Professional Documents
Culture Documents
294AD TXTBK Answers
294AD TXTBK Answers
PLANNING, IMPLEMENTING, AND MAINTAINING A MICROSOFT WINDOWS SERVER 2003 ACTIVE DIRECTORY INFRASTRUCTURE (70-294)
CHAPTER 1
CHAPTER 1
Active Directory domain works better because there are more than 10 client computers.
Students should expect that domain controllers will be placed at corporate headquarters and the regional offices because the scenario states that computer settings will be sent from both locations.
3. If the company decided to configure sites, where would you expect them to be located?
ANSWER
Sites would likely be configured around regional offices and corporate headquarters because the scenario mentions routers between these locations. Routers mean IP subnets are configured.
4. What type of decisions would Southridge Video have to make about the logical structure of Active Directory?
ANSWER
Decide how many forests, domains, and OUs to create. Most likely theyd use a single forest and domain with multiple OUs. In that case, there would probably be OUs for regional offices and retail locations. They might even configure OUs for the computers and users (separately) in each regional office (depending on how fine a control they decided to use over each).
CHAPTER 1
A. Datum Corporation currently uses a Windows NT 4.0 domain model. There are five Windows NT Server 4.0 computers configured as domain controllers. A. Datum has decided to upgrade the Primary Domain Controller (PDC) to Windows Server 2003. 1. Which two types of forest functional levels will the company be able to select? Which functional level is the default?
ANSWER
Windows Server 2003 interim mode and Windows 2000. The Windows 2000 forest functional level allows Windows 2000 domain controllers in the forest. Windows Server 2003 interim mode does not. The default is Windows 2000.
2. If the company chooses the default forest functional level, which domain functional levels can the company use? Which domain functional level is the default?
ANSWER
Since the default forest functional level is Windows 2000, the options to use Windows Server 2000 mixed mode (default), Windows 2000 native mode, and Windows Server 2003 would be available.
3. If A. Datum decided to keep its Windows NT Server 4.0 backup domain controllers and didnt ever plan to have Windows 2000 domain controllers, what forest functional levels could it select to add functionality?
ANSWER
Windows Server 2003 interim mode would add functionality to the upgraded Windows NT 4.0 domain. However, if the Windows Server 2003 interim level is selected, the Windows 2000 levels are not available. The forest and domain can be raised only to the Windows Server 2003 functional level.
A multi-master model is one in which all domain controllers have equal authority to make database changes. When a change is made in one location, the change is replicated to all locations. Changes can be initiated from any domain controller in a domain. A single-master model has only one domain controller from which all database changes must originate.
1. Which of the following are valid leaf objects in Active Directory? a. Domain b. User c. Printer d. OU e. Folder f. Site
ANSWER
CHAPTER 1
Domains, OUs, and Sites are container objects. Leaf objects are stored in container objects.
2. Which of the following servers can be joined to a forest that is currently set at Windows 2003 interim mode? a. Windows 2000 b. Windows Server 2003 c. Windows NT 3.51 d. Windows NT 4.0
ANSWER
3. You are planning an Active Directory implementation for a company that currently has sales, accounting, and marketing departments. Each department head wants to manage his or her own users and resources in Active Directory. What feature will permit you to set up Active Directory to allow each manager to manage his or her own container but not any other containers?
ANSWER
Delegation of Control
4. What is required by DNS for Active Directory to function? a. Dynamic update support b. DHCP forwarding support c. SRV records support d. Active Directory integration
ANSWER
5. Active Directory information is stored on each domain controller in a file called _________________.
ANSWER
NTDS.dit
6. You are an administrator who manages a multiple-server environment. The shared folders that contain necessary files for user access are stored on different servers, making them difficult for users to find. What can you do to simplify the process of locating this data for the users?
ANSWER
a. Create a document users can reference when they are looking for a specific file. b. Add a link on your corporate Web server that includes instructions for finding shared folders. c. Tell users to call the help desk when they cannot find their data. d. Publish the shares in Active Directory, and teach them how to use the search feature on their workstation.
