is not downloaded to the computer accessed by the user. The
application is available in the Add/Remove Programs console, or the policy can be
configured so that the application is installed when the user invokes a document or
file associated with the application. You should ensure that the Auto-install this
application by file extension activation option is disabled to allow users to choose
which application to use for viewing documents.
Incorrect Answers:
A: Assigning an application will place the application's icon on the user's desktop or on
the Start Menu, and will install the application when the icon is selected or when a file
with an associated extension is invoked.
B: This option is not available for published applications. For assigned applications, this
option will automatically install the application when a user logs on to the domain.
D: This action will install the application that is associated with a document file extension
when the document is opened.

QUESTION 156:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of a single Active Directory domain named Certkiller .com. All servers on the
Certkiller .com network run Windows Server 2003 and all client computers run
Windows 2000 Professional.
The Certkiller .com network contains two domain controllers named
Certkiller -DC01 and Certkiller -DC02, and 4000 client computers. You are
required to allow all users in the Certkiller .com domain to use smart card
authentication to log on to the network.
You receive reports that certain users are unable to log on to the network as a result
of expired EAP certificates.
You need to ensure that all users are able to renew expired certificates for smart
card authentication automatically, without any interference from the user.
What should you do?

A. You should open the certificate template, click the Issuance Requirements tab, and
make the "This number of authorized signatures" value 1.
B. You should make use of a smartcard logon certificate, and select the "Enroll subject
without requiring any user input" option.
C. You should access the Personal folder of the Certificates snap-in, and configure the
appropriate option.
D. You should access the Certification Authority snap-in, and configure the appropriate
option.

Answer: B

Explanation:
To ensure that a smartcard logon certificate is renewed automatically without user
intervention, you should first open the certificate template. You should use the
Certificate Templates console to access the Properties dialog box of the template.
Click the Request Handling tab, and then select the "Enroll subject without
requiring any user input" check box. This allows certificates to be enrolled for users
without their awareness or interaction.
Incorrect Answers:
A: You cannot configure certificates to be enrolled and updated automatically
without user intervention by using the Issuance Requirements tab. This tab is used to
configure options for the issuance of certificates, such as the number of authorized
signatures required to issue a certificate.
C, D: These two options will not allow you to configure the option to automatically
renew expired certificates without user interaction.

QUESTION 157:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of five Active Directory forests that contain two domains each. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
There are a total of 120,000 users on the Certkiller .com network. You are planning
to use a Public Key Infrastructure using Microsoft Certificate Services. You want to
facilitate the installation of the certificates to all Certkiller .com users, but you are
concerned that they may not be able to perform this installation.
You have configured a certificate hierarchy that consists of an Enterprise Root
Certificate server and nine Enterprise Subordinate Certificate servers.
You need to ensure that your solution provides the best method to facilitate the
issuance of user certificates.
What should you do? (Choose all that apply)

A. Use the Certificate Authority snap-in to configure a new certificate that will be issued
by the Enterprise Root Certificate Server.
B. Use the Certificate Authority snap-in to configure a new certificate that will be issued
by the Enterprise Subordinate Certificate Server.
C. Configure the new certificate to autoenroll users.
D. Use the Certificates snap-in to configure a new certificate that will be issued by the
Enterprise Subordinate Certificate Servers.
E. Use the Certificates snap-in to configure a new certificate that will be issued by the
Enterprise Certificate Root Servers.
F. Create a Group Policy for the users that will automatically enroll certificates.

Answer: B, C, F

Explanation: By using the Certificate Authority snap-in, you will be able to
configure a new certificate to be issued and have it autoenroll the users.
Autoenrollment will automatically issue and install the certificate on the client
computers for the users without any user intervention. You will then be able to use
Group Policy to automatically enroll the certificates. The Enterprise Subordinate
Certificate Servers will be used by the client computers for the retrieval and
installation of the users' certificates. The Enterprise Root Certificate server will be
used by the subordinate servers for the retrieval of their certificates. After the
subordinate servers are configured, it is good practice to take the root certificate
server offline. This prevents the security of the Public Key Infrastructure from
being compromised. The root certificate server issues certificates to the
subordinate certificate servers, which will then issue certificates to the client
computers.
Incorrect Answers:
A: The root certificate server issues certificates to the subordinate certificate servers,
which will then issue certificates to the client computers.
D, E: The Certificates snap-in is used to view information about the certificates installed
on a computer.

QUESTION 158:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
functional level of the domain is set at Windows Server 2003. Currently, servers on
the Certkiller .com network run either Windows Server 2003 or Windows 2000
Server, while all client computers run Windows XP Professional.
You are in the process of setting up a Public Key Infrastructure using Windows
Server 2003. The Certkiller .com network contains an Enterprise Root Certificate
server named Certkiller -SR05 and an Enterprise Subordinate Certificate server
named Certkiller -SR06, which are both running Windows Server 2003.
You have accessed the Certificate Authority snap-in to copy the user certificate
template and renamed it cert1. Cert1 has been configured to enroll certificates for
the users automatically. You have also configured and linked a GPO that forces the
users to autoenroll for certificates. The necessary users have also been assigned the
Read and Autoenroll permissions for cert1.
When the authorized users attempt to obtain certificates using autoenrollment, they
find that they are unable to.
What should you do?

A. You should enable the "This number of authorized signatures" option and make the
value more than 1 in the properties of cert1, on the issuance properties sheet.
B. At the Active Directory container where the Group Policy that forces users to
autoenroll for certificates is linked, you should assign the Read, Enroll, and
Autoenroll permissions to the required users.
C. You should also assign the Enroll permission at cert1 to the required users.
D. You should remove the Autoenroll permission from cert1 and assign the Enroll
permission instead.

Answer: C

Explanation: The security permissions Read, Enroll, and Autoenroll must be
allowed on cert1 to allow users to autoenroll for cert1. Since you have already
assigned the Read and Autoenroll permissions, you should also assign the Enroll
permission on cert1.
Incorrect Answers:
A: Using this option would disable user autoenrollment for cert1.
B: The Enroll and Autoenroll permissions can be configured at a certificate template
and not an Active Directory container.
D: If you remove the Autoenroll permission, the users would not be able to autoenroll
for the certificate.

QUESTION 159:

HOTSPOT
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
To provide network messaging services, you have configured a single Exchange
2003 organization. There is also an enterprise certificate installed and configured on
the Certkiller .com network.
According to Certkiller .com's modified security policy, all e-mail messages must be
signed and encrypted. To satisfy this requirement, you create a certificate template
and configure it for autoenrollment.
You are required to employ group policy to enable all Certkiller .com users to
automatically enroll for the necessary certificates. You have opened the Default
Domain Policy to configure the settings.
What should you do? To answer, select the appropriate group policy node to
indicate where this policy should be configured.

Answer:

Explanation:
You will configure the Autoenrollment Settings policy, which is located under User
Configuration in the Public Key Policies node. This policy allows users and computers
to automatically enroll for certificates, retrieve issued certificates, and renew expiring
certificates without requiring user interaction.

QUESTION 160:

You work as the desktop administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains two domain controllers named
Certkiller -DC01 and Certkiller -DC02, and 2000 client computers.
When you receive reports that numerous users are complaining that they are losing
important files from their local computers because they forget to run local backups,
you decide to configure group policy to backup their important files regularly as
part of the network backup procedure.
You need to ensure that the most efficient method is used to accomplish your
objective.
What should you do? (Choose two)

A. You should access the Group Policy Object Editor Folder Redirection properties, and
select the "Move the contents of My Documents to the new location" option.
B. Ensure that all users store their important files in their C:\root directory.
C. Ensure that all users store their important files in their My Documents folders.
D. Ensure that all users store their important files to the network share.
E. You should access the Group Policy Object Editor Folder Redirection properties, and
clear the "Move the contents of My Documents to the new location" option.

Answer: A, C

Explanation: With the "Move the contents of My Documents to the new location"
option enabled, the user no longer has to worry about backing up documents
that have been placed in the My Documents folder on his local computer. The My
Documents folder is redirected to a network share. The user must still remember to
place his important files in the My Documents folder on his computer. The folders
that can be redirected using group policy are Application Data, Desktop, My
Documents, My Pictures, and Start Menu.
Incorrect Answers:
B: If the user stores his files in the C:\root directory on his local computer, those files
will not be redirected to a network share by using group policy.
D: This option would accomplish the goal of backing up his files during the network
backup, but it is not the most efficient method.
E: If you use this option, the contents of the My Documents folder will no longer be
redirected to the network share.

QUESTION 161:

You work as the desktop administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains two file servers named Certkiller -SR03 and
Certkiller -SR06. The "My Documents" folder of each Certkiller .com user is
currently being redirected to a shared folder named Users located on
Certkiller -SR03.
A new redirection design requires you to change the location to which the users'
"My Documents" folders are redirected, to a shared folder named Users on
Certkiller -SR06. You are also required to create a folder for each user that is
named after his or her username.
You need to ensure that these objectives are achieved using group policy.
What should you do? (Choose two)

A. Open the Group Policy Object Editor, go to User Configuration, Folder Redirection,
My Documents Properties, and specify Basic.
B. Select "Create a folder for each user under the root path", and specify Redirect to the
User's home directory in the Root Path box.
C. Create a standard user profile, use this profile to log on to a client computer,
right-click on the My Documents folder, and specify
\\Certkiller-sr06\users\%username% in the Target Folder location.
D. Select "Create a folder for each user under the root path", and specify
\\Certkiller-sr06\users in the Root Path box.
E. Open the Group Policy Object Editor, go to Computer Configuration, Folder
Redirection, My Documents Properties, and specify Basic.

Answer: A, D

Explanation: By using the Group Policy Object Editor, going to User Configuration,
Folder Redirection, My Documents Properties, and specifying Basic, policy is used to
redirect the My Documents folder. It uses Basic (rather than Advanced, which allows
you to redirect folders for a group of users and is not part of the requirements), and
it specifies that a separate folder is automatically created for each user under the
root path, \\Certkiller-sr06\users.
Incorrect Answers:
B: Redirecting to the user's home directory is not part of the design's objectives.
C: This option would work, but you would have to visit each and every client computer
to achieve it.
E: You cannot achieve your objectives for this scenario using Computer
Configuration. It must be achieved under the User Configuration section of this policy.
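Added example, not part of the exam guide: a check that a practitioner would run on a client after the Basic redirection policy above has applied at logon. It assumes the scenario's server and share name (\\Certkiller-sr06\users) and reads the per-user shell folder registry value that Folder Redirection updates.

```powershell
# Added example (not from the exam guide): verify on a client that My Documents was
# redirected to the per-user folder that the Basic setting "Create a folder for each
# user under the root path" produces. Root path is assumed from the scenario.
$RootPath = '\\Certkiller-sr06\users'              # root path entered in the GPO
$Expected = Join-Path $RootPath $env:USERNAME       # \\Certkiller-sr06\users\<username>

# Folder Redirection writes the new location into the per-user shell folder value
# "Personal" (REG_EXPAND_SZ); Get-ItemProperty returns it with variables expanded.
$ShellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$Actual = (Get-ItemProperty -Path $ShellFolders -Name Personal).Personal

function Test-MyDocumentsRedirection {
    param([string]$Actual, [string]$Expected, [string]$RootPath)
    # Exact match: the policy applied and created the per-user folder.
    if ($Actual -ieq $Expected) {
        return "OK: My Documents is redirected to $Actual"
    }
    # Right root but wrong leaf: usually a different root-path option was chosen.
    if ($Actual -like "$RootPath\*") {
        return "WARNING: redirected under $RootPath but to $Actual, not $Expected"
    }
    # Still local: the policy has not applied (Folder Redirection is only processed at logon).
    return "NOT REDIRECTED: My Documents still points to $Actual"
}

Test-MyDocumentsRedirection -Actual $Actual -Expected $Expected -RootPath $RootPath
```

Folder Redirection is processed at user logon rather than during background policy refresh, so run the check in a fresh logon session after the GPO change.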

QUESTION 162:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
You have created four top-level OUs named Engineering, Marketing, HR, and Sales
that store the user accounts of all Certkiller .com users. The Certkiller .com network
contains a file server named Certkiller -SR07. You configure the properties of all
Certkiller .com users with a home directory on Certkiller -SR07, which must be
used to store user data. You also perform backups of the home directories on a daily
basis.
When certain users report that their client computers will not start, you decide to
deploy a new image to the faulty computers via Remote Installation Services. Before
you can do this, the users inform you that critical company data is stored on their
computers, in the My Documents folder. This development forces you to repair
Windows on these client computers so that the critical company data can be
retrieved.
You need to ensure that this type of incident does not happen again.
What should you do?

A. You should configure the Computer Configuration section of a GPO to redirect the
contents of the My Documents folder to the home directory of the user that is logged on.
B. You should configure the use of roaming profiles and rename Ntuser.dat to
Ntuser.man in the properties of each user account.
C. You should configure the use of roaming profiles in the properties of each user
account.
D. You should configure the User Configuration section of a GPO to redirect the
contents of the My Documents folder to the home directory of the user that is logged
on.

Answer: D

Explanation: To prevent this type of incident from happening again, you should
enable a GPO that redirects the contents of the My Documents folder to the home
directory of the user that is logged on. This will transparently store each user's My
Documents folder in his or her home directory. Regardless of where the user logs
on, his or her data will be available. It will also allow you to re-image a workstation
without any loss of data.
Incorrect Answers:
A: You cannot achieve your objectives for this scenario using Computer
Configuration. It must be achieved under the User Configuration section of this policy.
B, C: Roaming profiles and mandatory roaming profiles allow the users' environment
such as their desktop and wallpaper to follow them around from computer to computer. A
mandatory roaming profile is configured by renaming Ntuser.dat to Ntuser.man.

QUESTION 163:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains a member server named Certkiller -SR07.
Employees whose user accounts are located in the Audit OU need to perform their
daily tasks from any client computer in the Certkiller .com domain.
You need to provide members of the Audit OU with the following:
1. The ability to log on to any client computer in the Certkiller .com domain and
receive their familiar desktop.
2. The ability to access their documents located in the My Documents folder from
any client computer in the Certkiller .com domain.
3. A centrally located folder for the storage of personal files and applications.
4. A Reduction in the logon and logoff times by avoiding the transfer of My
Documents folder contents to the logon computer.
You change the profile type for users in the Audit OU to roaming profiles and
configure \\Certkiller-sr07\profiles\%username% as the profile path. You then create
a new Group Policy object (GPO) named AuditUsers, configure it to redirect My
Documents to \\Certkiller-sr07\profiles\%username%, and link it to the Audit OU.

What requirements have been fulfilled by your actions? (Choose all that apply)

A. Users in the Audit OU have been provided with the ability to log on to any client
computer in the Certkiller .com domain and receive their familiar desktop.
B. Users in the Audit OU have been provided with the ability to access their documents
located in the My Documents folder from any client computer in the Certkiller .com
domain.
C. Users in the Audit OU have been provided with a centrally located folder for the
storage of personal files and applications.
D. The logon and logoff times have been reduced for users in the Audit OU by avoiding
the transfer of My Documents folder contents to the logon computer.

Answer: A, B, D

Explanation: Roaming user profiles should be configured to allow users to log on to
any computer in the domain and receive their familiar desktop. To achieve this goal
the user profile type should be changed to Roaming user profile and the user profile
folder must be stored on a remote server. The correct path in this scenario is
\\Certkiller-sr07\profiles\%username%.
Once roaming user profiles are configured, you should redirect all users' My Documents
folders to a central server location to allow users to access their documents in the My
Documents folder, regardless of the computer they log on to. This is achieved by creating
a new Group Policy object (GPO) named AuditUsers, configuring it to redirect My
Documents to \\Certkiller-sr07\profiles\%username%, and linking it to the Audit OU.
Incorrect Answers:
C: To provide users with a centrally located folder for the storage of personal files and
applications, you need to create a home folder on a centrally located server and identify
the path to the home folder in the Profile tab of the user's Properties page.

QUESTION 164:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com that is
configured as a single site. All servers on the Certkiller .com network run Windows
Server 2003 and all client computers run Windows XP Professional.
You are required to modify a Group Policy object (GPO) so that the settings
received by a certain group of employees are changed.
You access the Group Policy Management Console, open a GPO linked to the site
and open the User Configuration folder. You also open the Windows Settings folder,
then the Folder Redirection folder, right-click the My Documents folder, and then
click Properties. You select the Advanced-Specify locations for various user groups
setting from the Target tab, enter a group and a specific path, and accept the
default property settings.
What configuration change will occur?

A. The My Documents and My Pictures folders will be redirected to one location for all
employees in a particular site.
B. The My Documents folder will be redirected to one location for all employees in the
site.
C. The My Documents folder will be redirected to a location according to OU.
D. The My Documents and My Pictures folders will be redirected to a location according
to security group membership.

Answer: D

Explanation: Folder redirection can be set up in one of two ways. You can either
redirect folders to a location according to security group membership, or you can
redirect folders to one location for everyone in the site, domain, or OU.
By default, My Pictures is redirected as part of My Documents. The default behavior is
recommended but can be modified by selecting the Do not specify administrative policy
for My Pictures setting from the Settings tab of the policy's properties page. If the two
folders are separated, a shortcut to the My Pictures folder is placed in My Documents
and the folder location data remains in the original location.
Incorrect Answers:
A, B: To redirect the My Documents folder to one location for all employees in the
site, you should open the Target tab and select Basic-Redirect everyone's folder to the
same location.
C: To redirect the My Documents folder to one location for all employees in a specific
OU, you should open the Target tab and select Basic-Redirect everyone's folder to the
same location in a group policy linked to an OU.

QUESTION 165:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com that is
configured as a single site. All servers on the Certkiller .com network run Windows
Server 2003 and all client computers run Windows XP Professional. OUs exist for
each Certkiller .com department that contains the user accounts of users in that
particular department.
You are required to modify a Group Policy object (GPO) so that the settings
received by a certain group of employees are changed.
You access the Group Policy Management Console, open a GPO linked to the
Finance OU and open the User Configuration folder. You also open the Windows
Settings folder, then the Folder Redirection folder, right-click the My Documents
folder, and then click Properties. You select the Basic-Redirect everyone's folder to the
same location setting from the Target tab, enter a specific path, and accept the
default property settings.
What configuration change will occur?

A. The My Documents and My Pictures folders will be redirected to one location for all
employees in a particular domain.
B. The My Documents folder will be redirected to one location according to security
group membership.
C. The My Documents folder will be redirected to one location for all users in the
Finance OU.
D. The My Documents and My Pictures folders will be redirected to a location according
to security group membership.

Answer: C

Explanation: Folder redirection can be set up in one of two ways. You can either
redirect folders to a location according to security group membership, or you can
redirect folders to one location for everyone in the site, domain, or OU. Because the
GPO is linked at the OU level, only users in that OU will have their My Documents
folders redirected.
Incorrect Answers:
A: Since the GPO is not linked at the domain level it will not apply to everyone in a
specific domain.
B, D: Folder redirection can be pointed to a specific location based upon security
group membership by selecting the Advanced-Specify locations for various user
groups setting.

QUESTION 166:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains a domain named
Certkiller .com and two child domains named us. Certkiller .com and uk. Certkiller .com, in
a single Active Directory site. All servers on the Certkiller .com network run
Windows Server 2003 and all client computers run Windows XP Professional.
The network topology is shown in the following exhibit:

All user accounts for the Certkiller .com employees are located in the us. Certkiller .com
and uk. Certkiller .com domains. A new Certkiller .com security policy requires all users
to employ strong passwords.
You need to ensure that this requirement is enforced by creating as little Group
Policy objects (GPOs) and GPO links as possible.
What should you do?

A. You should configure the appropriate password policies in the Default Domain Policy
GPO in the us. Certkiller .com and uk. Certkiller .com domains.
B. Create a Group Policy object (GPO), configure the appropriate password policies in
the GPO, link it to the forest root domain, and enable the No Override option for the
GPO link.
C. Create a Group Policy object (GPO), configure the appropriate password policies in
the GPO, create an OU, place all user accounts into the OU, and link the GPO to the OU.
D. You should configure the appropriate password policies in the Default Domain
Controllers Policy GPO in the forest root domain, and link this GPO to the Active
Directory site.

Answer: A

Explanation: For password policies in a GPO to affect Active Directory user
accounts, the GPO must be applied at domain level. To meet the requirements in the
scenario, you can either configure the appropriate policies in the Default Domain
Policy GPO in the us. Certkiller .com and uk. Certkiller .com domains, or create a new
GPO with those policies and link it to the us. Certkiller .com and uk. Certkiller .com
domains.
Incorrect Answers:
B: If you use this option, the policies will be applied only to user accounts located in the
forest root domain. This option is not valid because the forest root domain does not
contain any employees' user accounts.
C: OUs can only be created within domains. You cannot create an OU that contains user
accounts from the two child domains.
D: If you use this option, then the password policies would apply only to the local user
accounts on all computers in the forest, except domain controllers that do not have local
user accounts.

QUESTION 167:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
You have created an organizational unit (OU) for each department, and also created
two child OUs for each of these OUs. The one child OU contains the user objects for
that department, and the other OU contains the computer objects for the client
computers assigned that department. Users are able to log on to the domain from
any client computer, in any domain.
A new Certkiller .com security policy requires that a logon script has to be run every
time a user logs on to the domain. A logon script has to be run on all Windows XP
computers, and another logon script has to run on all Windows 2000 computers.
You create a Group Policy object (GPO) for the Windows 2000 operating system
named Win2000, and also create a GPO for the Windows XP operating system
named WinXP.
You need to ensure that these GPOs are applied to the appropriate computers using
the least amount of GPO links possible.
What should you do?

A. You have to create two groups named Win2000 and WinXP. Add the computer
accounts of all Windows 2000 Professional computers to the Win2000 group,
and add the computer accounts of all Windows XP Professional computers to the
WinXP group. You then have to assign the Allow - Apply Group Policy permission
to each group, and then link both GPOs to the domain.
B. You should specify the appropriate WMI filter in each of the GPOs, enable the
loopback processing mode for each GPO, and then link both GPOs to the domain.
C. You should specify the appropriate WMI filter in each of the GPOs, and then link both
GPOs to the domain.
D. You have to create two child OUs in each OU that contains departmental client
computers. Place all computer objects for that department's Windows 2000 Professional
computers in one child OU, and place all computer objects for that department's
Windows XP Professional computers in the other OU. Link the Win2000 GPO to
each child OU that contains Windows 2000 Professional computers, and link the
WinXP GPO to the child OUs that contains Windows XP Professional computers.

Answer: B

Explanation: Windows Management Instrumentation (WMI) filters are used to
filter the default scope of a GPO. Using the WMI Query Language will allow you to
define a filter that will cause a GPO to apply only to specific computers, such as
those running a specific operating system. In this scenario, you are required to
target specific computers with a logon script. To do this, you should enable the
loopback processing mode, which is an advanced feature that allows you to apply
user-specific policies that are configured in GPOs that target computer objects to all
users of those computers.
Incorrect Answers:
A, C, D: These options do not involve using the loopback processing mode, which is
required to apply a user-specific policy that is configured in a GPO that targets
computers.
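Added example, not part of the exam guide: the WQL queries one would paste into the Win2000 and WinXP GPOs' WMI filters, and a local check that runs them the way Group Policy does (a filter matches when the query returns at least one instance). Filter names and the ProductType clause are assumptions for illustration.

```powershell
# Added example (not from the exam guide): test GPO WMI filter queries on the local
# computer before linking the GPOs. Win32_OperatingSystem.Version begins with
# "5.0" on Windows 2000 and "5.1" on Windows XP; ProductType = 1 restricts the
# match to workstations, so Windows Server 2003 (5.2) member servers never match.
$Filters = @{
    'Win2000' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" AND ProductType = 1'
    'WinXP'   = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = 1'
}

function Test-GpoWmiFilter {
    param([string]$Name, [string]$Query)
    # GPMC evaluates filters in the root\cimv2 namespace; a GPO applies only when
    # the query returns one or more instances.
    $instances = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query)
    $applies = ($instances.Count -gt 0)
    return "{0,-8} applies: {1}   ({2})" -f $Name, $applies, $Query
}

$os = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem
"Local OS: {0} (Version {1}, ProductType {2})" -f $os.Caption, $os.Version, $os.ProductType

foreach ($name in $Filters.Keys) {
    Test-GpoWmiFilter -Name $name -Query $Filters[$name]
}
```

Caveat for this scenario: Windows 2000 clients ignore WMI filters and apply the GPO regardless, so only the XP-side filter is actually enforced by the client; verify the resulting scope with Resultant Set of Policy on a Windows 2000 computer as well.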

QUESTION 168:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
An enterprise Certification Authority (CA), which is required to establish secure
communications between Certkiller .com's corporate network and the networks of
numerous business partners and important clients, exists on the Certkiller .com
network. Your plan is to employ secure virtual private network (VPN) connections
over the Internet.
You need to ensure that the VPNs use L2TP/IPSec and certificate-based
authentication.
What should you do? (Choose all that apply)

A. Install a computer certificate from the enterprise CA on a VPN server.
B. Create a computer certificate template and publish it on the intranet Web site.
C. Configure a domain-level auto-enrollment policy.
D. Instruct users to use the computer certificate template to apply to a commercial CA for
their computer certificates.
E. Create L2TP/IPSec connections to the other parties.
F. Implement a domain-level policy that requires encryption of traffic that is directed to
external IP addresses.
G. Implement a domain-level policy that requires all secure channel data to be digitally
encrypted or signed.
H. Configure a local policy that requires all secure channel data to be digitally encrypted
or signed.
I. Configure a local policy that requires VPN traffic to be encrypted.

Answer: A, E, I

Explanation:
This scenario requires you to enable secure connectivity with partners' and major
clients' networks over the Internet. You should, therefore, configure
router-to-router VPN connections on a Windows Server 2003 computer with
Routing and Remote Access. A computer certificate is usually required on each
L2TP/IPSec tunnel endpoint router to enable mutual authentication. Typically, you
would use a certificate from a commercial CA rather than an enterprise or
stand-alone CA because the certificates issued by many commercial CAs are
globally trusted. This means that Certkiller .com's partners and clients may want to
use their certificates for establishing communications with other parties as well.
Incorrect Answers:
B: Certificate templates are stored in Active Directory and are supported only by
enterprise CAs.
C: Typically, Windows 2000 and later clients automatically enroll for computer
certificates with enterprise CAs.
D: Client computers on Certkiller .com's network do not require computer certificates to
communicate over router-to-router VPN connections because only VPN tunnel endpoint
routers must authenticate each other.
F: The authentication of Certkiller .com's client computers and users on external networks
may or may not require certificates.
G, H: The Domain member: Digitally encrypt or sign secure channel data (always)
policy setting pertains to communications between domain controllers and other
member computers. This is not related to IPSec.

QUESTION 169:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You have created an OU named Finance that contains all users and computers in
the Finance department. The Finance department employees work exclusively on
the workstations that they are assigned. When you are informed that certain
desktop restrictions have to be applied to the users in the Finance department, you
configure the required user policies in a Group Policy object (GPO) and link it to
the Finance OU.
A few days later, you receive a report from the IT department's technical support
staff that they are unable to resolve certain technical problems on workstations in
the Finance department because some desktop features are disabled on those
computers. This happens even though the IT staff logs on to the domain with their
own user account credentials.
You need to ensure that the restrictions only apply to the users in the Finance
department.
What should you do?

A. You should enable the No Override option for the GPO link.
B. You should enable Block Policy Inheritance for the Finance OU.
C. You should assign the Allow - Apply Group Policy permission for the GPO to the IT
staff.
D. In the GPO, disable the loopback processing mode.

Answer: D

Explanation: A GPO contains computer-specific policies that are found under the
Computer Configuration node, and user-specific policies that are found under the
User Configuration node. Computer-specific policies target computer accounts and
user-specific policies target user accounts. In this scenario, you have configured
user-specific policies that restrict desktop features, and you have linked that GPO to
the Finance OU, which contains both user and computer objects. It also appears
that you have enabled the loopback processing mode in that GPO. The loopback
processing mode is an advanced feature that applies the user-specific policies
configured in GPOs that target computer objects to every user of those
computers. You should, therefore, disable the loopback processing mode to rectify
this problem.
Incorrect Answers:
A: If you enable the No Override option for the GPO link, then that GPO would be
enforced on the Finance OU, and also on any child OU. It will not, however, change the
way that the GPO affects the IT staff when they log on at the computers in the Finance
department.
B: If you enabled the Block Policy Inheritance option for the Finance OU, the GPOs
that are linked to the site or domain would not apply to the Finance OU. This option,
however, does not have any effect on the GPOs that are linked to the Finance OU.
C: The GPO in the scenario targets only users and computers in the Finance OU, not the
user accounts of IT staff. Therefore, assigning permissions for that GPO to the IT staff
will have no effect.

QUESTION 170:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
A new Certkiller .com security policy requires that after a user enters incorrect
passwords thrice in a row within one hour, the user's account has to be locked out
until an administrator unlocks it.
You need to ensure that this policy is enforced.
What should you do? To answer, select the appropriate options and place them in
the appropriate spaces provided in the work area.

Answer:

Explanation: Account lockout policies for domain user accounts can be configured
in a Group Policy object (GPO) that is linked to the domain. These policies define
how the system behaves when user logon attempts are unsuccessful due to
incorrectly specified password. Each time that a user attempts to log on and
provides an incorrect password, the value of the account lockout counter on the
user's account is increased by one. The counter is reset to 0 after a user logs on
successfully or after a specific time period elapses. This time period is defined in the
Reset account lockout counter after policy and can be set to a value between 1 and
99,999 minutes. For this scenario the counter should be reset after 60 minutes. The
number of logon attempts that users are allowed within this time period is defined
in the Account lockout threshold policy and can be set to a value between 0 and 999.
In this scenario, you should set this policy to 3. After an account has been locked,
the Account lockout duration policy defines the period of time after which the
account will be automatically unlocked. This policy can be set to a value between 0
and 99,999 minutes. In this scenario, you should set this policy to 0. When this
policy is set to 0, locked out accounts are never unlocked automatically, only an
administrator can unlock locked accounts.

QUESTION 171:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
When your manager informs you that users in the Marketing department have to use
restricted desktops where certain features are disabled, you place all marketing
users in an organizational unit (OU) named Marketing. You then configure a Group
Policy object (GPO) with the required user policies that restrict user desktops, and
link this GPO to the Marketing OU.
A short while later, you receive a report from the supervisors in the Marketing
department informing you that they are unable to perform some of their
work-related tasks due to the desktops on their computers being restricted.
You need to ensure that the Marketing department supervisors receive unrestricted
desktops, while the rest of the users in the Marketing department receive restricted
ones.
What should you do? (Choose two)

A. Create a new GPO where all desktop restriction policies are set to Not configured and
link this GPO to the child OU.
B. Create a new GPO where all desktop restriction policies are set to Not configured and
link this GPO to the Marketing OU.
C. Create a child OU in the Marketing OU and move the user accounts of the supervisors
into the child OU.
D. Link the original GPO where the desktop restrictions are configured to the child OU
and enable the No Override option for this link.
E. Enable the Block Policy Inheritance option for the child OU.

Answer: C, E

Explanation: For policies that are configured in GPOs to take effect, the GPO must
be linked to an Active Directory container, such as a site, domain or OU.
Computer-specific policies target computer objects and user-specific policies target
user objects. By default, a GPO that is linked to a parent container also applies to all
child containers of that parent container. If the Block Policy Inheritance option is
enabled for a child container, then the GPOs that are linked to parent containers do not
apply to that child container.
Incorrect Answers:
A, B: If you created a new GPO with no configured policies in it in an attempt to
override the GPO that contains the configured desktop restriction policies, then that new
GPO would have no effect, regardless of the container to which it is linked.
D: If the No Override option is enabled for a GPO link, then that GPO applies all
the way down the hierarchy, even if the Block Policy Inheritance option is enabled
for any child containers.

QUESTION 172:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com, which is
spread over two sites named Site1 and Site2. All servers on the Certkiller .com
network run Windows Server 2003 and all client computers run Windows XP
Professional.
Site1 currently hosts 800 users and contains all Certkiller .com's domain controllers,
while Site2 contains only 50 users. Communications between these two sites take
place via a 384 Kbps WAN link.
You have created a Group Policy object (GPO) and configured some user policies in
it. After linking this GPO to the domain, users in Site2 complain that they have not
been receiving these policies.
You need to ensure that the policies configured in the GPO are enforced in both
Site1 and Site2.
What should you do?

A. You should link the Group Policy object (GPO) to Site2.
B. You have to enable the Group Policy slow link detection policy and set the connection
speed to 512 Kbps.
C. You have to enable the Group Policy slow link detection policy and set the connection
speed to 256 Kbps.
D. Disable the Group Policy slow link detection policy in the Group Policy object
(GPO).

Answer: C

Explanation: GPOs are stored in Active Directory, which is hosted on domain
controllers. Computer-specific policies in GPOs are applied when computers start up, and
user-specific policies are applied to users when they log on. Applicable policy
settings are downloaded to targeted computers from domain controllers. All domain
controllers in this scenario are located in Site1, so when users in Site2 log on, the
user policies in the GPO that you created must be sent to Site2 over the WAN link.
If the Group Policy slow link detection policy is not configured or is disabled, then
any connection slower than 500 Kbps is considered slow. Typically, applicable
policies will not be applied over a slow link.
Incorrect Answers:
A: Linking the GPO to Site2 will apply the user policies in the GPO to all users who log
on to the computers in Site2. The GPO would still, however, have to be transmitted to
Site2 from a domain controller in Site1 over the 384 Kbps WAN link, which is
considered slow by default.
B: If you enabled the Group Policy slow link detection policy and specified the 512
Kbps connection speed, then connections slower than 512 Kbps would be considered
slow.
D: If the Group Policy slow link detection policy is disabled, then any connection
slower than 500 Kbps is considered slow.

QUESTION 173:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com's sales representatives are currently servicing three main regions
named North, South and East. Sales representatives that service the North region
are members of the North security group, sales representatives that service the
South region are members of the South security group, and sales representatives
that service the East region are members of the East security group.
One of Certkiller .com's main clients has an office in both the North and East
regions. The sales representatives responsible for this client have been made
members of both the North and East security groups. For legal purposes, you are
required to configure certain security restrictions for the North group in a GPO that is
linked to the Sales OU, which contains the user accounts of all sales employees.
You need to ensure that this GPO does not affect any sales users who do not also
belong to the North group.
What should you do?

A. You have to delegate the Allow - Read and Allow - Apply Group Policy permissions
for the GPO to the North group, remove all permissions for the GPO from the
Authenticated Users group, and then assign Deny - Apply Group Policy to the South
group.
B. You have to delegate the Allow - Read and Allow - Apply Group Policy permissions
for the GPO to the South group, remove all permissions for the GPO from the
Authenticated Users group, and then assign Deny - Apply Group Policy to the North
group.
C. You have to delegate the Allow - Read and Allow - Apply Group Policy permissions
for the GPO to the North group, remove all permissions for the GPO from the East group,
and then assign Deny - Apply Group Policy to the North group.
D. You have to delegate the Allow - Read and Allow - Apply Group Policy permissions
for the GPO to the South group, assign Deny - Apply Group Policy to the South
group, and then remove all permissions for the GPO from the users that are members of
both the North and East groups.

Answer: A

Explanation: For the GPO to apply to a specific subset of users in the Sales OU, you
should ensure that only those users who should be affected by that GPO are
assigned the Allow - Read and Allow - Apply Group Policy permissions for that
GPO. Users who are not assigned both of these permissions are not affected by that
GPO. By default, the Authenticated Users group is assigned both of these
permissions for all GPOs. Therefore, by default, the GPO would apply to all users
in the Sales OU. To enforce the requirements in this scenario, you should remove
these permissions for the GPO from the Authenticated Users group, and then
delegate the Allow - Read and Allow - Apply Group Policy permissions for the GPO
only to the North group.
Incorrect Answers:
B: If you used this option, then the GPO would only apply to the South group.
C, D: If you used these options, then the GPO would apply to the North group and
to the entire East group because of the default permissions assigned to
Authenticated Users.

QUESTION 174:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Employees in the Sales department will use a custom sales application that should
not be used by any other Certkiller .com employees. A new Certkiller .com security
policy requires that only Certkiller .com managers use strong passwords.
To meet these requirements, you start by creating a Group Policy object (GPO)
named SalesApp and then configure this GPO to assign the sales application to the
users. You then create a different GPO named Password and configure the suitable
password policies in it.
You need to ensure that these GPOs are linked to the correct Active Directory
containers.
What should you do? To answer, select the appropriate options and place them in the
correct space in the work area. Options can be used more than once, and if you need
to link the GPOs to the same container you can use the option labeled Both.

Answer:

Explanation:
To apply policies that are configured in a GPO, the GPO must be linked to appropriate
Active Directory containers: sites, domains or organizational units. Lower-level
containers in the Active Directory hierarchy inherit policy settings that are configured in
the GPOs that are linked to any of their parent containers. The SalesApp GPO in this
scenario contains a user-specific policy that assigns the sales application to users.
You should, therefore, link this GPO to the Sales Users OU, which contains the user
accounts of all Sales employees.
Password policies that are intended to affect domain user accounts must be configured in
a GPO that is linked to the domain. You should therefore link the Password GPO to the
domain container.
Note: The password policy would apply to all users in the domain. To restrict the policy
to the managers, you would have to configure the permissions on the
policy so that only the managers have the Read and Apply Group Policy permissions.

QUESTION 175:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains a domain controller named Certkiller -DC01.
A new Certkiller .com security policy requires that user passwords be a minimum
of ten characters and have a password history of eight. When you run GPresult
from a Windows XP client computer, you discover that currently the password
length is set at six characters, and the password history is set at twelve.
You are planning to modify security settings remotely on individual client
computers with the Security Configuration and Analysis tool. You log on to
Certkiller -DC01 and open a new security database after starting the Security
Configuration and Analysis snap-in.
You need to ensure that you are able to configure and analyze the security settings
on individual client computers.
What should you do?

A. You need to run the Security Settings extension to Group Policy first.
B. You need to first export a security template.
C. You need to first import a security template.
D. You need to run the secedit utility from the command-line first.

Answer: C

Explanation: The Security Configuration and Analysis snap-in is used to configure a
computer with a security template or to compare the current computer settings with
the settings in a security template. After launching the snap-in, you should
right-click on the Security Configuration and Analysis scope item, and then click
Open Database. Type the name of the new database, click Open, and then select the
security template you wish to import into the database.
Incorrect Answers:
A: The Security Settings extension to Group Policy tool is used to edit individual
security settings on a GPO.
B: You do not have a template to export when you are creating a new security
configuration database.
D: Secedit is used to automate security configuration. It is a command-line tool that can
be incorporated into scripts.

QUESTION 176:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You have created an OU for each of Certkiller .com's departments, named Sales,
Marketing, Finance, and IT. The following exhibit displays Certkiller .com's Active
Directory structure.

You are required to formulate a strategy to configure Certkiller .com's user
environment using group policy. A new Certkiller .com policy requires that all users,
except those in the IT and Admins OUs, be denied access to the Control Panel or
any other registry editing tools. It also stipulates that only the IT department users
should have the ability to use Windows Update.
You need to use the most efficient method of enforcing this policy on
Certkiller .com users.
What should you do? To answer, select the appropriate GPO or option and place
them in the correct node in the work area.

Answer:

Explanation:
The best way to apply the GPO strategy is to create three GPOs and link them to the domain.
Create one GPO to disable Control Panel, one to disable registry editing tools, and one to
disable the Windows Update. This will prevent all the users in the domain from accessing
the Control Panel, editing the registry, and using Windows Update.
Blocking policy inheritance for the IT OU will prevent those three GPOs from affecting
users in the IT OU and the two OUs that it contains. This will allow all of the users in the
IT OU to be able to edit the registry, access the Control Panel, and perform a Windows
Update.
Linking the "Disable Control Panel" and the "Disable Registry Tools" GPOs to the
HelpDesk OU will satisfy the requirement, which states that all users, except those in the
IT and Admins OUs, be denied access to the Control Panel or any other registry editing
tools.

Actualtests.com - The Power of Knowing


070-294

QUESTION 177:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com employs a departmental organizational unit (OU) structure which is
shown in the following exhibit.

The Admins OU contains a global group named CKAdmin. A Certkiller .com
security policy requires that users only be allowed to run authorized applications.
You have recently received reports that users have in fact been using unauthorized
applications that have installed viruses, Trojans, and in some cases corrupted
Windows.
You need to ensure that users are only able to run line of business applications that
have been installed on their computers in the m:\apps folder, and that they are
prevented from running any other applications. You also need to ensure that
nobody in the CKAdmin global group is affected by the solution you use.
You have already created and linked a GPO at the domain level that configures a
Software Restriction Policy.
What should you do? (Choose all that apply)

A. Set the security in the Software Restriction Policy to unrestricted.
B. Set the security in the Software Restriction Policy to disallowed.
C. Create a path rule for m:\apps and set the security level of the rule to unrestricted.
D. Create a path rule for m:\apps and set the security level of the rule to disallowed.
E. Deny Apply Group Policy to the Admin OU.
F. Deny Apply Group Policy to the CKAdmin global group.

Answer: B, C, F

Explanation: A Software Restriction Policy, which is implemented with a GPO, can
be used to control which software each user can run. There are two security settings
inside a Software Restriction Policy:
1. Unrestricted, which allows software to run with the full rights of the user that is logged
on.
2. Disallowed, which does not allow software to run.
Once you configure the security settings, you must create rules to either allow or disallow
software to run. You can use hash rules, certificate rules, path rules, and zone rules. To
allow only the software in m:\apps to run, you would create and link a GPO at the
domain level that configures a Software Restriction Policy. You will need to set the
security in the policy to Disallowed. This would prevent software from running. You also
need to create a path rule for m:\apps and set the security level of the rule to unrestricted.
This would allow any applications that were installed into that directory to run.
To prevent this policy from applying to the Admin OU, you must Deny Apply Group
Policy to the CKAdmin global group.
Incorrect Answers:
A: If you set the security in the Software Restriction Policy to unrestricted, all
applications would be allowed to be run using the security context of the logged on user.
D: If you use this option, all of the applications on the system would run except for
the applications in the m:\apps directory.
E: You cannot Deny Apply Group Policy to an OU.

QUESTION 178:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional. The Certkiller .com network contains 17 servers and 1,200 client
computers.
You are currently configuring security settings for users with the use of a Group
Policy object (GPO). You are planning to deploy a script to all users, which will run
a program to check each client computer that they log on to for the existence of a
Trojan that you believe has gained access to the Certkiller .com network. Users can
only run this program if a particular hotfix is installed on their computers. If a user
does not have the hotfix installed, the script should not be run.
You need to ensure that the logon script will only be applied to the users if the
computer that they are logging on to has the hotfix installed.
What should you do?

A. Check each client computer for the presence of the hotfix, and run the script locally if
the hotfix is installed.
B. Create a GPO that will run the logon script and link it to the domain.
C. Create a GPO that installs the hotfix and link it to the domain.
D. Instruct the users to not run the GPO until they verify that the hotfix is installed.
E. Create a WMI Filter on the GPO that checks for the presence of the hotfix by
using a query.

Answer: B, E

Explanation:
WMI Filters contain WQL based queries, which are evaluated dynamically at the
computer startup or at user logon, and depending on their outcome, allow or
disallow the GPO settings to be applied. By creating a WMI Filter that checks for
the presence of the hotfix on the GPO that will run the logon script, you will prevent
the logon script from running on computers that do not have the hotfix installed. If
the WMI Filter verifies that the hotfix is installed, the GPO will be processed and
the logon script will run.
Incorrect Answers:
A: You could check each client computer individually for the presence of the hotfix, but
you would have to visit 1,200 computers. Also, the script is a logon script that needs to
be run each time a user logs on.
C: Using this option will install the hotfix on the client computers.
D: Users do not have the option of selecting and running GPOs.
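The following is an added example, not part of the exam guide: it shows the WQL query that would go into the GPO's WMI filter and a way to test the same query on a client before linking the GPO. The hotfix ID is a placeholder, since the question does not name the actual hotfix.

```powershell
# Added example (not from the exam guide). KB000000 is a placeholder;
# replace it with the real hotfix ID, which the question does not name.
$HotfixId = 'KB000000'

# This is the WQL query to paste into the GPO's WMI filter (root\CIMv2).
# Group Policy evaluates it on the computer at startup and at user logon;
# if the query returns no instances, the whole GPO (including its logon
# script) is skipped on that computer.
$Query = "SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = '$HotfixId'"

# Run the identical query locally on a test client first: an empty result
# means the filter would exclude that computer.
$Installed = Get-WmiObject -Namespace 'root\CIMv2' -Query $Query
if ($Installed) {
    "Hotfix $HotfixId is present: the logon script GPO would apply here."
} else {
    "Hotfix $HotfixId is missing: the GPO and its logon script would be skipped."
}
```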

QUESTION 179:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller -north.com and Certkiller -south.com. The Active Directory forest is
configured as a single site named Chicago. All servers on the Certkiller .com network
run Windows Server 2003 and all client computers run Windows XP Professional.
Each domain has the following organizational units (OUs) configured containing the
listed objects.
1. CK_Res, which contains all hardware resources for the Certkiller .com domain.
2. CK_Users, which contains all non-administrative user accounts in the
Certkiller .com domain.
3. CK_Admin, which contains all administrative accounts in the Certkiller .com
domain.
4. US_Res, which contains all hardware resources for the us. Certkiller .com domain.
5. US_Users, which contains all non-administrative user accounts in the
us. Certkiller .com domain.
6. US_Admin, which contains all administrative accounts in the us. Certkiller .com
domain.
You are required to apply new desktop policies for all users on Certkiller .com's
network. You create a new Group Policy object (GPO) named DTPolicy.
Additionally, you are required to apply logon scripts for users of the CK_Admin
OU. You configure the logon script in a GPO named CKScript.
You need to ensure that these policies are applied with as little administrative
overhead as possible.
What should you do? To answer, select the appropriate policy or policies in the list,
and place it in the correct space or spaces provided in the work area.

Answer:

Explanation:
In this scenario, all domains are members of the Chicago site. Since you want to apply
new desktop settings using a group policy to all users on the network, you should link the
DTPolicy GPO at the site level. This will be the first non-local policy downloaded, and
no other desktop policies exist at the domain or OU level to override a GPO at this level.
All users in the site will receive the GPO at logon. You should then link the CKScript
GPO at the CK_Admin OU level. This will target the use of the script to this group of
users and will have no effect on other users in the site.

QUESTION 180:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of two Active Directory forests named Certkiller -north.com and
Certkiller -south.com. The functional level of each forest is set at Windows Server
2003. All client computers run Windows XP Professional and are members of both
forests. A forest trust has been established between Certkiller -north.com and
Certkiller -south.com.
The Certkiller -north.com forest contains 250 users, and the Certkiller -south.com forest
contains 400 users. The Certkiller -north.com and Certkiller -south.com offices are
connected to the Internet via 128 Kbps connections.
A number of IT employees are frequently required to work on different client
computers on the network. You have configured user settings using Group Policy.
Your manager has informed you that you are required to achieve the following
objectives:

1. The IT employees in the domain have to be able to work on to any client
computer in the Certkiller .com domain and receive their own predefined desktop.
2. The IT employees must have the ability to make changes to desktop settings while
they are logged on.
3. The IT employees' home folders have to be mapped to the same drive at logon.
4. The configured GPOs settings must be implemented on any computer the IT
employees log on to.
You place the IT employees' user accounts into an OU named ITUsers, and
configure a roaming user profile for each IT user on your domain. You configure
\\mgmt\profiles\%username% as the profile path and create a home folder for each
user on \\mgmt\profiles\%username%. You specify the profile path, the home folder
drive letter and network path on the Profile tab of the Properties dialog box of each
user account. You then configure a GPO named RoamPro, enable the slow link
detection option, enable the Allow Cross-Forest User Policy and User Roaming
Profiles option, and then link the RoamPro GPO to the ITUsers OU.
What percentage of your objectives has been achieved by your actions?

A. 0 %
B. 25 %
C. 50 %
D. 75 %
E. 100 %

Answer: E

Explanation: In the above scenario, all objectives were met. To enable the IT
employees in the domain to have their own predefined desktop settings on all
computers and enable the IT employees to make changes to desktop settings while
logged on, you should configure a roaming user profile for each IT employee on the
domain.
You should configure a home directory folder to configure the user's home directory to
the same drive at each logon.
To configure the GPO settings so that they are applied to any computer the IT employee
logs on to, you should enable the slow link detection option, and the Allow Cross-Forest
User Policy and User Roaming Profiles options for the GPO. Because the connection
speed is 128 Kbps, you should enable the slow link detection option. If this option is not
enabled, slow connection speeds can prevent group policies from being applied to
computers over the network. The Allow Cross-Forest User Policy and User Roaming
Profiles option will allow the Roaming Profiles to be applied between forests. The GPO
must then be linked to the ITUsers OU.

QUESTION 181:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of three Active Directory domains named Certkiller .com,
uk. Certkiller .com, and us. Certkiller .com. These three domains are located in a single

site named Chicago and include the organizational units (OUs) shown in the Active
Directory structure diagram below.

You have configured the Group Policy objects (GPOs) shown in the following table:

Group Policy Name   Group Policy Type   GPO Option
Chicago             Site GPO            None
CK_Users            Domain GPO          No override
US_Sales            OU GPO              Block Inheritance
US_Acc              OU GPO              No override
US_Fin              OU GPO              None

A user named Andy Booth logs on to a computer that is a member of the US_Acc
OU. Andy Booth is also a member of the US_Acc OU.
What settings will affect him?

A. The settings from the US_Acc GPO.
B. The settings from the Chicago GPO.
C. The settings from the Chicago, US_Users, and US_Acc GPOs.
D. The settings from the Chicago and US_Acc GPOs.
E. The settings from the US_Users and US_Acc GPOs.
F. The settings from the US_Users GPO.

Answer: C

Explanation: Andy Booth's account is in the US_Acc OU. In the Active Directory
hierarchy, the site GPO has no special options. The domain GPO is configured with
the No Override option, ensuring that any settings in this GPO will be applied. The
US_Acc GPO also has the No Override option enabled. Therefore, when Andy
Booth logs on he will first receive the settings configured in the Chicago GPO, next
the settings in the US_Users GPO will be applied, and then the settings in the
US_Acc GPO will be applied.

QUESTION 182:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You are preparing to perform routine network maintenance on the upcoming
weekend. The maintenance process will cause the network to be unavailable to
dial-in network users. You need to remind network users of this, and plan to use
group policy to deploy a logon banner stating the following:
"The network will be unavailable for local and remote access this weekend. Please
download all files that you will require to this weekend on Friday. The network will
be available 8 o'clock Monday morning."
You have created a Group Policy object (GPO) that will be linked to the domain.
You need to ensure that you configure suitable policy settings to deploy the logon
banner with as little administrative effort as possible.
What should you do?

A. In the GPO, enable the Interactive logon: Message text for users attempting to log on
policy and define the required message.
B. In the GPO, enable the Interactive logon: Message title for users attempting to log on
policy and define the required message.
C. In the GPO, enable the Scripts (Startup/Shutdown) policy and create a script that
displays the required message.
D. In the GPO, enable Domain controller: Allow server operators to log on policy, create
a batch file that displays the required message, and use Schtasks to run this batch file.

Answer: A

Explanation: This setting will display the desired logon text at logon to users who
receive the policy settings. It is located in the Computer Configuration - Windows
Settings - Local Policies - Security Options policy node.
Incorrect Answers:
B: This setting defines the header for the dialog box displayed at logon when the policy
is set. This policy restricts the amount of text that can be displayed in the header.
C: This setting executes scripts when the computer receiving the policy settings is
restarted. The scenario requires the message to be displayed when users log on to the
network.
D: This option will not provide the message when users log on and would require
excessive administrative effort.

QUESTION 183:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.

You are reconfiguring an Administrative template using the Group Policy
Management Console (GPMC). You are currently defining the Offline Files policy
in the Computer Configuration node. At the same time, unknown to you, a different
network administrator is configuring the exact same policy in the User
Configuration node with different settings prior to your settings being replicated
throughout the domain.
What will happen in this case?

A. The settings configured in the User Configuration node will take precedence over the
settings configured in the Computer Configuration node.
B. The system will apply the default settings.
C. The settings configured in the Computer Configuration node will take precedence over
the settings configured in the User Configuration node.
D. If a conflicting policy is configured, an error will be displayed.

Answer: C

Explanation: Group Policy objects (GPOs) contain Windows Server 2003 group
policy settings that determine the user's desktop environment. Group policy settings
include policies that contain computer configuration settings and user configuration
settings. The administratively assigned Offline Files policy lists network files and
folders that are always available for offline use. This policy makes the specified files
and folders available offline to users of a computer. This policy appears in the
Computer Configuration and User Configuration folders. If both policies are
configured, the setting in Computer Configuration will override the setting in User
Configuration. Therefore A, B, and D are incorrect.

QUESTION 184:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers, except the ones in the Manufacturing department, run Windows XP
Professional. The client computers in the Manufacturing department are running
Windows NT 4.0 Workstation.
According to Certkiller .com's modified security policy, the My Network Places and
Network Neighborhood shortcut has to be hidden on the desktops of all
Certkiller .com users. To satisfy the security policy requirements, you create a Group
Policy object (GPO) named UserDT, enable the Hide My Network Places icon on
desktop policy, and link the GPO to the domain.
You need to ensure that the security policy is satisfied on computers running
Windows NT 4.0 Workstation.
What should you do? (Choose two)

A. Create a system policy that contains the required settings with the System Policy
Editor.
B. Save the system policy file as Config.pol in the NetLogon folder on a domain
controller.
C. Create a system policy that contains the required settings with the Group Policy
Management Console (GPMC).
D. Save the system policy file as Config.pol in the NetLogon folder on each client
computer.
E. Create a system policy that contains the required settings with the Security
Configuration and Analysis tool.
F. Save the system policy file as Ntconfig.pol in the NetLogon folder on a domain
controller.

Answer: A, F

Explanation: In Windows Server 2003 environments, system policies are used to
provide common settings to down-level client computers, such as Windows NT 4.0
Workstation or Windows 98 client computers.
System policies are created using the System Policy Editor utility. For Windows NT 4.0
Workstation computers, the settings are saved as Ntconfig.pol and are placed in the
NetLogon share on a domain controller. This share is replicated to all domain controllers
so that the settings will be received regardless of which domain controller participates in
the logon event.
Incorrect Answers:
B, D: The Config.pol file contains system policy settings for Windows 98 and
Windows Millennium computers.
C: This console is used to access, create, and configure Group Policy objects (GPOs) and
local policy settings for Windows 2000, Windows XP Professional, and Windows Server
2003.
E: This tool is used to analyze or configure computer security using a security template.
This tool cannot be used to create Windows NT-style system policies.

QUESTION 185:

You work as network administrator at Certkiller .com. The Certkiller .com network
consists of a single Active Directory domain named Certkiller .com.
Recently, you implemented various computer-specific group policies. You also
created an organizational unit named Computers that contains two child OUs
named IT and Finance. The current domain and OU structure is displayed by the
diagram shown in the exhibit.

You have linked a Group Policy object (GPO) named ComputerApps that deploys a
number of software applications to the Computers OU. The Finance OU has no
GPOs linked to it at present. You are required to deploy a financial application that
will only be used by the Accounting department, and should only be deployed to the
computers in this department.
You need to ensure that the policy you create executes as efficiently as possible.
What should you do? (Choose all that apply)

A. Create a GPO called FinanceApps.
B. Edit the ComputerApps, and add the financial application to the software installation
settings.
C. Link the FinanceApps GPO to the Finance OU, and configure the finance installation
application in Software Installation.
D. Create an ACL filter to apply it to the Finance OU only.
E. Disable the User Configuration settings for the FinanceApps GPO.
F. Enable the User Configuration settings for the FinanceApps GPO.
G. On the financial application properties in the FinanceApps GPO, select the "Uninstall
this application when it falls out of the scope of management" option.

Answer: A, C, E, G

Explanation: Creating a policy called FinanceApps for the Finance OU and
configuring finance installation application in Software Installation is the first step
in the process. This will correctly add the application as an MSI package installation
that will install itself on each computer that is added to the Finance OU.
Disabling the User Configuration setting prevents the User settings of the GPO from
being processed. This reduces the processing time and increases efficiency.
By selecting the "Uninstall this application when it falls out of the scope of management"
option of the financial application properties in the GPO, you force the finance
application to be uninstalled when a computer is moved out of the OU. This meets the
requirement to ensure that only the computers in the Finance department have this
application.
Incorrect Answers:
B, D: The combination of these two options could work, but because ACL filtering adds
considerable overhead to the user's logon process it does not satisfy the requirement to
make the policy application as efficient as possible.
F: This option is unnecessary, since the Finance OU contains only computer objects.

QUESTION 186:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com employs a departmental organizational unit (OU) structure which is
shown in the following exhibit.

Admin, Help Desk, Income and Expenses are child OUs.

You are required to deploy a new line of applications to all computers in the
Accounting department, which should be available to any user who logs on to an
accounting computer, including managers from other departments. Due to the
limited amount of licenses available to you, the applications cannot be installed if a
user in the Finance department logs on to a computer outside of the Finance
department.
You need to ensure that you use the best method to achieve your goal.
What should you do?

A. Create a GPO that assigns the accounting applications to computers and link it to the
Finance OU.
B. Create a GPO that publishes the accounting applications to computers and link it to the
Finance OU.
C. Create a GPO that publishes the accounting applications to users and link it to the
Finance OU.
D. Create a GPO that assigns the accounting applications to users and link it to the
Finance OU.

Answer: A

Explanation: To install the accounting applications on all of the computers in the
accounting department and make those applications available to anyone who logs on
to an accounting computer, you should create and link a GPO to the Finance OU
that assigns the applications to the computers. By doing this, you would also prevent
the accounting applications from being installed on computers outside of the
Finance department when a user from the Finance department logs on.
Incorrect Answers:
B: You cannot configure a GPO to publish software to a computer.
C: If you use this option, the applications would be available for installation in the
Control Panel on all computers that accounting users log on to, regardless of the
department.
D: If you use this option, the applications would be installed on every computer that an
accounting user logs on to.

QUESTION 187:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
All Web servers on the Certkiller .com network are placed in an OU named
WebServ. The Certkiller .com network includes a Public Key Infrastructure using an
Enterprise Certificate Authority. Recently a fellow network administrator named
Rory Allen created a certificate named WebCert for the Certkiller .com Web servers,
and configured it to autoenroll. You create a Group Policy that forces the
computers to autoenroll for certificates and link it to the WebServ OU. The
following day you try to set up SSL on the Web servers, but find that a certificate is
not available. When you check the event log on one of the Web servers, you discover an
error message that reads as follows:
"Automatic certificate enrollment for local system failed to enroll for one
Certkiller .com WebCert certificate (0x800706ba). The RPC is unavailable."
What is the reason for this? To answer, choose the possible reason or reasons for
this error and place them in the work area.

Answer:

Explanation:
The event log error means that the Certificate Authority is either not available on the
network or that the certificate service has stopped running on it. The client computers, in
this case the Web servers, cannot establish a Remote Procedure Call (RPC).
Incorrect Answers:
If a domain controller were not available, the following error would be present in the
event logs: "Automatic certificate enrollment for local system failed to contact a
directory server (0x80072751). A socket operation was attempted to an unreachable host.
Enrollment will not be performed."
If the Certificate Authority is under heavy load and cannot process the request, the
following error would be present in the event logs: "Automatic certificate enrollment for
local system failed to enroll for one Certkiller .com WebCert certificate (0x8009400f). An
attempt was made to open a certification authority database session, but there are already
too many active sessions. The server may need to be configured to allow additional
sessions."

QUESTION 188:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
You have placed all network servers into an organizational unit (OU) named
Servers, and all domain user accounts are located in an OU named Users.
You are required to deploy Microsoft Visio 2003 Professional to all Certkiller .com's
client computers only. You configure a new Group Policy object (GPO) named
Visio2003 and link it to the domain.
You need to ensure that the settings in Visio2003 are configured to install the
application on the appropriate computers without affecting any existing policies or
settings.
What should you do? (Choose two)

A. Create a new Software installation package under the Computer Configuration section
of the GPO and add Microsoft Visio 2003.
B. Enable the Block Policy Inheritance option for the Domain Controllers container and
the Servers OU.
C. On the GPO, filter permissions to deny servers and domain controllers the Read and
Apply Group Policy permissions.
D. Create a new Software installation package under the User Configuration section of
the GPO and add Microsoft Visio 2003.

Answer: A, C

Explanation: The Visio2003 GPO is linked to the domain. By creating the software
installation package under Computer Configuration, the installation package is
assigned to computers that receive the policy and will make Microsoft Visio 2003
available on the client computers. To prevent the policy from being assigned to
domain controllers and network servers, you should filter the Visio2003 GPO to
deny the Read and Apply Group Policy permissions. This action will prevent servers
and domain controllers from reading and applying the GPO.
Incorrect Answers:
B: This would prevent existing settings in domain-level GPOs from being applied to the
members of these containers.
D: This action would allow you to assign or publish the program to users. However, the
scenario requires you to assign the application to client computers.

QUESTION 189:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
All client computers on the Certkiller .com network are located in an organizational
unit (OU) named Computers.
You are required to deploy a new network connection manager to all client
computers that have a modem installed. You have created a Group Policy object
(GPO) named NetCon, configured the appropriate settings, and linked it to the
Computers OU.
You need to ensure that the settings in the NetCon GPO only affect client
computers that have modems installed.
What could you do? (Choose two)

A. Configure a Windows Management Instrumentation (WMI) filter to only apply the
NetCon GPO to computers in the Computers OU that have modems installed.
B. Configure a Windows Management Instrumentation (WMI) filter to apply the NetCon
GPO to computers in the ModCom OU, and then configure another Windows
Management Instrumentation (WMI) filter to deny the NetCon GPO to computers in
the Computers OU.
C. Under the Computers OU, create a child OU named ModCom and move all computers
with modems into this OU.
D. Configure a Windows Management Instrumentation (WMI) filter to deny the NetCon
GPO to computers in the Computers OU that do not have modems installed.

Answer: A, D

Explanation: You can either configure a WMI filter to apply the NetCon GPO to
computers in the Computers OU that have modems installed, or you can configure a
WMI filter to deny the NetCon GPO to computers in the Computers OU that do not
have modems installed.
Windows Management Instrumentation (WMI) filters are used to filter the default scope
of a GPO. Using the WMI Query Language will allow you to define a filter that will
cause a GPO to apply only to specific computers.
Incorrect Answers:
B: You can only configure one WMI filter for each GPO.
C: Because the NetCon GPO is linked to the Computers OU, the settings will be
applied to the contents of the child OU unless you specifically blocked policy inheritance
on the child OU.

QUESTION 190:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
An enterprise root certification authority (CA) exists on the Certkiller .com
network. A new Certkiller .com security policy requires that all computers have the
ability to use IPSec for communications within Certkiller .com's internal network. It
also states that all computers have to use certificates for mutual authentication.
You need to ensure that these requirements are enforced.
What should you do?

A. You should acquire a computer certificate from a commercial CA, place it into a
shared folder on a file server, and then instruct users to copy the certificate to the
\Windows\System32 folder on their client computers.
B. You should acquire a computer certificate from an enterprise CA, and use the
Software Settings policy in the Default Domain Policy GPO to distribute it to all
client computers.
C. You should configure an auto-enrollment policy for users in a new GPO, and then link
the GPO to the domain.
D. In the Default Domain Policy GPO, configure an Automatic Certificate Request
Settings policy for computers.

Answer: D

Explanation: For two computers to use IPSec to communicate with each other, each
of the computers should have a computer certificate and should trust the certificate
of the other computer. To automatically deploy computer certificates on your
network, you can configure the appropriate Automatic Certificate Request Settings
for computers in the Default Domain Policy GPO. This policy will force each
computer on your network to automatically submit a certificate request to your
enterprise CA.
Incorrect Answers:
A: Certificates should be installed in appropriate certificate stores, either local or in
Active Directory. Simply copying a certificate file to the \Windows\System32 folder
would not install the certificate on the computer. Also, each computer should be issued a
unique certificate.
B: Software Settings policies are used for deploying applications with the Windows
Installer .msi packages.
C: By default, the Enroll certificates automatically option is enabled for both users
and computers in the Default Domain Policy GPO.

QUESTION 191:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
An enterprise root certification authority (CA) exists on the Certkiller .com
network. A new Certkiller .com security policy requires that all computers have the
ability to use IPSec for communications within Certkiller .com's internal network,
and that all computers have to use certificates for mutual authentication. The new
security policy also states that all computers should use IPSec to communicate with
computers on the network of a partner company, which uses its own private root
CA.
You need to ensure that these requirements are enforced.
What should you do?

A. You should acquire a computer certificate from a commercial CA, and then import it
into the Personal computer certificate store on all Certkiller .com computers.
B. You should acquire a user certificate from a commercial CA, and then import it into
the Personal user certificate store on all Certkiller .com computers.
C. You have to automatically issue computer certificates from your enterprise CA to all
computers on the Certkiller .com network using a GPO, and import the root CA certificate
of Certkiller .com's partner company into the Trusted Root Certification Authorities
user certificate store.
D. You have to automatically issue user certificates from your enterprise CA to all users
on the Certkiller .com network using a GPO, and import the root CA certificate of
Certkiller .com's partner company into the Trusted Root Certification Authorities user
certificate store.

Answer: C

Explanation: For two computers to use IPSec to communicate with each other, each
of the computers should have a computer certificate and should trust the certificate
of the other computer. To automatically deploy computer certificates on your
network, you can configure the appropriate Automatic Certificate Request Settings
for computers in the Default Domain Policy GPO. This policy will force each
computer on your network to automatically submit a certificate request to your
enterprise CA.
All computers on your network automatically trust all certificates issued by your
enterprise CA, and, therefore, they all trust each other's certificates. To ensure that
computers on Certkiller .com's network also trust the certificates issued by the partner's
enterprise CA, you can add the partner's root CA certificate to the Trusted Root
Certification Authorities policy in the Default Domain Policy GPO. This policy will
force all computers on your network to import this certificate into their corresponding
certificate store.
Incorrect Answers:
A: If you acquired a computer certificate from a commercial CA and deployed it to
the Personal computer certificate store on each computer on your network, then all your
computers would appear to have the same identity. However, the actual computer names
would not match the subject name in the certificate. This would prevent your computers
from using IPSec to communicate with each other unless you also deploy a unique
computer certificate from your enterprise CA to each computer or configure IPSec to
allow Kerberos V5 or pre-shared key authentication instead of certificate authentication.
This option does not enable your computers to trust the partner's computers' certificates
issued by the partner's private CA.
B: For IPSec communications, computers must have computer certificates, but users on
those computers are not necessarily required to have user certificates.
D: There is no user policy to automatically submit certificate requests on behalf of
users or to import a certificate into the Trusted Root Certification Authorities user
certificate store.

QUESTION 192:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
You are required to automatically enroll certificates for computers on the
Certkiller .com network for the Key Recovery Agent certificate template.
You need to ensure that autoenrollment is allowed, while also ensuring that users
are required to have the most interaction in this procedure.
What should you do?

A. You should select the setting to prompt the user during autoenrollment and require
user input when the private key is used on the Request Handling tab of the Key
Recovery Agent template.
B. You should set the authorized signatures setting to a value of 2 on the Issuance
Requirements tab of the Key Recovery Agent template.
C. You should select the setting to prompt the user during autoenrollment on the Request
Handling tab of the Key Recovery Agent template.
D. You should configure the validity and renewal period settings to be equal on the
General tab of the Key Recovery Agent template.

Answer: A

Explanation: To require users to have the most interaction during certificate
enrollment for the Key Recovery Agent certificate template, you must select the
setting to prompt the user during autoenrollment and require user input when the
private key is used. This setting requires the user to confirm all uses of the private
key and provides the most interaction of all the settings. You use the Certificate
Templates console to configure the settings for a template.
Incorrect Answers:
B: Using this option will disable autoenrollment for this certificate template.
C: If you select the setting to prompt the user during autoenrollment on the Request
Handling tab of the Key Recovery Agent template, the user will receive a message
when certificate autoenrollment takes place. This setting does not allow for the most user
interaction.
D: Using this option will not affect the amount of interaction required by the user during
the certificate autoenrollment process.

QUESTION 193:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
You are required to automatically enroll certificates for computers on the
Certkiller .com network based on the RAS and IAS certificate template. You have
placed the computer objects of the IT department into an organizational unit (OU)
named IT.
You need to ensure that users in the IT department use a smart card to authenticate
a certificate when requesting certificates.
What should you do?

A. Choose the "Valid existing certificate" option.
B. You should set the authorized signatures setting to a value of 1.
C. Choose the "Prompt the user during enrollment" option.
D. Configure the Public Key settings.

Answer: C

Explanation: To enroll certificates for computers on the network, you should use
the Certificate Templates snap-in from the Microsoft Management Console (MMC).
You can also use the Certificate Templates Console (certtmpl.msc) to access the
Properties dialog box of the templates.
For the "Prompt the user during enrollment" option, the user receives a prompt and needs
to take action during the certificate enrollment process. This is intended for certificates
that are authenticated with a smart card. The user will usually be required to enter a
personal identification number (PIN).
Incorrect Answers:
A: The "Valid existing certificate" option allows the Certificate Authority (CA) to
renew a valid certificate for users even if they cannot be configured to use
autoenrollment.
B: You should set the number of authorized signatures value to 1, to require the
certificate requestor to sign a request with a private key from a certificate in his or her
certificate store. If the certificate store contains a matching certificate, the request is
signed with the certificate's private key and the certificate is automatically installed.
D: The Public Key settings are configured from the certificate's details. They specify the
X.509 fields, extensions, and associated properties for the certificate.

QUESTION 194:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
Certkiller .com has headquarters in London and twelve branch offices that are all
configured as Active Directory sites. All servers on the Certkiller .com network,
including domain controllers, run either Windows 2000 Advanced Server SP1, or
Windows Server 2003, and all client computers run Windows XP Professional.
Each branch office uses a VPN server running Windows Server 2003 to connect to
the London office via a private, leased backbone. There are two domain controllers
located at each site. All of the global catalog servers on the Certkiller .com network
are situated in the London office.
After an attempt to configure a domain-based GPO that will force all computers to
autoenroll for certificates fails, you troubleshoot the problem. You discover that
none of the Certkiller .com client computers obtained a certificate. You then verify
that the Enterprise Certificate Authority is configured to autoenroll a computer
certificate template. On a domain controller running Windows Server 2003, you
verify that the computer node of the GPO is configured to autoenroll for
certificates.
You need to ensure that the problem is resolved in the easiest way possible.
What should you do?

A. Configure one domain controller in each site as a global catalog server.
B. Upgrade the domain controllers running Windows 2000 Advanced Server SP1 to a
minimum of Service Pack 3.
C. Upgrade the domain controllers running Windows 2000 Advanced Server SP1 to a
minimum of Service Pack 2.
D. Upgrade the domain controllers running Windows 2000 Advanced Server SP1 to
Windows Server 2003.

Answer: B

Explanation: Windows XP Professional and Windows Server 2003 computers always
request signed LDAP communication with domain controllers, and the certificate
autoenrollment client reads the templates and enrollment information from Active
Directory over that signed LDAP traffic. Windows 2000 domain controllers support
this only from Service Pack 3 onward, so the Windows 2000 Advanced Server SP1
domain controllers must be updated to at least SP3 before the autoenrollment
policy has any effect on the clients. Applying the service pack is the least
disruptive change that meets the requirement.
Incorrect Answers:
A: Global catalog placement affects logon performance, not autoenrollment. The
clients fail to enroll because of the service pack level of the Windows 2000
domain controllers, not because the global catalog servers are in London.
C: Service Pack 2 does not add the required support; Service Pack 3 is the
minimum.
D: Upgrading the domain controllers to Windows Server 2003 would also resolve the
problem, but it is far more work than installing Service Pack 3 on all of the
Windows 2000 Advanced Server SP1 domain controllers.

QUESTION 195:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
At present, all Certkiller .com's client computer accounts are located in the
Computers container, and all user accounts are located in the Users container. A
new Certkiller .com security policy requires that certain restrictions be applied to all
client computers and the users who access these computers.
You need to ensure that these restrictions do not apply to any other computers on
the network.
What should you do?

A. Create a group policy object, configure the appropriate user and computer policies in
the GPO, and link it to the Computers container.
B. Create a group policy object, configure the appropriate user and computer policies in
the GPO, and link it to the Users container.
C. Create a Group Policy object (GPO), configure the appropriate user and computer
policies in a GPO, and link it to the Computers container and to the Users container.
D. Create a Group Policy object (GPO), configure the appropriate user and computer
policies in the GPO, place the computer objects for all of the client computers into an
OU, enable the loopback processing mode, and then link the GPO to the OU.
E. Create a Group Policy object (GPO), configure the appropriate user and computer
policies in the GPO, place user accounts into an OU, enable the loopback processing
mode, and then link the GPO to the OU.
F. Create a Group Policy object (GPO), configure the appropriate user and computer
policies in the GPO, link it to the domain, and enable Block Policy Inheritance for
the Domain Controllers OU.

Answer: D

Explanation: Loopback processing (the User Group Policy loopback processing
mode policy) is a Computer Configuration setting, so the GPO must target the
client computers: place their computer objects in an OU and link the GPO to
that OU. With loopback enabled, the User Configuration settings of the GPOs that
apply to the computer are applied to whoever logs on to it, which is exactly
what "restrictions for these computers and the users who access them" requires,
and computers outside the OU are unaffected. The mode can be set to Merge or
Replace. In Merge mode the user's own GPOs are processed first and the user
settings from the computer's GPOs are processed afterwards, so the user keeps
every non-conflicting setting and the computer-targeted settings win every
conflict. In Replace mode only the user settings from the computer's GPOs are
applied. Merge is sufficient here because the requirement is to add
restrictions, not to discard every other user setting.
Incorrect Answers:
A, B, C: GPOs can only be linked to sites, domains and OUs. The Computers and
Users containers are plain containers, not OUs, so nothing can be linked to
them.
E: Linking the GPO to an OU that holds only user accounts would apply only the
user-specific policies; the computer policies, including the loopback setting
itself, would never reach the client computers.
F: A domain-linked GPO with Block Policy Inheritance on the Domain Controllers
OU would still apply the restrictions to every member server in the domain.

QUESTION 196:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains a domain named
Certkiller .com and two child domains named us. Certkiller .com and uk. Certkiller .com, in
a single Active Directory site. All servers on the Certkiller .com network run
Windows Server 2003 and all client computers run Windows XP Professional.
The network topology is shown in the following exhibit:

A new Certkiller .com security policy requires that all application servers in the
Active Directory forest are configured with the same security settings. It also states
that these settings should not be applied to any other computers. All computer
objects in Active Directory are currently located in their default locations.
You need to ensure that this requirement is enforced by creating as little Group
Policy objects (GPOs) and GPO links as possible.
What should you do?

A. Create a single OU named AppServers and place the computer objects for all
application servers in the forest in the AppServers OU.
B. Create a single GPO and link it to the forest root domain.
C. Create an OU named AppServers in each domain and place the computer objects for
all application servers for that domain in the AppServers OU.
D. Create a separate GPO in each domain and link it to each respective domain.
E. Create a single GPO and link it to the site.
F. Create a single GPO and link it to the AppServers OU in each domain.

Answer: C, F

Explanation: Each domain has its own Computers container, and an OU cannot hold
objects from another domain, so an AppServers OU is needed in each of the three
domains. A GPO is stored in the domain where it was created, but it can be linked
to sites, domains or OUs anywhere in the forest. One GPO with three links (one per
AppServers OU) is therefore the smallest configuration that reaches every
application server and nothing else.
Incorrect Answers:
A: OUs can only be created within a domain, and an OU cannot contain objects
from multiple domains.
B: Group Policy is not inherited from a parent domain by its child domains.
Parent/child relationships between domains pertain only to the Active Directory
namespace and the default trusts, so a GPO linked to the forest root domain would
not reach the us. Certkiller .com and uk. Certkiller .com computers.
D, E: If you linked a GPO to the site or to each of the three domains, the GPO
would affect every computer in the forest, not just the application servers.

QUESTION 197:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains a file server named Certkiller -SR09. You
have formulated a backup strategy that requires you to redirect the My Documents
folders of all Certkiller .com's users to a shared folder on Certkiller -SR09, and
back them up at regular intervals.
You notice that the volume on which the redirected My Documents folders reside
soon starts running out of disk space due to numerous users neglecting to delete files
that they do not use any longer. You decide to restrict the size of each user's My
Documents folder to 1 GB using a Group Policy object (GPO).
You need to ensure that the restriction will not affect disk space usage on users'
client computers.
What should you do?

A. In the Default Domain Policy GPO, configure a 1 GB default quota limit.
B. You should place Certkiller -SR09 into an organizational unit (OU), configure a 1
GB default quota limit in a GPO, and then link this GPO to the OU containing
Certkiller -SR09.
C. You configure a 1 GB default quota limit in a new GPO, and then link this GPO to the
Users container.
D. You should place Certkiller -SR09 into an organizational unit (OU), specify 1 GB in
the Limit profile size policy in a GPO, and then link this GPO to the OU containing
Certkiller -SR09.

Answer: B

Explanation: The disk quota policies (Computer Configuration, Administrative
Templates, System, Disk Quotas) are computer settings that apply to every NTFS
volume on the computers that receive the GPO. In a GPO you can enable disk
quotas, enforce the limit, and set the default quota limit and warning level; you
cannot configure individual quotas for different users through Group Policy.
Linking the GPO to an OU that contains only Certkiller -SR09 limits each user to
1 GB on the volume that holds the redirected My Documents folders without
touching the client computers.
Incorrect Answers:
A: A quota limit in the Default Domain Policy would apply to every computer in
the domain, including users' client computers.
C: GPOs cannot be linked to generic Active Directory containers such as the
Users container, and the quota settings are computer settings in any case.
D: A redirected My Documents folder is not part of the user profile; only its
path is stored in the profile. Limiting the profile size therefore does not
limit the redirected folder. In addition, the Limit profile size policy is a
user setting, so a GPO linked to the OU containing Certkiller -SR09 would not
apply it to anyone.

QUESTION 198:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains ten new application servers that are
consecutively named from Certkiller -SR07 to Certkiller -SR16. You are
required to configure each of these servers with the same security settings.
You configure the required settings in the local security policy on
Certkiller -SR07, test the configuration, and then tweak these settings where it is
needed.
You need to ensure that these settings are applied to all of the application servers
with as little administrative effort as possible.
What should you do?

A. Log on to Certkiller -SR07, export the current security settings to a security
template, and import the template into a Group Policy object (GPO). Place the ten
application servers into an organizational unit (OU) and link the GPO to the OU.
B. You should create a script that makes use of the Secedit utility to configure the
appropriate security settings, and then run this script on each of the application servers.
C. Log on to Certkiller -SR07, export the current security settings to a security
template, and then copy the template to the \Windows\security\templates folder on all
the other application servers.
D. Log on to Certkiller -SR07, back up the System State, and then restore this backup
on each of the application servers.

Answer: A

Explanation: Once you are satisfied with the security settings on
Certkiller -SR07, use the Security Configuration and Analysis snap-in on that
server: open a new database, import a template that is close to the intended
configuration (for example one of the predefined templates in
\Windows\security\templates), and choose Analyze Computer Now from the Action
menu. The analysis lists every setting where the computer differs from the
database. Adjust the database entries to match the computer's tested settings
and then use Export Template to write them to a new .inf file. To apply that
template to all ten application servers at once, place their computer objects in
an OU, create a GPO linked to that OU, and import the template into the GPO
(Computer Configuration, Windows Settings, Security Settings, right-click,
Import Policy). Group Policy then enforces the settings on every server in the
OU, including any application server added to the OU later.
Incorrect Answers:
B: A script that runs Secedit (secedit /configure /db <database>.sdb /cfg
<template>.inf) on each server applies the same settings, but it has to be run
on every server and repeated whenever the settings change, which is more
administrative effort than a single GPO.
C: Copying a template file to the \Windows\security\templates folder on a
computer does not change any security settings on that computer; the template
still has to be applied.
D: Restoring the System State backup of Certkiller -SR07 on the other
application servers would give every restored server the same identity
(computer name, SID and Active Directory account), which is not a usable
configuration.
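
The analyze-and-export loop described above, written out as a small Python model
so the steps can be followed on sample data. This is an added example for this
page; it is not the Security Configuration and Analysis snap-in, not
Secedit.exe, and not code from the exam. It parses a security template in the
.inf section/key layout, compares it with the settings in force on a computer
(the Analyze Computer Now step), adjusts the database to match the computer, and
exports the result as a new template. The baseline template text and the
snapshot of Certkiller -SR07's tested settings are constructed for illustration;
section names and value encodings follow the documented template format (Event
Audit values: 0 none, 1 success, 2 failure, 3 both).

```python
"""Model of the Security Configuration and Analysis workflow: import a
template, analyze a computer against it, adopt the computer's values, export.
Added example, not the snap-in or secedit.exe; all data below is constructed."""

# Event Audit values as encoded in security templates.
AUDIT_VALUES = {"0": "No auditing", "1": "Success", "2": "Failure",
                "3": "Success, Failure"}

# Constructed starting template (stands in for a predefined template).
BASELINE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditObjectAccess = 3
AuditAccountManage = 1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
"""

# Constructed snapshot of what is actually configured on SR07 after testing
# and tweaking; the template has to be brought in line with it.
SR07_CURRENT = {
    "System Access": {"MinimumPasswordLength": "12", "LockoutBadCount": "5"},
    "Event Audit": {"AuditObjectAccess": "3", "AuditAccountManage": "3"},
    "Privilege Rights": {"SeInteractiveLogonRight": "*S-1-5-32-544,*S-1-5-32-555"},
    "Registry Values": {
        "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous": "4,1"},
}


def parse_template(text):
    """Return {section: {key: value}} from .inf template text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def analyze(database, computer):
    """Like Analyze Computer Now: (section, key, database value, actual value)
    for every setting where the computer differs from the database."""
    mismatches = []
    for section, settings in database.items():
        if section == "Version":
            continue
        for key, wanted in settings.items():
            actual = computer.get(section, {}).get(key)
            if actual != wanted:
                mismatches.append((section, key, wanted, actual))
    return mismatches


def adopt_computer_settings(database, mismatches):
    """Adjust the database so that it matches the computer's tested values."""
    adjusted = {section: dict(values) for section, values in database.items()}
    for section, key, _wanted, actual in mismatches:
        if actual is None:
            adjusted[section].pop(key, None)   # not configured on the computer
        else:
            adjusted[section][key] = actual
    return adjusted


def export_template(database):
    """Write the database back out in the .inf section/key layout."""
    lines = []
    for section, settings in database.items():
        lines.append(f"[{section}]")
        lines.extend(f"{key} = {value}" for key, value in settings.items())
    return "\n".join(lines) + "\n"


def describe_audit(database):
    """Decode the Event Audit section into readable Success/Failure labels."""
    return {key: AUDIT_VALUES[value]
            for key, value in database.get("Event Audit", {}).items()}


def build_sr07_template():
    """Whole workflow: import baseline, analyze SR07, adopt its values, export."""
    db = parse_template(BASELINE_INF)
    diffs = analyze(db, SR07_CURRENT)
    adjusted = adopt_computer_settings(db, diffs)
    return diffs, adjusted, export_template(adjusted)


if __name__ == "__main__":
    diffs, adjusted, inf_text = build_sr07_template()
    for section, key, wanted, actual in diffs:
        print(f"[{section}] {key}: database={wanted} computer={actual}")
    print(describe_audit(adjusted))
    print(inf_text)
```

The exported text is what you would import into the GPO linked to the
application servers' OU; note that a user right such as SeInteractiveLogonRight
is exported as the complete list of SIDs, because a defined user rights setting
replaces the list on the target computer rather than adding to it.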

QUESTION 199:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of a single Active Directory domain named Certkiller .com.
You create organizational units for the Finance, IT, Research and Development,
Sales, and Marketing departments that have the same names as these departments.
You are required to configure settings for audit policies and user rights assignments
for computers in the Sales OU, which has a Group Policy object (GPO) linked to it.
What should you do?

A. Access the Security Templates snap-in.
B. Access the Security Configuration and Analysis snap-in.
C. Access the Resultant Set of Policy snap-in.
D. Open Group Policy Object Editor, and use Computer Configuration.

Answer: D

Explanation: Audit policy and user rights assignment are found under Computer
Configuration, Windows Settings, Security Settings, Local Policies in the Group
Policy Object Editor. Open the GPO that is linked to the Sales OU and edit them
there. The same Security Settings node also holds the account policies
(password, account lockout and Kerberos policy), event log settings, restricted
groups, system services, registry security and file system security.
Incorrect Answers:
A: The Security Templates snap-in defines a security policy in a template file;
it does not change an existing GPO unless the template is later imported into
it.
B: The Security Configuration and Analysis snap-in analyzes and configures the
local computer against a security template; it does not edit a GPO.
C: The Resultant Set of Policy (RSoP) snap-in simulates a policy deployment for
users and computers before the policies are applied, and shows the policies
actually applied to a user or computer. It is a reporting tool, not an editor.

QUESTION 200:

You work as the network engineer at Certkiller .com. The Certkiller .com network
consists of a single Active Directory domain named Certkiller .com.
You create organizational units for the Finance, IT, Research and Development,
Sales, and Marketing departments that have the same names as these departments.
You are required to configure security settings for computers in the Marketing OU
using Group Policy Object Editor to audit users accessing specified folders on the
computers.
What should you do?

A. Allow Audit account management.
B. Allow Audit logon events.
C. Allow Audit object access.
D. Allow Audit system events.

Answer: C

Explanation: If you enable Audit object access, attempts to access objects that
carry a system access control list (SACL) entry, including folders and files on
NTFS volumes, registry keys and printers, are recorded in the Security log.
Enabling the policy alone logs nothing: after it is in effect you must still
open the Properties of each folder to be monitored (Security, Advanced,
Auditing) and add the users or groups and the accesses to record. Success or
Failure audits, or both, can be selected in the policy and again in each
folder's auditing entries.
Incorrect Answers:
A: If you enable Audit account management, events are logged when a user account
or group is created, deleted, renamed, changed, enabled or disabled, or when a
password is set or changed.
B: If you enable Audit logon events, events are logged when a user logs on to or
off from the local computer, or connects to it over the network.
D: If you enable Audit system events, events that affect system security are
logged, such as system startup and shutdown or clearing of the Security log.

QUESTION 201:

You work as the security administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
Certkiller .com has offices in five different areas, which are all configured as Active
Directory sites. All servers on the Certkiller .com network run Windows Server 2003.
Half the client computers run Windows 2000 Professional, and the rest run
Windows XP Professional.
These five locations are also represented in Active Directory as top-level
organizational units (OUs) that contain departmental OUs. Each of these sites
contains domain controllers, global catalog servers, and DNS servers. There are also
2500 users and 2000 client computers located in each site.

As a result of a security agreement that exists between Certkiller .com and a third
party, a specific key in the registry on all computers has to be protected.
You need to ensure that this key cannot be changed by any users or programs.
What should you do?

A. Create a GPO, link it to the domain, add the registry key that needs to be protected
into the Registry node for the user settings, and then assign the appropriate permissions
to the key.
B. Add the registry key that needs to be protected into the Registry node for the computer
settings to configure the Local Security Policy on each computer.
C. Create a GPO that disables access to the Control Panel and all registry editing tools,
and link the GPO to the domain.
D. Create a GPO, link it to the domain, add the registry key that needs to be protected
into the Registry node for the computer settings, and then assign the appropriate
permissions to the key.
E. Create a GPO, link it to each of the sites, add the registry key that needs to be
protected into the Registry node for the computer settings, and then assign the
appropriate permissions to the key.

Answer: D

Explanation: To secure a registry key on every computer in the domain, create a
GPO, link it to the domain, and add the key under Computer Configuration,
Windows Settings, Security Settings, Registry. The permissions you assign there
become the key's DACL when the GPO is applied, so neither interactive users nor
programs running under their accounts can modify the key. (An administrator can
still take ownership and change the permissions, so the protection is against
ordinary users and the programs they run.) A single domain-linked GPO reaches the
computers in all five sites.
Incorrect Answers:
A: The Registry node of a GPO is located under the computer settings, not the
user settings.
B: The Local Security Policy does not contain the Registry node of the security
settings, and configuring each computer individually would not scale to five
sites of 2000 client computers.
C: A GPO that disables the registry editing tools only stops users from
launching Regedit or Regedt32; other programs, scripts and malicious code are not
restricted, and users could still change the key with other tools. Disabling the
Control Panel has no bearing on registry access at all. The requirement is that
neither users nor programs can change the key, so the key's permissions must be
restricted.
E: You could create and link a GPO at each of the five sites, but all sites
belong to the same domain, so one GPO linked at the domain is simpler and reaches
the same computers. The domain policy propagates to all of the computers in the
domain.

QUESTION 202:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.

Two Certkiller .com employees named Andy Reid and Kara Lang have been given
the task of assisting you with the administration of Certkiller .com's domain
resources. You have delegated the authority to add and remove computer accounts
to Andy Reid, while Kara Lang has been delegated the authority to alter user
account information.
You need to ensure that you are able to track any Active Directory changes made by
Andy Reid and Kara Lang.
What should you do? (Choose all that apply)

A. Create a GPO and link it to the Domain Controllers OU.
B. Create a GPO and link it to the domain.
C. Assign Andy Reid and Kara Lang's user accounts the Read and Apply Group Policy
permissions.
D. Assign your user account the Read and Apply Group Policy permissions.
E. In the GPO, configure the Audit Directory Services Access and Account Management
policies.
F. In the GPO, configure the Audit Object Access and Account Management policies.

Answer: A, C, E

Explanation: The changes that Andy Reid and Kara Lang make are written by the
domain controllers, so the audit policy must be applied to the domain
controllers: create a GPO and link it to the Domain Controllers OU. Enabling
Audit directory service access records successful or failed access (whichever
you select) to Active Directory objects in the Directory Service event log,
which exists only on domain controllers; the objects to be watched (here the
Computers container and its contents) also need an auditing entry in their SACL
before any events are generated. Audit account management records the creation,
deletion and modification of user, computer and group accounts, which covers the
user account changes made by Kara Lang. For a GPO to be processed by a security
principal, that principal needs both the Read and the Apply Group Policy
permissions on it; the exam expects those permissions to be granted to the two
users' accounts. Note that audit settings are computer settings processed by the
domain controllers, which already receive them through the default Authenticated
Users permission, so C only matters where the GPO's default permissions have
been changed. In both policies you must choose whether to record successful
events, failed events, or both.
Incorrect Answers:
B: The changes you want to track occur only on domain controllers. Linking the
GPO to the domain would apply the audit settings to every computer in the
domain.
D: You do not need to change the permissions on your own account. As the creator
of the GPO you already hold the Full Control permission on it as CREATOR OWNER.
F: Audit object access records access to files, folders, registry keys and other
local objects, not changes made to Active Directory.

QUESTION 203:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains five application servers running Terminal
Services named Certkiller -TS01, Certkiller -TS02, Certkiller -TS03,
Certkiller -TS04, and Certkiller -TS05. You have placed these servers in an
organizational unit (OU) named TerminalServers.
Seven IT department employees have been given the responsibility of dealing with
support issues for these servers. You have created an OU named ASAdmin and
added the user accounts of these users to it. These users are also members of a
global group named TSAdmin.
You need to ensure that the TSAdmin group is assigned the Log on Locally user
right on the application servers.
What should you do?

A. Access the Properties page of the ASAdmin OU, select the Security tab, and assign
the Allow - Full Control permission for the ASAdmin OU to the TSAdmin group.
B. Create a GPO named AppSup, configure it to grant the TSAdmin group the Log on
Locally user right, and then link it to the TerminalServers OU.
C. Create a GPO named AppSup, configure it to grant the TSAdmin group the Log on
Locally user right, and then link it to the ASAdmin OU.
D. Create a GPO named AppSup. Access the Properties page of the ASAdmin OU, select
the Group Policy tab, and assign the TSAdmin group the Allow - Full Control
permission for the AppSup GPO link.

Answer: B

Explanation: To allow a group of users to log on locally to the servers in an
OU, create a GPO and define the Allow log on locally setting, which is located
under Computer Configuration, Windows Settings, Security Settings, Local
Policies, User Rights Assignment. Defining this policy lets you list the users
and groups that may log on interactively at the computers that receive the GPO.
In this scenario the right is needed on the computers in the TerminalServers OU
for the members of the TSAdmin global group, so configure Allow log on locally
in the AppSup GPO to include TSAdmin and link AppSup to the TerminalServers OU.
Because a defined user rights setting replaces the list on the target computer
rather than adding to it, include the groups that already need the right on the
terminal servers (for example Administrators) alongside TSAdmin.
Incorrect Answers:
A: The Security tab of an OU (shown only when Advanced Features is enabled in
Active Directory Users and Computers) controls permissions on the OU object
itself. Granting Full Control there does not assign any user right on the
application servers.
C: The ASAdmin OU contains the user accounts of the IT employees. User rights
are computer settings, so the GPO must be linked to the container that holds the
application server accounts.
D: This action edits the DACL of the GPO link. Full Control on the link lets the
group modify, delete or change permissions on the link; it does not let the
members log on locally to the application servers.

QUESTION 204:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows 2000 Professional.
The Certkiller .com domain contains 25 servers, of which two are configured as
domain controllers and the rest are configured as either file servers, intranet
servers, or database servers. Certkiller .com's OU structure, which is shown in the
following exhibit, is based on the defined server roles.

You are required to configure security baseline settings for all Certkiller .com
servers, except domain controllers. You create a security template that contains the
required NTFS and registry permissions for the file, intranet, and database servers
and name it Servers.inf. In addition to Servers.inf, you also create three
role-specific security templates named File.inf, Intra.inf, and DB.inf.
You need to ensure that these security templates are deployed with as little
administrative effort as possible.
What should you do? (Choose two)

A. Create a new GPO, link it to the Servers OU, and then import the Servers.inf template
into this GPO.
B. Create a new GPO, link it to the domain, and then import the Servers.inf template into
this GPO.
C. Create a new GPO, link it to the FileServers OU, the IntranetServers OU, and the
DatabaseServers OU, and then import the Servers.inf template into the new GPO.
D. Create a new GPO for each of the FileServers OU, the IntranetServers OU, and the
DatabaseServers OU. Link these GPOs to their respective OUs, and then import the File.inf
template into the FileServers GPO, the Intra.inf template into the IntranetServers GPO,
and the DB.inf template into the DatabaseServers GPO.
E. Create a new GPO for each of the FileServers OU, the IntranetServers OU, and the
DatabaseServers OU. Link these GPOs to the Servers OU, and then import the File.inf
template into the FileServers GPO, the Intra.inf template into the IntranetServers GPO,
and the DB.inf template into the DatabaseServers GPO.

Answer: A, D

Explanation: Create a new GPO, link it to the Servers OU, and import the
Servers.inf template into it. Group Policy is inherited down the OU tree, so the
Servers.inf settings apply to every server in the Servers OU, including those in
the FileServers, IntranetServers and DatabaseServers child OUs, while the domain
controllers in the Domain Controllers OU are untouched. Then create one GPO for
each of the three child OUs, link each to its own OU, and import File.inf,
Intra.inf and DB.inf into the respective GPO. Each role-specific configuration is
thereby applied only to the servers in its OU, and where a child-OU GPO conflicts
with the Servers GPO the child-OU setting wins, because the GPO linked closest to
the computer is processed last.
Incorrect Answers:
B: This option would apply the Servers.inf template to all computers in the
Certkiller .com domain, including the domain controllers and the client
computers.
C: Three links to the child OUs achieve the same result as one link to the
Servers OU but require more administrative effort than necessary.
E: The role-specific GPOs must be linked to their respective child OUs. Linking
all three to the Servers OU would apply every role-specific template to every
server.

QUESTION 205:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com has its headquarters in Chicago and a branch office in Dallas. The
network contains a demilitarized zone (DMZ) that includes five Web servers
clustered together in a Web farm, and is not part of the domain.
It also contains the internal network that includes two domain controllers and ten
member servers, of which two are running SQL Server 2000. All of the servers on
the internal network are members of the Certkiller .com domain. The internal
network does not include any Web servers.
The following exhibit displays Certkiller .com's Active Directory schema.

You are using Group Policy objects (GPO) to implement all internal policies. You
have configured a new security template that has to be applied to the Web servers.
You need to ensure that this security template is implemented with as little
administrative effort as possible.
What should you do?

A. Create a GPO that contains the new security template and link it to the Servers OU.
B. Create a batch file that contains the new security template using the
Secedit.exe tool, and then run the batch file on the five Web servers located on the
demilitarized zone (DMZ).
C. Create a GPO that contains the new security template and link it to the Domain
Controllers OU.
D. In the Servers OU, create an OU named Web Servers and place the computer accounts
of the Web servers in this OU.

Answer: B

Explanation: The Web servers in the DMZ are not members of the domain, so no GPO
can reach them. Apply the template with Secedit.exe instead: a batch file that
runs, for example, secedit /configure /db websrv.sdb /cfg websrv.inf (file names
are illustrative) imports the template into a local database and applies it, and
the same batch file can be run on each of the five Web servers or scheduled with
the task scheduler. Secedit.exe can also analyze a computer against a template
and export its current settings, which makes it the tool for configuring
computers that Group Policy does not manage.
Incorrect Answers:
A, C: The Servers OU and the Domain Controllers OU contain the domain's member
servers and domain controllers. None of those computers needs the new template,
and the Web servers are in neither OU.
D: The Web servers in the DMZ are deliberately not members of the Active
Directory domain, to protect the internal network. They have no computer
accounts to place in an OU, so a GPO linked to a Web Servers OU would apply the
template to nothing.

QUESTION 206:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You have created an organizational unit (OU) for each department that contains
only the user accounts for that particular department. You have also configured an
OU named ITTest and added the client computers and servers that the IT
department uses for testing new applications before deploying them on the network.
To prevent Certkiller .com users from running unauthorized applications on their
client computers, you deploy a Software Restriction policy, which is configured in
the User Configuration section of a Group Policy object (GPO) named SWControl.
The SWControl GPO has been linked to the domain.
You open the Group Policy Management Console, right-click the ITTest OU, choose
the "Create and Link a GPO Here" option, and then create a GPO named TestSet.
You need to ensure that you configure the settings in the TestSet GPO to override
any user settings that could be applied when a user logs on to a computer whose
computer account belongs to the ITTest OU.
What should you do?

A. In the TestSet GPO, enable the User Group Policy loopback processing mode policy,
choose merge mode, and define the required policy settings.
B. You have to import settings from the SWControl GPO to the ITTest OU.
C. You have to import settings from the TestSet GPO to the SWControl OU.
D. In the TestSet GPO, enable the User Group Policy loopback processing mode policy,
choose replace mode, and define the required policy settings.

Answer: D

Explanation: You want to stop the user settings that normally apply to a user
(here the Software Restriction policy from the domain-linked SWControl GPO) from
applying when that user logs on to a computer in the ITTest OU. The User Group
Policy loopback processing mode policy is a computer setting; when it is
enabled, the user settings applied at logon are taken from the GPOs that target
the computer rather than from the GPOs that target the user. In Replace mode the
user's own GPO list is ignored completely and only the User Configuration
settings of the computer's GPOs are applied. Because SWControl is linked to the
domain it is also in the ITTest computers' GPO list, but TestSet is linked to
the OU and is processed after it, so the user settings you define in TestSet
override SWControl on these computers and no other user-targeted setting reaches
them.
Incorrect Answers:
A: Merge mode processes the User Configuration settings of the user's own GPOs
first and then those of the computer's GPOs. Conflicts are won by the computer's
GPOs, but every non-conflicting user setting still applies, so the user settings
are not overridden as required.
B: Importing the SWControl settings into the ITTest OU would apply the Software
Restriction policy to the test computers, so new applications could not be
installed on them for testing.
C: Importing the TestSet settings into SWControl would change the settings
received by every user in the domain.

QUESTION 207:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller .com network contains seven domain controllers that belong to an
organizational unit (OU) named DCServers, and fifteen member servers that belong
to an OU named MemServers. The domain controllers have names from
Certkiller -DC01 to Certkiller -DC07, and the member servers have names from
Certkiller -SR01 to Certkiller -SR15.
When Certkiller .com's security policy changes, you are given the responsibility of
configuring any new security settings on Certkiller .com's servers. You have defined
the new security settings for Certkiller -SR01 and applied these settings to the
local security policy.
You need to ensure that these settings are applied to new and existing member
servers.
What should you do?

A. Use Security Configuration and Analysis to export the security settings for
Certkiller -SR01. Create a GPO and link it to the MemServers OU. Open the GPO,
right-click Security Settings, and click import policy.
B. Create a script using the netsh command on Certkiller -SR01. Open the GPO and
implement the scripts as startup scripts.
C. Use Security Configuration and Analysis to export the security settings for
Certkiller -SR01. Create a GPO and link it to the domain OU. Open the GPO,
right-click Security Settings, and click import policy.
D. Use Security Configuration and Analysis to export the security settings for
Certkiller -SR01. Create a GPO and link it to the DCServers OU. Open the GPO,
right-click Security Settings, and click import policy.

Answer: A

Explanation:
When you applied the settings to the local policy on Certkiller -SR01, you made
changes to the analysis database. After the changes have been made to the database,
you can save those settings by exporting them into a template using the Security
Configuration and Analysis tool. This template file can then be used to import the
changes into a GPO.
Incorrect Answers:
B: The netsh command is a command-line scripting utility that allows you to display or
modify the network configuration of a computer that is currently running. IPSec is the
only security policy that can be modified using this command.
C: Creating and linking a GPO at the domain level will affect all OUs in the domain, not
just the MemServers OU.
D: Creating and linking a GPO to the DCServers OU is not required since the scenario
states that changes should be made to member servers, not domain controllers.

QUESTION 208:

You work as the network administrator at Certkiller .com. Certkiller .com has its
headquarters in Chicago and branch offices in Miami, Dallas, Manchester and
London. The Certkiller .com network consists of an Active Directory parent domain
named Certkiller .com and two child domains named us. Certkiller .com and
uk. Certkiller .com. All servers on the Certkiller .com network run Windows Server
2003 and all client computers run Windows XP Professional.
The following exhibit displays Certkiller .com's domain and organizational unit (OU)
structure.

Accounts department employees have user accounts in the us. Certkiller .com domain,
Research and Development employees have user accounts in the uk. Certkiller .com
domain, and all other users have user accounts in the Certkiller .com domain. Each
domain has an OU named DC that only contains the computer accounts of the
domain controllers in that particular domain.
A new Certkiller .com security policy requires that all users in the Accounting
department use complex passwords that have a minimum length of ten
characters, and that these password restrictions affect only the Accounting
department users.
You need to ensure that these requirements are successfully achieved.
What should you do?

A. Create a GPO named PWRestrict and link it to the DC OU in the Certkiller .com
domain.
B. Create a GPO named PWRestrict and link it to the CKUsers OU in the Certkiller .com
domain.
C. Create a GPO named PWRestrict and link it to the DC OU in the uk. Certkiller .com
domain.
D. Modify the appropriate password policy settings in the Default DC Policy GPO.
E. Create a GPO named PWRestrict and link it to the R&D OU in the uk. Certkiller .com
domain.
F. Create a GPO named PWRestrict and link it to the DC OU in the us. Certkiller .com
domain.
G. Create a GPO named PWRestrict and link it to the Accounts OU in the
us. Certkiller .com domain.

Answer: D

Explanation: Three domain-wide account policy settings (Password Policy, Account
Lockout Policy and Kerberos Policy) should be unique to the domain and should
always be defined at the domain level. These settings are enforced by the domain
controller computers in the domain, regardless of the container holding the domain
controllers or the OU structure in the domain. Therefore, all domain controllers
always retrieve the values of these user account policy settings from the Default
Domain Policy GPO.
Incorrect Answers:

A, C, F: If you use these options, the settings you have configured will be overridden
by those in the Default Domain Policy GPO.
B: Using this option would only apply the settings to users in this OU. Also, the settings
you have configured will be overridden by those in the Default Domain Policy GPO.
E: No members of the Accounting department are in the R&D OU, so this GPO will not
affect these users.
G: The password policy settings are enforced on the domain controllers. While settings
in a GPO linked at the OU level will apply to users or computers in the container,
password policies should always be applied at the domain level so that the policy will be
applied to all domain computers.

QUESTION 209:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com has its headquarters in Chicago and branch offices in Dallas, Miami,
Boston, and Los Angeles. Certkiller .com received a new contract that requires you to
increase network security for the duration of the contract. Certkiller .com introduces
a new security policy that requires all network users to be authenticated by a
domain controller at logon and passwords to be changed every fifteen days. It also
stipulates that no user should be allowed to reuse a password for three password
changes.
You have modified the Default Domain Policy GPO to apply these settings in the
local security policy on all client computers. While troubleshooting a WAN
connection failure, you find that users in the Miami office are still using their latest
expired passwords to log on to the domain.
You need to ensure that these users are prevented from logging on using expired
passwords.
What should you do?

A. In the Default Domain Policy GPO, enable the Interactive logon: Require Domain
Controller authentication to unlock workstation setting.
B. In the Default Domain Policy GPO, decrease the Interactive logon: Number of
previous logons to cache setting to 0.
C. In the Default Domain Policy GPO, disable the Interactive logon: Require Domain
Controller authentication to unlock workstation setting.
D. In the Default Domain Policy GPO, increase the Interactive logon: Number of
previous logons to cache setting to 30.

Answer: B

Explanation: Windows Server 2003 allows logon information for domain accounts
to be cached locally so that a user can still log on even if the domain controller
cannot be contacted. This setting is located in the computer's local security settings
and determines the number of unique users for which logon information is cached
locally. To prevent users from logging on to the domain using cached credentials,
this setting must be reduced to 0.
Incorrect Answers:
A: This setting requires a user to authenticate to a domain controller only if the
workstation is locked.
C: If this setting is disabled, a user can unlock a locked workstation using cached
credentials.
D: This will allow users to log on to the domain without authenticating to a domain
controller.

QUESTION 210:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains two departments named Research and Finance. The
Research department user accounts are kept in an OU named TestResearchOU and
the Finance department user accounts are kept in an OU named TestFinanceOU.
The Finance department runs a third-party accounting application.
A Certkiller .com user named Andy Reid is a member of the Finance department.
The manager has decided to move Andy Reid to the Research department. You
need to configure application deployment settings. Because Andy Reid is moving
from the Finance department to the Research department, you want the Microsoft
FrontPage application to be uninstalled from the user's computer. After Andy Reid
was moved, you notice that the Microsoft FrontPage application was not uninstalled.
What should you do?

A. Check that the policy was applied to Andy Reid, using the GPresult command on the
client computer. Edit the group policy and check the Software Installation setting's
Properties. Make sure that the Uninstall this application when it falls out of the scope
of management option is selected.
B. From the Resource kit, run the GPO tool and make sure that there is no version
mismatch on Andy Reid's policy.
C. On the client computer, run the dcgpofix tool.
D. In the Software Installation settings, make sure that the Path to the .MSI package is
valid.

Answer: A

Explanation: This option causes the application deployed by the Software Installation
setting to be uninstalled when the policy no longer applies. If the Uninstall this
application when it falls out of the scope of management option is enabled, the
application will be removed from the client computer.
Incorrect answers:
B: The GPO tool is used to analyze the integrity of group policy objects on domain
controllers.
C: This tool will allow the domain controller group policy object settings to be restored
to their default settings.
D: Whether the path to the .MSI package is valid only affects the installation of packages.

QUESTION 211:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Finance department and a Marketing department.
Because of the technology, the CIO has purchased a new third-party accounting
application. You implement a Group Policy object (GPO) and configure a location
on the Certkiller .com network for the distribution point to deploy the third-party
accounting application to the Finance department. It is specified that when a
Finance user logs on, the third-party accounting application should be available.
A Certkiller .com user named Rory Allen is a member of the Finance department.
One morning Rory Allen complains that he cannot access the third-party
accounting application from one of the user's client computers. You need to know
why the third-party accounting application is not available to Rory Allen.
What should you do?

A. Get the advanced system information-policy in Help and Support on the client
computer, and run the GPRESULT utility from this computer while logged on as Rory
Allen to get a list of the Group Policies and Local policies that are applied to the user
and the client computer.
B. Log on as Rory Allen and run GPUpdate.
C. Get a list of the Group Policies and Local policies that are applied to the user and the
client computer, with the System Information application.
D. Trace the Group policies applied to the domain and the OU where Rory Allen exists,
and check for conflicts.

Answer: A

Explanation: With the Help and Support utility you can get the Group Policies and
Local policies. With this you can see if there are any conflicts. The GPRESULT
displays all the Group Policies and Local policies that are applied to the user and
the client computer.
Incorrect answers:
B: This utility is used to refresh the computer and user Group Policy settings that are
applied to the user and the client computer.

C: The System Information tool is used to return information about the Hardware
Resources, Software Resources, Components and Internet Explorer.
D: To trace the Group policies applied to the domain and the OU, you need to use the
RSoP, GPRESULT and the Help and Support. This takes a lot of time.

QUESTION 212:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains three trees. The
functional level of the forest is set at Windows 2000 Native Mode. All servers on the
Certkiller .com network run Microsoft Windows 2000 Advanced Server and
Microsoft Windows Server 2003. Half the client computers run Windows 2000
Professional, and the rest run Windows XP Professional.
Certkiller .com contains a Marketing department. The CIO of Certkiller .com has
purchased a few third-party accounting applications, which you deployed.
During the deployment of the applications you raise the functional level of the
forest from Windows 2000 Native Mode to Windows Server 2003. You want to
display which applications should be available to the user or computer. You also
want to display the software setting changes to assist in future application
deployments.
What should you do?

A. Get the list of user and computer GPOs and Local policies that are applied to a specific
remote client computer, by using the System Information utility.
B. Use the RSoP in logging mode and use the GPResult utility on the client computer
while the user is logged on.
C. On the client computer, use the GPUpdate.
D. Use the RSoP in Planning mode.

Answer: B

Explanation: The Logging mode of the RSoP will display which applications are
available for any given user or computer. It will also display the software setting
changes that are applied. The GPRESULT displays all the Group Policies and Local
policies that are applied to the user and the client computer.
Incorrect answers:
A: The System Information tool is used to return information about the Hardware
Resources, Software Resources, Components and Internet Explorer.
C: This utility is used to refresh the computer and user Group Policy settings that are
applied to the user and the client computer.
D: The RSoP in Planning mode is used to test the settings and effects of a Group Policy
before it is applied.

QUESTION 213:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com consists of three departments named Research, Development and
Finance. The Research and the Development departments research and develop new
in-house applications for Certkiller .com. The development department contains a
troubleshooting application, which is used to troubleshoot problems on the client
computers of Certkiller .com. The troubleshooting application is installed by means
of a hyperlink that is posted in a public folder named TroubleShTest.
You have received an update for the troubleshooting application. The update must
only be installed on client computers where the application is already installed. You
need to install the update by using a Group Policy object (GPO). You want to
deploy the update on all the client computers where the troubleshooting application
is installed.
What should you do?

A. Specify the update to users and place the user accounts of the development users into
an OU and link the GPO to the OU.
B. Specify the update to users and link the GPO to the domain. Add the user accounts of
the development users to a security group and filter the scope of the GPO by assigning
permissions for the group only.
C. Specify the update to the client computers and link the GPO to the domain and filter
the scope of the GPO by using a WMI filter.
D. On the client computer, use the GPUpdate.

Answer: C

Explanation: You need to filter the scope by using the WMI filter. You can define a
filter that will cause the GPO to specify only the target computers.
Incorrect answers:
A: This action will allow the updates to be deployed only to the client computers that the
development users log on to.
B: You should link the GPO to the domain, but you should then use the WMI filter, not a
security group.
D: This utility has nothing to do with assigning updates to users. It is used to
refresh the computer and user Group Policy settings that are applied to the user and
the client computer.

QUESTION 214:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Finance department and a Test lab. Certkiller .com also
contains a domain controller named Certkiller -DC01. Any changes done in the
Finance department are first tested in the Certkiller .com lab. To improve security,
a new Certkiller .com security policy requires that the user name of the last
logged-on user not be displayed in the Log On to Windows dialog box of any
computer in the Certkiller .com domain. You configure the appropriate Group Policy
object (GPO) on a domain controller and test it in the lab. During the testing you
notice that the lab computer still displays the last user name. You want the policy
to take effect immediately in the Certkiller .com domain.
What should you do?

A. In the Certkiller .com domain, run the Gpupdate /force on the target computers.
B. In the Certkiller .com domain, run the Gpresult on the Certkiller -DC01.
C. On the target computer, run the Secedit /refreshpolicy machine_policy /enforce.
D. On Certkiller -DC01, run the Secedit /analyze.

Answer: A

Explanation: Gpupdate refreshes the computer and user Group Policy settings that
are applied to the user and the client computer. The /force switch forces all policy
settings to be reapplied even if they have not changed.
Incorrect answers:
B: The Gpresult generates a resultant set of policies. It can be used to diagnose complex
situations where more than one GPO is applied.
C: The Gpupdate replaces the Secedit /refreshpolicy machine_policy /enforce which
is used in Windows 2000.
D: The analyze command is used to analyze the current security configuration of a
computer in comparison with the security template and to apply a security template to a
computer.

QUESTION 215:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and Windows 2000
Advanced Server. Half the client computers run Windows 2000 Professional, and
the rest run Windows XP Professional. The functional level of the Certkiller .com
network is Windows 2000 native.
Certkiller .com contains a Marketing department and a Finance department. The
CIO of Certkiller .com has purchased a new financing application. The users in the
Finance department belong to the TestFinOU. You use the OU to publish the new
financing application. The next day, you received an e-mail from the vendor of the
new financing application that says that there is a security vulnerability in the
application that was bought. You download the new version and want to deploy it to
the users that are using the older version. You need to restrict the users to using the
new version of the finance application.
What should you do?

A. Create a new GPO and publish the new version of the application and specify the
properties of the GPO that publish the older version to upgrade the older version.
Select the "Required upgrade for the existing packages" option.
B. Create a new GPO and publish the new version of the application and specify the
properties of the GPO that publish the older version to upgrade the older version.
C. Use slipstreaming and install the older version with the installation files from the newer
version of the application.
Redeploy the application in the properties of the GPO.
D. Before you create a new GPO that publishes the new version of the application, you
should remove the older version.

Answer: A

Explanation:
For the users to use the new version, you should create a new GPO and publish the
new version of the application. You should also specify in the properties of the GPO
that publishes the older version that it upgrades the older version, and select the
"Required upgrade for the existing packages" option. As a result, the application
will start installing as soon as the users log on.
Incorrect answers:
B: You must select the "Required upgrade for the existing packages" option. If it is not
selected, the users will have the option to install the new version or not.
C: When slipstreaming is used, you actually modify the original installation source with
the new copies of the files.
D: It is not necessary to remove the older version.

QUESTION 216:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Development department. The users in the Development
department are in an OU named TestDevelopOU. Almost a year ago, you installed a
third-party 16-bit application for the Development department.
You have received a notice of an upgrade of this third-party 16-bit application. You
then decided to deploy the upgrade to the TestDevelopOU. You need the users to
install the upgrade by using the Add/Remove Programs applet. The upgrade
appears in the Add/Remove Programs applet, but it cannot be installed.
You need to find out why it cannot be installed.
What should you do?

A. The computer policy overrules the user policy.
B. The upgrade is assigned and not published.
C. The GPO was not applied.
D. The software distribution point is not accessible.

Answer: D

Explanation: The software distribution point is on the network. The users do not
have permission to access it.
Incorrect answers:
A: The computer policy does not overrule the user policy, because the upgrade appears
on the Add/Remove Program applet. This indicates that the upgrade was published
correctly.
B: The upgrade appears in the Add/Remove Program applet. This is an indication that the
upgrade was published.
C: The GPO was applied because the upgrade appears in the Add/Remove Program
applet.

QUESTION 217:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Marketing department and a Development department.
The users in the Marketing department are in an OU named TestMarketOU. The
users in the Development department are in an OU named TestDevelopOU. A few
months ago you installed Microsoft Excel 2000 to both of the departments. You used
the MSI package for a GPO linked to these departments.
The Marketing department needs more functions from Microsoft Excel 2000. You
then deploy an upgrade to the Marketing department. During routine monitoring
you notice that the Development department also has access to the upgraded
version. You need to find why the Development department also has access to the
upgraded version.
What should you do?

A. Specify the Remote Installation Services, from the Windows settings folder.
B. Specify the Window Components; from the Administrative Templates.
C. Use the Computer Management snap-in.
D. Run the Resultant Set of Policy (RSoP) in logging mode.

Answer: D

Explanation: You need to find out which policies are applied to the Development
department. This is done by using the RSoP in logging mode.

Incorrect answers:
A: This setting is used to control remote installations. It cannot be used to troubleshoot
GPO configuration settings.
B: The Window Components in the Administrative Templates is used to configure
settings for different Windows components.
C: The snap-in is used to manage local and remote computers.

QUESTION 218:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Research department. Certkiller .com also contains a file
server named Certkiller -SR12. Certkiller -SR12 contains applications that are
needed for the Research department. You have been instructed by the CIO to
deploy the Remote Administration Tools software package to the network
administrators. The network administrators belong to an OU named CKAdmin. You
then place an .msi file into a shared folder named CKShare on Certkiller -SR12.
You also create a GPO named CKGPO. You then use a software installation policy
to deploy the package. You then link the CKGPO to the NetAdmin OU, which
contains the client computers and the network administrators.
The following day during a routine monitoring you notice that the network
administrators did not have the Remote Administration Tools on their client
computers. You also notice that the package is not available on your computer.
When you go through the event log, you see the following error message:

You need to ensure that the package is deployed to all the network administrators.
What should you do?

A. Specify Certkiller -SR12\CKShare as the default package location, in the Computer
Configuration\Software installation node in CKGPO.
B. Allow the Authenticated Users group Allow - Read permissions for
Certkiller -SR12\TestShare.
C. Reconfigure CKGPO so that the package is published.
D. Remove the first software installation policy in CKGPO and create another software
installation policy that assigns the package.

Answer: B

Explanation: If you want to install the package, you should use a suitable .msi file
and allow the Authenticated Users group Allow - Read permissions for
Certkiller -SR12\TestShare.
Incorrect answers:
A: Specifying Certkiller -SR12\CKShare as the default package location in the
Computer Configuration\Software installation node in CKGPO only makes it easier to
browse when you are creating a new software installation policy.
C: You cannot publish packages to a computer, you can only assign them.
D: This option will allow the packages to be assigned to the users.

QUESTION 219:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains two departments named Research and Development. The
CIO has purchased a third-party application, which you deployed to the network
using a GPO. After a month the CIO purchases a different third-party application
to work with the files that have the same file name extensions instead of the former
installed third-party application. You need to install this latter third-party
application to the users that do not have the former third-party application on their
client computer. This means that a computer should not have both third-party
applications installed. If a user wants to use the former third-party application, they
do not need to install the latter third-party application.
What should you do?

A. Assign the third-party application to the computers and configure in the GPO that the
former third-party application should be removed before the new third-party application
is deployed.
B. Publish the third-party application to the computers and remove the GPO that deploys the
former third-party application.
C. Assign the third-party application to the users and remove the GPO that deploys the
former third-party application.
D. Publish the third-party application to the users and configure in the GPO that the
former third-party application should be removed before the new third-party application
is deployed.

Answer: D

Explanation: You need to publish the third-party application to the users. You
should also configure in the GPO that the former third-party application should be
removed before the new third-party application is deployed.
Incorrect answers:
A: If you assign the third-party application to the computers, the application will be
installed automatically when the users start their computers.
B: You cannot publish applications to a computer, you can only assign them.
C: If you assign the third-party application to the users, the Auto-install this
application by file extension activation option would not be available.

QUESTION 220:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Marketing department. Certkiller .com contains 13 member
servers. Terminal Services is installed in Application Server mode on each of the 13
member servers. The Terminal servers are located in an
organizational unit (OU) named TestTermOU. To maintain certain marketing
information, you need a custom database application. The user accounts of the
Marketing department are located in an OU named TestMarketOU. When you
acquired the custom database application, you want to deploy the custom database
application with a GPO to the Marketing departments users on the terminal
servers.
What should you do?

A. In the GPO's User Configuration folder, define a software installation policy that
assigns the custom database application, and link the GPO to the TestTermOU.
B. In the GPO's User Configuration folder, define a software installation policy that
publishes the custom database application, and link the GPO to the TestMarketOU.
C. In the GPO's Computer Configuration folder, define a software installation policy that
assigns the custom database application, and link the GPO to the TestMarketOU.
D. In the GPO's Computer Configuration folder, define a software installation policy that
assigns the custom database application, and link the GPO to the TestTermOU.

Answer: D

Explanation: In this scenario, to assign an application you should link the GPO to
the TestTermOU. To deploy the application to more than one terminal server, you
should assign the application to the computers instead of the users.
Incorrect answers:
A: If you assign the application to the users, the GPO will have no effect on the
user-specific policies. You must use the Computer Configuration folder, define a
software installation policy that assigns the custom database application, and link the
GPO to the TestTermOU.
B: If you assign the application to the computers, the GPO will have no effect on the
computer-specific policies. You must use the Computer Configuration folder, define a
software installation policy that assigns the custom database application, and link the
GPO to the TestTermOU. Also, you cannot publish an application to computers in a GPO.
C: If you assign the application to the users, the GPO will have no effect on the
user-specific policies. You must use the Computer Configuration folder, define a
software installation policy that assigns the custom database application, and link the
GPO to the TestTermOU.

QUESTION 221:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Research department and a Development department.
Certkiller .com has downloaded a few updates for use on the Certkiller .com network.
Certkiller .com also has a lab where the updates are tested before they are put into
operation. The lab contains a server named Certkiller -SR13. You are planning to
install Software Update Services (SUS) on Certkiller -SR13. You then create a
GPO.
What should you do next?

A. Indicate Certkiller -SR13 as the update service location and apply the GPO to the
computers.
B. Indicate Certkiller -SR13 as the update service location and apply the GPO to the
users.
C. Specify that update files be downloaded from Certkiller -SR13 and apply the GPO
to the computers.
D. Specify that update files be downloaded from Certkiller -SR13 and apply the GPO
to the users.

Answer: A

Explanation: SUS can be used to test and approve updates for computers and users.
SUS is used to download updates.
Incorrect answers:
B: You should also apply the GPO to the computers by linking it to the OU where the
computer accounts are located.
C, D: You should also apply the GPO to the computers by linking it to the OU where the
computer accounts are located.

QUESTION 222:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Marketing department. Certkiller .com has its
headquarters in Chicago and branch offices in Dallas and Miami. Each of the
offices has an OU where its computer accounts are kept. The computer accounts of
the Chicago office are located in an OU named ChicagoOU, the computer accounts
of the Dallas office are located in an OU named DallasOU and those of Miami are
located in an OU named MiamiOU. You only have authority over the OUs of the
client computers. Certkiller .com also contains a domain controller named
Certkiller -DC02 that is in a default container. There are also OUs for the servers
in each office, as seen in the exhibit:

You need to ensure that the client computers of the three offices have the latest
patches and hotfixes.
What should you do?

A. Create a domain-based policy that specifies that the client computers use the Automatic
Updates feature and the servers use Software Update Services.
B. Create a Group Policy object on one of the OUs that contain the client computers and
specify that the computers use the Automatic Updates feature to download and install
Windows updates.
Link this GPO to the other two OUs that contain the other client computers.
C. Create a domain-based Group Policy object that configures the computers to use the
Automatic Updates feature to download and install Windows updates.
Deny the Apply Group Policy permission to the domain controllers and Servers OUs.
D. Configure each of the client computers to use the Automatic Updates feature to
download and install Windows updates.

Answer: B

Explanation: If Automatic Updates is enabled, the computer will automatically
connect to the Windows Update site and download any security updates. You should
create a GPO that configures the computers to use the Automatic Updates feature to
download the updates.
Incorrect answers:
A, C: You only have permission at the OU level, as stated in the scenario. Therefore you
cannot create a domain-based GPO.
D: You can do it this way, but it will be time consuming.

QUESTION 223:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Research department. Certkiller .com contains a few
servers that are used for downloading updates and patches. You have received
instruction from the CIO to keep the servers updated with the latest service packs
and hotfixes. You need to configure the servers to receive updates automatically and
the client computers in the Research department to receive the updates on a regular
basis.
What tool should you use?

A. Use the Auto update.
B. Use the Dynamic Update.
C. Use the Software Update Services.
D. Use the Intellimirror.

Answer: C

Explanation: Software Update Services synchronizes updates with the Windows
Update Web site. The updates are also tested by Quality Assurance before they are
installed on the servers.
Incorrect answers:
A: You can use Auto update, but the updates will not be tested.
B: Dynamic Update is used for emergency fixes to address setup problems. It is also used
to provide updated drivers.
D: IntelliMirror manages information, settings and software. It is not used to manage
updates through service packs and hotfixes.

QUESTION 224:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. All servers on the Certkiller .com
network run Windows Server 2003. Half the client computers run Windows 2000
Professional, and the rest run Windows XP Professional.
Certkiller .com contains a Marketing department. The CIO of Certkiller .com has
purchased a third-party accounting application. You have received instructions to
deploy the third-party accounting application, but you do not have a native .msi
package. You also cannot create an .msi package. You need to deploy the
third-party accounting application with the least amount of administrative effort.
What should you do?

A. Create a .zap file and publish it to the Marketing users.
B. Create an .mst file and publish it to the Marketing users.
C. Create a .zap file and assign it to the computers.
D. Create an .msp file and assign it to the Marketing users.

Answer: A

Explanation: You can use a .zap file to publish the application. With a .zap file you can
only publish the application, not assign it.
Incorrect answers:
B: With an .mst file you can customize .msi packages.
C: You can use a .zap file to publish the application. With a .zap file you can only publish
the application, not assign it.
D: An .msp file is used to modify .msi packages.

QUESTION 225:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com network contains 15 Windows Server 2003 computers and 1,500
Windows XP Professional client computers. Certkiller .com has its headquarters in
Chicago and a branch office in Dallas.
Certkiller .com contains a server named Certkiller -SR10. Terminal Services in Remote
Desktop for Administration mode is installed by default, and you have set up Terminal
Services in Application Server mode separately. The terminal server will enable the
users to run applications remotely.
You have received instruction from the CIO to deploy a 32-bit third-party
application to the terminal server users. The 32-bit third-party application
includes a native Windows Installer package.
What should you do?

A. Use the Add or Remove Programs and install 32-bit third-party application on the
terminal server.
B. Create a GPO that assigns the 32-bit third-party application to the users and place the
terminal server users into an OU and link the GPO to the OU.
C. Create a GPO that publishes the 32-bit third-party application to the users and place
the terminal server users into an OU and link the GPO to the OU.
D. Log on as the domain administrator at the terminal server and initiate the installation
by double clicking the Windows Installer package file of the 32-bit third-party
application.

Answer: A

Explanation: The best method is to use Add or Remove Programs to install the 32-bit
third-party application on the terminal server.
Incorrect answers:
B, C: If you assign it to the users, the application would be installed on the terminal
server when one of the users logs on. After that the application might not work
properly for the other terminal server users.
D: If you double-click the Windows Installer package file, the application will not be
properly configured for multi-session access.

QUESTION 226:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Finance department. Certkiller .com contains two sites
named SiteA and SiteB. You are using Group Policy objects (GPOs) to manage users and
the computers on the network. SiteA's users are located in an organizational unit (OU)
named SiteAUsers and their computers are in an OU named SiteAComps. SiteB's users are
located in an OU named SiteBUsers and their computers are in an OU named SiteBComps.
The OU structure of Certkiller .com is shown in the following exhibit:

Some of the managers in SiteA need to go to SiteB to do supervisory work. The
managers use their portable computers when they travel to SiteB. One morning
you receive instructions to deploy an application to the managers from SiteA who
are working in SiteB. Your task must not change their configurations and their
settings. You then configure a Windows Installer package and create a GPO to
publish the package.
Which of the following should you do next?

A. Link the GPO to SiteB.
B. Move the managers to the SiteBUsers OU and link the GPO to the OU.
C. Move the portable computers of the managers to the SiteBComps OU and link the
GPO to the OU.
D. Link the GPO to SiteA.

Answer: A

Explanation: It states in the scenario that you have published the application to the users.
You only need to link the GPO to SiteB. You could have linked the GPO to the SiteAUsers
OU.
Incorrect answers:
B: If you move the managers to the SiteBUsers OU, they would be out of the scope of the
GPOs that are linked to their own OU. The users in SiteB would also have access to the
application.
C: If you move the managers' portable computers to the SiteBComps OU, they would be
out of the scope of the GPOs that are linked to their own OU. The users in SiteB would
also have access to the application.
D: The managers' portable computers are connected to the SiteB network. If you link the
GPO to SiteA, it would not apply to the managers.

QUESTION 227:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Marketing department and a Research department. Some
of the users in the Research department are members of a global group named
TestCritic, which has access to resources that reside on 10 servers in the
Certkiller .com domain. The global group TestCritic has rights throughout the
network to perform its duties. The resources consist of critical data. A
Certkiller .com user named Andy Booth has asked for permission to access the
resources on the 10 servers.
After verifying with the managers, you want to grant Andy Booth membership in
TestCritic. You do not want Andy Booth to have minimum privileges on the
network. You also do not want Andy Booth's new settings to influence the security
of the network.
What should you do?

A. View Andy Booth's effective policies and see if he was a member of the TestCritic
group by using the Result Set of Policy in Planning mode.
B. View Andy Booth's effective policies and see if he was a member of the TestCritic
group by using the GPResult tool.
C. View Andy Booth's effective policies and see if he was a member of the TestCritic
group by using the Result Set of Policy in Logging mode
D. View Andy Booth's effective policies and see if he was a member of the TestCritic
group by using the Security Templates snap-in.

Answer: A

Explanation: In the planning mode of RSoP you will see whether Andy Booth would
violate the security policy. Planning mode allows you to simulate a situation to see
how Group Policy will be affected.
Incorrect answers:
B: This tool will return the list of policies that are affecting the users and computers that
Andy Booth is logging on to.
C: RSoP in logging mode is used to view the policies that are affecting a user or a
computer.
D: The Security Templates snap-in contains predefined security settings, which are based
on the computer role.

QUESTION 228:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com contains a Finance department. The Finance department handles
critical data. You have received instructions to test a domain and organizational
unit hierarchy structure. Certkiller .com has quite a few Group Policy objects that
provide control of the user environment.
The security policy states that the password length is 10 and the password history
60. You then revise the Certkiller .com security policy and put it into practice: the
minimum password length is 6 characters, the password history is 5 and the
maximum password age is 1 month.
A Certkiller .com user named Mia Hamm is a member of the Finance department.
Mia Hamm is working on a client computer named Certkiller -SR30. One
morning Mia Hamm complains that when she attempts to change her password to 6
characters, she receives an error that the minimum length should be 10 and
the password history 60 days. You need to troubleshoot the case.
What should you do? (Select all that apply)

A. On Certkiller -SR30, run the Resultant Set of Policy (RSoP) in planning mode.
B. On Certkiller -SR30, log on with Mia Hamm's domain account, edit the Local policy
and note the effective settings for password length and password history.
C. Use another client computer, log on with Mia Hamm's domain account and run
GPresult /v /scope user.
D. On Certkiller -SR30, run the GPupdate utility.

Answer: B, C

Explanation: Using another client computer and running GPresult /v /scope user
will help to troubleshoot the issue. The effective settings show the result of the
password policy as it is applied.
Incorrect answers:
A: RSoP in planning mode allows you to simulate a policy deployment for users
and computers before it is applied.
D: GPupdate is used to refresh the policy settings on a computer.

QUESTION 229:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains three departments named Research, Development and
Finance. Each of these departments has its own organizational unit (OU). You have
received instruction from the CIO to improve the security of the Certkiller .com
network. You then test the security settings that you have created and put them in a
Group Policy object (GPO) in a parallel environment. Thereafter you create a GPO,
link it to the domain and import the settings. You also set up a test user account in
each department's OU. A day after the completion of the domain-based GPO, a user
named Rory Allen complains that he cannot log on to the domain with his user
account. During the investigation you notice that some of the security settings
applied and some did not.
What should you do? (Select all that apply)

A. Use the Resultant Set of Policy (RSoP) in Logging mode to get the policy settings
and use the Help and Support Advanced System Information to get a list of all the
policies that are applied to Rory Allen and his client computer.
B. Use the Resultant Set of Policy (RSoP) in Planning mode to get the policy settings.
C. Obtain a list of all the policies that are applied to Rory Allen and his computer by using
the GPupdate tool.
D. Obtain a list of all the policies that are applied to Rory Allen and his computer by using
the GPresult tool.

Answer: A, D

Explanation: Logging mode shows a list of effective policy settings. It also shows
the GPOs from which the policies are applied. This will allow you to see where the
conflict is. The Help and Support Advanced System Information will show the Group
Policy settings that are applied.
Incorrect answers:
B: RSoP in planning mode allows you to test the policy before it is applied.
C: GPupdate is used to refresh the policy settings on a computer.

QUESTION 230:

You have recently started work as the network administrator at Certkiller .com. The
Certkiller .com network consists of a single Active Directory domain named
Certkiller .com. All servers on the Certkiller .com network run Windows Server 2003.
Half the client computers run Windows 2000 Professional, and the rest run
Windows XP Professional.
Certkiller .com contains two departments named Research and Finance. You need to
test a domain and organizational unit hierarchy structure. You notice that quite a
few Group Policy objects provide control of the users' environment. You have
received instruction from the CIO to set a policy at the site level that will stop the
users from changing the zone settings in Internet Explorer. After a week you
discover that the users are still able to change the zone settings on the client
computers. You need a tool that displays the information on the command line and
helps you find out why the settings were not applied.
Which of the following tools should you use?

A. GPresult
B. GPupdate
C. Dcgpofix
D. Secedit

Answer: A

Explanation: The GPresult tool will return the list of policies that are affecting users
and computers.
Incorrect answers:
B: GPupdate is used to refresh the policy settings on a computer.
C: Dcgpofix is used to restore the default GPOs.
D: Secedit is used to automate security configuration tasks by using scripts. This
command can also be used to refresh policy settings, by using the /refreshpolicy
option.

QUESTION 231:

You have recently started work as the network administrator at Certkiller .com. The
Certkiller .com network consists of a single Active Directory domain named
Certkiller .com. All servers on the Certkiller .com network run Windows Server 2003.
Half the client computers run Windows 2000 Professional, and the rest run
Windows XP Professional.
Certkiller .com contains a Development department. Certkiller .com contains a
server named Certkiller -SR12. You need to test a domain and organizational unit
hierarchy structure. Certkiller .com has quite a few Group Policy objects that
provide control of the user environment. During routine monitoring you discover
that quite a few users have access to the security log of Certkiller -SR12. You need
to find out the security settings for these users.
What should you do?

A. Refresh the group policy of the users with GPupdate.
B. Make sure that the users and their client computer accounts have the Apply Group
Policy and Read permissions for the correct GPO, run RSoP in Logging mode and make
sure that the group policy setting is not blocked.
C. Run RSoP with WMI filters.
D. Run RSoP in Planning mode.

Answer: B

Explanation: If the policies are not affecting the users, you should verify the GPO
settings and check that the GPO is not blocked. You also need to make sure that
the users and their client computers have the Apply Group Policy and Read
permissions for the correct GPO.
Incorrect answers:
A: GPupdate is used to refresh the policy settings on a computer. This will not help.
C: WMI filters allow the filtering of GPO settings based on specific information, which
includes computer hardware or installed software.
D: RSoP in planning mode allows you to test the policy before it is applied.

QUESTION 232:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named us. Certkiller .com and uk. Certkiller .com. All servers on the Certkiller .com
network run Windows Server 2003. Half the client computers run Windows 2000
Professional, and the rest run Windows XP Professional. The functional level of the
forest is set at Windows Server 2003.
Certkiller .com contains a Research department and a Development department. The
Development department develops in-house applications that were researched by the
Research department. A new Certkiller .com policy requires that users should only
install and run applications that have been tested in a test environment. You need to
configure a suitable software restriction policy.
What should you do? (Select two)

A. Set the default security level to Disallowed and enable certificate rules.
B. Set the default security level to Unrestricted.
C. Disable certificate rules.
D. Create a certificate rule with a security rule set to Unrestricted.

Answer: A, D

Explanation: You need to set the default security level to Disallowed to stop users
from running new applications. You must also enable certificate rules and create a
certificate rule set to Unrestricted.
Incorrect answers:
B: Setting the default security level to Unrestricted would not stop users from running
new applications; you need to set the default security level to Disallowed.
C: Disabling certificate rules would not help; you should enable certificate rules and set
the default security level to Disallowed to stop users from running new applications.

QUESTION 233:

You work as the network administrator at Certkiller .com. Certkiller .com has its
headquarters in London and branch offices in Liverpool, Madrid, Paris, Berlin and
Milan. The Certkiller .com network consists of two Active Directory domains named
uk. Certkiller .com and eu. Certkiller .com. All servers on the Certkiller .com network run
Windows Server 2003. The exhibit shows the Certkiller .com WAN.

Actualtests.com - The Power of Knowing


070-294

You configure each Certkiller .com branch office as an Active Directory site. The
global catalog servers are located in the two top level Active Directory sites.
Universal group membership caching has been enabled for each Active Directory
site.
Users on the Certkiller .com network make use of an Active Directory integrated
application that reads data from the global catalog. A Certkiller .com employee
named Clive Wilson works in the Berlin branch office. One morning Clive
complains that the application responds slowly during peak hours.
What should you do next to ensure that the response time of the application is
improved during peak hours?

A. Disable universal group membership caching in the four lower level Active Directory
sites.
B. Decrease the replication interval on the site links that connect the four lower level
Active Directory sites to the two upper level Active Directory sites.
C. Configure global catalog servers in the four lower level sites.
D. Perform an offline defragmentation of the Active Directory database on the domain
controllers in the two top level Active Directory sites.

Answer: C

Explanation:
The application reads data from the global catalog; however, there are global
catalog servers only in the two upper level Active Directory sites. Therefore, global
catalog information must be accessed across the WAN links, which is where the
problem occurs. We need to add global catalog servers in the four lower level
Active Directory sites.
Incorrect Answers:
A: Universal group membership caching is used for logon purposes. It is thus irrelevant to
this scenario.
B: Decreasing the replication interval will not improve response times. The four lower level
Active Directory sites must still access the global catalog information across the WAN
links.
D: Defragmenting the Active Directory database will not improve response times
significantly; the lower level Active Directory sites must still access the global catalog
information across the WAN links.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17
to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 547, 550-552.

QUESTION 234:

You work as the network administrator at Certkiller .com. Certkiller .com has its
headquarters in Warsaw, and branch offices in Minsk and Athens. The
Certkiller .com network consists of a single Active Directory forest that contains
three domains named Certkiller .com, minsk. Certkiller .com and athens. Certkiller .com.
The network at each office is configured as a separate Active Directory site. Each
domain contains two Windows Server 2003 domain controllers named
Certkiller -DC01 and Certkiller -DC02 respectively. The exhibit shows the
relevant portion of the Active Directory domain structure.

A Windows Server 2003 computer in the Certkiller .com domain, named
Certkiller -SR01, holds the forest-level operations master roles and the
operations master roles for that domain. Windows Server 2003 computers named
Certkiller -SR02 and Certkiller -SR03 hold the operations master roles for
their respective domains. WAN connectivity between the branch offices is currently
considered unreliable.
You must design a strategy for global catalog server placement for the
Certkiller .com network. Your plan must include the following:
1. A strategy that will keep the consistency of universal group membership information
intact.
2. A strategy that will enable each user to log on in the event of a single domain
controller and WAN connection failure.
Which two actions should you perform to achieve your goal in these circumstances?
(Each correct answer presents part of the solution. Choose TWO.)

A. Configure Certkiller -DC01 and Certkiller -DC02 as global catalog servers.
B. Configure only Certkiller -DC01 in each domain as a global catalog server.
C. Configure only Certkiller -DC02 in each domain as a global catalog server.
D. Enable universal group membership caching for each Active Directory site.
E. Enable universal group membership caching for the top level branch office.
F. Enable universal group membership caching for the two lower level branch offices.

Answer: A, F

Explanation: We could have global catalog servers in each site. This would ensure
that users can log on in the event of a WAN connection failure. However, we also
need to ensure the consistency of universal group membership information.
Therefore, placing global catalog servers in the remote sites is not an option.
Instead, we need to enable universal group membership caching for both remote
sites. For redundancy purposes, the main site must have more than one global
catalog server.
Incorrect Answers:
B, C: For redundancy purposes, the main site must have more than one global catalog
server.
E: We need to enable universal group membership caching for both remote sites.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17
to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547,
550-552.

QUESTION 235:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of two Active Directory domains. The Certkiller .com branch offices
in Paris and Berlin are connected by a 128-Kbps WAN connection. The Paris and
Berlin branch offices are each configured as a single domain and as an Active
Directory site. All servers on the Certkiller .com network run Windows Server 2003.
All printer location information is stored in Active Directory, and users in the two
branch offices search Active Directory, by selecting the Entire Directory option, to
locate printer information. One morning users in the Paris branch office complain
that they experience excessively slow response times when they search Active
Directory for information on printers.
What should you do next to improve the search response times for users who work
in the Paris office?

A. Place a domain controller for the Berlin domain in the Paris office.
B. Place a domain controller for the Paris domain in the Berlin office.
C. Enable universal group membership caching in the Paris office.
D. Configure a global catalog server in the Paris office.

Answer: D

Explanation: The global catalog is the central repository of information about
Active Directory objects in a tree or forest. The domain controller that holds a copy
of the global catalog is called a global catalog server. The global catalog enables a
user to log on to a network by providing universal group membership information
to a domain controller when a logon process is initiated, and enables finding
directory information regardless of which domain in the forest actually contains the
data.
Incorrect Answers:
A: This would work but it is unnecessary. Replicating the entire Active Directory from
the Berlin office to the Paris office over the slow WAN link is a waste of resources. A
global catalog server in the Paris office would suffice.
B: This won't solve the problem at all.
C: Universal group membership caching (as its name implies) caches information about universal
groups. This scenario involves searching for printers, which has nothing to do with
universal groups.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17
to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003,
pp. 31, 543, 547, 550-552.

QUESTION 236:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single forest root domain named Certkiller .com that contains
one domain named us. Certkiller .com. The functional level of the forest is set at
Windows Server 2003.
Certkiller .com has universal groups configured to prevent part-time employees from
accessing confidential information on computers in the Certkiller .com forest.
us. Certkiller .com contains a computer named Certkiller -SR24 running Windows
2000 Server. Certkiller -SR24 is used to run an application that sends LDAP
queries to the global catalog. Certkiller -SR24 resides on a subnet which is
associated with an Active Directory site named CK_SITE01. CK_SITE01 has no
global catalog server configured. A WAN connection connects CK_SITE01 to
another Active Directory site.
You have been instructed to implement the required network configuration that will
result in the following:
1. Configure the network so that the application running on Certkiller -SR24
executes at high performance levels.
2. Configure the network to enable the application to continue running in the event
of a WAN connection failure.
3. Minimize traffic over the WAN connection
What should you do next to accomplish these goals?

A. Configure universal group membership caching for CK_SITE01.
B. Configure one or more global catalog servers in CK_SITE01.
C. Add the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures
key to the registry on all domain controllers residing in CK_SITE01.
D. Remove Certkiller -SR24 from the us. Certkiller .com domain and then add it to a
workgroup.

Answer: B

Explanation:
The application needs to read data from the global catalog. This information is
stored on the global catalog servers in the other site. This means that the application
needs to contact the global catalog servers over a WAN link. We can improve
performance by configuring a global catalog server in CK_SITE01. This will enable
the application to contact a global catalog server over fast LAN connections. It will
also enable the application to run if the WAN link fails.
Incorrect Answers:
A: Universal group caching likely has no effect on the application. Universal group
information is just a small part of the information stored in the global catalog. The
application would still need to contact a global catalog server.
C: This setting allows users to log on to a domain if the domain controller is unable to
contact a global catalog server. It will have no effect on the application.
D: The application won't be able to query the global catalog if the computer isn't a
member of the domain.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17
to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547,
550-552.

QUESTION 237:

You work as the network administrator at Certkiller .com. The accompanying work
area displays the applicable network configuration. Certkiller .com has a branch
office in two cities. In each branch office employees make use of an application that
reads configuration data in the global catalog.
You deploy Windows Server 2003 on all domain controllers and create one Active
Directory domain. You set the functional level of the forest to Windows Server 2003.
You configure the servers with the following configuration:
1. Certkiller -SR01 - Domain controller, schema master, domain naming master
2. Certkiller -SR02 - Domain controller, relative ID (RID), PDC emulator master
3. Certkiller -SR03 - Member server, file and printer server
4. Certkiller -SR04 - Member server, Web server
5. Certkiller -SR05 - Domain controller
6. Certkiller -SR06 - Member server, file and printer server
7. Certkiller -SR07 - Member server, DHCP server
You are busy defining the global catalog server placement strategy for the network.
Your global catalog server placement strategy must ensure that the application
which reads configuration data in the global catalog, can continue to run when
multiple global catalogs fail. You must also ensure that the application has high
levels of performance during peak times.
What should you do next?
Answer by selecting the appropriate computer or computers in the work area.

Answer:
Select Certkiller -SR01, Certkiller -SR02 and Certkiller -SR05.

Explanation:
Only domain controllers can function as Global Catalog servers. In this case, only
Certkiller -SR01, Certkiller -SR02 and Certkiller -SR05 are domain controllers. We
need to use all domain controllers to ensure that the application continues to function in
the event of multiple global catalog failures.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17
to 1-18, 5-41 to 5-45, 5-48 to 5-50.
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547,
550-552.

QUESTION 238:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains over 20 domains.
All servers on the Certkiller .com network run Windows Server 2003. As a company,
Certkiller .com has over 300 branch offices worldwide and the Certkiller .com
network consists of over 140,000 user objects.
You perform administrative functions for the Sales department. The Sales
department has branch offices across Europe. The Paris, Athens, and Milan branch
offices belong to the Certkiller -west.com domain and the Berlin, Warsaw, and Minsk
branch offices belong to the Certkiller -east.com domain.
The number of users using the Certkiller .com network in each branch office is
shown here:
1. Paris - 700 users
2. Athens - 10 users
3. Milan - 600 users
4. Berlin - 600 users
5. Warsaw - 5 users
6. Minsk - 10 users
Users working in the Warsaw, Milan and Paris branch offices must have access to a
directory-enabled application which stores configuration information in the global
catalog.
You must plan the domain controller placement strategy for the Certkiller .com
network. Each user must be able to log on without using cached credentials. You
must ensure that all users can access the application in the event of a WAN
connection failure. You must perform the necessary network configurations and at
the same time minimize an increase in WAN traffic.
How will you accomplish the task?
Answer by dragging the appropriate domain controller configuration or
configurations to the correct location or locations in the work area.

Answer:

Explanation:
The application stores configuration information in the Global catalog; therefore, we
need to put one Global Catalog server in each site with users who require access to the
application; in this case Warsaw, Milan, and Paris.
To be able to log on without using cached credentials, we need to enable universal group
membership caching in the Athens and Minsk offices (because they don't have Global
Catalog servers). The Minsk office connects to the Berlin office. As we have enabled
universal group membership caching in the Minsk office, we should have a Global
catalog server in the Berlin office, so that the Minsk office domain controller can cache
the universal group membership from the Berlin office Global Catalog.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 505-509, 543,
547, 550-552.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17
to 1-18, 5-41 to 5-45, 5-48 to 5-50.

QUESTION 239:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of six Active Directory domains. All servers on the Certkiller .com
network run Windows Server 2003. Certkiller .com has headquarters in London and
branch offices in Paris, Berlin, Milan, Madrid, and Stockholm. Each branch office
is configured as a single domain and as an Active Directory site.
Users on the Certkiller .com network use an application server that queries user
information from the global catalog. You install application servers at
Certkiller .com's headquarters in London and at three branch offices. The relevant
network configuration is shown in the exhibit.

One morning while monitoring WAN connections between the headquarters in
London and each branch office, you discover that utilization has increased from 60
percent to 90 percent. Users at the various branch offices have complained about
slow response times when accessing information on the application servers.
You need to plan placement for global catalog servers in the branch offices where
they will improve response times for the application servers. You want to
accomplish this task with a minimum increase in WAN traffic.
What should you do?

A. Place a global catalog server in London.
B. Place a global catalog server in all branch offices.
C. Place a global catalog server in Paris and Madrid only.
D. Place a global catalog server in all branch offices except Paris and Madrid.

Answer: D

Explanation: Because the application server queries Global Catalog attributes, we
need to put one Global Catalog server in each site hosting an application server; in
this case Berlin, Stockholm and Milan.
Incorrect Answers:
A: There is already a Global Catalog Server in London.
B, C: Paris and Madrid do not host an application server and therefore do not require a
Global Catalog Server.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 505-509.

QUESTION 240:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
Certkiller .com has headquarters in London and branch offices in Paris and Berlin.
Dedicated 256-Kbps lines connect the Certkiller .com offices.
You want to minimize logon authentication traffic across these slow WAN links. To
accomplish this goal, you create an Active Directory site for each Certkiller .com
branch office and configure the necessary site links between the various sites.
One morning users working in the Paris and Berlin branch offices complain that
they experience a long logon delay when attempting to log on to a domain controller.
You monitor network traffic and discover that all logon authentication traffic is still
being passed to the domain controllers in the London headquarters.
What should you do next to minimize logon authentication traffic across these slow
WAN links and improve overall network performance?

A. Change the replication interval so that replication occurs more frequently between the
sites.
B. Change the replication interval so that replication occurs less frequently between the
sites.
C. Create a subnet for each actual physical location. Associate the subnets with the
London site, and then move all domain controller objects to the London site.
D. Create a subnet for each actual physical location. Associate each subnet with its
respective site. Move each domain controller object to its respective site.

Answer: D.

Explanation: You have created the sites and configured site links, but you haven't
configured the sites. To configure the sites you need to create a subnet object for each
physical location and associate each subnet with its site. Then move each domain
controller object to its site. This will configure Active Directory so that
authentication requests are sent to the local domain controller rather than going
across the WAN links.
Incorrect Answers:
A: No replication will occur between the sites, because all domain controllers are in the
same (default) site. The domain controller objects need to be moved to their respective sites.
B: No replication will occur between the sites, because all domain controllers are in the
same (default) site. The domain controller objects need to be moved to their respective sites.
C: We don't want all the subnets to be in one site. They should be in their respective
sites.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-3 to
5-6

QUESTION 241:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com network contains a domain controller named Certkiller -DC01 that
contains a single site named Certkiller -S01.
You plan to add a new site named Certkiller -S02 to the Certkiller .com network. A
56-Kbps line connects the Certkiller -S01 and Certkiller -S02 sites. You want to
promote an existing Windows Server 2003 member server named Certkiller -SR24
to be a new domain controller of the domain.
What should you do next to promote Certkiller -SR24 as a new domain controller
on the Certkiller -S02 site? Your solution must also minimize the usage of the
WAN link when you perform the promotion.

A. Configure the site link cost between the Certkiller -S01 and Certkiller -S02 sites
as 50.
Promote Certkiller -SR24 to be a new domain controller in the Certkiller -S02
site.
B. Restore the backup files from the system state data on Certkiller -DC01 to a folder
on Certkiller -SR24, and then install Active Directory by running the dcpromo /adv
command.
C. Run the dcpromo command over the network to promote Certkiller -SR24 to be a
new domain controller on the Certkiller -S02 site.
D. Use an unattended installation file to promote Certkiller -SR24 to be a new domain
controller on the Certkiller -S02 site.

Answer: B

Explanation: We want to minimize the use of the WAN link. We can use the new
dcpromo /adv command to promote the DC from a backup of the system state data
of an existing domain controller.
Installing from media drastically reduces the time required to install directory
information by reducing the amount of data that is replicated over the network. Installing
from media is most beneficial in large domains or for installing new domain controllers
that are connected by a slow network link. To use the install from media feature, you first
create a backup of System State from the existing domain controller, then restore it to the
new domain controller by using the Restore to: Alternate location option.
In this scenario, we can restore the system state data to a member server, then use that
restored system state data to promote a member server to a domain controller.
Incorrect Answers:
A: Site link costs are a mechanism for controlling replication traffic. In this scenario we
need to install Active Directory, not control Active Directory replication.
C: Running the dcpromo command over the network will result in large amounts of
traffic across the WAN link. We want to reduce this.
D: We could promote Certkiller -SR24 to a domain controller by using unattended
installation, however, Active Directory would need to be synchronized with the Active
Directory on Certkiller -DC01. This synchronization would result in WAN traffic that
could be reduced by installing Active Directory from a backup.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-26
to 2-28
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 294-6, 298-300

QUESTION 242:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
domain controllers on the Certkiller .com domain run Windows Server 2003 and all
client computers run Windows XP Professional. Certkiller .com contains two domain
controllers named Certkiller -DC01 and Certkiller -DC02. A full backup is
performed of the hard disks in both domain controllers on a daily basis.
The Administrator account is the only account contained in the Domain Admins
security group. You have recently disabled the local Administrator account in the
Default Domain Policy Group Policy object (GPO). The next morning you are
unable to log on to both Certkiller -DC01 and Certkiller -DC02 as the
Administrator from the Certkiller .com domain.
You must perform the necessary configuration that will allow you to log on to both
Certkiller -DC01 and Certkiller -DC02 as the Administrator from the
Certkiller .com domain
What should you do to achieve your goal in these circumstances?

A. Restart either Certkiller -DC01 or Certkiller -DC02 in Safe Mode and then log on
as Administrator.
Create a new account for a second administrator.
Restart the domain controller you are using and then use the new account to disable the
restrictions on the local Administrator accounts.
B. Restore the entire hard disk on either Certkiller -DC01 or Certkiller -DC02 by
using the most recent backup available before you made changes.
Restart the domain controller you are using and then wait for Active Directory
replication to complete.
C. Restart either Certkiller -DC01 or Certkiller -DC02 and then use a Windows
Server 2003 CD to run the Recovery Console.
Stop the GPC service and then restart the domain controller you are using.
D. Restart either Certkiller -DC01 or Certkiller -DC02 in Directory Services Restore
Mode.
Perform an authoritative restore operation of the Domain Controllers OU in Active
Directory by using the most recent backup available before you made changes.
Restart the domain controller you are using.

Answer: A

Explanation: The default domain group policy object is disabling the Administrator
accounts. When you restart a domain controller in safe mode, the group policy isn't
applied, so the administrator account isn't disabled. You need to start the computer
in Safe Mode with Networking. This will enable you to access Active Directory
Users and Computers. You can't modify existing objects, but you can create a new
administrative account. Then you can reboot in normal mode, log on using the
new administrative account, and use that account to remove the restrictions on the
local Administrator accounts.
Incorrect Answers:
B: It is not necessary to restore the entire hard disk. Furthermore, this won't work,
because the GPO would replicate to the restored server and you'd be back to square one.
C: This will prevent all GPOs in the Group Policy Container (GPC) from being applied
and would constitute a serious security risk.
D: The default domain group policy would still apply to the restored domain controller
objects, so the administrator account will be disabled.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-4
to 10-12, 11-6

QUESTION 243:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain with two Active Directory sites
named Certkiller -S01 and Certkiller -S02 respectively. Both Active Directory
sites contain two member servers named Certkiller -SA04 and Certkiller -SA05.
Multiple domain controllers are located in Certkiller -S01, and one domain
controller is located in Certkiller -S02. All domain controllers have a similar
hardware configuration, consisting of a single processor and a hard disk. All
domain controllers are backed up on a daily basis.
On the domain controller located in Certkiller -S02, you create new user accounts.
You discover that the hard disk on this domain controller has failed. To resolve the
issue, you install a new hard disk on the failed domain controller, and then use the
most recent available backup to restore the domain controller. You find that the
new user accounts which you have created on the domain controller have gone
missing. You must manually recreate each user account that was lost.
What should you do next to ensure that data loss in Active Directory will be
minimized in the event of hard disk failures?

A. Configure one of the member servers as an additional domain controller in
Certkiller -S02.
B. Install an additional hard disk in each of the domain controllers, and then move the
Active Directory log files to the new installed hard disk.
C. Install an additional hard disk in each of the domains and then move the Active Directory
database file to the new installed hard disk.
D. Configure a new site link between Certkiller -S01 and Certkiller -S02.

Answer: A

Explanation: To ensure redundancy in the Certkiller -S02 site in the event of a
failure to the domain controller, we should add another domain controller to the
site. We could do this by promoting one of the member servers in the
Certkiller -S02 site to a domain controller.
Incorrect Answers:
B, C: The placement of the Active Directory log files or database will not ensure that the
Active Directory information is available should the new hard drives fail.
D: Creating a new site link will not ensure redundancy in the Certkiller -S02 site
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-19
to 2-26

QUESTION 244:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains one forest root
domain named Certkiller .com and two child domains named us. Certkiller .com and
uk. Certkiller .com. The functional level of the forest is set at Windows 2000 native.
A Windows 2000 domain controller named Certkiller -DC01 resides on the
Certkiller .com domain. Certkiller -DC01 is currently running Service Pack 4 or
later. You take Certkiller -DC01 offline and remove all associations to
Certkiller -DC01 from the Configuration container within Active Directory. You
then upgrade all other domain controllers on the network to Windows Server 2003
and raise the functional level of the Active Directory forest to Windows Server 2003.
You must now deploy and integrate Certkiller -DC01 into your updated Active
Directory forest structure. You want to deploy Certkiller -DC01 as an additional
domain controller of the us. Certkiller .com domain.
What should you do to achieve your goal in these circumstances?

A. Upgrade Certkiller -DC01 to Windows Server 2003. Add the computer account for
Certkiller -DC01 to the Computers container of the us. Certkiller .com domain.
B. Run the dcpromo /forceremoval command to demote Certkiller -DC01 to a Windows 2000
member server. Upgrade Certkiller -DC01 to a Windows Server 2003 member server.
Run the dcpromo command to promote Certkiller -DC01 to be a new domain
controller on the us. Certkiller .com domain.
C. Run the dcpromo /forceremoval command to demote Certkiller -DC01 to a
Windows 2000 member server. Add the computer account of Certkiller -DC01 to the
Domain Controllers organizational unit (OU) of the us. Certkiller .com domain.
D. Upgrade Certkiller -DC01 to Windows Server 2003. Add the computer account of
Certkiller -DC01 to the Domain Controllers organizational unit (OU) of the
us. Certkiller .com domain.

Answer: B

Explanation: Once the forest functional level is raised to Windows Server 2003, you
cannot add a Windows 2000 domain controller to the forest. We would need to
upgrade the Windows 2000 domain controller to Windows Server 2003. However,
we must first demote the Windows 2000 domain controller and then upgrade it to
Windows Server 2003. Add it to the network and then promote it.
Incorrect Answers:
A, D: If we upgrade the Windows 2000 domain controller to Windows Server 2003 while
it is disconnected from the network, the upgraded computer will assume that it is the first
domain controller for the domain. It will then hold the RID, Global Catalog and Schema
Master roles. This will cause a conflict when we eventually add the domain controller to
the network.
C: Once the forest functional level is raised to Windows Server 2003, you cannot add a
Windows 2000 server to the forest.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-24
to 4-37

QUESTION 245:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains six domains and
over 25 remote sites located in various cities worldwide. The functional level of each
domain is set at Windows 2000 native. Each domain contains over 45,000 users.
Unreliable 56-Kbps WAN connections currently connect each remote site to the
Certkiller .com network. Each remote site has one or more domain controllers and
one global catalog server. All domain controllers run Windows Server 2003.
You plan to install new Active Directory-enabled applications on the Certkiller .com
network. Each of the applications will either be changing the existing attributes in
the global catalog, or will be adding new attributes to the global catalog. You are
planning to perform all these changes during off-peak times.
You must change the existing Active Directory infrastructure to ensure that it is
prepared for the modifications that you are planning to make. You want to
minimize any possible network disruption that could result from installing these
new applications. Your Active Directory infrastructure modifications must not
disrupt user access to resources.
What should you do to achieve your goal in these circumstances?

A. Decrease the tombstone lifetime attribute's setting in the Active Directory Schema
NTDS-Service object class.
B. Remove the global catalog server role from the global catalog servers in each of the
remote sites.
C. Raise the functional level of the Active Directory forest to Windows Server 2003.
D. Configure universal group membership caching in each of the remote sites.

Answer: C

Explanation: To prepare for the new applications the best option is to raise the forest
functional level. This will enable us to deactivate any incorrectly defined schema class, and
create DNS and Active Directory partitions for the new applications.
Domain controllers running Windows Server 2003 do not permit the deletion of classes
or attributes, but they can be deactivated if they are no longer needed or if there was an
error in the original definition. A deactivated class or attribute is considered defunct. A
defunct class or attribute is unavailable for use; however, it is easily reactivated.
If your forest has been raised to the Windows Server 2003 functional level, you can reuse
the object identifier (governsId and attributeId values), the ldapDisplayName, and the
schemaIdGUID that were associated with the defunct class or attribute. This allows you
to change the object identifier associated with a particular class or attribute.
If your forest has been raised to the Windows Server 2003 functional level, you can
deactivate a class or attribute and then redefine it.
Incorrect Answers:
A: The tombstone lifetime is the number of days that a deleted object remains in
Active Directory as a tombstone before it is permanently removed. The garbage collector
runs every 12 hours on each domain controller to remove objects whose tombstone
lifetimes have expired. However, we are not deleting Active Directory objects in this
scenario.
B: The sites are linked to the company network through unreliable WAN connections.
Removing the global catalog from these sites will result in logon problems for users and
will disrupt the application's access to Active Directory.

Actualtests.com - The Power of Knowing


070-294

D: Universal group membership caching can be used to improve logon times for users. It
will not affect the application's access to Active Directory.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C. A. Callahan & Lisa Justice,
Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 1539

QUESTION 246:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains one domain named
Certkiller .com. The functional level of the forest is set at Windows Server 2003.
Certkiller .com recently bought a new company named SoftwareTesting. The
SoftwareTesting network consists of a single Active Directory forest that contains a
root domain named softwaretesting.com and a child domain named
us.softwaretesting.com. The functional level of the forest is set at Windows Server
2003 and the functional level of the domain is set at Windows 2000 native.
You have been tasked with removing the us.softwaretesting.com domain. You must
move all user accounts from the us.softwaretesting.com domain to the Certkiller .com
domain, and must ensure that all users in the us.softwaretesting.com can log on to
the Certkiller .com domain. Users must be able to use their current user names and
passwords to log on to the Certkiller .com domain.
You plan to use the Active Directory Migration Tool to move the user accounts from
us.softwaretesting.com to the Certkiller .com domain. You want to make all required
changes without modifying any permissions and logon scripts for all other users.
How will you accomplish the task?

A. Create a two-way Windows Server 2003 external trust relationship between the
Certkiller .com domain and the us.softwaretesting.com domain.
B. Create a one-way Windows Server 2003 external trust relationship in which the
Certkiller .com domain trusts the us.softwaretesting.com domain.
C. Create a temporary two-way external trust relationship between the Certkiller .com
domain and the us.softwaretesting.com domain.
D. Create a temporary one-way external trust relationship in which the
us.softwaretesting.com domain trusts the Certkiller .com.

Answer: C

Explanation: To use ADMT, we need a two-way trust between the Certkiller .com
domain and the us.softwaretesting.com domain.
Incorrect Answers:
A: This would enable users in softwaretesting.com to log on to Certkiller .com and users in
Certkiller .com to log on to softwaretesting.com.
B: This would enable users in softwaretesting.com to log on to the Certkiller .com domain.
D: The trust must be a two-way trust.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 618, 619-621,
629-641

QUESTION 247:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains one domain named
Certkiller .com. The functional level of the domain is set at Windows Server 2003. A
file server named Certkiller -SR21 is located on the Certkiller .com domain.
Certkiller .com owns a subsidiary company named TestQueen.com. The
TestQueen.com network consists of a single Windows NT 4.0 domain named
testqueen.com.
Users in both the Certkiller .com and testqueen.com domains must be able to save files
on Certkiller -SR21. You must perform the configurations that will enable users in
the testqueen.com domain to access files on Certkiller -SR21. No domain
administrators of the testqueen.com domain should be able to grant users in the
Certkiller .com domain permissions to servers on the testqueen.com domain.
What should you do next?

A. Upgrade the testqueen.com domain to Windows Server 2003 and then configure this
domain as the root domain of a second tree in the existing forest.
B. Upgrade the testqueen.com domain to Windows Server 2003 and then configure this
domain as the root domain of a new forest. Create a two-way forest trust relationship.
C. Create a one-way external trust relationship in which the Certkiller .com domain trusts
the testqueen.com domain.
D. Create a one-way external trust relationship in which the testqueen.com domain trusts
the Certkiller .com domain.

Answer: C

Explanation:
Users in the testqueen.com domain need to access resources on Certkiller -SR21 in
the Certkiller .com domain. Users in the Certkiller .com domain do not need access to
resources in the testqueen.com domain. Therefore, we need a one-way external trust
relationship in which the Certkiller .com domain trusts the testqueen.com domain.
Incorrect Answers:
A: It is not necessary to upgrade the testqueen.com domain. Furthermore, this solution
would enable users in the Certkiller .com domain to access resources in the testqueen.com
domain (testqueen.com administrators could grant permissions to the Certkiller .com users
to access resources).
B: It is not necessary to upgrade the testqueen.com domain. Furthermore, this solution
would enable users in the Certkiller .com domain to access resources in the testqueen.com
domain (testqueen.com administrators could grant permissions to the Certkiller .com users
to access resources).
D: This solution would enable users in the Certkiller .com domain to access resources in the
testqueen.com domain (testqueen.com administrators could grant permissions to the
Certkiller .com users to access resources), but users in the testqueen.com domain would not
be able to access resources on Certkiller -SR21 (in the Certkiller .com domain).
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-41
to 4-48

QUESTION 248:

You work as the network administrator at Certkiller .com. The Certkiller .com
company consists of two subsidiary companies named TestQueen.com and
TestSon.com. The Certkiller .com network consists of two Active Directory forests
named testqueen.com and testson.com. The functional level of both of the forests is
set at Windows Server 2003. There is a two-way forest trust relationship configured
between the forests.
You must ensure that all users in the testqueen.com domain can access resources on
the testson.com domain. You must also ensure that all users in the testson.com
domain can access only those resources on a server named Certkiller -SR03 in the
testqueen.com domain.
How should the forest trust relationship and network be configured to accomplish
these tasks?
Choose three actions that you should perform to accomplish these tasks. Each
correct answer presents only part of the solution.

A. On a domain controller in the testqueen.com forest, configure the properties of the
incoming forest trust relationship to use selective authentication.
B. On a domain controller in the testqueen.com forest, configure the properties of the
incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the testson.com forest, configure the properties of the
incoming forest trust relationship to use selective authentication.
D. On a domain controller in the testson.com forest, configure the properties of the
incoming forest trust relationship to use forest-wide authentication.
E. Change the discretionary access control lists (DACLs) on Certkiller -SR03 to allow
access to the Other Organization security group.
F. Change the discretionary access control lists (DACLs) on Certkiller -SR03 to deny
access to the This Organization security group.

Answer: A, D, E

Explanation: When all domains in two forests trust each other and need to
authenticate users, establish a forest trust between the forests. When only some of
the domains in two Windows Server 2003 forests trust each other, establish one-way
or two-way external trusts between the domains that require interforest
authentication.
Using Active Directory Domains and Trusts, you can determine the scope of
authentication between two forests that are joined by a forest trust. You can set selective
authentication differently for outgoing and incoming forest trusts. With selective trusts,
administrators can make flexible forest-wide access control decisions.
If you use forest-wide authentication on an incoming forest trust, users from the outside
forest have the same level of access to resources in the local forest as users who belong to
the local forest.
Incorrect Answers:
B: If you use forest-wide authentication on an incoming forest trust, users from the
outside forest have the same level of access to resources in the local forest as users who
belong to the local forest. However, users in the testson.com forest must be able to access
only resources on a server named Certkiller -SR03. We should therefore use selective
authentication on the incoming trust in the testqueen.com forest, which is the trust that
testson.com users cross to reach testqueen.com resources.
C: Users in the testqueen.com forest must be able to access all resources in the
testson.com forest, in other words, they need forest-wide access.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-48
to 4-49
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, p. 254

QUESTION 249:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain, with five Active Directory
sites that are located in various cities. The sites have been configured to comply with
Certkiller .com's site configuration design policy. The Certkiller .com network and
Active Directory site configuration is shown in the exhibit.

The Certkiller .com's updated site configuration design policy stipulates that site link
bridges must be configured. The site links that connect Certkiller -S01,
Certkiller -S02, and Certkiller -S03 must be transitive. All other site links must
be nontransitive.
How must you configure the site link bridges to meet the requirements of the
updated site configuration design policy?
Choose the action or actions you should perform. Choose all answers that apply.

A. Access the IP object properties and disable automatic site link bridging.
B. Configure new site links between each of the five Active Directory sites.
C. Remove each of the five sites from the default site link.
D. Create a new site link bridge and then add the site links connecting Certkiller -S01,
Certkiller -S02, and Certkiller -S03 to that site link bridge.
E. Create a new link bridge and then add the site links connecting Certkiller -S03,
Certkiller -S04, and Certkiller -S05 to that site link bridge.

Answer: A, C, D.

Explanation:
A: We must disable automatic site link bridging in the IP object properties to prevent all
site links from being transitive.
C: The exhibit suggests this has already been done: at least some of the sites have been
removed from the default site link, and site links have been added manually. We should
still do this to be sure.
D: The design requires the site links connecting Certkiller -S01, Certkiller -S02, and
Certkiller -S03 to be transitive. Therefore, we should create a new site link bridge and
add the site links connecting Certkiller -S01, Certkiller -S02, and Certkiller -S03 to
the site link bridge.
Incorrect Answers:
B: This would mean that every site is connected to each of the other sites.
E: This would make the site links connecting Certkiller -S03, Certkiller -S04, and
Certkiller -S05 transitive.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 449-452, 458,
458-459
MS Windows Server 2003 Deployment Kit: Designing and Deploying Directory and
Security Services: Setting Site Link Properties
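
The transitivity decision in this question, worked through as an added example. This is illustrative code written for this page, not Microsoft's KCC or anything from the cited books. Because the exhibit is not reproduced here, the topology is an assumption: the five sites are taken to be chained S01-S02-S03-S04-S05 with one site link per adjacent pair. The model computes which site pairs the KCC may route replication between under three settings: automatic bridging left on (every site link transitive), automatic bridging off with the answer D bridge, and automatic bridging off with the answer E bridge.

```python
"""Which Active Directory site pairs can be routed for intersite replication.

Added example (not from the page or from Microsoft). Assumption: the five
sites form a chain S01-S02-S03-S04-S05, one site link per adjacent pair.
"""
from itertools import combinations


def _components(sites, edges):
    """Connected components of `sites` under `edges` (each edge is a set of sites)."""
    parent = {s: s for s in sites}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for members in edges:
        members = list(members)
        for m in members[1:]:
            parent[find(m)] = find(members[0])
    groups = {}
    for s in sites:
        groups.setdefault(find(s), set()).add(s)
    return list(groups.values())


def routable_pairs(site_links, bridge_all, bridges=()):
    """Unordered site pairs between which intersite replication can be routed.

    site_links: {link name: set of member sites}
    bridge_all: the transport's 'Bridge all site links' setting
    bridges:    manual site link bridges, each a set of link names
    """
    sites = set().union(*site_links.values())
    pairs = set()

    def add_all(group):
        for a, b in combinations(sorted(group), 2):
            pairs.add(frozenset((a, b)))

    # Sites that share a site link can always replicate with each other.
    for members in site_links.values():
        add_all(members)

    if bridge_all:
        # Every site link is transitive, so any chain of links is a route.
        for comp in _components(sites, site_links.values()):
            add_all(comp)
    else:
        # Only links inside the same bridge are transitive with one another.
        for bridge in bridges:
            linked = [site_links[name] for name in bridge]
            for comp in _components(set().union(*linked), linked):
                add_all(comp)
    return pairs


def can_route(pairs, a, b):
    """True if replication between sites a and b can be routed directly."""
    return frozenset((a, b)) in pairs


# Constructed topology (assumption): S01-S02-S03-S04-S05 in a chain.
SITE_LINKS = {
    "S01-S02": {"S01", "S02"},
    "S02-S03": {"S02", "S03"},
    "S03-S04": {"S03", "S04"},
    "S04-S05": {"S04", "S05"},
}
ANSWER_D_BRIDGE = [{"S01-S02", "S02-S03"}]   # the bridge required by the policy
ANSWER_E_BRIDGE = [{"S03-S04", "S04-S05"}]   # answer E, shown for contrast


if __name__ == "__main__":
    default = routable_pairs(SITE_LINKS, bridge_all=True)
    policy = routable_pairs(SITE_LINKS, bridge_all=False, bridges=ANSWER_D_BRIDGE)
    print("all links bridged: S01<->S05 routable =", can_route(default, "S01", "S05"))
    print("policy:            S01<->S03 routable =", can_route(policy, "S01", "S03"))
    print("policy:            S03<->S05 routable =", can_route(policy, "S03", "S05"))
```

With automatic bridging on, every pair of the five sites is routable, which is why answer A is needed before a manual bridge has any effect; with it off and only the answer D bridge defined, S01 reaches S03 through the bridge while S03 and S05 remain separated by nontransitive links.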

QUESTION 250:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com with two
Active Directory sites configured. Each Active Directory site has two domain
controllers named Certkiller -DC01 and Certkiller -DC02 respectively. One
domain controller in each of the sites is configured as a global catalog server.
You deploy another domain controller named Certkiller -DC03, which is equipped
with a faster processor, in each site. The new Certkiller .com administration policy
states that Active Directory replication should be handled by the servers that are
equipped with the faster, most powerful CPUs in each site.
How will you accomplish the task of configuring intersite replication to meet the
requirements of new Certkiller .com administration policy?

A. Configure each of the new domain controllers as global catalog servers.
B. Configure each of the new domain controllers as a preferred bridgehead server for IP
transport.
C. Configure each of the new domain controllers as a preferred bridgehead server for
SMTP transport.
D. Configure an additional IP site link between the two sites, and then assign a lower site
link cost to this new site link than the site link cost for the initial site link.

Answer: B

Explanation:
Directory information is replicated both within and among sites. Active Directory
replicates information within a site more frequently than across sites. This balances the
need for up-to-date directory information with the limitations imposed by available
network bandwidth.
You can customize how Active Directory replicates information using site links to
specify how your sites are connected. Active Directory uses the information about how
sites are connected to generate Connection objects that provide efficient replication and
fault tolerance.
You provide information about the cost of a site link; times when the link is available for
use and how often the link should be used. Active Directory uses this information to
determine which site link will be used to replicate information. Customizing replication
schedules so replication occurs during specific times, such as when network traffic is
low, will make replication more efficient.
Ordinarily, all domain controllers are used to exchange information between sites, but
you can further control replication behavior by specifying a bridgehead server for
inter-site replicated information. A bridgehead server is dedicated for inter-site
replication. You can also establish a bridgehead server when your deployment uses proxy
servers, such as for sending and receiving information through a firewall.
Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory
objects in a tree or forest. The domain controller that holds a copy of the global catalog is
called a global catalog server. The global catalog enables a user to log on to a network by
providing universal group membership information to a domain controller when a logon
process is initiated, and enables finding directory information regardless of which domain
in the forest actually contains the data. It does not control replication.
C: You can use either IP or SMTP as the protocol for replication traffic. However, SMTP
replication requires an Enterprise Certification Authority (ECA) because Public Key
encryption and certificates are used to verify identity of domain controllers and provide
digital signatures.
D: We can control the flow of replication traffic by creating a new site link with a lower
cost. Replication will then occur across the site link with the lower cost. However, this
option does not specify that the new site link must be between the new Certkiller -DC03
domain controllers in the two sites.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 6, pp.
453-455
MS Windows Server 2003 Deployment Kit - Designing and Deploying Directory and
Security Services - Active Directory Replication Concepts

QUESTION 251:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com, with
three sites named CK-SITE01, CK-SITE02, and CK-SITE03 respectively.
Each site consists of three Windows Server 2003 domain controllers, with one
domain controller configured as the preferred bridgehead server. All sites and site
links use CK-SITE02 to connect to CK-SITE01 and CK-SITE03. Administrators in
CK-SITE01 create all user accounts and all group accounts. Certkiller .com is
expanding its business, with the result that new users are employed to work in
CK-SITE02.
One morning new users in CK-SITE02 complain that they cannot log on to the
Certkiller .com network. Each logon attempt fails. You verify that the user accounts
of these employees have been created and exist in CK-SITE01 and
CK-SITE02. After investigating the issue further, you find that the bridgehead
server in CK-SITE02 has failed.
You must repair the bridgehead server and then verify that Active Directory
replication is occurring successfully to CK-SITE02. You also want to ensure that a
failure of a single domain controller in any site does not have an impact on Active
Directory replication between the sites.
What should you do to achieve your goal in these circumstances? Choose two
complete solutions. Each correct answer presents a complete solution to achieving
your goal.

A. Create an IP site link between CK-SITE01 and CK-SITE03.
B. In each site, configure two domain controllers as preferred IP bridgehead servers.
C. In each site, configure two domain controllers as preferred SMTP bridgehead servers.
D. Configure each site so that it has no preferred bridgehead servers.
E. Configure an SMTP site link between each of the sites, and then assign a cost of 200
to the SMTP site link.

Answer: B, D

Explanation: Directory information is replicated both within and among sites.
Active Directory replicates information within a site more frequently than across
sites. This balances the need for up-to-date directory information with the
limitations imposed by available network bandwidth.
You customize how Active Directory replicates information by using site links to specify
how your sites are connected. Active Directory uses the information about how sites are
connected to generate Connection objects that provide efficient replication and fault
tolerance. Active Directory uses this information to determine which site link will be
used to replicate information. Customizing replication schedules so replication occurs
during specific times, such as when network traffic is low, will make replication more
efficient.
You can further control replication behavior by specifying a bridgehead server for
inter-site replicated information. The bridgehead server is a specific server you want to
dedicate for inter-site replication, rather than using any server available. You can also
establish a bridgehead server when your deployment uses proxy servers, such as for
sending and receiving information through a firewall.
Incorrect Answers:
A: CK-SITE01 is linked to CK-SITE03 through CK-SITE02. Adding a direct site link between
CK-SITE01 and CK-SITE03 creates an alternative path for replication between
CK-SITE01 and CK-SITE03. This does not, however, address redundancy for CK-SITE02.
C, E: You can use either IP or SMTP as the protocol for replication traffic. However,
SMTP replication requires an Enterprise Certification Authority (ECA) because Public
Key encryption and certificates are used to verify identity of domain controllers and
provide digital signatures.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-21
to 1-24, 5-3 to 5-8, 5-25 to 5-37

QUESTION 252:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Certkiller .com has its headquarters in Chicago and a branch office in Dallas. Each
office is configured as an Active Directory site, and the branch office is connected to
the Chicago headquarters by a 256Kbps WAN connection. The Chicago
headquarters contains two domain controllers named Certkiller -DC01 and
Certkiller -DC02. The Dallas branch office also contains two domain controllers
named Certkiller -DC03 and Certkiller -DC04.
You plan to install two new servers named Certkiller -DC05 and
Certkiller -DC06 on the Certkiller .com network. You plan to install
Certkiller -DC05 in the Chicago headquarters and Certkiller -DC06 in the
Dallas branch office. You want to configure intersite replication to move through
these new servers so that overall network performance is improved.
What should you do next?

A. Configure Certkiller -DC05 and Certkiller -DC06 as global catalog servers.
B. Configure Certkiller -DC05 and Certkiller -DC06 as a preferred bridgehead server
for the IP transport.
C. Configure Certkiller -DC05 and Certkiller -DC06 as a preferred bridgehead server
for the SMTP transport.
D. Use the Active Directory Sites and Services console to configure an additional IP site
link between the two Active Directory sites.
Assign a lower site link cost to this site link than the site link cost of the initial site link.

Answer: B

Explanation: Directory information is replicated both within and among sites.
Active Directory replicates information within a site more frequently than across
sites. This balances the need for up-to-date directory information with the
limitations imposed by available network bandwidth.
You customize how Active Directory replicates information by using site links to specify
how your sites are connected. Active Directory uses the information about how sites are
connected to generate Connection objects that provide efficient replication and fault
tolerance. Active Directory uses this information to determine which site link will be
used to replicate information. Customizing replication schedules so replication occurs
during specific times, such as when network traffic is low, will make replication more
efficient.
You can further control replication behavior by specifying a bridgehead server for
inter-site replicated information. The bridgehead server is a specific server you want to
dedicate for inter-site replication, rather than using any server available. You can also
establish a bridgehead server when your deployment uses proxy servers, such as for
sending and receiving information through a firewall.
Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory
objects in a tree or forest. The domain controller that holds a copy of the global catalog is
called a global catalog server. The global catalog enables a user to log on to a network by
providing universal group membership information to a domain controller when a logon
process is initiated, and enables finding directory information regardless of which domain
in the forest actually contains the data. It does not control replication.
C: You can use either IP or SMTP as the protocol for replication traffic. However, SMTP
replication requires an Enterprise Certification Authority (ECA) because Public Key
encryption and certificates are used to verify identity of domain controllers and provide
digital signatures.
D: We can control the flow of replication traffic by creating a new site link with a lower
cost. Replication will then occur across the site link with the lower cost. However, this
option does not specify that the new site link must be between Certkiller -DC05 and
Certkiller -DC06.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 6, pp.
453-455
MS Windows Server 2003 Deployment Kit - Designing and Deploying Directory and
Security Services - Active Directory Replication Concepts

QUESTION 253:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com with three
sites named CK-SITE01, CK-SITE02, and CK-SITE03 respectively.
The site links are currently configured to connect CK-SITE01 and CK-SITE03
through CK-SITE02. Network administrators at CK-SITE01 configure all user
accounts and group accounts.
The following table illustrates the current site link configuration.

One morning users at CK-SITE03 complain that it takes over a day for
modifications made to Active Directory at CK-SITE01 to appear in the domain at
CK-SITE03.
What should you do next so that modifications made to Active Directory at
CK-SITE01 between 8:00 P.M. and 6:00 A.M. appear in the domain at CK-SITE03 at
8:00 A.M. the following day?

A. Change the replication interval for the site link between CK-SITE01 and CK-SITE02
to be 30 minutes.
B. Change the replication schedule for the site link between CK-SITE02 and CK-SITE03
to replicate between 6:00 P.M. and 1:00 A.M.
C. Change the site link cost between CK-SITE02 and CK-SITE03 so that it is 200.
D. Change the replication schedule for the site link between CK-SITE01 and CK-SITE02
to replicate between 9:00 P.M. and 2:30 A.M.

Answer: D

Explanation: In this scenario, when an administrator in CK-SITE01 makes a
change to Active Directory, this information is replicated to CK-SITE02 between
1:00 A.M. and 6:00 A.M. the next morning. This information is then replicated to
CK-SITE03 between 8:00 P.M. and 1:00 A.M. that evening. Users in CK-SITE03 will
thus see the changes only when they start work the morning after that.
We should change the replication schedule for the site link between CK-SITE01 and
CK-SITE02 to occur earlier. Then, when an administrator in CK-SITE01 makes a change
to Active Directory, this information is replicated to CK-SITE02 between 9:00 P.M. and
2:30 A.M. that same evening. This information is then replicated to CK-SITE03 between 8:00
P.M. and 1:00 A.M. Users in CK-SITE03 will then see the changes when they start work
the next morning.
Incorrect Answers:
A: Replication is configured to occur on a schedule. Reducing the replication interval
will thus not resolve this problem.
B: When an administrator in CK-SITE01 makes a change to Active Directory, this
information is replicated to CK-SITE02 between 1:00 A.M. and 6:00 A.M the next
morning. If this information is then replicated to CK-SITE03 between 6:00 P.M. and 1:00
A.M that evening, users in CK-SITE03 will still see the changes only when they start
work the following morning.
C: Site link costs influence the path along which replication occurs when we have
redundant links. In this case, CK-SITE01 is connected to CK-SITE03 through
CK-SITE02. There are thus no alternative or redundant links.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to
5-8
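
The schedule reasoning in this explanation, carried through as an added example. This is illustrative code written for this page, not from Microsoft or the cited training kit. It models each site link's schedule as a daily window of hours (a window whose end is earlier than its start wraps past midnight) and assumes that a change crosses a link as soon as the window is open, ignoring the replication interval inside the window. The schedules are the ones stated in the explanation; the change time of 10:00 P.M. is a constructed sample.

```python
"""Propagating an Active Directory change through scheduled site links.

Added example (not from the page, Microsoft, or the cited book). Assumption: a
change crosses a link at the first minute its schedule window is open; the
replication interval within the window is ignored.
"""
from datetime import datetime, timedelta

# Schedules from the explanation above (24-hour clock, fractional hours allowed).
CURRENT_SCHEDULE = [
    ("CK-SITE01 -> CK-SITE02", (1.0, 6.0)),    # 1:00 A.M. to 6:00 A.M.
    ("CK-SITE02 -> CK-SITE03", (20.0, 1.0)),   # 8:00 P.M. to 1:00 A.M. (wraps)
]
OPTION_B_SCHEDULE = [                          # second hop moved to 6:00 P.M.
    ("CK-SITE01 -> CK-SITE02", (1.0, 6.0)),
    ("CK-SITE02 -> CK-SITE03", (18.0, 1.0)),
]
OPTION_D_SCHEDULE = [                          # first hop moved to 9:00 P.M.
    ("CK-SITE01 -> CK-SITE02", (21.0, 2.5)),   # 9:00 P.M. to 2:30 A.M. (wraps)
    ("CK-SITE02 -> CK-SITE03", (20.0, 1.0)),
]

# Constructed sample: an administrator in CK-SITE01 changes an object at 10 P.M.
SAMPLE_CHANGE = datetime(2024, 1, 1, 22, 0)


def window_is_open(t, window):
    """True if the time of day of t falls inside the daily schedule window."""
    start, end = window
    tod = t.hour + t.minute / 60.0
    if start < end:
        return start <= tod < end
    return tod >= start or tod < end        # window wraps past midnight


def next_open(t, window, limit_hours=48):
    """First minute at or after t when the window is open."""
    cur = t.replace(second=0, microsecond=0)
    for _ in range(limit_hours * 60):
        if window_is_open(cur, window):
            return cur
        cur += timedelta(minutes=1)
    raise ValueError("schedule never opens within %d hours" % limit_hours)


def propagate(change_time, schedule):
    """Walk the change hop by hop and return when it reaches the last site."""
    t = change_time
    for _link_name, window in schedule:
        t = next_open(t, window)
    return t


def first_visible_morning(t):
    """The next 8:00 A.M. at or after t, when CK-SITE03 users start work."""
    morning = t.replace(hour=8, minute=0, second=0, microsecond=0)
    if morning < t:
        morning += timedelta(days=1)
    return morning


def visible_next_morning(change_time, schedule):
    """True if the change reaches CK-SITE03 by the first 8:00 A.M. after it was made."""
    return propagate(change_time, schedule) <= first_visible_morning(change_time)


if __name__ == "__main__":
    for name, sched in (("current", CURRENT_SCHEDULE),
                        ("option B", OPTION_B_SCHEDULE),
                        ("option D", OPTION_D_SCHEDULE)):
        arrival = propagate(SAMPLE_CHANGE, sched)
        print("%-9s arrives at CK-SITE03 %s, users see it %s"
              % (name, arrival, first_visible_morning(arrival)))
```

Under the current schedule the 10 P.M. change waits for the 1:00 A.M. window into CK-SITE02 and then for the 8:00 P.M. window into CK-SITE03, so users see it two mornings later; option B shifts the second window but the change still misses it; option D lets both hops happen the same evening.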

QUESTION 254:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com with six
sites configured. The site configuration is shown in the exhibit.

You discover that the current site link connecting CK-SITE03 and CK-SITE04
experiences over 80 percent utilization during normal operational hours. This
network bandwidth is required for a mission-critical business application.
You must configure the network so that Active Directory replication has no impact
on this mission-critical business application. You also want to ensure that
replication traffic no longer moves over the site link connecting CK-SITE03 and
CK-SITE04 during normal operational hours. Your solution must not prevent
replication over all other site links from occurring at least every three hours
during the day.
What should you do to achieve your goal in these circumstances?

A. Modify the replication schedule for the site link connecting CK-SITE03 and
CK-SITE04 to replicate only during non-business hours.
B. Disable automatic site link bridging.
Create a site link bridge that bridges the site links connecting CK-SITE01, CK-SITE02,
and CK-SITE03.
Create a site link bridge that bridges the site links connecting CK-SITE04, CK-SITE05,
and CK-SITE06.
C. Configure a domain controller in CK-SITE03 and a domain controller in CK-SITE04
as the preferred bridgehead servers.
D. Modify the site link cost between CK-SITE03 and CK-SITE04 so that it is 1,000.
Change the other site link costs to 100.

Answer: A

Explanation: In Active Directory, the replication process ensures that changes made to a
replica on one domain controller are synchronized to replicas on all other domain
controllers within the domain. Creating, modifying, moving, or deleting an object
triggers replication between domain controllers. Active Directory replicates information
in two ways: intrasite (within a site) and intersite (between sites). This means that if you
configure the replication schedule between CK-SITE03 and CK-SITE04 to be during
non-business hours, then you will ensure that replication traffic does not cross the
network connection during business hours.
Incorrect Answers:
B: Replication needs to occur between CK-SITE03 and CK-SITE04. Disabling automatic
site link bridging will not prevent this.
C: This will limit replication to occur only between these two servers. However, we must
prevent replication from occurring during business hours.
D: When we have redundant links, we can use site link costs to determine which links are
used for replication traffic. However, there is no alternative route between CK-SITE03
and CK-SITE04.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 449-452, 458,
458-459.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5: 4,
10
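The cost and schedule reasoning above can be checked with a small model. The following Python is an added example written for this edit, not code from the exam or from either referenced book: it runs a shortest-path search over the site links, which is how the Inter-Site Topology Generator picks a route when automatic site link bridging is on, and it models the replication window of a site link. The chain topology, the costs, the link names and the 08:00-18:00 business-hours window are assumptions; only the six site names come from the question.

```python
import heapq
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# A site link is (name, cost, sites it connects). Constructed topology for the
# question: a chain with exactly one link between CK-SITE03 and CK-SITE04.
SiteLink = Tuple[str, int, FrozenSet[str]]

CHAIN: List[SiteLink] = [
    ("SITE01-SITE02", 100, frozenset({"CK-SITE01", "CK-SITE02"})),
    ("SITE02-SITE03", 100, frozenset({"CK-SITE02", "CK-SITE03"})),
    ("SITE03-SITE04", 100, frozenset({"CK-SITE03", "CK-SITE04"})),
    ("SITE04-SITE05", 100, frozenset({"CK-SITE04", "CK-SITE05"})),
    ("SITE05-SITE06", 100, frozenset({"CK-SITE05", "CK-SITE06"})),
]


def with_cost(links: List[SiteLink], name: str, cost: int) -> List[SiteLink]:
    """Return a copy of the topology with one site link's cost changed."""
    return [(n, cost if n == name else c, s) for n, c, s in links]


def build_graph(links: List[SiteLink]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Adjacency list: site -> [(neighbour, cost, link name)]. With automatic
    site link bridging (the default) routes are transitive across links, so a
    shortest-path search over this graph models the ISTG's route choice."""
    graph: Dict[str, List[Tuple[str, int, str]]] = {}
    for name, cost, sites in links:
        for a in sites:
            for b in sites:
                if a != b:
                    graph.setdefault(a, []).append((b, cost, name))
    return graph


def cheapest_route(links: List[SiteLink], src: str, dst: str
                   ) -> Optional[Tuple[int, List[str], List[str]]]:
    """Dijkstra over the site graph. Returns (total cost, sites on the path,
    site links used) or None when the two sites are not connected."""
    graph = build_graph(links)
    dist = {src: 0}
    prev: Dict[str, Tuple[str, str]] = {}      # site -> (previous site, link)
    heap = [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist.get(site, float("inf")):
            continue                            # stale heap entry
        for nxt, cost, link in graph.get(site, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = (site, link)
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None
    sites, used = [dst], []
    while sites[-1] != src:
        prev_site, link = prev[sites[-1]]
        sites.append(prev_site)
        used.append(link)
    return dist[dst], sites[::-1], used[::-1]


def non_business_schedule(start: int = 8, end: int = 18) -> Set[Tuple[int, int]]:
    """Replication window as a set of (weekday, hour) slots, Monday = 0. The
    business-hours range is an assumption; AD itself stores the schedule as
    15-minute slots on the siteLink object."""
    return {(d, h) for d in range(7) for h in range(24)
            if not (d < 5 and start <= h < end)}


def replication_allowed(schedule: Set[Tuple[int, int]], weekday: int, hour: int) -> bool:
    """True when the site link schedule permits replication in that hour."""
    return (weekday, hour) in schedule


if __name__ == "__main__":
    print(cheapest_route(CHAIN, "CK-SITE03", "CK-SITE04"))
    print(cheapest_route(with_cost(CHAIN, "SITE03-SITE04", 1000), "CK-SITE03", "CK-SITE04"))
    sched = non_business_schedule()
    print(replication_allowed(sched, 0, 10), replication_allowed(sched, 0, 22))
```

Raising the cost of SITE03-SITE04 to 1,000 (answer D) leaves the route unchanged because it is the only path; the cost only matters once a second link between the two sites exists. The schedule (answer A) is the only lever here that keeps traffic off the link during the business-hours slots.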

QUESTION 255:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains three domains
named Certkiller .com, us. Certkiller .com and uk. Certkiller .com. The functional level of
the forest is set at Windows Server 2003.
All domains contain Windows Server 2003 file and print servers that have computer
accounts contained in the default Computers container in their specific domains.
The central administration department administers the file server computer
accounts in each of the domains. Other administration departments administer the
print server computer accounts in a specific domain.
You must delegate authority to create a structure to support the file and print
server administration requirements. You start this task by creating the
organizational unit (OU) structure that will support the delegation of authority
requirements.
What should you do next?

A. Configure a top-level OU for all file server computer accounts under the Certkiller .com
domain.
Configure a top-level OU for all print server computer accounts under the Certkiller .com
domain.
B. Configure a top-level OU for all file server computer accounts under the Certkiller .com
domain.
Configure a top-level OU for all print server computer accounts under each domain.
C. Configure a top-level OU for all file server computer accounts under each domain.
Configure a top-level OU for all print server computer accounts under each domain.
D. Configure a top-level OU for all file server computer accounts under each domain.
Configure a child OU for all print server computer accounts under each file server OU.

Answer: C

Explanation: The central administration department administers the file server computer
accounts in all three domains, and a separate department in each domain administers the
print server computer accounts of that domain only. An OU cannot span domains, so each
domain needs its own top-level OU for file servers (delegated to the central department)
and its own top-level OU for print servers (delegated to that domain's department).
Incorrect Answers:
A, B: OUs cannot span domains, so an OU created in the Certkiller .com domain cannot hold
the computer accounts of us. Certkiller .com or uk. Certkiller .com. The structure must be
created in each domain.
D: Nesting the print server OU under the file server OU would let permissions delegated
on the file server OU flow down to the print servers, which the central department is not
responsible for. Two separate top-level OUs per domain are needed.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to
6-9, 6-16 to 6-23

QUESTION 256:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
functional level of the domain is set at Windows Server 2003.
Certkiller .com has headquarters in London and branch offices in Paris, Berlin,
Milan, Madrid, and Stockholm. All branch offices have their own computer
center that contains domain controllers and servers with an associated Active
Directory site. All domain controllers have computer accounts in the default
Domain Controllers organizational unit (OU). All other computer accounts are
located in the default Computers container.
A central IT department at the London headquarters manages all domain
controllers and resource servers in all branch offices. A local IT department exists
at each branch office. The local IT department manages all client computers within
its own branch office, and also performs backups on the servers in its own
computer center.
You want to use delegation of authority to meet the requirements for managing
computer accounts. You must create the necessary OU structure for computer
accounts to support your delegation of authority requirements. You also want to
minimize the amount of administrative effort required to maintain the OU
structure.
What should you do to achieve your goal in these circumstances?

A. Create a top-level OU under the Certkiller .com domain for each branch office.
Add the computer accounts of all computers in each branch office to the OU for that
specific branch office.
B. Create a top-level OU named HeadquartersComputers under the Certkiller .com domain.
Create a child OU for each branch office and place the child OUs under
HeadquartersComputers.

C. Add all of the client and resource server computer accounts of each branch office to
the proper child OU for that specific branch office.
D. Create a top-level OU named Certkiller Servers under the Certkiller .com domain.
Add the computer accounts of resource servers and the computer accounts of the domain
controllers in all offices to the Certkiller Servers OU.
Create another OU named Certkiller ClientComputers under the Certkiller .com domain.
Add the computer accounts of all client computers in all branch offices to the
Certkiller ClientComputers OU.
E. Create a top-level OU named Certkiller Servers under the Certkiller .com domain.
Create a separate child OU for each branch office under Certkiller Servers.
Place the computer accounts of all resource servers in each branch office in the proper
child OU for that specific branch office.
Create an OU named Certkiller ClientComputers under the Certkiller .com domain.
Create a separate child OU for each branch office under Certkiller ClientComputers.
Place the computer accounts of all client computers in each branch office in the proper
child OU for that specific branch office.
F. Create a top-level OU named Certkiller Servers under the Certkiller .com domain.
Create a separate child OU for each branch office under Certkiller Servers.
Place the computer accounts of all resource servers and the computer accounts of all
domain controllers in each branch office in the proper child OU for that specific branch
office.
Create an OU named Certkiller ClientComputers under the Certkiller .com domain.
Create a separate child OU for each branch office under Certkiller ClientComputers.
Place the computer accounts of all client computers in each branch office in the proper
child OU for that specific branch office.

Answer: E

Explanation: The central IT department is responsible for administering all resource
servers and domain controllers in all locations. The local IT department in each office is
responsible for administering only the client computers in its own office, and for
running backups on the servers in its own computer center.
Therefore, we need a top-level OU for servers under the Certkiller .com domain so that
the central IT department can be delegated control of all resource servers in all
locations, with a child OU per office so that each local IT department can be granted
only the backup right on its own servers. A separate top-level OU for client computers
with a child OU per office lets each local IT department administer its own client
computers. The domain controllers stay in the default Domain Controllers OU, so the
Default Domain Controllers Policy continues to apply to them.
Incorrect Answers:
A, C: Placing the client computers and the resource servers of an office in the same OU
gives the local IT department the same delegated control over the servers as over the
client computers, whereas the central IT department must administer the servers.
B: The local IT department in each office administers only the client computers in its
own office and only runs backups on the servers in its own computer center. Placing the
client computers and the resource servers in the same OU would allow the local IT
department to administer the resource servers as well.
D: A single flat Certkiller Servers OU has no per-office child OUs, so the backup right
cannot be delegated to each local IT department for its own servers only.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to
6-9, 6-16 to 6-23

QUESTION 257:

You work as the network administrator at Certkiller .com. Certkiller .com has
headquarters in London and branch offices in Paris, Berlin, Milan, and Madrid. A
single IT security department is located at the London headquarters. The central IT
security department manages all user accounts in all Certkiller .com branch offices.
All users have user accounts in the default Users container. A local IT department
resets passwords only in the specific branch office wherein the department is
located.
You have been tasked with creating an Active Directory domain named
Certkiller .com. The domain must have a functional level set at Windows Server 2003.
You must create an organizational unit (OU) structure that will support the existing
delegation of authority requirements. You also want to minimize the amount of
administrative effort required to maintain the new OU structure
What should you do to achieve your goal in these circumstances?

A. Create a top-level OU named Users under the Certkiller .com domain.
Create a separate child OU for each branch office under the Users OU.
Place the user accounts of all employees in each branch office in the appropriate child
OU for that specific branch office.
B. Create a top-level OU named Certkiller Headquarters under the Certkiller .com domain.
Place the user accounts of all users that work in the main office in the
Certkiller Headquarters OU.
Create a separate child OU for each branch office under the Certkiller Headquarters OU.
Place the user accounts of all users in each branch office in the child OU that you created
for that specific branch office.
C. Create a top-level OU named Users under the Certkiller .com domain.
Create a child OU named CentralITSecurity under the Users OU.
Place the user accounts of users working in the central IT security department in the
CentralITSecurity OU.
Create a child OU named LocalIT under the Users OU.
Place the user accounts of users working in the local IT department in the LocalIT OU.
D. Create a top-level OU named Users under the Certkiller .com domain.
Create a child OU named CentralITSecurity under the Users OU.
Place the user accounts of users working in the central IT security department in the
CentralITSecurity OU.

Answer: A

Explanation: Two OU levels meet the requirement. Control of all user accounts is delegated
to the central IT security department on the top-level Users OU, and the right to reset
passwords is delegated to each local IT department on the child OU of its own branch
office only.
Incorrect Answers:
B: A top-level OU named after the headquarters is not needed; a neutral top-level OU with
one child OU per branch office is sufficient and simpler to maintain.
C, D: There is no need for a CentralITSecurity OU or a LocalIT OU. Delegation is based on
where the managed user accounts are, not on where the administrators' accounts are, and
grouping accounts by IT department does not let each local IT department reset passwords
in its own branch only.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to
6-9, 6-16 to 6-23
Walter Glenn, and Michael T. Simpson; MCSE Self-Paced Training Kit (Exam 70-297);
Designing a Microsoft Windows Server 2003 Active Directory and Network
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4-11

QUESTION 258:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
functional level of the domain is set at Windows Server 2003. All servers on the
Certkiller .com network run Windows Server 2003. The relevant portion of the
organizational unit (OU) structure is shown in the exhibit.

Certkiller .com has an X.500 directory service enabled product that supports a
finance and research application running on the network. The application is used by
only those users working in the Finance department and in the Research and
Development department.
Specific InetOrgPerson objects are configured in Active Directory for all finance
and research users. Users working in the Finance department and in the Research and
Development department log on to the domain using their specific InetOrgPerson
objects as their user accounts. The InetOrgPerson objects for users in the Finance
department are stored in the Finance OU, and the InetOrgPerson objects for users
in the Research and Development department are stored in the Research OU.
Currently, Microsoft Identity Integration Server copies all changes made to objects
from Active Directory to the X.500 directory service enabled product. A
Certkiller .com administrator named Rory Allen is a member of the IT department.
Rory must manage all objects for users that need to access to the X.500 directory
service enabled product.
How must you configure Active Directory to enable Rory to perform this task?
Choose the action or actions that you should perform. Choose all answers that
apply.

A. On the Certkiller .com domain, assign Rory the permission to manage user objects.
B. On the Certkiller .com domain, assign Rory the permission to manage InetorgPerson
objects.
C. On the Finance OU, block the inheritance of permissions.
D. On the Research OU, block the inheritance of permissions.
E. On the Accounts OU, block the inheritance of permissions.

Answer: B, E

Explanation: Rory needs to manage the InetOrgPerson objects, which are in the Finance OU
and the Research OU. Assigning him the permission to manage InetOrgPerson objects on the
domain lets that permission be inherited by both OUs, and the object class filter means
that ordinary user objects are not affected. The permission should not apply to the
Accounts OU, so inheritance of permissions is blocked on the Accounts OU.
Incorrect Answers:
A: Rory needs to manage the InetOrgPerson objects, not the user objects.
C, D: The InetOrgPerson objects are located in the Finance OU and the Research OU.
Blocking inheritance on these OUs would prevent the permission assigned at the domain
level from applying to them.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 9-18
to 9-20, 9-23 to 9-26

QUESTION 259:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.

Certkiller .com operation and support functions are separated into two distinct
sectors named Certkiller Operations and Certkiller Support.
A local IT team at each location provides user support to all users at that location,
irrespective of the sector to which the user belongs. The Finance department has its own
IT staff, irrespective of location.
You must implement a top-level organizational unit (OU) structure that supports
the delegation of administrative control requirements.
Select the top-level OU or OUs you should create by dragging the appropriate
top-level OU or OUs to the correct location or locations in the work area.

Answer:

Explanation:
The local IT team at each location is responsible for user support at their location,
regardless of the user's division. An OU for each location will enable the local IT team to
manage resources in that location (except for Finance resources).

The Finance department has its own IT support staff. The Finance department maintains
its own IT support team regardless of location. An OU for Finance resources will enable
the Finance support team to manage the Finance resources.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to
6-9, 6-16 to 6-23

QUESTION 260:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
As a company, Certkiller .com is made up of various business sectors, with each
business sector having its own respective top-level organizational unit (OU) in the
Certkiller .com domain. Each specific business sector manages its own OU structure,
and the OU of each business sector contains an IT administrative group for that
respective business sector. The administrators of each business sector are approved
by Domain Admins group members.
Each member of the IT administrative group is assigned the Allow - Read
permission for the OU object of their respective business sector. All IT
administrative group members are also assigned the Allow - Full Control
permission for all child objects of the OU structure of only their respective business
sector.
You must configure the OU structure so as to prevent the administrators of each
business sector from adding administrators to their individual IT administrative
group. Your solution must not affect the ability that members of the Domain
Admins group have to manage the IT administrative groups.
What should you do to achieve your goal in these circumstances?

A. Configure a new OU underneath the OU of each business sector, and then move the
appropriate administrative groups into the new individual OUs.
Block the inheritance of permissions on the OUs.
Remove all permissions applied from the parent OU.
B. Assign the Domain Admins group the Allow - Full Control permission for the IT
administrative groups in the OU of each business sector.
C. Configure a new OU at the same level in the OU structure as the OUs of the respective
business sectors.
Move the IT administrative groups of the business sectors into this new OU.
D. Configure a new Restricted Groups Group Policy object (GPO) and link this GPO to
the OU of each business sector.

Answer: C

Explanation: We need to ensure that members of the Domain Admins group are still able to
manage the IT administrative groups, and we need to prevent the administrators of each
business sector from adding members to their own IT administrative group. Their Allow -
Full Control permission applies to all child objects of their sector's OU, so while the
group stays inside that OU they can change its membership. Moving the IT administrative
groups into a new top-level OU that sits outside every sector's OU takes the groups out
of the scope of that permission, and the Domain Admins group keeps control of the new
OU through the permissions it holds at the domain level.
Incorrect Answers:
A: The new OU would be a child OU of the sector's OU, and the sector administrators have
Full Control over all child objects of their OU. Blocking inheritance and removing the
inherited permissions on each new OU is extra work that must be repeated for every sector
and is easy to get wrong; the cleaner solution is to keep the groups out of the sector
OUs altogether.
B: Assigning the Domain Admins group the Allow - Full Control permission for the IT
administrative groups in the OU of each sector does not remove the Full Control
permission the sector administrators already have, so they could still add members.
D: A Restricted Groups Group Policy object (GPO) linked to the OU of each sector would
prevent the sector administrators from adding members to their IT administrative group,
but it enforces a fixed membership at every policy refresh, so changes made by the Domain
Admins group would be reverted as well.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-20, 10-40 to 10-41
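The delegation reasoning in QUESTION 258 and QUESTION 260 depends on how permissions on a parent OU flow down to the objects beneath it. The following Python is an added example, not code from the exam or its references: a simplified model of Active Directory ACL inheritance with per-class entries, inheritance blocking and deny-wins evaluation. The OU and object names other than Finance, Research and Accounts (SalesAdmins, AdminGroups, the sample users) are assumptions, and the model ignores ownership, extended rights and property-level permissions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# ACE scope: which objects an entry placed on a container applies to.
THIS_OBJECT, DESCENDANTS, BOTH = "this", "descendants", "both"


@dataclass
class ACE:
    trustee: str
    right: str                          # e.g. "Full Control", "Read"
    allow: bool = True
    scope: str = BOTH
    object_class: Optional[str] = None  # None = all classes, else e.g. "inetOrgPerson"


@dataclass
class Node:
    """A domain, OU or leaf object in the directory tree (constructed model)."""
    name: str
    object_class: str
    parent: Optional["Node"] = None
    aces: List[ACE] = field(default_factory=list)
    protected: bool = False             # 'block inheritance' on this object


def applicable_aces(target: Node) -> List[ACE]:
    """Explicit ACEs on the target plus inheritable ACEs from its ancestors,
    stopping at the first object on the way up that blocks inheritance."""
    result = [a for a in target.aces if a.scope in (THIS_OBJECT, BOTH)]
    node = target
    while node.parent is not None and not node.protected:
        node = node.parent
        for a in node.aces:
            if a.scope in (DESCENDANTS, BOTH) and a.object_class in (None, target.object_class):
                result.append(a)
    return result


def has_right(groups: Set[str], target: Node, right: str) -> bool:
    """Deny entries win over allow entries, wherever they come from.
    Full Control is treated as covering every specific right."""
    allowed = denied = False
    for a in applicable_aces(target):
        if a.trustee in groups and a.right in (right, "Full Control"):
            if a.allow:
                allowed = True
            else:
                denied = True
    return allowed and not denied


def move(node: Node, new_parent: Node) -> None:
    """Moving an object changes which inherited ACEs reach it."""
    node.parent = new_parent


# ---- QUESTION 258: domain-level rights on inetOrgPerson objects only ----
domain = Node("certkiller.com", "domainDNS", aces=[
    ACE("Rory Allen", "Full Control", scope=DESCENDANTS, object_class="inetOrgPerson"),
    ACE("Domain Admins", "Full Control", scope=BOTH),
])
finance = Node("Finance", "organizationalUnit", parent=domain)
research = Node("Research", "organizationalUnit", parent=domain)
# Accounts blocks inheritance; the administrators' entry is kept as an explicit ACE.
accounts = Node("Accounts", "organizationalUnit", parent=domain, protected=True,
                aces=[ACE("Domain Admins", "Full Control", scope=BOTH)])
fin_iop = Node("fin.user", "inetOrgPerson", parent=finance)
fin_user = Node("fin.admin", "user", parent=finance)
acc_iop = Node("acc.user", "inetOrgPerson", parent=accounts)

# ---- QUESTION 260: sector admins with Full Control on their OU's children ----
sales = Node("Sales", "organizationalUnit", parent=domain, aces=[
    ACE("SalesAdmins", "Read", scope=THIS_OBJECT),
    ACE("SalesAdmins", "Full Control", scope=DESCENDANTS),
])
sales_admins_group = Node("SalesAdmins", "group", parent=sales)
admin_groups_ou = Node("AdminGroups", "organizationalUnit", parent=domain)   # answer C


if __name__ == "__main__":
    print("Rory on Finance inetOrgPerson:", has_right({"Rory Allen"}, fin_iop, "Write"))
    print("Rory on Accounts inetOrgPerson:", has_right({"Rory Allen"}, acc_iop, "Write"))
    print("SalesAdmins on own group:", has_right({"SalesAdmins"}, sales_admins_group, "Write Members"))
    move(sales_admins_group, admin_groups_ou)
    print("after move:", has_right({"SalesAdmins"}, sales_admins_group, "Write Members"))
```

Running it shows the two mechanisms the answers rely on: the class filter on Rory's domain-level entry reaches inetOrgPerson objects in Finance and Research but not ordinary user objects, the block on Accounts stops it there, and moving the SalesAdmins group to a sibling OU removes the sector administrators' inherited Full Control while the Domain Admins entry from the domain still reaches it.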

QUESTION 261:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. An
organizational unit (OU) named Management contains the security groups named
Executives, Senior Managers, and Team Leaders. All user accounts that are
members of these three security groups are in the Management OU.
You create a new Group Policy object (GPO) and configure the GPO to disable the
display options beneath the User Configuration section of the GPO. You link the
GPO to the Management OU.
You must perform the following configurations with regard to the new GPO and the
Management OU:
1. You must apply the GPO to all user accounts that are members of the Senior
Managers group.
2. You must ensure that the GPO is not applied to user accounts that are members
of the Executives group.
3. You must prevent the GPO from applying to a user account that is a member of
the Team Leaders group, unless that specific user account is also a member of the
Senior Managers group.
How will you accomplish the task?

A. Edit the discretionary access control list (DACL) settings of the GPO to assign the
Executives and Team Leaders security groups the Deny - Read and the Deny - Apply
Group Policy permissions.
Modify the DACL of the GPO to assign the users who are in both the Executives and
Team Leaders security groups the Allow - Read and the Allow - Apply Group Policy
permissions.
B. Edit the discretionary access control list (DACL) settings of the GPO to assign the
Executives and Team Leaders security groups the Deny - Read and the Deny - Apply
Group Policy permissions.
Create a new security group named Mixed Users that contains all the user accounts from
the Senior Managers group and the specific user accounts from the Team Leaders group
to which you want the GPO to apply.
Modify the DACL of the GPO to assign the Mixed Users security group the Allow -
Read and the Allow - Apply Group Policy permissions.
C. Edit the discretionary access control list (DACL) settings of the GPO to assign the
Executives security group the Deny - Read and the Deny - Apply Group Policy
permissions.
Modify the DACL settings of the GPO to remove the Authenticated Users special group.
Modify the DACL settings of the GPO to add the Senior Managers group and assign the
Allow - Read and the Allow - Apply Group Policy permissions.
D. Edit the discretionary access control list (DACL) settings of the GPO to assign the
Executives security group the Deny - Read and the Allow - Apply Group Policy
permissions.
Modify the DACL settings of the GPO to assign the Team Leaders security group the
Deny - Read and the Deny - Apply Group Policy permissions.

Answer: C

Explanation: You need to prevent the GPO from applying to any user account that is a
member of the Executives group. Modify the discretionary access control list (DACL) of the
GPO to assign the Executives security group the Deny - Read and the Deny - Apply Group
Policy permissions; a Deny entry overrides any Allow entry the user gets through another
group. Remove the Authenticated Users group from the DACL so that the policy no longer
applies by default to everyone in the Management OU.
You need to ensure that the GPO applies to all user accounts that are members of the
Senior Managers group. Add the Senior Managers group to the DACL and assign it the Allow
- Read and the Allow - Apply Group Policy permissions; a user must hold both permissions
for the GPO to apply.
You need to prevent the GPO from applying to members of the Team Leaders group unless
they are also members of the Senior Managers group. The Team Leaders group is not listed
in the DACL at all, so a user who is only a Team Leader receives no Allow entry and does
not get the GPO. A user who is a member of both groups receives the GPO through the
Allow entries of the Senior Managers group, because nothing denies it.
Incorrect Answers:
A, B, D: Assigning the Team Leaders security group the Deny - Read and the Deny - Apply
Group Policy permissions prevents users who are members of both the Team Leaders and the
Senior Managers group from receiving the GPO, because a Deny entry overrides the Allow
entries of the Senior Managers group.
Reference:

Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-20, 10-40 to 10-41

QUESTION 262:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
A Group Policy object (GPO) named UserRightsAndPermissions is linked to the
Certkiller .com domain. The UserRightsAndPermissions GPO has these user settings
configured:
1. Prevent user configuration of offline files.
2. Remove Add or Remove Programs in Control Panel.
3. Remove Display in Control Panel.
The user accounts of employees working in the Marketing department are stored in
an organizational unit (OU) named MarketingUsers. You must allow users that
have their user accounts in the MarketingUsers OU, to remove programs using Add
or Remove Programs in Control Panel. You must ensure that all other GPO policy
settings still apply.
What should you do next?

A. Enable the Block Policy Inheritance setting on the MarketingUsers OU.
B. Create a new GPO and disable the Remove Add or Remove Programs setting. Link the
new GPO to the MarketingUsers OU.
C. Assign the user accounts in the MarketingUsers OU the Deny - Apply Group Policy
permission for the UserRightsAndPermissions GPO.
D. Assign the user accounts in the MarketingUsers OU the Deny - Write GPlink
permission for the UserRightsAndPermissions GPO.

Answer: B

Explanation: GPOs are processed in the order local, site, domain, OU, so for a setting
that is configured in both, the value in a GPO linked to the OU overrides the value in a
GPO linked to the domain (unless the domain link is enforced). Therefore, we can create a
GPO that sets Remove Add or Remove Programs to Disabled and link it to the MarketingUsers
OU. The other two settings are left Not Configured in the new GPO, so the domain values
still apply.
Incorrect Answers:
A: The question states that the other settings from the domain GPO must still apply.
Blocking policy inheritance on the OU would stop all three settings.
C: The question states that the other settings from the domain GPO must still apply.
Denying the users the Apply Group Policy permission would prevent every setting in the
domain GPO from being applied to them.
D: The Write gPLink permission controls who can link GPOs to a container. It has no
effect on whether an already linked GPO applies.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-23
to 10-24
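An added example, not from the exam or its references: a Python model of Group Policy precedence that resolves the three settings in this question across the domain-linked GPO and a GPO linked to the MarketingUsers OU, including Block Policy Inheritance and an enforced link for comparison. The GPO name MarketingAddRemove and the container names are assumptions; the setting names and the UserRightsAndPermissions GPO come from the question.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A setting is "Enabled", "Disabled" or None for Not Configured.
State = Optional[str]


@dataclass
class GPO:
    name: str
    settings: Dict[str, State]


@dataclass
class Container:
    """A site, domain or OU. links are in processing order (lowest precedence
    first, so the last link in the list wins within the container).
    block_inheritance is the container's Block Policy Inheritance flag;
    the bool in each link is its No Override / Enforced flag."""
    name: str
    links: List[Tuple[GPO, bool]] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain: List[Container]) -> List[GPO]:
    """chain runs from the top (site/domain) down to the container that holds
    the account. Returns GPOs in the order they are applied; a later GPO
    overrides an earlier one for any setting it actually configures."""
    normal: List[GPO] = []
    enforced: List[GPO] = []
    for container in chain:
        if container.block_inheritance:
            normal = []       # drops non-enforced links inherited from above
        for gpo, is_enforced in container.links:
            (enforced if is_enforced else normal).append(gpo)
    # Enforced links are applied last; among them the one highest in the
    # hierarchy wins, so they are applied in reverse order.
    return normal + list(reversed(enforced))


def effective_settings(chain: List[Container]) -> Dict[str, str]:
    """Resultant settings for an account in the last container of the chain."""
    result: Dict[str, str] = {}
    for gpo in processing_order(chain):
        for key, state in gpo.settings.items():
            if state is not None:     # Not Configured never overrides anything
                result[key] = state
    return result


# Constructed scenario from the question.
DOMAIN_GPO = GPO("UserRightsAndPermissions", {
    "Prevent user configuration of offline files": "Enabled",
    "Remove Add or Remove Programs": "Enabled",
    "Remove Display in Control Panel": "Enabled",
})
# Answer B: one setting explicitly Disabled in a GPO linked to the OU.
MARKETING_GPO = GPO("MarketingAddRemove", {"Remove Add or Remove Programs": "Disabled"})


def scenario(ou_links: List[Tuple[GPO, bool]], block: bool = False,
             domain_enforced: bool = False) -> Dict[str, str]:
    """Domain -> MarketingUsers OU with the given OU links and flags."""
    domain = Container("certkiller.com", [(DOMAIN_GPO, domain_enforced)])
    ou = Container("MarketingUsers", ou_links, block_inheritance=block)
    return effective_settings([domain, ou])


if __name__ == "__main__":
    print("answer B:", scenario([(MARKETING_GPO, False)]))
    print("answer A:", scenario([], block=True))
    print("domain link enforced:", scenario([(MARKETING_GPO, False)], domain_enforced=True))
```

The first call shows why answer B works: only the setting the OU GPO explicitly configures changes, and the two settings it leaves Not Configured keep their domain values. The second shows that Block Policy Inheritance (answer A) removes all three, and the third that an enforced domain link cannot be overridden from the OU, which is the check to make before relying on this technique.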

QUESTION 263:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com that
contains three sites. Each site has a domain controller configured. All servers on the
Certkiller .com network run Windows Server 2003. Half the client computers run
Windows 2000 Professional, and the rest run Windows XP Professional.
The IT staff members of Certkiller .com are organized into four distinct groups, and
work at the three Certkiller .com sites.
The IT staff computers are configured by using scripts that must run differently
based on the following factors:
1. Site location: Which site the IT staff member is logging on to
2. Group membership: Which IT group the IT staff member belongs to
You must ensure that the correct logon script is applied to IT staff members based
on both group membership and site location.
What should you do next?

A. Create four new Group Policy objects (GPOs).
Create a new script in each new GPO that corresponds to one of the four IT staff groups.
Link the four new GPOs to all three Certkiller .com sites.
Grant each group the necessary permission to apply only the GPO that was created for
that specific group.
B. Create a script that performs the appropriate configuration based on group
membership of the IT staff member.
Place the new script in the Netlogon shared folders on the Certkiller .com domain
controllers.
C. Configure a new Group Policy object (GPO) with a startup script that configures
computers based on IT staff group membership.
Link the GPO to the three Certkiller .com sites.
D. Create a script that configures the computers based on both IT staff group membership
and site location.
Create a GPO and link it to the Domain Controllers OU to run the new script.

Answer: A

Explanation: The easiest way to filter which users or computers a GPO applies to is to set
permissions on the GPO. A user or computer needs both the Allow - Read and the Allow -
Apply Group Policy permissions in order to apply the GPO. In this question, we have four
groups, each with different requirements, and the script must also vary by site. By
creating four GPOs, one per IT group, linking them to the three sites, and granting each
group Read and Apply Group Policy only on its own GPO, the script a user receives is
determined by group membership, and linking at site level ties delivery to the site the
user logs on at.
Incorrect Answers:
B: A script placed in the Netlogon share is not run by itself; it must be assigned as a
logon script on the user accounts or through a GPO linked to an Active Directory
container, and a single script assigned that way does not vary by site.
C: A startup script runs under the computer account when the computer boots, before any
user logs on, so it cannot be based on the IT staff member's group membership. Filtering
with GPO permissions is the simpler approach.
D: It is easier to use GPO permissions to determine which users should receive a GPO.
Furthermore, a GPO linked to the Domain Controllers OU applies only to the domain
controllers, not to the IT staff computers or users.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-20, 10-40 to 10-41
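Security filtering in QUESTION 261 and QUESTION 263 comes down to one rule, shown here as an added Python example that is not part of the exam or its references: a GPO applies only to a principal that is allowed both Read and Apply Group Policy, with any Deny entry taking precedence. The DACL for answer C of QUESTION 261 is built from the groups named there; the four IT group names and the LogonScript-* GPO names for QUESTION 263 are assumptions.

```python
from typing import Dict, List, Set, Tuple

# One DACL entry: (trustee, permission, allow). Only the two permissions that
# security filtering looks at are modelled.
ACE = Tuple[str, str, bool]
READ, APPLY = "Read", "Apply Group Policy"
REQUIRED = (READ, APPLY)


def default_dacl() -> List[ACE]:
    """Default permissions on a new GPO (constructed to match the product
    defaults): Authenticated Users get Read and Apply Group Policy; the
    administrative groups get Read (for editing) but not Apply, so they
    receive the policy only through Authenticated Users."""
    return [
        ("Authenticated Users", READ, True), ("Authenticated Users", APPLY, True),
        ("Domain Admins", READ, True), ("Enterprise Admins", READ, True),
        ("SYSTEM", READ, True),
    ]


def gpo_applies(user_groups: Set[str], dacl: List[ACE]) -> bool:
    """Security filtering: the GPO applies only if some group the user belongs
    to is allowed BOTH Read and Apply Group Policy, and no group the user
    belongs to is denied either one. Deny entries win over allow entries."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for trustee, permission, allow in dacl:
        if trustee in user_groups:
            (allowed if allow else denied).add(permission)
    return all(p in allowed and p not in denied for p in REQUIRED)


def gpos_for_user(user_groups: Set[str], gpos: Dict[str, List[ACE]]) -> List[str]:
    """Names of the GPOs (all linked to the same site/domain/OU) that pass
    security filtering for this user."""
    return [name for name, dacl in gpos.items() if gpo_applies(user_groups, dacl)]


# Answer C of QUESTION 261: Authenticated Users removed, Executives denied,
# Senior Managers allowed, Team Leaders not listed at all.
MANAGEMENT_DACL: List[ACE] = [
    ("Executives", READ, False), ("Executives", APPLY, False),
    ("Senior Managers", READ, True), ("Senior Managers", APPLY, True),
    ("Domain Admins", READ, True), ("Enterprise Admins", READ, True),
    ("SYSTEM", READ, True),
]

# QUESTION 263: one GPO per IT group, each filtered to that group only.
IT_GROUPS = ["IT-Desktop", "IT-Network", "IT-Security", "IT-Servers"]   # assumed names
SITE_GPOS: Dict[str, List[ACE]] = {
    f"LogonScript-{g}": [(g, READ, True), (g, APPLY, True), ("Domain Admins", READ, True)]
    for g in IT_GROUPS
}


def member(*groups: str) -> Set[str]:
    """Group set for a domain user; every domain user is implicitly in
    Authenticated Users."""
    return {"Authenticated Users", *groups}


if __name__ == "__main__":
    for groups in (member("Senior Managers"), member("Executives"),
                   member("Team Leaders"), member("Team Leaders", "Senior Managers"),
                   member("Executives", "Senior Managers")):
        print(sorted(groups), gpo_applies(groups, MANAGEMENT_DACL))
    print(gpos_for_user(member("IT-Network"), SITE_GPOS))
```

The check worth remembering is the one the default DACL demonstrates: as long as Authenticated Users keeps Read and Apply Group Policy, a Team Leader who is not a Senior Manager still receives the GPO, so removing that entry is as important as adding the Deny for Executives.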

QUESTION 264:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains two domains
named Certkiller .com and us. Certkiller .com. All servers on the Certkiller .com network
run Windows Server 2003. The domain and organizational unit (OU) structure is
shown in the accompanying work area.
All domain controllers on the Certkiller .com network are located in the Domain
Controllers OU of their specific domain. The Domain Controllers OUs do not
contain other computer and user accounts. Users that work in the Research and
Development department have their user accounts in the us. Certkiller .com domain.
All other user accounts and resources are located in the Certkiller .com domain.
Certkiller .com's written security policy requires that all users in the Research and
Development department must have and use complex passwords of at least 9 characters.
The written security policy must be enforced for users in the Research and Development
department only. No other domain users or local accounts must be impacted by these
password restrictions. The users in the Research and Development department that need
to comply with the security policy have user accounts in an OU named Research in the
us. Certkiller .com domain.
You create a new Group Policy object (GPO) that contains the required settings to
comply with the requirements of Certkiller .com's written security policy.
Where should you link the GPO to ensure that the settings are applied to users in
the Research and Development department only? The settings must not impact
other domain users or local accounts.
Answer by selecting the appropriate location or locations in the work area.

Answer:

Explanation: Select the us. Certkiller .com domain.
In Windows Server 2003 the password policy for domain user accounts is taken only from
GPOs linked at the domain level, so password restrictions for domain accounts must be set
there. A password policy in a GPO linked to an OU affects only the local accounts on the
computers in that OU, not the domain accounts of the users in it. In this scenario,
us. Certkiller .com contains only the Research and Development users, so linking the GPO
to that domain does not affect any other domain users.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-31
to 10-44

QUESTION 265:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
You must test Group Policy objects (GPOs) on an organizational unit (OU) named
Analysis. The Analysis OU contains the Windows XP Professional client computer
which you are using as your test computer.
The Certkiller .com domain contains a security group named Administrators. You
create a Group Policy Object (GPO) with the configuration settings necessary to
grant the Administrators group the Change the system time user right.
You use your test computer and find that the GPO settings have not taken effect.
What should you do next to apply the GPO settings immediately?

A. Log off your test computer and then log on to the test computer.
B. Log off your test computer and create a test user account in the Analysis OU. Log on
as the test user account.
C. Run the gpresult command on your test computer.
D. Run the gpupdate /force command on your test computer.

Answer: D

Explanation: GPOs are applied when users log on and when the computer is booted
up, and they are also refreshed at a set interval. However, you can use the
gpupdate /force command to apply the GPO immediately without having to reboot
the computer.
Incorrect Answers:
A, B: The computer configuration settings are applied when the computer boots, not at
log on.
C: The Gpresult command-line tool allows you to create and display an RSoP query,
which can be used to analyze the cumulative effects of GPOs, through the command line.
It also provides general information about the operating system, user, and computer.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-15
to 10-17, 10-44, 11-4, 11-6, 11-19 to 11-22
www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/refrGP.asp

QUESTION 266:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
All file servers on the Certkiller .com network have computer accounts in an
organizational unit (OU) named FileServers. All domain users have user accounts in
an OU named Certkiller Users. The My Documents folder is redirected to a shared
folder on a file server named Certkiller -SR03 for all users and administrators.
You have received instruction from the CIO to limit the amount of disk space that
can be used by each user on Certkiller -SR03. You have been instructed to limit
disk space usage on Certkiller -SR03 to 2 GB per user. This must apply to all users
other than administrators.
What should you do next to ensure that all users, other than administrators, can
only use a maximum of 2 GB of storage on Certkiller -SR03?

A. Create a Group Policy object (GPO) and link it to the Certkiller Users OU. Enable disk
quotas in the GPO.
B. Create a Group Policy object (GPO) and link it to the Certkiller Users OU. Enable a
size limit on user profiles in the GPO.
C. Create a Group Policy object (GPO) and link it to the FileServers OU. Enable disk
quotas in the GPO.
D. Create a Group Policy object (GPO) and link it to the FileServers OU. Enable a
default cache size for offline files in the GPO.

Answer: B

Explanation:
To prevent users, computers, and groups from creating an unlimited number of
objects in Active Directory, Windows Server 2003 has added quotas. Active
Directory quotas are used to limit how many objects are owned in a particular
directory partition. While quotas can be applied to almost every user, computer,
and group, Domain Administrators and Enterprise Administrators are exempted
from these limits. The quotas that are used to limit the ability of a user, computer,
or group from creating too many objects in Active Directory should not be confused
with disk quotas, which are also available on Windows Server 2003 servers
(regardless of the functionality level being used).
The new Active Directory quotas (not to be confused with disk quotas) are defined as the
number of objects that can be owned by a given user in a given directory partition.
Domain Admins and Enterprise Administrators are exempt from the quota, and they do
not apply at all to the schema partition. Replicated operations do not count toward the
quota; only the original operations do. Quota administration is performed through a set of
command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface
exists for quota administration.
Disk quotas can be used to limit the amount of hard disk space that can be used on a
volume that's formatted in NTFS. The NTFS file system is more advanced than other file
systems such as FAT or FAT32, which can also be used to format volumes. By using
disk quotas on an NTFS volume, administrators can prevent users from filling up the hard
disk with an unlimited number of files.

Incorrect answers:
A: Making use of disk quotas will not have the desired effect.
C: The FileServers OU is the wrong organizational unit to link the GPO to.
D: First, the FileServers OU is the wrong organizational unit to link the newly created
GPO to, and furthermore, the GPO should not be one that enables a default cache size
for offline files.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 1, p. 69 &
Chapter 4, p. 250

QUESTION 267:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
You must change the default storage location of the My Documents folder for all
user accounts. You create a Group Policy object (GPO) to redirect the My
Documents folder to \\Certkiller -SR07\USERFILES\%USERNAME%. You select
the Redirect the folder back to the local user profile location when policy is removed
option. The My Documents folders of a number of users are excessively large and
use too much disk space on Certkiller -SR07. The Certkiller .com network does not
make use of roaming user profiles.
One morning several users complain that they experience slow response times for
shared files. You must ensure that the My Documents folder for each user is stored
and maintained on the specific user's client computer. Your configuration to
accomplish this task must not affect any other policies.
Which of the following two solutions enable you to accomplish the task? Choose two
answers. Each correct answer presents a complete solution.

A. In the GPO, modify the redirection setting to Not configured and then run the
gpupdate command on Certkiller -SR07.
B. In the GPO, modify the redirection setting to Not Configured. Add an xcopy command
in each user's logon script to move the files.
C. Copy all settings in the GPO other than the redirection setting, to a new GPO, and then
delete the existing GPO.
D. Change the specified path to %USERPROFILE%\My Documents in the GPO.
E. Configure all shared folders on Certkiller -SR07 to automatically make all files
available offline. Once the files are cached on the client computer, delete those files from
Certkiller -SR07.

Answer: A, D

Explanation: There is no roaming profile, so we can remove the redirection setting.
The gpupdate command will ensure that the altered GPO is applied immediately.
Incorrect Answers:
B: The xcopy command will copy the files from Certkiller -SR07 to the local
computer. This will consume network bandwidth. It is thus not the best answer.
C: We don't need to create a new GPO, just change the one setting.
E: The files will still be stored on Certkiller -SR07 but will be available for use on the
local computer when the computer is disconnected from the network. This won't ensure
that the files are stored on the local computer.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-28
to 11-48

QUESTION 268:

DRAG DROP
You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. The user accounts
of the support team reside in an organizational unit (OU) named SupportTeam. All
other user accounts reside in an OU named Users.
Certkiller .com's new written security policy requires that no users be allowed
to use offline files. The new security policy also requires that only support team
members be allowed to edit the registry. These new security policy requirements must be
applied immediately.
You must make all the changes necessary to comply with the new security policy.
You want to use the minimum amount of administrative effort to meet the
requirements of the security policy.
What should you do to accomplish these goals?
Answer by dragging the appropriate action or actions to the correct location or
locations in the work area.

Answer:

Explanation:
All users, including support team members, are not allowed to use offline files and only
support team members are allowed to edit the registry.
This means we need a GPO linked at the domain level that disables the registry editing
tools, and one that prevents the use of offline files. These GPOs will ensure that all users,
including support team members, are not allowed to use offline files. It will also disable
the use of registry editing tools for all users. Therefore, we need another GPO that allows
the use of the registry editing tools for the SupportTeam OU. GPOs are applied at the
domain level before the OU level so the GPO applied at the OU level will override the
GPO applied at the domain level.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40
to 10-41

QUESTION 269:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
Certkiller .com has its headquarters in Chicago and branch offices in Dallas and
Miami. The Certkiller .com domain has an organizational unit (OU) for each branch
office. Group Policy objects (GPOs) linked to these OUs configure Certkiller .com
resources.
Each branch office OU has an OU named Users and an OU named Desktops. User
accounts are located in the Users OU and client computer accounts are located in
the Desktops OU. Each branch office has a user that has been assigned
administrative rights. The branch office administrator provides desktop and
administration support for the Certkiller .com branch office.
One morning you notice that the number of support calls to Certkiller .com's
branch office administrators has increased. You discover that there are users who
are making configuration changes to their client computers.
You must immediately prevent all users other than the branch office administrators
from using administrative tools and desktop features. You create a new GPO that
applies the desktop restrictions.
What should you do next?

A. Link the GPO to the Desktops OU of each branch office.
Create an OU under each branch office's Desktops OU and then move the branch
administrative user's computer accounts into the new OU.
Block GPOs from applying to the new OU.
B. Link the GPO to the Users OU of each branch office.
Create an OU under each branch office's Users OU and move the branch administrative
user's account into the new OU.
Block GPOs from applying to the new OU.
C. Link the GPO to the Desktops OU of each branch office.
Filter the GPO on the branch administrative user's computer for each branch office to
ensure that the computer does not apply the new GPO.
D. Link the GPO to the Users OU of each branch office.
Filter the GPO on the branch administrative user's account for each branch office to
ensure that the user account does not apply the new GPO.

Answer: D

Explanation: We need to restrict desktop features and administrative tools for all
users other than the administrative user in each branch office. We have already
created a GPO that applies the desktop restrictions. We now need to link the GPO
to each branch office's Users OU which contains all user accounts for the branch.
We can ensure that this GPO doesn't apply to the administrator by assigning the
Deny - Apply Group Policy permission to the administrator account in each branch.
Incorrect Answers:
A, C: The GPO must be linked to the users not the computers.
B: Creating a new OU and blocking inheritance is unnecessary. Simply assigning the
Deny - Apply Group Policy permission to the administrator account will ensure that the
administrator does not receive the GPO settings.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40
to 10-41

QUESTION 270:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. The Certkiller .com network contains a
domain controller named Certkiller -DC01. Certkiller .com applies Group Policy
objects (GPOs) to configure both user and computer settings. Separate hard disks
are used to store the Active Directory database and the SYSVOL shared folder.
One morning you discover that the hard disk which stores the SYSVOL folder has
failed. You find that there are still some Group Policy settings applied but notice
that new users are not receiving Group Policy settings.
You replace the failed hard disk and find that no valid backups of the SYSVOL
folder exist. You do however have a list of GUIDs and friendly names for each GPO.
You create a new SYSVOL folder on the new hard disk. You use the same location
as the previous SYSVOL folder.
You must configure the Certkiller .com network to ensure that user and computer
settings are applied to all domain users.
Which three actions should you perform to accomplish the task? Choose three
answers. Each answer presents only part of the solution.

A. In the SYSVOL folder, create a new folder and name it Certkiller .com.
In the Certkiller .com folder, create a new folder and name it Policies.
B. In the SYSVOL folder, create a new folder and name it System State.
In the System State folder, create a new folder and name it Policies.
C. In the Policies folder, create a folder for each GPO.
Name the folders appropriately by using the friendly names you have of each GPO.
In the folder of each GPO, create two folders, one named MACHINE and one named
USER.
D. In the Policies folder, create a new folder for each GPO.
Name the folders appropriately by using the GUID of each GPO.
In the folder of each GPO, create two folders, one named MACHINE and one named
USER.
E. Open Active Directory Users and Computers and then open each GPO.
Close each GPO without changing any computer and user settings.
F. Open Active Directory Users and Computers and then open each GPO.
Edit at least one setting in each GPO before you close the GPO.

Answer: A, D, F

Explanation: A globally unique identifier (GUID) is a 128-bit hexadecimal number that
is guaranteed to be unique within the enterprise. GUIDs are assigned to objects when the
objects are created. The GUID never changes, even if you move or rename the object. A
GUID is unique across all domains, meaning that you can move objects from domain to
domain and they will still have a unique identifier.
Ensure the integrity of the computer's Group Policy by performing one of the following:
(i) If you authoritatively restored the entire Active Directory database, copy the Sysvol
directory on the alternate location over the existing one after the Sysvol share is
published. (ii) If you authoritatively restored specific Active Directory objects, copy only
the policy folders (identified by the GUID) corresponding to the restored policy objects
from the alternate location after the Sysvol share is published. Then, copy them over the
existing ones. When authoritatively restoring either the entire Active Directory database
or selected objects, it is important that you copy the Sysvol and policy data from the
alternate location after the Sysvol share is published. If the computer is in a replicated
domain, it may take several minutes before the Sysvol share is published because it needs
to synchronize with its replication partners. If all computers in the domain are
authoritatively restored and restarted at the same time, then each will be waiting
(indefinitely) to synchronize with each other. In this case, restore one of the domain
controllers first so that its Sysvol share can be published; then restore the other
computers nonauthoritatively. Thus options A, D and F will ensure that all settings will
be applied to all users in the given circumstances.
Incorrect answers:
B: The folder that should be created is Certkiller .com, not System State.
C: Making use of the friendly name of each GPO will not have the desired effect.
E: You need to change at least one setting in each GPO before closing it.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 32,
3: 52

QUESTION 271:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.

Users in the Processing department of Certkiller .com use their client computers to
access a database application and e-mail. The client computers used in the
Processing department are all configured the same.
Certkiller .com's written security policy does not allow users in the Processing
department to install and run new applications. Users in the Processing department
must be prevented from changing the desktop settings on their computers.
You must ensure that the requirements of Certkiller .com's written security policy
are enforced for users in the Processing department. Your solution must not
prevent users in other departments from changing their computers.
What should you do next?

A. Add all of the computer accounts for processing computers to an organizational unit
(OU) named Processing Department Computers.
Create a new Group Policy object (GPO) that contains the relevant restrictions in the
User Configuration section.
Link the GPO to the Processing Department Computers OU.
B. Add all user accounts for processing users to an organizational unit (OU) named
Processing Department Users.
Create a new Group Policy object (GPO) that contains the relevant restrictions in the
User Configuration section.
Link the GPO to the Processing Department Users OU.
C. Add all of the user accounts for processing users to a security group named Processing
Department Users.
Change the default user rights assignment on the processing department computers to
ensure that the Processing Department Users group has only the Allow log on locally
right.
D. Add all of the user accounts for processing users to a security group named Processing
Department Users.
Configure these accounts to ensure that users use a common roaming profile stored on a
file server.
Assign the Processing Department Users group the Allow - Full Control permission
for the roaming profile folder.

Answer: B

Explanation: To restrict processing department users from running certain
applications and changing their desktops, we need to configure the required
restrictions in a GPO and have it applied to all processing department users. This
can be achieved by placing all processing department users in an OU and applying
the GPO to that OU.
Incorrect Answers:
A: The GPO should apply to the users, not the computers.
C: We need to restrict the users from running additional applications or changing their
desktop settings; this isn't achieved simply by restricting them to the local computer.
D: A roaming profile will not prevent users from running unauthorized applications.
Furthermore, granting Allow - Full Control permission for the roaming profile folder
would allow them to change their desktop settings.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16
to 10-20, 10-40 to 10-41

QUESTION 272:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
You have received instruction from the CIO to make ten Windows XP Professional
computers available in a public area. Visitors to the company will use these
computers to browse public Web sites. Each of these computers must have only a
Web browser installed as an application.
To implement these requirements you make all ten Windows XP Professional
computers members of the Active Directory domain. You create a new
organizational unit (OU) named Public Computers and add the computer accounts
of the ten computers to this OU. You configure each computer to automatically log
on using a user account named Public User whenever the computer starts. You
ensure that the Public User account does not have administrative rights on the
Certkiller .com domain and on the computer.
You must configure each of the ten computers so that they can only access public
Web sites. The computers must be prevented from running other applications. All
other users and computers on the Certkiller .com network must not be affected by
these restrictions.
Which of the following two actions can you take to accomplish the task? Choose two
correct answers. Each answer presents a complete solution.

A. Create a new Group Policy object (GPO) and link it to the Certkiller .com domain.
Configure the user settings in the new GPO to allow only Internet Explorer to run.
Configure the computer settings in the new GPO to enable loopback mode.
B. Create a new Group Policy object (GPO) and link it to the Public Computers OU.
Configure the user settings in the new GPO to allow only Internet Explorer to run.
Configure the new GPO to apply only to the Public User account.
C. Create a new Group Policy object (GPO) and link it to the Public Computers OU.
Configure the GPO so that it contains a Public Groups policy which places all users in
the local Guests group of each of the ten Windows XP Professional computers.
D. Create a new Group Policy object (GPO) and link it to the Certkiller .com domain.
Configure the user settings in the new GPO to allow only Internet Explorer to run.
Configure the new GPO to apply only to the Public User account.
E. Create a new Group Policy object (GPO) and then link it to the Public Computers OU.
Configure the user settings in the new GPO to allow only Internet Explorer to run.
Configure the computer settings in the new GPO to enable loopback mode.

Answer: D, E

Explanation: The computers are configured to automatically log on with the Public
User account each time they start. We can configure a GPO to allow only
Internet Explorer to run. We can link the GPO to the domain and use security
permissions to ensure that the policy applies only to the Public User account. This
will ensure that the GPO only affects the restricted computers.
The restricted computers are in the Public Computers OU. Therefore, another solution
would be to link the GPO to the Public Computers OU, thus ensuring that no other
computers are affected by the GPO. Although the Internet Explorer settings are in the
user part of a GPO, and this solution applies the GPO to computers (not users), we can
apply the user settings to the Public User account by using loopback mode.
For loopback processing, you can choose whether to replace or merge user-specific
policy. The replace mode replaces all of a user's normal policy settings with those
defined in the user configuration of the GPOs that apply to the computer object (the
loopback settings). Merge mode merges the user's normal policy settings and the
loopback settings. In the case where a policy item in the user's normal policy conflicts
with the loopback settings, the loopback settings are applied.
Incorrect Answers:
A: If we apply the GPO to the domain and use loopback mode, the settings will apply to
all the computers in the domain. We should restrict the GPO to only the Public
Computers.
B: Without loopback mode, the user settings in a GPO linked to the Public Computers
OU would not apply to the Public User account, because user settings are normally
taken from the GPOs that apply to the user object, regardless of the computer used to
log on.
C: The computers are configured to log on with the Public User account, not the Guest
account. In Windows Server 2003, the Guest account is disabled by default.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C. A. Callahan & Lisa Justice,
Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, p. 784

QUESTION 273:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. All file servers on the Certkiller .com
network have computer accounts in an organizational unit (OU) named FileServers.
All users of the Certkiller .com domain have accounts in an OU named Certkiller Users.
The My Documents folder is redirected to a shared folder on a file server named
Certkiller -SR02 for all users and administrators.
You have received instruction from the CIO to limit the amount of disk space that
can be used by each user on Certkiller -SR02. You have been instructed to limit
disk space usage on Certkiller -SR02 to 2 GB per user. This must apply to all users
other than administrators.
What should you do next to ensure that all users, other than administrators, can
only use a maximum of 2 GB of storage on Certkiller -SR02?

A. Create a Group Policy object (GPO) and link it to the Certkiller Users OU. Enable disk
quotas in the GPO.
B. Create a Group Policy object (GPO) and link it to the Certkiller Users OU. Enable a
size limit on user profiles in the GPO.
C. Create a Group Policy object (GPO) and link it to the FileServers OU. Enable disk
quotas in the GPO.
D. Create a Group Policy object (GPO) and link it to the FileServers OU. Enable a
default cache size for offline files in the GPO.

Answer: B

Explanation:
To prevent users, computers, and groups from creating an unlimited number of
objects in Active Directory, Windows Server 2003 has added quotas. Active
Directory quotas are used to limit how many objects are owned in a particular
directory partition. While quotas can be applied to almost every user, computer,
and group, Domain Administrators and Enterprise Administrators are exempted
from these limits. The quotas that are used to limit the ability of a user, computer,
or group from creating too many objects in Active Directory should not be confused
with disk quotas, which are also available on Windows Server 2003 servers
(regardless of the functionality level being used).
The new Active Directory quotas (not to be confused with disk quotas) are defined as the
number of objects that can be owned by a given user in a given directory partition.
Domain Admins and Enterprise Administrators are exempt from the quota, and they do
not apply at all to the schema partition. Replicated operations do not count toward the
quota; only the original operations do. Quota administration is performed through a set of
command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface
exists for quota administration.
Disk quotas can be used to limit the amount of hard disk space that can be used on a
volume that's formatted in NTFS. The NTFS file system is more advanced than other file
systems such as FAT or FAT32, which can also be used to format volumes. By using
disk quotas on an NTFS volume, administrators can prevent users from filling up the hard
disk with an unlimited number of files.
Incorrect answers:
A: Making use of disk quotas will not have the desired effect.
C: The FileServers OU is the wrong organizational unit to link the GPO to.
D: First, the FileServers OU is the wrong organizational unit to link the newly created
GPO to, and furthermore, the GPO should not be one that enables a default cache size
for offline files.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 1, p. 69 &
Chapter 4, p. 250

QUESTION 274:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. All computers are members of
Certkiller .com.
Half the client computers are portable computers, and the rest are desktop
computers. The portable computers comprise laptop computers and tablet
computers. The client computer accounts reside in different organizational units
(OUs) based on department, together with the desktop computer accounts.
Certkiller .com's new written security policy no longer allows portable computers
to be left unattended while logged on to the Certkiller .com network unless they
are protected by a password. Because desktop computers are only found in
secured offices, the new Certkiller .com written security policy must not be enforced
for desktop computers.
How will you accomplish the task of ensuring that only portable computers comply
with Certkiller .com's new written security policy?

A. Create a new Group Policy object (GPO) that indicates a logon script and link it to the
domain.
Configure the logon script to read the Oeminfo.ini file for manufacturer and model
information and then set the screen saver properties when the manufacturer and model
number signifies a portable computer.
B. Create a new Group Policy object (GPO) that indicates a logon script and link it to the
domain.
Configure the logon script to run a WMI query for manufacturer information and update
the user's profile information in Active Directory when the user is using a portable
computer.
C. Create a Group Policy object (GPO) that indicates a password-protected screen saver
and link it to the domain.
To apply the GPO to only portable computers, define a WMI filter to query for hardware
chassis type information.
D. Create a Group Policy object (GPO) that indicates a password-protected screen saver
and link it to the domain.
To apply the GPO to only portable computers, define a WMI filter to query for the
specific edition of Windows XP Professional installed on the computer.

Answer: C

Explanation:
We can use a WMI filter to query for the hardware chassis type information to
ensure that the GPO applies only to the portable computers.
Incorrect Answers:
A: This is a very difficult and impractical way of doing it.
B: Updating the user profile would not achieve anything.
D: The desktops would probably have the same version of XP as the laptops.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20
to 10-21, 11-6

QUESTION 275:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional. All client computers have accounts in an organizational unit (OU)
named ClientComputers.
Certkiller .com's written security policy does not allow Windows 2000 Professional
computers to use offline folders. To comply with the security policy you create a new
Group Policy object (GPO). However, the current settings configured in the GPO
apply to both Windows 2000 Professional computers and Windows XP Professional
computers.
Which of the following two configurations should you perform to ensure that the
new GPO applies only to Windows 2000 Professional computers? Choose two
answers. Each correct answer presents a complete solution.

A. Create a new WMI filter that will apply the GPO to computers running Windows 2000
Professional.
B. Create a WMI filter that will apply the GPO to computers not running Windows XP
Professional.
C. Create two new OUs underneath the ClientComputers OU.
Add the computer accounts of the Windows XP Professional computers to one OU, and
add the computer accounts of the Windows 2000 Professional computers to the other OU.
Link the GPO to the ClientComputers OU.
D. Create a new group that contains the Windows XP Professional computers.
Assign the Deny - General Resultant Set of Policy (Logging) permission to the group.
E. Create a new group that contains the Windows 2000 Professional computers.
Assign the Deny - Apply Group Policy permission to the group.

Answer: A, B

Explanation: WMI filters are ignored by Windows 2000 clients but not by Windows
XP clients. Thus, the Windows XP clients will evaluate the filter to see if the GPO
should apply to them or not, while the Windows 2000 clients will just apply the GPO
without evaluating the WMI filter.
Incorrect Answers:
C: This looks like a good idea. However, applying the GPO to the ClientComputers OU
will (by inheritance) apply the GPO to the two child OUs.
D: This won't prevent the application of the GPO.
E: This answer is close, but incorrect. This will prevent the GPO applying to the
Windows 2000 clients. If the group contained the Windows XP clients, then it would
work.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20
to 10-21, 11-6
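
The chassis-type WMI filter behind questions 274 and 275 can be dry-run on a client before it is attached to a GPO. The PowerShell script below is an added example, not part of the exam guide or of any Microsoft tool; the computer names in it are assumptions, and the chassis codes are the SMBIOS System Enclosure values for portable systems:

```powershell
# Added example (not from the exam guide): dry-run a chassis-type WMI filter
# using the same WQL text that GPMC evaluates for the GPO.
# Chassis codes 8, 9, 10 and 14 are the SMBIOS System Enclosure values for
# Portable, Laptop, Notebook and Sub Notebook. Computer names are assumed.

# Same query text you would paste into the GPMC WMI filter (namespace root\CIMv2).
$PortableChassisQuery = @"
SELECT * FROM Win32_SystemEnclosure
WHERE ChassisTypes = "8" OR ChassisTypes = "9" OR ChassisTypes = "10" OR ChassisTypes = "14"
"@

# Descriptive names for the codes used in the filter.
$ChassisNames = @{ 8 = 'Portable'; 9 = 'Laptop'; 10 = 'Notebook'; 14 = 'Sub Notebook' }

function Test-PortableChassisFilter {
    param([string]$ComputerName = '.')

    # Group Policy treats a WMI filter as "true" when the query returns at least
    # one instance. Windows 2000 clients never evaluate the filter (question 275),
    # so this check is meaningful only for Windows XP and later.
    $hits = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $PortableChassisQuery `
                            -ComputerName $ComputerName -ErrorAction Stop)

    # Show the raw chassis codes so a non-matching machine can be explained.
    $enclosure = Get-WmiObject -Class Win32_SystemEnclosure -ComputerName $ComputerName |
                 Select-Object -First 1
    $codes = @($enclosure.ChassisTypes) | ForEach-Object {
        $name = $ChassisNames[[int]$_]
        if (-not $name) { $name = 'Other' }
        "$_ ($name)"
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        ChassisTypes = ($codes -join ', ')
        FilterPasses = ($hits.Count -gt 0)   # $true => the GPO would apply here
    }
}

# Usage: local machine first, then a few remote clients (names are assumed).
Test-PortableChassisFilter
'CLIENT01', 'CLIENT02' | ForEach-Object { Test-PortableChassisFilter -ComputerName $_ }
```

The query text is what goes into the GPMC WMI filter dialog, and a non-empty result set is what Group Policy treats as "filter passes". As the explanation to question 275 points out, Windows 2000 clients skip the evaluation altogether and apply the GPO regardless, so the dry run only tells you what Windows XP and later clients will do.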

QUESTION 276:

Exhibit

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
The global group named Service Center Staff contains the user accounts of all users
working in the Certkiller .com Service Center department. An organizational unit
(OU) named ServiceCenterStaff contains the Service Center Staff global group.
A Group Policy object (GPO) named Administration Tools Pack is used to assign
the Windows Server 2003 Administration Tools Pack to users and is linked to the
OU named Administration OU. Users in the Service Center department need these
administrative tools to perform their duties.
You discover that the administrative tools are not installed on the client computers
of service center staff. You open the Group Policy Management Console (GPMC) to
find out how Group Policy is applied to the ServiceCenterStaff OU. You notice that
inheritance of GPOs is currently blocked for the ServiceCenterStaff OU.
You must ensure that the administrative tools are installed on the client computers
used in the Service Center department. Your solution must only fix the current
problem and must not modify the Service Center department's client computers
unnecessarily.
What should you do next?

A. Link the Admin Tools Pack GPO to the ServiceCenterStaff OU.
B. Link the Admin Tools Pack GPO to the Certkiller .com domain.
C. Modify the Admin Tools Pack GPO to apply to the Service Center Staff global group.
D. Create a new GPO that will assign the Windows Server 2003 Administration Tools
Pack to client computers and then link the new GPO to the ServiceCenterStaff OU.

Answer: A

Explanation: The question stated that Block Policy Inheritance is enabled for the
ServiceCenterStaff OU. Given the exhibit that shows the OU structure of Certkiller and
also that the Admin Tools Pack GPO is linked to the Administrators OU, you should then
link the Admin Tools Pack GPO to the ServiceCenterStaff OU to ensure that the
administrative tools are also installed on the ServiceCenterStaff OU's client computers
without changing the client computers in any other way.
Incorrect answers:
B: That GPO should be linked to the ServiceCenterStaff OU and not the domain. If
linked to the domain then it will apply to unnecessary computers as well. The question
states that the administrative tools installed should be used by the service desk users'
client computers and that these computers should not be modified in any other way.
C: A global group can contain accounts and groups from the domain in which it is
created, and be assigned permissions to resources in any domain in a tree or forest.
Because it only applies to the domain in which it's created, this type of group is
commonly used to organize accounts that have similar access requirements. Having the
Admin Tools Pack GPO only applied to the Service Center Staff global group would not
necessarily have the desired effect then.
D: There is no need to create a new GPO since there is already a GPO called Admin
Tools Pack that serves the same purpose.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 9-18
to 9-19
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 2, p. 134

QUESTION 277:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of two Active Directory forests. One Active Directory forest is
used for production and the other is used for testing purposes. Each forest contains
one domain, named us. Certkiller .com and uk. Certkiller .com respectively. The
functional level of each forest is set at Windows Server 2003.
You are busy testing Group Policy objects (GPOs) that manage administrative
templates in the test forest. The GPOs that you are testing are going to be used to
manage administrative templates in the production forest. Testing of the new GPOs
involves changes to both the Default Domain Policy GPO and the Default Domain
Controllers Policy GPO.
You want to restore the settings of Default Domain Policy GPO and Default Domain
Controllers Policy GPO for the test domain to that of the production forest. You
want to use the minimum amount of administrative effort to do this.
Which of the following two actions should you use to accomplish this task? Choose
two answers. Each correct answer presents only part of the complete solution.

A. Execute the dcgpofix /both command in the test forest's domain.
B. Use the Group Policy Management Console (GPMC) to back up the Default Domain
Policy GPO and Default Domain Controllers Policy GPO from the production forest's
domain.
C. Use the Group Policy Management Console (GPMC) and a migration table to import
the Default Domain Policy GPO and Default Domain Controllers Policy GPO to the test
forest's domain.
D. Back up the original GptTmpl.inf files for the Default Domain Policy GPO and
Default Domain Controllers Policy GPO from the production forest.
E. Restore the backed up GpTmpl.inf files to the test forest's domain.
F. Increment the version in the Gpt.ini files for the Default Domain Policy and Default
Domain Controllers Policy GPO.

Answer: B, C

Explanation: We can use the Group Policy Management Console (GPMC) to back
up the GPOs from the production domain and import them into the test lab. The
GPMC lets administrators manage Group Policy for multiple domains and sites
within one or more forests, all in a simplified user interface (UI) with drag-and-drop
support. Highlights include new functionality such as backup, restore, import, copy,
and reporting of Group Policy objects (GPOs). These operations are fully
scriptable, which lets administrators customize and automate management.
When we import, we need to import both policies: the Default Domain Policy and the
Default Domain Controllers Policy. The Default Domain Controllers Policy references
security principals (for example in user rights assignments) that belong to the production
forest, so we need a migration table to map those security principals to the test domain.
If GPMC is installed in the default path, its scripts are found in C:\Program
Files\GPMC\Scripts. The script CreateMigrationTable.wsf creates migration tables that
can be edited and used to map paths and security principals to new values when
importing and copying GPOs across domains.
Incorrect answers:
A: The Dcgpofix command restores Group Policy Objects (GPOs) to the state they were
in when initially installed. By restoring these GPOs to their original states, any changes
that were made to them are lost. This is not what is required in this scenario.
D: There is no need to backup files for the Default Domain Policy and the Default
Domain Controllers Policy GPO from the production forest. This will result in
unnecessary administrative effort.
E: The test domain is used to test the settings, and what is needed is to bring the test
domain's GPOs back to the production settings. All that is necessary is to back up the
Default Domain Policy and Default Domain Controllers Policy GPOs from the production
domain by using the Group Policy Management Console (GPMC) and then to import
them into the test domain.
F: This option will result in too much administrative effort being applied when all that is
needed is to back up the Default Domain Policy and Default Domain Controllers Policy
GPOs from the production domain by using the Group Policy Management Console
(GPMC) and then to import it into the test domain.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 1, p. 46
MS White Paper: Migrating GPOs Across Domains with GPMC
http://www.microsoft.com/windowsserver2003/docs/MigGPOs.doc

QUESTION 278:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory forest that contains three domains
named Certkiller -north.com, Certkiller -south.com, and Certkiller -east.com respectively.
The functional level of the forest is set at Windows Server 2003.
The Certkiller -north.com and Certkiller -south.com domains each contain resource
server computer accounts, client computer accounts, and user accounts. A resource
server computer only provides a single service of database server, file server, or
print server. The Certkiller -east.com domain contains computer accounts for domain
controllers and user accounts that have administrative rights.
You have received instruction from the CIO to use Group Policy objects (GPOs) to
centrally apply the following security settings to resource server computers:
1. Specific security settings need to apply to all resource server computers. These
settings must not be overridden.
2. Specific security settings need to apply to only certain server roles.
You decide to implement an organizational unit (OU) structure that will support
these requirements. You want to create the least amount of GPOs and links
required.
What should you do to achieve your goal in these circumstances?

A. Create a top-level OU for each server role underneath the Certkiller -east.com domain.
Create a top-level OU named Server under the Certkiller -north.com domain.
Create a top-level OU named Server under the Certkiller -south.com domain.
B. Create a top-level OU named Server under the Certkiller -north.com domain.
Create a child OU for each server role under the Servers OU.
Create a top-level OU named Server under the Certkiller -south.com domain.
Create a child OU for each server role under the Servers OU.
C. Create a top-level OU named Server under the Certkiller -east.com domain.
Create a child OU for each server role under the Servers OU.
D. Create a top-level OU for each server role under the Certkiller -north.com domain.
Create a top-level OU for each server role under the Certkiller -south.com domain.

Answer: B

Explanation: With a top-level OU named Server, we can apply group policies to all
the resource servers. With child OUs for each server role, we can apply group
policies to individual server roles. Two domains have resource servers,
Certkiller -north.com and Certkiller -south.com. We need to create the OU structure in
each of these two domains.
Incorrect Answers:
A: We need an OU for each server role in Certkiller -north.com and Certkiller -south.com,
because the resource servers are in those domains.
C: We need a top level OU for all the resource servers in Certkiller -north.com and
Certkiller -south.com, so we can apply group policies to all the servers.
D: We need a top level OU for all the resource servers in Certkiller -north.com and
Certkiller -south.com, so we can apply group policies to all the servers.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 406, 408-411,
576-584

QUESTION 279:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. All server computers are located in an
organizational unit (OU) named Server and all client computers are located in an
organizational unit (OU) named ClientComputer.
Certkiller .com's written security policy does not allow servers to run the SMTP
service and the Telnet service. These services must be disabled on all servers.
What should you do next to disable the SMTP service and the Telnet service on all
servers?

A. Use gpedit.msc and create a Group Policy object (GPO) to apply a logon script which
will disable the SMTP service and the Telnet service.
Link the GPO to the Server OU.
B. Use gpedit.msc and create a Group Policy object (GPO). Import the Hisecws.inf
security template.
Link the GPO to the Server OU.
C. Use gpedit.msc to create a Group Policy object (GPO) that sets the startup type of the
SMTP service and the Telnet service to Disabled.
Link the GPO to the Server OU.
D. Use gpedit.msc and create a Group Policy object (GPO) that apply a startup script to
stop the SMTP service and the Telnet service.
Link the GPO to the Server OU.

Answer: C

Explanation: The servers have been moved to an OU. This makes it easy for us to
configure the servers using a group policy. We can simply assign a group policy to
the Server OU to disable the services.
Incorrect Answers:
A: The logon script would only run when someone logs on to the servers. It's likely that
the servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy
would be refreshed at regular intervals.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13:
85-86
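
Once the GPO from question 279 has applied, the startup type of both services should show as Disabled on every server. The PowerShell script below is an added example, not from the exam guide, that audits the SMTP and Telnet services across the computers in the Server OU; the OU distinguished name, the domain name and the use of ADSI for the server list are assumptions:

```powershell
# Added example (not from the exam guide): verify that the "System Services"
# GPO setting took effect, i.e. that SMTP and Telnet are Disabled and stopped
# on every server in the Server OU. The OU path and domain are assumptions.
# Service names: SMTPSVC (Simple Mail Transfer Protocol) and TlntSvr (Telnet).

$ServiceNames = 'SMTPSVC', 'TlntSvr'

function Get-RestrictedServiceState {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    # Build one WQL filter for both services: Name='SMTPSVC' OR Name='TlntSvr'
    $filter = ($ServiceNames | ForEach-Object { "Name='$_'" }) -join ' OR '

    foreach ($computer in $ComputerName) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State,
        # which is exactly what the GPO "Startup type: Disabled" should produce.
        try {
            $services = Get-WmiObject -Class Win32_Service -Filter $filter `
                                      -ComputerName $computer -ErrorAction Stop
        } catch {
            # Report unreachable hosts instead of silently skipping them.
            New-Object PSObject -Property @{
                ComputerName = $computer; Service = '<unreachable>'
                StartMode = $null; State = $null; Compliant = $false
            }
            continue
        }
        foreach ($svc in $services) {
            New-Object PSObject -Property @{
                ComputerName = $computer
                Service      = $svc.Name
                StartMode    = $svc.StartMode
                State        = $svc.State
                # Compliant only if the GPO has disabled it AND it is not running.
                Compliant    = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
            }
        }
    }
}

# Pull the server list from the Server OU (assumed DN) with ADSI, which is
# available without extra modules on Windows Server 2003-era hosts.
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://OU=Server,DC=Certkiller,DC=com'
$searcher.Filter = '(objectCategory=computer)'
$servers = $searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }

Get-RestrictedServiceState -ComputerName $servers |
    Format-Table ComputerName, Service, StartMode, State, Compliant -AutoSize
```

A service that is not installed at all does not appear in the output, which is also compliant; only rows with Compliant = False need attention. A straggler can be corrected locally with Set-Service, but the authoritative fix remains the GPO, because the setting is re-applied at every Group Policy refresh.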

QUESTION 280:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
You configure a certification authority (CA) to issue smart card authentication
certificates for users of the Certkiller .com network. All users that perform
administrative functions must have two accounts. One account will be used for
standard computer usage, and the other account will have administrative privileges
to perform administrative operations and tasks.
You issue one smart card for each user for standard computer usage, and then
enroll each user for a smart card authentication certificate.
You must decide how smart card access for users who have administrative duties
will be performed.
What should you do next?

A. For each user that has administrative duties, issue an additional smart card.
Enroll the administrative account of these users for a smart card authentication
certificate.
Instruct all administrative account users to use this smart card when logging on to
perform administrative duties.
B. Enroll the administrative account of users for a smart card authentication certificate.
When prompted, store the authentication certificate on the existing smart card.
Instruct all administrative account users to use this smart card when logging on to
perform all tasks.
C. Configure Group Policy to autoenroll administrative account users for certificates.
Instruct all administrative account users to log on by using their nonadministrative
accounts.
D. Issue a master card to users who have to perform administrative duties.
Instruct these users to use the master card when logging on to perform administrative
duties.

Answer: B

Explanation: It is possible to store multiple certificates on a smart card. The user
can select an account when he/she logs on.
Incorrect Answers:
A: It is not necessary to issue additional smart cards. A single smart card can store
multiple certificates.
C: This answer won't work. The users need to log on using their administrative accounts
to do administrative work. A certificate needs to be created for the administrative account
and stored on a smart card.
D: It is not necessary to issue additional smart cards. A single smart card can store
multiple certificates. Furthermore, this answer seems to suggest having multiple smart
cards with a single "master" certificate mapped to a single "master" administrative
account.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn
Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003
Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress
Publishing, Inc., Rockland, MA 02370, Chapter 12, p. 898
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining
a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond,
Washington, 2004, Chapter 11
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 3, pp. 14-18

QUESTION 281:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. You install
Certificate Services on two Windows Server 2003 computers. You configure one as
an offline root certification authority (CA) and configure the other as an enterprise
subordinate CA in the domain.
Users in the Auditing department use a public key infrastructure (PKI) enabled
application to save confidential auditing data. The Auditing department's users
must have a certificate that supports client authentication to access to the PKI
enabled application. The user objects of all users working in the Auditing
department reside in an organizational unit (OU) named Auditing.
To configure the Auditing department's users for autoenrollment, you create a new
Group Policy object (GPO) and link it to the Auditing OU. Using a duplicate of the
User certificate template, you assign permission to allow autoenrollment for users in
the Auditing department. You name the certificate template Users and configure it
to prompt the user during the certificate enrolment process.
A Certkiller .com user named Andy Reid is a member of the Auditing department.
One morning Andy complains that when he attempts to access and use the Auditing
application, he receives a message informing him that he does not have the required
client authentication certificate.
What should you do next to ensure that Andy can access and use the Auditing
application?

A. Configure Andy's user object to include an e-mail address.
B. Add Andy's user object to the Cert Publishers domain local group.
C. On Andy's computer, use the Web enrolment tool to connect to the subordinate CA.
Download a copy of the subordinate CA's certificate.
D. On Andy's computer, use the Web enrolment tool to connect to the subordinate CA.
Download the latest available certificate revocation list (CRL).

Answer: D

Explanation: CAs can revoke as well as issue certificates. After a certificate is revoked,
it needs to be published to a CRL distribution point. Clients check the CRL periodically
before they can trust a certificate. Following this reasoning, Andy's certificate could
have been revoked. To make sure that he can use the Auditing application he should
make use of the Web enrolment tool to connect to the subordinate CA and download the
latest CRL.
Incorrect answers:
A: This is probably a case of a revoked certificate, and editing Andy's user object to
include an e-mail address will not address the issue at hand.
B: This will not ensure that Andy will be able to make use of the Auditing application.
C: You should not be downloading a copy of the subordinate CA's certificate; it is a
matter of downloading the latest CRL from the subordinate CA.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn
Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003
Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress
Publishing, Inc., Rockland, MA, Chapter 12, p. 909

QUESTION 282:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain and two sites named
CK-SITE03 and CK-SITE04 respectively. All servers on the Certkiller .com network
run Windows Server 2003.
Certkiller .com has two branch offices which are connected through a 256-Kbps
leased line. Each branch office is set up to use one of the sites. A site link also
connects CK-SITE03 and CK-SITE04. Both CK-SITE03 and CK-SITE04 contain
users but only CK-SITE03 contains domain controllers.
You create a new Group Policy object (GPO) to redirect the My Documents folder
and link the GPO to the domain. Users in CK-SITE03 have their folders redirected
successfully. Users in CK-SITE04 report that their folders are not being redirected.
What should you do next to ensure that all users in CK-SITE04 have their folders
redirected successfully?

A. Merge CK-SITE03 and CK-SITE04 to form a single site.
B. Modify the GPO so that loopback processing in Merge mode is enabled.
C. Remove the link for the new GPO from the domain.
Link the GPO to CK-SITE03 and to CK-SITE04.
D. Configure a new GPO that disables Group Policy slow link detection.
Link the new GPO to CK-SITE04.

Answer: D

Explanation: The users in CK-SITE04 receive their GPOs from domain controllers
in CK-SITE03. The bandwidth of the link between the two sites is less than 500 Kbps,
which is the default 'slow link' threshold. Therefore, if slow link detection is enabled,
the folder redirection policy won't apply over that link. To apply the policy to users in
CK-SITE04, we need to disable slow link detection.
Incorrect Answers:
A: Combining the two sites will make administration more complex.
B: Merge mode merges the user's normal policy settings and the loopback settings. This
is not relevant to this scenario.
C: Linking the GPO at the site level won't accomplish anything because the GPO is
applied to the domain already.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-28
to 11-48

QUESTION 283:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
Certkiller .com domain contains an organizational unit (OU) named TerminalServers
that stores all Windows Server 2003 computer accounts running Terminal Services.
The Certkiller .com domain also contains a global group named Marketing. Users that
have user accounts in the Marketing global group connect to terminal servers to
access software marketing applications.
You create a Group Policy object (GPO) and configure it to publish a software
installation package that installs the latest marketing application. You link the GPO
to the TerminalServers OU.
A Certkiller .com user named Rory Allen is a member of the Marketing department.
One morning Rory complains that the application is not installed on any of the
terminal servers. You log on to a server running Terminal Services and try to use
Add or Remove Programs in Control Panel. You receive this error message:
"Applications are not available to install from the network in this mode."
What must you do next to ensure that the new marketing application is installed on
the computers running Terminal Services?

A. Edit the GPO and configure the software installation package to be assigned
underneath the Computer Configuration section in the GPO underneath Software
Settings.
B. Edit the GPO and configure the software installation package to be assigned
underneath the User Configuration section in the GPO underneath Software Settings.
C. Edit the discretionary access control list (DACL) settings of the GPO.
Assign the Authenticated Users group both the Deny - Read and the
Allow - Apply Group Policy permissions.
D. Edit the discretionary access control list (DACL) settings of the GPO.
Assign the computer accounts stored in the TerminalServers OU both the Allow -
Read and the Allow - Apply Group Policy permissions.

Answer: A

Explanation: In order for the software application to be available through a
Terminal Services session, the software application must be installed on the server itself.
If the GPO assigns the software installation package under User Configuration, the
software will not get installed onto the terminal server.
Incorrect Answers:
B: We need the application applied to the computer not the user.
C, D: This doesn't make sense.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-20, 10-40 to 10-41, 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION 284:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You must install a new application on only those computers where it is required but
after it is installed, any user that logs on to the computer can use the application.
You use the Windows Installer package to install the new application and copy the
.msi file to a shared folder on a file server named Certkiller -SR14. Members of
the Domain Admins group are the only users that have the Allow - Full Control
permission for the shared folder on Certkiller -SR14.
You have received instruction from the CIO to automate application installation.
You must ensure that users do not install unauthorized copies of the application. To
meet these requirements you create a new security group and assign the Allow -
Read permission for the shared folder that contains the .msi file for this new group.
Which two of the following actions must you perform? Choose two answers. Each
answer presents only part of the complete solution.

A. Add all users of the application to the security group.
B. Make all unauthorized computers members of the security group.
C. Create a Group Policy object (GPO) that assigns the application to users and link the
GPO to the domain.
Configure permissions on the GPO so that it applies only to the security group.
D. Create a Group Policy object (GPO) that publishes the application to users and link
the GPO to the domain.
Configure permissions on the GPO so that it applies only to the security group you
created.
E. Create a Group Policy object (GPO) that assigns the application to computers and link
the GPO to the domain.
Configure permissions on the GPO so that it applies only to the security group you
created.

Actualtests.com - The Power of Knowing

070-294

Answer: A, C

Explanation: A security group is a collection of users who have specific rights and
permissions to resources. Rather than giving rights to perform certain tasks to individual
users, and then setting permissions as to what resources that user can access, the rights
and permissions are applied to the group. Any users who are members of the group then
acquire this same level of security access. In doing so, collections of users are handled as
a single unit, rather than as individuals. Thus, to accomplish the task at hand while
staying within the requirements of the company, you should make all users of this
particular application members of a security group and then create a GPO that assigns
the application to these users. You then need to link the GPO to the domain and set the
relevant permissions so that it applies only to the newly created security group.
Incorrect Answers:
B: If we created a security group that contains all unauthorized computers, we would
need to apply the Deny - Apply Group Policy permission to that security group. The
latter is not one of the options.
D: We need to assign the application to users, not publish it. Assigned applications
appear on the user's desktop, or start menu, which is part of the user profile. This means
that the application will not be available to other users who log on to the computer.
E: Assigning the application to computers would be wrong, since it is the users that you
need to take into account; users may also have roaming profiles, which could lead them to
use computers other than their own as well.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 2, pp.
131-133
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3
to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION 285:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
All servers on the Certkiller .com network are located in an organizational unit (OU)
named Certkiller Servers. Client computers are located in various organizational
units (OUs) based on Certkiller .com department. All users on the Certkiller .com
domain have user accounts in an organizational unit (OU) named Certkiller Users.
You must deploy a new application for all client computers on the Certkiller .com
domain. You must ensure that the application is not installed on any servers.
Installation of the new application must not affect any existing policies.
What should you do to achieve your goal in these circumstances?

A. Use gpedit.msc to create a Group Policy object (GPO) that assigns the new application
to all client computers. Link the GPO to the Certkiller .com domain.
Configure both the Domain Controllers OU and the Servers OU to block policy
inheritance.
B. Use gpedit.msc to create a Group Policy object (GPO) that assigns the new application
to all client computers. Link the GPO to the Certkiller .com domain.
Configure permissions on the GPO to ensure that all servers and domain controller
accounts are denied the permissions to both read and apply this GPO.
C. Use gpedit.msc to create a Group Policy object (GPO) that assigns the new application
to users and link it to the Certkiller .com domain.
Configure both the Domain Controllers OU and the Servers OU to block policy
inheritance.
D. Use gpedit.msc to create a Group Policy object (GPO) that assigns the application to
the users and link it to the Certkiller .com domain.
Configure permissions on the GPO to ensure that all server and domain controller
accounts are denied the permissions to both read and apply the GPO.

Answer: B

Explanation: The software can be installed on all the client computers, but not the
domain controllers or member servers. Because the client computers are in various
OUs, it would be easier to link the GPO at the domain level. The OUs containing the
client computers would then inherit the GPO settings.
To prevent the GPO applying to the domain controllers and servers, we can simply deny
the permissions to read and apply the GPO for the domain controller and server computer
accounts.
Incorrect Answers:
A: It is likely that some domain level policies should apply to the domain controllers and
the servers. Therefore, blocking policy inheritance isn't recommended.
C: It is likely that some domain level policies should apply to the domain controllers and
the servers. Therefore, blocking policy inheritance isn't recommended.
D: This won't stop the software being installed on the servers, because the software
installation would be defined in the user section of the group policy.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3
to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION 286:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
functional level of the domain is set at Windows 2000 mixed. Half the client
computers run Windows XP Professional and the rest run Windows 2000
Professional or Windows NT Workstation 4.0.
The Certkiller .com domain contains an organizational unit (OU) named Sales. All client
computers in the Sales department have computer accounts in the Sales OU.
You must automatically install a new software package to only the Windows 2000
Professional client computers in the Sales OU. You create a Group Policy object
(GPO) and link it to the Sales OU.
What should you do next?

A. Edit the GPO to assign the software package under the Computer Configuration
section, underneath Software Settings.
Configure the discretionary access control list (DACL) of the GPO to assign the
Authenticated Users group the Allow - Read and the Deny - Apply Group Policy
permissions.
B. Edit the GPO to assign the software package under the Computer Configuration
section, underneath Software Settings.
Create a WMI filter to include only Windows 2000 Professional.
C. Edit the GPO to assign the software package under the Computer Configuration
section, underneath Software Settings.
Disable the Computer Configuration settings on this GPO.
D. Edit the GPO to publish the software package under the User Configuration section,
underneath Software Settings.
Configure the discretionary access control list (DACL) of this GPO to assign only the
Windows 2000 Professional computer accounts the Allow - Read and the Allow -
Apply Group Policy permissions.

Answer: B

Explanation: This question is tricky because Windows 2000 clients cannot process
WMI filters. They will ignore the filters and install the software. However, the
Windows XP clients will process the WMI filter and so will not install the software.
The NT clients will not process the group policy at all, and so will not install the
software. This fulfils the requirements in the question.
Incorrect Answers:
A: This will deny the group policy, so the policy will not apply to anyone.
C: This will disable the part of the GPO with the required settings. Therefore, the
software won't install on any computers.
D: The software needs to be assigned to the computers, not the users. This answer could
work if the software was assigned under the Computer Configuration section, but it's an
impractical way of doing it.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20
to 10-21, 11-6

QUESTION 287:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
All domain controllers have computer accounts in an organizational unit (OU)
named Domain Controllers. All servers other than domain controllers have
computer accounts in an organizational unit (OU) named Servers. Client computers
have computer accounts in various OUs based on department. All users on
the Certkiller .com domain have user accounts in an organizational unit (OU) named
Users.
You have received instruction from the CIO to install Microsoft Excel on all client
computers used by users on the domain. Microsoft Excel must not be installed on
domain controllers and on other application servers on the Certkiller .com network.
What should you do next to install Microsoft Excel on all client computers used
by users on the domain? Your installation of the application must not affect any
existing policies or settings.

A. Create a Group Policy object (GPO) that has Microsoft Excel listed in the software
installation section of the computer settings section.
Link the new GPO to the Certkiller .com domain.
Configure both the Domain Controllers OU and the Servers OU to block policy
inheritance.
B. Create a Group Policy object (GPO) that has Microsoft Excel listed in the software
installation section of the computer settings section.
Link the new GPO to the Certkiller .com domain.
Configure permissions on the GPO to ensure that domain controller and server accounts
are denied the permissions to both read and apply the GPO.
C. Create a Group Policy object (GPO) that has Microsoft Excel listed in the software
installation section of the user settings section.
Link the new GPO to the Certkiller .com domain.
Configure both the Domain Controllers OU and Servers OU to block policy inheritance.
D. Create a Group Policy object (GPO) that has Microsoft Excel listed in the software
installation section of the user settings section.
Link the new GPO to the Certkiller .com domain.
Configure permissions on the GPO to ensure that domain controller and server accounts
are denied the permissions to both read and apply the GPO.

Answer: B

Explanation: The software can be installed on all the client computers, but not the
domain controllers or application servers. Because the client computers are in
various OUs, it would be easier to link the GPO at the domain level. The OUs
containing the client computers would then inherit the GPO settings.
To prevent the GPO applying to the domain controllers and servers, we can simply deny
the read and apply GPO permission for the domain controller and server computer
accounts.
Incorrect Answers:
A: It is likely that some domain level policies should apply to the domain controllers and
the servers. Therefore, blocking policy inheritance isn't recommended.
C: It is likely that some domain level policies should apply to the domain controllers and
the servers. Therefore, blocking policy inheritance isn't recommended.
D: This won't stop the software being installed on the servers, because the software
installation would be defined in the user section of the group policy.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 600-604
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-13
to 12-28

QUESTION 288:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Users on the Certkiller .com domain currently have their user accounts configured as
local administrators to enable them to install software. The Desktop Help
department provides support to all users. Members of the Desktop Help department
have user accounts in a group named Desktop Help.
You want to prevent only users from running registry editing tools. You create a
software restriction policy that will not allow users to run registry editing tools and
apply the policy to all user accounts in Certkiller .com.
A Certkiller .com employee named Rory Allen works in the Desktop Help
department. One morning Rory complains that when he attempts to run registry
editing tools, he is shown an error message that states the following:
"Windows cannot open this program because it has been prevented by a software
restriction policy. For more information, open Event Viewer or contact your system
administrator".

What should you do next to ensure that Rory and all other members of the Desktop
Help department can run registry editing tools?

A. Modify the software restriction policy to be enforced for all users other than local
administrators.
B. Add users as members of the Power Users group and not as members of the
Administrators group.
C. Use a logon script to copy the registry editing tools to the root of drive C.
Assign the Domain Admins group the Allow - Read permission for the registry
editing tools in the new location.
D. Filter the software restriction policy to prevent the Desktop Help group from applying
the software restriction policy.

Answer: D

Explanation: We can prevent the software restriction policy from applying to the
Desktop Help group by simply assigning that group the Deny - Read and/or
the Deny - Apply Group Policy permission.
Incorrect answers:
A: The users are local administrators. The policy must apply to the local administrators.
B: The policy applies to all users. It will still apply to the support group. Changing the
local users group membership will have no effect on the policy.
C: The software restriction policy is using a hash rule to prevent the use of the registry
editing tools. It doesn't matter where the tools are located, they still won't run.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, pp.
591-593

QUESTION 289:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
Certkiller .com consists of Windows Server 2003 computers and Windows XP
Professional client computers. The domain also has two organizational units (OUs)
named Research and Finance. Each OU has Group Policy objects (GPOs) linked to it.
You must move the Research OU underneath the Finance OU in the organizational
unit structure. You must determine which objects in the Research OU are adversely
affected by GPOs that are currently linked to the Finance OU.
How will you accomplish the task under these circumstances? You do not want to
disrupt users from performing their daily tasks.

A. Use Resultant Set of Policy (RSoP) in Logging mode for the Finance OU.
Review the policy results for users in this OU.
B. Use Resultant Set of Policy (RSoP) in Logging mode for the Research OU.
Review the policy results for the users in this OU.
C. Use Resultant Set of Policy (RSoP) in Planning mode for the Finance OU.
Choose the Research OU to simulate policy settings.
D. Use Resultant Set of Policy (RSoP) in Planning mode for the Research OU.
Choose the Finance OU to simulate policy settings.

Answer: D

Explanation:
We need to view the effective group policy without actually applying the group
policy and disrupting the users. For this, we can use RSoP in planning mode. In this
mode, you can determine how policy settings are applied to a target, and then
analyze the results before deploying a change to Group Policy.
In logging mode, you can assess which policy settings have been applied or failed to
apply to a particular target (users or computers in Active Directory). Group Policy
client-side extensions have a WMI interface that writes information (known as logging
mode data) about their policy settings to a CIMOM database. You can use the RSoP user
interface to query the CIMOM database for policy information.
Incorrect Answers:
A: We need to use planning mode, not logging mode.
B: We need to use planning mode, not logging mode.
C: We need to test the effects of applying the Finance OU policies to the Research OU,
not vice versa.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, p. 591
MS Knowledge Base article 323276: HOW TO: Install and Use RSoP in Windows
Server 2003
Server Help: RSoP overview

QUESTION 290:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All client
computers on the Certkiller .com network run Windows XP Professional.
Certkiller .com has its headquarters in Chicago and a branch office in Dallas. At the
Dallas branch office you create a Group Policy object (GPO) named GPO1. GPO1
is configured to redirect the Start menu for Dallas branch office users to a shared
folder on a file server named Certkiller -SR01.
A Certkiller .com employee named Andy Booth works in the Dallas branch office.
One morning Andy complains that the programs which he usually uses no longer
exist on his Start menu. After investigating the issue, you find that the programs
were present on the Start menu the previous day, but when users logged on this
morning, the programs were missing.
You log on to Andy's client computer and find that all the programs are available
on the Start menu. You check that all users can access the shared folder on
Certkiller -SR01.
What should you do next to determine why the Start menu has changed for users in
the Dallas branch office?
Each correct answer presents a complete solution. Choose two answers.

A. In the Group Policy Management Console (GPMC), select Certkiller -SR01 and a
user account that is in the Domain Admins global group and then run Resultant Set of
Policy (RSoP) in planning mode.
B. In the Group Policy Management Console (GPMC), select one of the user accounts
experiencing the issue and then run Resultant Set of Policy (RSoP) in logging mode.
C. Use one of the client computers that have the problem and run the gpresult command.
D. Use one of the client computers that have the problem and run the gpupdate command.
E. Use one of the client computers that have the problem and run the secedit command.

Answer: B, C

Explanation: We need to view the effective group policy settings for the users or the
computers that the users are using. We can use gpresult or RSoP. Gpresult displays
Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.
RSoP provides details about all policy settings that are configured by an Administrator,
including Administrative Templates, Folder Redirection, Internet Explorer Maintenance,
Security Settings, Scripts, and Group Policy Software Installation.
Incorrect Answers:
A: We need to test the effective policy from a user's computer, not the file server.
D: Gpupdate is the tool used to refresh the policy settings in Windows XP and Windows
Server 2003.
E: Secedit is the tool used to refresh the policy in Windows 2000 Professional and Server
editions.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-3,
11-19 to 11-22
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 620-626

QUESTION 291:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You create a Group Policy object (GPO) named GPO1. GPO1 is configured to
redirect the Start menu for users to a shared folder on a file server named
Certkiller -SR02. A Certkiller .com employee named Dean Austin complains that
the programs he normally uses are no longer available on the Start menu.
You log on to a client computer on the domain and find that each of the programs is
available on the Start menu. You verify that all users can access the shared folder
on Certkiller -SR02. You think that some GPOs were modified and that this is the
cause of the problem.
What should you do next to determine why the Start menu no longer contains all the
programs required by users?

A. Run the gpresult command on Certkiller -SR02.
B. Run the gpresult command on a client computer that has the problem.
C. Run the gpupdate command on a client computer that has the problem.
D. Run the secedit command on a client computer that has the problem.

Answer: B

Explanation:
Because you can apply overlapping levels of policies to any computer or user, the
Group Policy feature generates a resulting set of policies at logon. Gpresult displays
the resulting set of policies that were enforced on the computer for the specified user
at logon.
Incorrect Answers:
A: We need to run the gpresult command on one of the affected client computers, not the
server that hosts the shared folder.
C: The gpupdate command refreshes the group policies applied to a computer or user. We
need to use the gpresult command to determine the result of all the policies that apply to
the computer.
D: The secedit command is the command line version of the Security Configuration and
Analysis utility. This has nothing to do with the effects of group policies.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 620-626

QUESTION 292:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
You create a baseline security template named SecurityBaseline.inf. Different
operations groups are responsible for creating and configuring security templates
containing security settings that meet specific operational requirements.
You receive the following security templates from each of the operational groups:
1. You receive the Security.inf template that applies to resource servers from the
Security operations group.
2. You receive the File.inf template that applies to file servers from the File and
Print operations group.
3. You receive the DB.inf template that applies to database servers from the
Database operations group.
All of the operations groups agree that, should there be conflicting settings, the
following priority order must be used to establish the resultant setting:
1. Security.inf - Priority 1
2. SecurityBaseline.inf - Priority 2
3. Server role templates - Priority 3
You must create the Group Policy object(s) (GPOs) required to apply the new
security settings. You want to achieve this goal with the least administrative effort
when changes are requested by the different operations groups.
What should you do to achieve your goal in these circumstances?

A. Create a GPO and import these templates in the following order: SecurityBaseline.inf,
Security.inf.
Create a GPO for each of the server roles.
Import only the specific template for that particular server role into each respective
GPO.
B. Create a GPO and import these templates in the following order: Security.inf,
SecurityBaseline.inf.
Create a GPO for each of the server roles.
Import only the specific template for that particular server role into each respective
GPO.
C. Create a GPO for each server role and import these templates in the following order:
SecurityBaseline.inf, specific server role template, Security.inf.
D. Create a GPO and import these templates in the following order: Security.inf, DB.inf,
File.inf, SecurityBaseline.inf.

Answer: A

Explanation: Windows Server 2003 processes GPOs from the bottom of the list to
the top of the list, with the topmost GPO having the final authority. Because policies
contained in GPOs will, by default, overwrite previously applied policies, we
would need to import the SecurityBaseline.inf before the Security.inf template.
Incorrect Answers:
B: Because policies contained in GPOs will, by default, overwrite previously applied
policies, we would need to import the SecurityBaseline.inf before the Security.inf
template.
C, D: Because we need to import templates specific to each of two server roles, we need
a separate GPO for each server role.
Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and
70-296, Chapter 5

QUESTION 293:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of two Active Directory forests. One Active Directory forest is
used for production and the other is used for testing purposes. Each forest contains
one domain, named us. Certkiller .com and uk. Certkiller .com respectively. The forest
used for testing contains a single domain controller named Certkiller -DC01.
You are busy testing Group Policy objects (GPOs) that manage administrative
templates in the test forest. The GPOs that you are testing are going to be used to
manage administrative templates in the production forest. You create a user
account named Test account in the test forest and assign it the Deny - Apply Group
Policy permission. You find that logging on to the test forest takes much longer than
what would be considered acceptable in the production forest.
What should you do next to reduce logon times in the test forest?

A. Assign the Test account the Deny - Read permission for all unused GPOs.
B. Assign the Test account the Deny - Write gpoLink permission for the test domain.
C. Create a new GPO and configure the Negative DC Discovery Cache Setting value as
60 seconds. Apply the GPO to client computers.
D. Create a new GPO and configure the Group Policy refresh interval for computers
setting to have an update rate of 120 minutes. Apply the GPO to the client computers.

Answer: A

Explanation: Group Policy is still processed but not applied when the Deny - Apply
Group Policy permission is assigned. The Deny - Read permission will ensure that
the GPO is not processed. This will improve logon times.
Incorrect Answers:
B: There is no Write gpoLink permission.
C: The Negative DC Discovery Cache Setting specifies the amount of time the DC
locator retains that a domain controller could not be found in a domain. When a
subsequent attempt to locate the domain controller occurs within the time set in this
setting, DC Discovery immediately fails, without attempting to find the domain
controller.
D: Setting the group policy refresh interval won't prevent the GPO from being processed
at logon.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
10-20, 10-40 to 10-41

QUESTION 294:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
All employees that work in the Sales department are members of the Sales global
group, and have user accounts in an organizational unit (OU) named Sales. The
client computers used by these users are contained in an organizational unit (OU)
named SalesComputers. The SalesComputers OU is a child of the Sales OU.
You must assign a new software installation package to all user accounts in the Sales
OU. You create a Group Policy object (GPO) that will assign the software
installation package. You must ensure that when a user is removed from the Sales
OU, the application is uninstalled from that specific user's client computer.
One morning you discover that a user named Mia Hamm, whose user account you
have recently removed from the Sales OU and added to the Finance OU, still has the
Sales application installed on her computer.
What should you do next to ensure that the application is automatically uninstalled
from Mia's computer? All other users working in the Sales department must
still have the application installed on their computers.

A. Move Mia's user account back to the Sales OU.
Configure the software installation package to ensure that the software is automatically
uninstalled when Mia's user account no longer falls within scope of management.
Verify that Mia can log on to the Certkiller .com domain.
Move Mia's user account back to the Finance OU.
B. Move Mia's user account back to the Sales OU.
Modify the GPO to ensure that the software installation package is removed.
Verify that Mia can log on to the Certkiller .com domain.
Move Mia's user account back to the Finance OU.
C. Remove the client computer object for Mia's computer from the SalesComputers OU.
D. Remove Mia from the Sales global group.

Answer: A

Explanation: The Uninstall This Application When It Falls Out Of The Scope Of
Management option removes an application when the GPO that deployed it stops
applying to the user or computer. It takes effect only for users to whom the package
currently applies, so setting it now does nothing for Mia, whose account has already
left the Sales OU. Move Mia's account back into the Sales OU so that the package
applies to her again, have her log on so that the assignment is processed, and then
move her account back into the Finance OU. At her next logon the application falls
out of the scope of management and is uninstalled.
Incorrect Answers:
B: Modifying the GPO so that the software installation package is removed will result in
the application being removed for all users in the Sales OU.
C: The application applies to users not computers; therefore the location of Mia's
computer is irrelevant.
D: The GPO is linked to the Sales OU and applies on the basis of OU membership, not
membership in the Sales global group, so removing Mia from the group has no effect on
the deployment.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3
to 12-10, 12-16 to 12-20

QUESTION 295:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
You have recently deployed a new application by configuring a Group Policy object
(GPO) which publishes an .msi file. One morning users complain that instabilities in
the new application have resulted in data loss when they run the application. You
obtain a patch, in the form of an .msp file, from the application vendor that will fix
the instabilities problem.
Which two actions must you perform to ensure that users no longer lose data when
they run the new application? Each correct answer presents only part of the
solution. Choose two answers.

A. Move the .msp file to the folder that contains the application source files.
B. Create a .zap file for the patch and then deploy this .zap file.
C. Rename the .msp file so that it is an .mst file.
D. Apply the patch you have received to the application source files.
E. Redeploy the GPO that installs the new application.

Answer: D, E

Explanation: An .msp patch is applied to the administrative installation point, the
source files from which the GPO deploys the application, which updates the .msi and
the files in that folder. The package is then redeployed from the GPO (Software
installation, All Tasks, Redeploy application) so that clients that already have the
application reinstall it from the patched source the next time policy is processed.
Incorrect Answers:
A: The patch file must be applied to the source files; merely copying it to the source
folder does nothing, because clients install from the .msi and never look for a stray
.msp.
B, C: The patch is released as an .msp file. There is no need to repackage it as a .zap
file, which is less flexible than an .msi (a .zap can only be published, never assigned,
and cannot be installed with elevated privileges), and renaming the .msp to .mst does
not turn it into a transform.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3
to 12-8, 12-34 to 12-39
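Applying the patch to the administrative installation point, as an added example that is
not part of the original exam material. The script uses the /a and /p switches of msiexec
and the Windows Installer COM API to show the ProductVersion before and after; the server
name, share and file names are assumptions, and the final redeploy step is still done in
the Group Policy Object Editor.

```powershell
# Added example, not code from the exam material. Assumed paths: the administrative
# installation point on \\CK-SR05\Software and the vendor's .msp in the same share.

function Get-MsiProperty {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$Property
    )
    # Read one row of the .msi Property table through the Windows Installer COM API
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))  # 0 = read-only
    $sql  = "SELECT Value FROM Property WHERE Property = '$Property'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $value = if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1)) } else { $null }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    [System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer) | Out-Null
    return $value
}

function Update-AdminInstallPoint {
    param(
        [Parameter(Mandatory)][string]$AdminMsi,   # .msi of the administrative image
        [Parameter(Mandatory)][string]$Patch       # vendor .msp
    )
    $before = Get-MsiProperty -MsiPath $AdminMsi -Property ProductVersion
    $image  = Split-Path -Parent $AdminMsi
    # /a = administrative installation, /p = patch to apply to it, /qn = no UI.
    # TARGETDIR points back at the existing image so that it is updated in place.
    $msiArgs = "/a `"$AdminMsi`" /p `"$Patch`" TARGETDIR=`"$image`" /qn"
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "msiexec exited with code $($proc.ExitCode); the image was not updated"
    }
    $after = Get-MsiProperty -MsiPath $AdminMsi -Property ProductVersion
    if ($after -eq $before) {
        # A small-update .msp leaves ProductVersion alone; a minor upgrade changes it.
        Write-Warning "ProductVersion still $before; compare file versions in $image to confirm the patch landed"
    }
    [pscustomobject]@{ Image = $image; Before = $before; After = $after }
}

Update-AdminInstallPoint -AdminMsi '\\CK-SR05\Software\NewApp\NewApp.msi' `
                         -Patch    '\\CK-SR05\Software\NewApp\Patches\NewApp-fix.msp'
```

Once the image is patched, open the GPO, right-click the package under Software
installation and choose All Tasks, Redeploy application; clients reinstall from the
patched source at their next logon or startup. Keep the share readable but not writable
by ordinary users: Group Policy installs the package on every client with system
privileges, so anyone who can write to the image can put their own code on every client.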

QUESTION 296:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. All client computers are contained in an
organizational unit (OU) named Certkiller Desktops. All users on the Certkiller .com
domain have user accounts in an organizational unit (OU) named Certkiller Users.
You have received instruction from the CIO to make an application available to all
users in the Finance department. Users will need to access the application
irrespective of the computer they use. The new application will be sent to the
relevant users as a hyperlink within an e-mail message.
A new software update has become available for the application and you must
update the application on all client computers that have the application installed.
How will you accomplish the task?

A. Create a GPO and configure it to install the software update by using a WMI filter.
Link this GPO to the Finance OU.
B. Create a GPO and configure it to require the installation of the software update. Link
this GPO to the Certkiller Desktops OU.
C. Create a .zap file for the software update, and then configure a GPO to install the .zap
file. Link this GPO to the Finance OU.
D. Create a GPO and configure it to enable automatic updates and to install the software
update. Link this GPO to the Certkiller Desktops OU.

Answer: B

Explanation: Create a GPO that deploys the update as a required upgrade of the
existing package and link it to the Certkiller Desktops OU, which holds every client
computer. An upgrade is applied only where the package it upgrades is already
installed, so computers that never received the application are left alone, while
every computer that has it is updated irrespective of who logs on.
Incorrect Answers:
A: A WMI filter narrows the scope of a GPO on the basis of a WMI query against the
computer (operating system, hardware, installed software); it does not filter on group
membership, and a GPO linked to the Finance OU would not reach the client computers,
which are in the Certkiller Desktops OU.
C: A .zap file can only be published to users, cannot be assigned to computers, and
cannot be used to upgrade an existing Windows Installer package, so it cannot update the
application wherever it happens to be installed.
D: The Automatic Updates policy only controls updates obtained from Windows Update or
a Software Update Services server; it cannot deploy an update for a third-party
application.
Reference:

Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20
to 10-21, 11-6, 12-3 to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION 297:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003.
You create a new Group Policy object (GPO) and configure it to publish an .msi file
that installs a new financial application. The new application is deployed with the
intention of replacing the existing financial application. Users can still continue to
use the old application or they can choose to start using the new application.
You want to prevent support issues and must ensure that both financial applications
are not installed at the same time.
How will you configure user accounts to enable users to migrate to the new financial
application?

A. Configure a new GPO to publish the new financial application. Configure the link for
this GPO so that it has a higher priority than the GPO that installs the old financial
application.
B. Configure a new GPO to assign the new financial application. Disable the GPO that
installs the old application.
C. Configure a new GPO to publish the new financial application. Configure the GPO to
upgrade and replace the old application with the new application, but do not make it a
requirement.
D. Copy the .msi file for the new financial application to the same location as the .msi
file for the old financial application.

Answer: C

Explanation:
We need to publish the application rather than assign it. If we assigned it, the new
application will automatically install. The users must be able to use the old
application if they want to. Publishing the application will give the users the choice.
They can install the new application by using the Add/Remove Programs control
panel applet. To prevent users running the old version and the new version, we can
configure the published application to replace the old version.
Incorrect Answers:
A: Link priority only decides which GPO wins when two GPOs configure the same
setting; without an upgrade relationship the new package is simply offered alongside
the old one and never replaces it.
B: If we assigned it, the new application will automatically install. The users must be
able to use the old application if they want to.
D: This will not install the new application or replace the old one.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3
to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION 298:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. The computer accounts of all client
computers are located in an organizational unit (OU) named Workstations.
A new Certkiller .com security policy requires that all computers must be kept
updated with the latest service packs and hotfixes available from Microsoft. You
must ensure that all client computers are automatically updated when new service
packs and hotfixes become available.
Which two actions can you perform to accomplish this task? Choose two answers.
Each action presents a complete solution.

A. Create a Group Policy object (GPO) and configure it to ensure that client computers
automatically download and install updates from Microsoft update servers from the
Internet. Link the GPO to Certkiller .com domain.
B. Create a Group Policy object (GPO) and configure it to ensure that client computers
automatically download and install updates from Microsoft update servers from the
Internet. Link the GPO to Workstations OU.
C. Create a Group Policy object (GPO) and configure it to ensure that client computers
automatically download and install updates from an internal server on which Software
Update Services is configured. Link the GPO to the Certkiller .com domain.
D. Create a Group Policy object (GPO) and configure it to ensure that client computers
automatically download and install updates from an internal server on which Software
Update Services is configured. Link the GPO to the Workstations OU.

Answer: B, D

Explanation: To ensure that computers download and install the updates, configure a
GPO that points Automatic Updates either at the Windows Update servers on the
Internet or at an internal server on which Software Update Services (SUS) is
installed and configured. The GPO must apply only to client computers, because
administrators update servers manually as required. All client computers are in the
Workstations OU, so the GPO is linked to that OU.
Incorrect Answers:
A, C: The GPO must apply only to client computers as the administrators will manually
update server computers as required. Therefore the GPO should be linked to the
Workstations OU and not the domain.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40
to 10-41
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290):
Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft
Press, Redmond, Washington, 2004, pp. 9-14 to 9-16
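Checking what the Automatic Updates GPO actually left on a client, as an added example
that is not part of the original exam material. The registry keys and value names are the
ones the "Configure Automatic Updates" and "Specify intranet Microsoft update service
location" policies write; everything else in the script is the author's own.

```powershell
# Added example, not code from the exam material. Reads the values that the Automatic
# Updates policies write on a client and summarises where the client gets updates from.

function Get-AutomaticUpdatesPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $wu = if (Test-Path $wuKey) { Get-ItemProperty -Path $wuKey } else { $null }
    $au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

    # AUOptions values as defined by the Configure Automatic Updates policy
    $modes = @{
        2 = 'Notify before download and install'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically and install on the schedule'
        5 = 'Local administrator chooses'
    }
    $mode        = if ($au -and $au.AUOptions) { $modes[[int]$au.AUOptions] } else { 'Not configured' }
    $disabled    = [bool]($au -and $au.NoAutoUpdate -eq 1)
    $useIntranet = [bool]($au -and $au.UseWUServer -eq 1)
    $server      = if ($useIntranet -and $wu) { [string]$wu.WUServer } else { 'Windows Update (Internet)' }
    $status      = if ($wu) { [string]$wu.WUStatusServer } else { $null }

    $findings = @()
    if (-not $au)  { $findings += 'No Automatic Updates policy is applied; local settings are in effect' }
    if ($disabled) { $findings += 'Automatic Updates is disabled by policy' }
    if ($useIntranet -and -not $server) { $findings += 'UseWUServer is set but no WUServer value was written' }
    if ($useIntranet -and $server -notmatch '^https://') {
        $findings += "Intranet update server $server is reached over plain HTTP; prefer HTTPS so that update metadata cannot be altered in transit"
    }
    [pscustomobject]@{
        Source       = $server
        StatusServer = $status
        Mode         = $mode
        Disabled     = $disabled
        Findings     = $findings
    }
}

Get-AutomaticUpdatesPolicy | Format-List
```

Run it on a workstation after gpupdate; a computer outside the Workstations OU reports
no policy, which is the expected result for the servers the question says are updated by
hand.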

QUESTION 299:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com with
Active Directory sites. All domain controllers reside in the Active Directory sites.
The Certkiller .com domain contains an organizational unit (OU) named Finance,
which contains two child OUs named Paid and Outstanding respectively.
You have received instruction from the CIO to disable the Windows Update service
on all computers in the domain, other than for those computers in the Finance OU.
Computers in the Finance OU must continue to have the Windows Update service
installed. You want to use the least number of Group Policy object (GPOs) required
to accomplish the task.
What should you do next?

A. Create a new GPO and configure it to disable Windows Update under the User
Configuration section of the GPO.
Link the GPO to the Certkiller .com domain.
On the Finance OU, enable the Block Policy inheritance setting.
B. Create a GPO and configure it to disable Windows Update under the User
Configuration section of the GPO.
Link the GPO to the Certkiller .com domain.
Enable the No Override setting on the GPO.
C. Create a GPO and configure it to disable Windows Update under the User
Configuration section of the GPO.
Link the GPO to each Active Directory site.
On the Finance OU, enable the Block Policy inheritance setting.
D. Create a GPO and configure it to disable Windows Update under the User
Configuration section of the GPO.
Link the GPO to all three Active Directory sites.
Enable the No Override setting on the GPO.

Answer: A

Explanation:
Windows Update must keep working only for computers in the Finance OU, so disable
it once at the top of the hierarchy and stop that setting from flowing into Finance. A
single GPO linked to the domain disables Windows Update everywhere; enabling Block
Policy Inheritance on the Finance OU stops the domain GPO from being inherited by
Finance and by its child OUs, Paid and Outstanding. Nothing in those OUs disables
Windows Update, so it remains in its default, enabled, state there. One GPO is enough.
Incorrect Answers:
B: No Override on the domain GPO means that its settings cannot be blocked by Block
Policy Inheritance at any lower level, so Windows Update would be disabled in the
Finance OU as well.
C: This would work, but one GPO linked to the domain covers every site with less
administrative effort than one link per site, so it is not the best option.
D: Linking to every site needs more administrative effort than one domain link, and
No Override on the site-linked GPO would prevent the Finance OU from blocking it, so
Windows Update would be disabled everywhere.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-40
to 10-41
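Verifying the result of Block Policy Inheritance on Finance and its child OUs, as an added
example that is not part of the original exam material. It uses the GroupPolicy and
ActiveDirectory modules that ship with RSAT (Windows 7 / Windows Server 2008 R2 or
later; the Windows Server 2003-era GPMC has no cmdlets). The domain DN and the GPO
display name are assumptions; the OU layout is the one in the question.

```powershell
# Added example, not code from the exam material. Assumed: domain DN and GPO name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoReach {
    param(
        [Parameter(Mandatory)][string]$OuDn,     # OU to inspect
        [Parameter(Mandatory)][string]$GpoName   # display name of the domain-linked GPO
    )
    # The OU itself plus its immediate child OUs (Paid and Outstanding under Finance)
    $ous = @(Get-ADOrganizationalUnit -Identity $OuDn) +
           @(Get-ADOrganizationalUnit -SearchBase $OuDn -SearchScope OneLevel -Filter *)
    foreach ($ou in $ous) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        # InheritedGpoLinks is what really applies here: the OU's own links plus
        # everything that survives from above. An Enforced (No Override) link still
        # shows up when inheritance is blocked, which is exactly why option B fails.
        $link = $inh.InheritedGpoLinks |
                Where-Object { $_.DisplayName -eq $GpoName } |
                Select-Object -First 1
        $enforced = if ($link) { [bool]$link.Enforced } else { $false }
        [pscustomobject]@{
            OU                 = $ou.DistinguishedName
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            ReceivesGpo        = [bool]$link
            ViaEnforcedLink    = $enforced
        }
    }
}

$finance = 'OU=Finance,DC=certkiller,DC=com'   # assumed DN
$gpo     = 'Disable Windows Update'            # assumed GPO display name

# Block once, on Finance; nothing further is needed on Paid or Outstanding.
Set-GPInheritance -Target $finance -IsBlocked Yes | Out-Null
Get-GpoReach -OuDn $finance -GpoName $gpo | Format-Table -AutoSize
```

After the block, all three OUs should show ReceivesGpo False. If the domain link is
later set to Enforced, the same command shows ReceivesGpo True with ViaEnforcedLink
True on every row, which is the quickest way to see why the block stopped working.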

QUESTION 300:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All Web
servers on the Certkiller .com network run Windows Server 2003.
You must create a new baseline image for the Certkiller .com Web servers. You use
Sysprep to create the image and install Windows Server 2003 on a few new Web
servers by using the baseline image.
Following this, a new service pack is issued which you must install on all Web
servers. You want to use the least amount of administrative effort to deploy the new
service pack on the Web servers.
How will you accomplish the task?

A. Move the service pack installation files to a shared folder.
Deploy the service pack on each Web server from the shared folder.
B. Create a new organizational unit (OU) named Servers.
Configure a Group Policy object (GPO) to assign the service pack package to users.
Link the GPO to the Servers OU.
Add all Web servers to the Servers OU.
C. Create a new organizational unit (OU) named Servers.
Configure a Group Policy object (GPO) to assign the service pack package to computers.
Link the GPO to the Servers OU.
Add all Web servers to the Servers OU.
D. Create a Cmdlines.txt file for use with the baseline Sysprep image in order to run the
service pack package.

Answer: C

Explanation: A service pack is a software update package provided by Microsoft for
one of its products. It contains a collection of fixes and enhancements packaged into
a single self-installing archive file.

To distribute a service pack, create a shared folder and either extract the service pack to
that folder or copy the contents of the service pack CD to the folder. Then, using the
Active Directory Users And Computers snap-in, create or select an existing GPO. Click
Edit and the Group Policy Object Editor console appears, focused on the selected GPO.
Expand the Computer Configuration\Software Settings node. Right-click Software
Installation and choose New, then Package. Enter the path to the service pack's
Update.msi file. Be certain to use a UNC format (for example, \\Server\Share) and not a
local volume path, such as Drive:\Path. In the Deploy Software dialog box, select
Assigned. Close the Group Policy Object Editor console. Computers within the scope of
the GPO (in the site, domain, or OU branch to which the policy is linked) automatically
deploy the service pack at the next startup.
You can create a baseline security configuration in a GPO directly, or import a security
template into a GPO. Link the baseline security GPO to OUs in which member servers'
computer objects exist.
Incorrect Answers:
A: Installing the service pack by hand on each server requires a lot of administrative
effort.
B: A service pack must be assigned to the computers, not to the users who log on to
them.
D: Cmdlines.txt runs only during Mini-Setup on computers built from the Sysprep
image; it would not reach the Web servers that have already been installed, and the
image would have to be rebuilt.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining
a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond,
Washington, 2004, Glossary.
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290):
Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft
Press, Redmond, Washington, 2004, Chapter 9
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and
70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 9.

QUESTION 301:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003. Half the client
computers run Windows 2000 Professional, and the rest run Windows XP
Professional.
Certkiller .com contains a Marketing department and a Research department. Some
of the users in the Research department are members of a global group named
TestCritic, which has access to resources that reside on 10 servers in the
Certkiller .com domain. The TestCritic group has the rights it needs throughout the
network to perform its duties. The resources consist of critical data. A
Certkiller .com user named Andy Booth has asked for permission to access the
resources on the 10 servers.
After verifying with the managers, you want to grant Andy Booth membership in
TestCritic. You do not want Andy Booth's new settings to affect the security of
the network.
What should you do?

A. View Andy Booth's effective policies as if he were a member of the TestCritic group
by using Resultant Set of Policy in planning mode.
B. View Andy Booth's effective policies as if he were a member of the TestCritic group
by using the GPResult tool.
C. View Andy Booth's effective policies as if he were a member of the TestCritic group
by using Resultant Set of Policy in logging mode.
D. View Andy Booth's effective policies as if he were a member of the TestCritic group
by using the Security Templates snap-in.

Answer: A

Explanation: RSoP in planning mode simulates the policy that would result for a user
or computer under hypothetical conditions, including membership in security groups
the user does not yet belong to. Running it with Andy Booth as a member of TestCritic
shows which policy settings would apply to him before the membership is granted, so
the effect on security can be assessed without changing anything.
Incorrect answers:
B: GPResult reports the policy that is actually in effect for the user and computer it
is run against; it cannot model a group membership that does not yet exist.
C: RSoP in logging mode reports the policy settings currently applied to a user or
computer, not a hypothetical situation.
D: The Security Templates snap-in is used to create and edit security templates
(predefined sets of security settings for a computer role); it does not show effective
policy.

QUESTION 302:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. The
domain contains an organizational unit (OU) named Certkiller TerminalServers.
You must apply new security settings to the Certkiller .com domain and to the
Certkiller TerminalServers OU. You create a new Group Policy object (GPO) named
Certkiller Security and link this GPO to the Certkiller .com domain. You create another
GPO named Certkiller ServerSecurity and link this GPO to the
Certkiller TerminalServers OU.
One morning users complain that, since the new GPOs were linked, they can no
longer access any approved Web sites when they run Internet Explorer on a
terminal server.
What should you do next to determine which GPO is causing the issue?

A. Run the secedit /analyze command on one of the terminal servers.
B. Run the query termserver command on one of the domain controllers.
C. Log on to a domain controller and then run Resultant Set of Policy (RSoP) using
planning mode on your client computers.
D. Log on to a domain controller and then run Resultant Set of Policy (RSoP) using
logging mode on your client computers.

Answer: D

Explanation: Use RSoP in logging mode to view the policy settings actually in effect
for a user on a computer and to find the specific GPOs that applied them. The
gpresult.exe command-line tool generates the same RSoP logging data in text form.
Because the problem appears only on the terminal servers, run RSoP in logging mode
against one of the terminal servers, targeting an affected user; the result shows, for
each Internet Explorer setting, whether it came from Certkiller Security or from
Certkiller ServerSecurity.
Incorrect Answers:
A: The secedit /analyze command allows you to analyze the security settings on a
computer by comparing them against the baseline settings in a database. It is not used to
troubleshoot GPO application.
B: The query termserver command displays a list of all terminal servers on the network.
C: Use the Resultant Set of Policy (RSoP) tool in planning mode to see the effects of
group policy settings prior to implementation. However, the GPOs have been applied to
the Certkiller TerminalServers OU, not the client computers. We should run RSoP against
the terminal servers.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, pp. 629,
631
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-3
to 11-24

QUESTION 303:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
Users that work in the Sales department have user accounts in an organizational
unit (OU) named Sales. You create a GPO to have Certkiller 's logo displayed as the
desktop wallpaper on all client computers in the Sales OU. You link the GPO to the
Sales OU.
A Certkiller .com user named Kara Lang is a member of the Sales department. One
morning Kara complains that Certkiller 's logo is not being displayed as the desktop
wallpaper on her client computer. You investigate the issue and conclude that a
policy which has higher precedence is in conflict with the new GPO linked to the
Sales OU.

Which two actions can you perform to determine why the desktop wallpaper is not
being applied to the client computers in the Sales OU? Choose two answers. Each
correct answer presents a complete solution to accomplishing your task.

A. Run Resultant Set of Policy (RSoP) in planning mode. Expand Administrative
Templates and examine the information of the Active Desktop Wallpaper setting.
B. Run Resultant Set of Policy (RSoP) in logging mode. Expand Administrative
Templates and examine the properties of the Active Desktop Wallpaper setting.
C. Execute the gpupdate /Target:User command from your computer.
D. Execute the gpresult /Z command on a client computer in the Sales department.

Answer: B, D.

Explanation: We need to view the effective Group Policy settings for the user, or for
the computer the user is using, and both gpresult and RSoP do that. The gpresult
command displays the Group Policy settings and the Resultant Set of Policy for a user
or a computer; the /Z switch produces the super-verbose output, which lists each
setting together with the GPO that set it. Resultant Set of Policy (RSoP) is an
addition to Group Policy that provides details about all policy settings configured by
an administrator, including Administrative Templates, Folder Redirection, Internet
Explorer Maintenance, Security Settings, Scripts, and Group Policy Software
Installation. RSoP has two modes, planning and logging. Planning mode simulates the
effect of policy settings you intend to apply to a computer and user. Logging mode
reports the policy settings in effect for a computer and the user currently logged on,
which is what is needed to see which higher-precedence policy is setting the wallpaper.
Incorrect answers:
A: Running RSoP in planning mode will simulate the effect of policy settings that you
want to apply to a computer and user. This does not allow you to see the existing policy
settings for that computer or user.
C: The gpupdate command will refresh a new policy that needs to be applied
immediately. This is not what is required.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11-5
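Reading the gpresult output that answers B and D rely on, and the equivalent step in the
terminal-server question before it, as an added example that is not part of the original
exam material. The function parses the text layout of gpresult /r (the same headings
appear in the /z output) into the GPOs that applied and the GPOs that were filtered out,
per scope. The sample text is constructed for illustration; the user, computer and GPO
names in it are assumptions.

```powershell
# Added example, not code from the exam material. Parses gpresult /r (or /z) text
# into, per scope, the GPOs that applied and the GPOs that were filtered out.

function Get-AppliedGpo {
    param([Parameter(Mandatory)][string]$Text)
    $result  = [ordered]@{}
    $scope   = $null      # 'COMPUTER' or 'USER'
    $section = $null      # 'Applied' or 'Filtered' while inside one of those lists
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq 'COMPUTER SETTINGS' -or $line -eq 'USER SETTINGS') {
            $scope = $line.Split(' ')[0]
            $result[$scope] = [ordered]@{ Applied = @(); Filtered = @() }
            $section = $null
        }
        elseif ($line -eq '') { $section = $null }                # a blank line ends a list
        elseif ($line -eq 'Applied Group Policy Objects') { $section = 'Applied' }
        elseif ($line -like 'The following GPOs were not applied*') { $section = 'Filtered' }
        elseif ($line -match '^-+$' -or $line -like 'Filtering:*' -or $line -eq 'N/A') { }
        elseif ($scope -and $section) { $result[$scope][$section] += $line }
    }
    return $result
}

# Constructed sample in the layout gpresult /r prints; not captured from a real system.
$sample = @'
USER SETTINGS
--------------
    CN=Kara Lang,OU=Sales,DC=certkiller,DC=com
    Last time Group Policy was applied: 10/10/2007 at 8:02:11 AM
    Group Policy was applied from:      CK-DC01.certkiller.com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Sales Wallpaper

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
'@

$r = Get-AppliedGpo -Text $sample
$r.USER.Applied     # Default Domain Policy, Sales Wallpaper
$r.USER.Filtered    # Local Group Policy

# On a live machine (run as the affected user, or with /user and /s for another one):
# $live = Get-AppliedGpo -Text (gpresult /r | Out-String)
```

If the Sales Wallpaper GPO appears under Applied but the wallpaper is still wrong, a GPO
earlier in the same list (higher precedence) is setting the same value; gpresult /z then
shows the winning GPO for the Active Desktop Wallpaper setting itself.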

QUESTION 304:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com.
Users that work in the Marketing department use portable computers running
Windows XP Professional, and have user accounts in an organizational unit (OU)
named Marketing. You need to configure additional security for users that use
portable computers. You want to enable the Prompt for password on resume from
hibernate /suspend policy. You create a Group Policy object (GPO) named
PortableSecurity to enable the Prompt for password on resume from hibernate
/suspend policy and link the GPO to the Marketing OU.
A Certkiller .com employee named Ally Wagner works in the Marketing department.
One morning Ally complains that when her computer resumes from hibernation,
she is not prompted to provide a password.
You must ensure that Ally Wagner and all other Marketing department users are
prompted for a password when their computers resume from hibernation.
What should you do next?

A. Get Ally to run the gpupdate command from her client computer.
B. Get Ally to run the gpresult command from her client computer.
C. Get Ally to send a Remote Assistance invitation to you.
After taking control of Ally's computer, run the secedit /analyze command.
D. Get Ally to send a Remote Assistance invitation to you.
After taking control of Ally's computer, run the gpresult command.

Answer: A

Explanation: Although the GPO has been configured, some portable computers may not
have been connected to the network since the GPO was linked, or network problems
may have prevented them from retrieving the policy. Ally's portable computer will pick
up the setting at the next Group Policy refresh interval, or she can refresh policy
immediately by running gpupdate on her computer.
Incorrect answers:
B: The gpresult command produces a text report of the resultant set of policy, that is,
the policy that has already been applied. What is required is to apply the new GPO,
which the gpupdate command does without a restart.
C: secedit /analyze compares a computer's current security settings with a template
stored in a database and is usually used to audit a large number of computers. It does
not apply a GPO and will not give Ally password protection on resume from
hibernation; the policy has to be refreshed on her computer.
D: gpresult is the wrong command (see B), and a Remote Assistance session adds delay
without doing anything that Ally cannot do herself by running gpupdate.
Reference:
Michael Cross, Jeffery
A. Martin, Todd
A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 9, p. 623
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam
70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003
Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-44
to 10-21, 11-4, 11-6, 11-19 to 11-22

QUESTION 305:

You work as the network administrator at Certkiller .com. The Certkiller .com
network consists of a single Active Directory domain named Certkiller .com. All
servers on the Certkiller .com network run Windows Server 2003 and all client
computers run Windows XP Professional. Only employees that work in the IT
department are local administrators on client computers.
You must install a new application on all client computers. The new application is
stored in an .msi file. You copy the .msi file to a shared folder on a file server named
Certkiller -SR08, and assign the Authenticated Users group the Allow - Read
permissions for the shared folder. You instruct users to install the new application
on their client computers by double-clicking the .msi file in the shared folder.
Users complain that when they try to install the new application the setup process
fails and they receive an error message. You must ensure that users can successfully
install the new application on their client computers.
Which two of the following actions can you perform to accomplish the task? Choose
two answers. Each correct answer presents a complete solution to the issue.

A. Change the Default Domain Policy Group Policy object (GPO) and then assign the
new application to all client computers on the network.
B. Grant domain users the permissions they need to create temporary files in the shared
folder that stores the .msi file.
C. Change the Default Domain Policy Group Policy object (GPO) by disabling the
Prohibit User Installs setting in the Windows Installer section under the computer settings
section.
D. Change the Default Domain Policy Group Policy object (GPO) by enabling the
Always install with elevated privileges setting in the Windows Installer section under the
computer settings section.

Answer: A, D

Explanation: The installation fails because Windows Installer runs the setup in the
user's security context, and the users are not local administrators. Either assign the
application to the client computers through Group Policy, in which case Windows
Installer installs it under the Local System account at startup without needing the
user's privileges, or enable the Always install with elevated privileges setting in the
Windows Installer section of the computer settings, which makes Windows Installer
perform every installation with system privileges. Note that the latter setting takes
effect only when it is enabled under both Computer Configuration and User
Configuration, and that once it is in force any user can install any .msi package as
Local System, which makes it a considerably weaker choice than assigning the package.
Incorrect Answers:
B: Users don't have the necessary permissions to install the software. Granting users
permissions to create temporary files in the shared folder won't overcome this problem.
C: We need to enable the Always install with elevated privileges setting rather than
disable the Prohibit User Installs setting.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &
DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 10, p. 656
Group policy help: Step-by-Step Guide to Software Installation and Maintenance
http://www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp
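Auditing the two settings this question turns on, as an added example that is not part of
the original exam material: whether Always install with elevated privileges is actually in
force on a client (both hives must carry the value), and who can write to the share that
holds the package. The registry paths are the ones the Windows Installer policy writes;
the share path is an assumption modelled on the question.

```powershell
# Added example, not code from the exam material. Assumed share: \\Certkiller-SR08\Apps.

function Get-AlwaysInstallElevatedState {
    # The policy is effective only when both the machine and the user value are 1
    $keys = [ordered]@{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = [ordered]@{}
    foreach ($hive in $keys.Keys) {
        $value = $null
        if (Test-Path $keys[$hive]) {
            $value = (Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state[$hive] = ($value -eq 1)
    }
    $state['Effective'] = $state['Machine'] -and $state['User']
    if ($state['Effective']) {
        $state['Note'] = 'Any user on this computer can run any .msi as Local System'
    }
    [pscustomobject]$state
}

function Get-PackageShareWriters {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that let a principal change or replace the package that every client
    # installs with system privileges. Read and execute bits are deliberately excluded,
    # so the Authenticated Users Read grant from the question does not show up here.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]($_.FileSystemRights -band $writeBits)) -ne 0 } |
        Select-Object IdentityReference, FileSystemRights
}

Get-AlwaysInstallElevatedState
Get-PackageShareWriters -Path '\\Certkiller-SR08\Apps'   # expect only administrators and SYSTEM
```

Either function returning something unexpected is worth acting on before the package goes
out: an effective AlwaysInstallElevated on a client means any user can elevate with a
home-made .msi, and a writable package share means whoever can write there controls
what the assignment installs as Local System on every client.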