CHAPTER 1
7. If the user named Amy is located in the sales OU of the central.cohowinery .com domain, what is the correct syntax for referencing this user in a command line utility? a. amy.cohowinery.com b. cn=amy.ou=sales.dc=cohowinery.com c. cn=amy,ou=sales,dc=cohowinery,dc=com d. dc=com,dn=cohowinery,ou=sales,cn=amy
ANSWER
c. cn=amy,ou=sales,dc=cohowinery,dc=com
8. What is the default forest functionality set to when the first Windows Server 2003 domain controller is installed? a. Mixed mode b. Native mode c. Windows Server 2003 d. Enterprise mode
ANSWER
1. Draw an Active Directory forest with multiple noncontiguous domains and at least one child domain for each parent domain. Using your domain model, add a shortcut trust and describe when this trust would be beneficial.
ANSWER
Students should draw a forest with multiple domains using different domain names. They will then add a shortcut trust between the two child domains and discuss how this creates a direct link between the child domains, bypassing the necessity for tree-walking.
The iNetOrgPerson object for migration from Novell to Windows 2003 and the domain and forest functional levels. The iNetOrgPerson object will assist you by
CHAPTER 1
providing a common LDAP object between both Novell and Windows 2003. The domain and forest functional levels will allow you to use a phased approach as you move toward full Windows Server 2003 forest functionality.
You need to establish a cross-forest trust to accomplish your goal. To do this, you need to make sure that both networks are set for Windows Server 2003 forest functionality. If not, you will need to bring all servers up to the required specifications and then raise the forest functional level.
CHAPTER 2
CHAPTER 2
margiestravel.com
phoenix.margiestravel.com
dallas.margiestravel.com
chicago.margiestravel.com
GT02xx21
ANSWER
The figure above shows the solution for Exercise 2-1. Students will create a simple design that should reflect something similar to the solution provided here.
a and d are correct. Answer b is incorrect since DNS must support SRV resource records and not all versions do. Answer c is incorrect because the Web Edition does not support Active Directory. Answer e is incorrect. DHCP has nothing to do with Active Directory, but rather is a service used to supply TCP/IP information.
CHAPTER 2
2. What two tools allow you to begin the Active Directory installation process?
ANSWER
The two tools that allow you to begin the Active Directory installation process are the Manage Your Server Web page and the dcpromo.exe command line tool.
The first domain created on the network is referred to as the forest root domain.
4. Which of the following are key points related to the Sysvol folder structure in Active Directory? a. It contains user data that should be backed up. b. It contains replicated data such as logon scripts. c. It contains the operating system boot files. d. It must be placed on a FAT32 partition. e. It must be placed on an NTFS partition.
ANSWER
b and e are correct. Answer a is incorrect since user data should not reside in the same location as system files. Operating system boot files are stored at the root of C: by default and system files are stored in the systemroot directory. This makes answer c incorrect. If answer e is correct because of NTFS permission requirements, answer d is incorrect.
5. Before you are able to create an application directory partition, you must be a member of which group? a. Domain Users b. Domain Admins c. Schema Admins d. Enterprise Admins
ANSWER
d is the correct answer. Since application directory partition information can be configured to replicate to any domain in the forest, creating this partition is an enterprise-level task and requires enterprise permissions to do so.
6. When trying to connect to a shared folder by typing \\SERVER1\DATA at a prompt, John receives an error that SERVER1 cannot be located. List three possible reasons why this could happen and the steps you would take to verify them.
ANSWER
CHAPTER 2
3. Johns computer has an error in its DNS configuration. Use ipconfig to check
the current settings for Johns network connection. If IP is being obtained from a DHCP server, attempt a renewal of the information using ipconfig /renew. If IP is manually configured, check the properties of Johns network connection.
4. The record in DNS for SERVER1 is old and has not been updated. Check the
record in DNS to verify this is a problem. If it is, modify the record to reflect the correct information or you can use ipconfig /registerdns from SERVER1 if dynamic updates are enabled.
7. You are the administrator for a large automotive parts company. Management has just released the names of several vendors that you will need to allow access to network resources. These vendors either have Microsoft Windows NT 4.0, Windows 2000, or Windows Server 2003 domains. You have established a domain that holds all the information that vendors will need to access within your forest. The vendors want to be able to gain access to these resources without permitting access for your company to their network. What do you need to do to make this happen?
ANSWER
You need to establish an external one-way trust between the vendor resource domain in your forest and the appropriate user domain in their forest.
8. What are the default names of the application directory partitions created by the DNS installation within the Active Directory Installation Wizard?
ANSWER
DomainDnsZones ForestDnsZones
9. Using nslookups /? switch, what would be the syntax needed to view all SRV records?
ANSWER
nslookup ls t SRV
10. You have just installed a new application that has modified the schema by adding a new object. Another administrator at a different location does not have this object listed on his domain controller. What is the most likely reason for this? What should he do to resolve the problem?
ANSWER
Replication has not taken place yet. He should wait for the replication process to take place. There is a normal latency when the schema is modified.
10
CHAPTER 2
The company has decided to migrate to Windows Server 2003 using Active Directory in order to take advantage of centralized administration and better security. To assist you in consulting with your customer, answer the following questions. 1. What considerations should you make during the migration planning?
ANSWER
Students should be recalling the supported workstations by Windows Server 2003 Active Directory. They should also be prepared to do their migration in phases. They should review the current server hardware and be prepared for upgrades.
Students will need to recommend upgrades to the client machines. The server hardware should also be carefully examined for compatibility and size.
They could go to Windows 2000 interim since all the domains are Windows NT based. This will allow them to use a phased approach and migrate over time.
CHAPTER 3
11
CHAPTER 3
b. The maximum number of hops that the KCC will allow between domain controllers is three. This allows a maximum replication latency of 15 minutes, since each domain controller holds a change for five minutes before forwarding it.
2. Replication that occurs between sites is called ____________ replication. a. Local b. Remote c. Intersite d. Intrasite
ANSWER
3. Company XYZ is a national company with locations in Detroit, Minneapolis, Phoenix, and Dallas. There are two connections between Detroit and Minneapolis. The first is a T-1 link and the second is a 128-Kbps link. When setting up the site links for replication, what should you do to ensure that the 128-Kbps link is used only if the T-1 is unavailable? a. Set a cost of 1 for the T-1 and a cost of 5 for the 128-Kbps link. b. Set a cost of 5 for the T-1 and 1 for the 128-Kbps link. c. Leave the costs at their default value of 100. d. Manually change the schedule to disallow replication on the 128-Kbps link until it is needed.
ANSWER
a. When setting costs, the lower number indicates a higher priority. Setting the cost of 1 for the T-1 and 5 for the 128-Kbps link indicates that the T-1 is the primary replication link. Answer b is the opposite of this, making it incorrect. Answer c would make both links have the same priority. Answer d would cause more administration than necessary.
4. You are a consultant working on a site plan for a medium-sized organization. The organization consists of a main office and three branch offices.
12
CHAPTER 3
Two of the locations have standard IP links to the main office, while the third branch office is a separate domain and uses an Internet connection for e-mail. How should you configure the site links for the three branch offices to the main office?
ANSWER
Configure RPC over IP for the two standard link branch offices and configure SMTP for the remote office that is part of a separate domain. This solution follows the guidelines that include using RPC over IP in most situations and SMTP when there is an Internet-based connection from a separate domain.
5. Assuming the same scenario as in question 4, what information will be replicated between the third branch office and the main office?
ANSWER
Global catalog, schema, and configuration information will be the only information replicated because the third branch office is using SMTP for replication. SMTP only replicates global catalog, schema, and configuration information.
6. You are the administrator for a network that has several sites. There is a site link from the main headquarters to each remote site for file transfer and replication purposes. You have been asked to create five new users on the network, and several of the users need immediate access to network applications. When asked by your manager how long replication of these new accounts will take, you answer with which of the following responses? a. Replication occurs every 180 minutes by default. b. Replication occurs at 15-minute intervals. c. Replication occurs as soon as the account is added. d. Replication occurs only between 12:00 A.M. and 6:00 A.M.
ANSWER
a. The default intersite replication schedule is set for every 180 minutes.
7. Modify the scenario in question 6 by placing all domain controllers in the same site. How would you answer your managers question now? a. Replication occurs every 180 minutes by default. b. Replication occurs at 15-minute intervals. c. Replication occurs as soon as the account is added. d. Replication occurs only between 12:00 A.M. and 6:00 A.M.
ANSWER
c. When a new account is added to the Active Directory database, the account information is immediately replicated to all domain controllers within the site. The difference between this and the answer to question 6 is that this question deals with intrasite replication instead of intersite replication.
8. What is the advantage of creating your sites and subnets prior to installing subsequent domain controllers?
ANSWER
CHAPTER 3
13
When your domain controllers are installed and an IP address is assigned, they will automatically be placed in the site associated with their network address. This will save you the step of moving them later.
There will be three new servers installed in the Canada facility with the following specifications:
Server 1: 2.4-GHz processor with 2 GB RAM will be installed as a domain controller. Server 2: 2.0-GHz processor with 1 GB RAM will be installed as a domain controller. Server 3: 2.0-GHz processor with 2 GB RAM will be installed as an application server.
There are two links between the United States and Canada facilities that will be available. They are as follows:
A T-1 link for the primary connection A 256-Kbps link for a backup connection
Bandwidth should be used during the day mainly for file transfers and e-mail. Any network maintenance that requires bandwidth should be done only between 11:00 P.M. and 4:00 A.M. on weekdays. Weekends are available anytime for maintenance procedures.
Sketch a design that will meet the previous requirements and consider the following questions: 1. Should you configure a bridgehead server at the Canada facility? If so, which server would you recommend?
ANSWER
Yes, the best choice for a bridgehead server would be Server 1 based on CPU power and RAM.
The T1 link should be configured with a lower cost than the 256-Kbps link. The numbers are relative: 100 for the T-1 would mean the 256-Kbps could be set to anything higher than 100.
14
CHAPTER 3
The schedule should be configured to only allow replication on Monday through Friday, from 11:00 P.M. until 4:00 A.M., and anytime on Saturday and Sunday. The interval should be reset to something lower than 180 minutes, since you only have a window of five hours on weekdays to complete all changes.
You can disable site link bridging and manually create the appropriate site link bridges. This solution works since the five sites are not fully routed, which is one of the reasons to create manual site links. In order to create manual site links, site link bridging must be disabled first.
CHAPTER 4
15
CHAPTER 4
d. Global catalog is the term used to refer to the central repository database that contains all Active Directory objects. All other answers are not valid terms.
2. Which of the following roles are forest-wide roles? a. PDC emulator b. Infrastructure master c. Domain naming master d. Schema master e. Global catalog
ANSWER
c and d. The two forest-wide roles are the domain naming master and schema master role. The other choices are domain-wide roles.
3. Your single-domain company is planning to add a second location that will access the domain via a frame relay connection. The frame relay service that has been used in the past in your area is unreliable, but it is the only choice you have for now. You have determined that the connection will not need to be used very frequently if you set things up properly. This location will have approximately 20 users. You plan to install a domain controller for these users to log on to and share data. What should you do at this site to allow users to log on to the network?
ANSWER
You can either make the site a global catalog server or you can enable universal group membership caching for the site.
4. Use this scenario to answer the following questions. Contoso Pharmaceuticals has 500 employees in 14 locations. The company headquarters is in Hartford, CT. All locations are part of the contoso.com domain, contain at least two servers, and are connected by reliable links. a. Which FSMO roles are most likely held at the Hartford location?
16
CHAPTER 4
ANSWER
All five FSMO roles will reside here along with at least one global catalog server.
b. While trying to add new user accounts to the domain, you receive an error that the accounts cannot be created. You are logged on as a member of the Domain Admins group. What is most likely causing the problem?
ANSWER
The RID master is down. If the domain controller you are trying to create accounts on has run out of identifiers to assign to new objects, the RID master needs to provide an additional pool to the domain controller.
Since the links are reliable, a global catalog server should be placed at each location. This will allow logons in the remote sites to be faster. The other option would be to enable each site with universal group membership caching.
5. Contoso Pharmaceuticals is expanding to include several newly acquired companies. Although they will each become part of the contoso.com forest, each of these companies wants to maintain their own decentralized management strategy. To accommodate this request, you have installed the subsidiaries as separate domain structures. One of them is named litwareinc.com. a. Which roles will this new domain need to accommodate?
ANSWER
Since it is part of the contoso.com forest, it will need to have all three domain-wide roles, which include RID master, infrastructure master, and PDC emulator roles.
b. If litware.com decides to have a small satellite office included in their domain for several users, without having logon traffic using their available bandwidth to the parent domain, what should they do?
ANSWER
They can either add a global catalog server to this site or enable universal group membership caching. Either solution will avoid logon traffic over the WAN link.
c. In contoso.com, your server functioning as the domain naming master has failed due to a power surge. You are unable to create a new child domain for a new location until this server is back online. Currently it is not expected that the domain naming master issue will be resolved in a reasonable amount of time. What steps should you take so that you can resolve this problem and create the necessary child domain?
ANSWER
You should seize the domain naming master role to a standby FSMO server. Prior to doing so, you will want to use repadmin.exe to determine the synchronization status.
CHAPTER 4
17
d. In one of the locations, you have Microsoft Windows 98 clients that cannot access resources in the domain. They have been functioning just fine until today. What might be causing them to not have the ability to access the domain?
ANSWER
The PDC emulator server is most likely not functioning. The PDC emulator is responsible for processing logon requests for downlevel clients such as Windows 98.
256-K frame relay Reliable Link 56K-Reliable Link Lansing Site New York Site Domain D Domain B
Table 1-5 FSMO Role Placement Server Site Domain Global Catalog Yes or No Roles Assigned
A A A B B C
18
CHAPTER 4
Table 1-5 FSMO Role Placement Server Site Domain Global Catalog Yes or No Roles Assigned
C D B B
Table 1-5 FSMO Role Placement (Suggested Solution) Server Site Domain Global Catalog Yes or No Roles Assigned
DC1 DC2 DC3 DC4 DC5 DC6 DC7 DC8 DC9 DC10
Chicago Chicago Chicago Chicago Chicago Detroit Detroit Lansing New York New York
A A A B B C C D B B
Yes
Schema master, domain naming master RID Master PDC emulator, infrastructure master
Yes
RID Master PDC emulator, infrastructure master PDC emulator, infrastructure master
Yes Yes
RID master RID master, infrastructure master, PDC emulator None None
Additional suggestion for answer: Enable universal group membership caching for Site B, since no global catalog is present in New York. In the Detroit site, you could place all roles on one of two servers and create a manual replication link between both servers. The second server can be considered a standby server in case of a role failure on the primary server.
The plan should include a recovery method for the schema master, domain naming master, infrastructure master, RID master, and PDC emulator roles. Each should have a standby list in case the role needs to be seized or transferred.
CHAPTER 5
19
CHAPTER 5
No. Built-in groups do not allow their type or scope to be changed. This behavior is by design.
4. Click the Members tab, and view and record the members of the Domain Admins group. Close the Properties window for the Domain Admins group.
d and e. Jscript and VBScript files are supported by Windows Script Host.
2. Your company has just purchased a new printer that the owner wants all employees to be able to use. You currently have only one domain with two servers running Windows Server 2003. All users have accounts to authenticate daily to the network. As the administrator, what is the simplest and most secure way to assign permissions to all of the users in your domain? a. Create a domain local group with the proper permissions assigned to the printer and place all user accounts in the domain local group. b. Create a global group and place all of the user accounts on the membership list. Assign the global group permission to access the resource directly.
20
CHAPTER 5
c. Create a global group and place all of the user accounts on the membership list. Create a domain local group and add it to the ACL of the printer assigning the necessary permissions. Place the global group in the membership list of the domain local group. d. Create a domain local group and add it to the ACL of the printer assigning the necessary permissions. Place the built-in Domain Users account in the membership list of the domain local group. e. Create a domain local group and add it to the ACL of the printer assigning the necessary permissions. Place the Everyone special identities group account in the membership list of the domain local group.
ANSWER
d. Creating a domain local group with the access permissions to the printer and adding the Domain Users group to the domain local groups membership list is the most secure and easiest method of granting access. All users added to the domain are automatically added to the domain users group. Answer E would include any guest users and the group membership list cannot be administratively modified. Microsoft recommends avoiding the use of the Everyone group as a general security guideline. Answers a, b, and c do not follow proper group usage guidelines.
3. You work for a local school district as the district wide network administrator. Currently the district has a UNIX database that contains all student records. The district board of educators would like you to use the same user names on the Windows Server 2003 network that are currently are being used on the UNIX server. They have asked you how you intend to accomplish this task. What will you tell them?
ANSWER
The best strategy for this is to export the UNIX database information to a file. This file can be edited and used either with CSVDE, LDIFDE, or WSH. As an administrator you should consider that some of the accounts may need to be modified or deleted at a later date. LDIFDE or WSH provide this flexibility.
4. Having just hired a new employee to help you with some administrative tasks, you would like this person to be responsible for network backups. Without giving more access than is necessary to perform this task, to which group should you add the new employees user account? a. Server Operators b. Administrators c. Everyone d. Backup Operators e. Domain Admins
ANSWER
CHAPTER 5
21
5. Your company network consists of four domains that include Windows NT Server 4.0, Windows 2000, and Windows Server 2003 servers. Each domain has a group of managers that need access to the same resource. You are trying to create a universal group to nest the managers global groups, but the universal group option is dimmed out. What is most likely the cause for this condition?
ANSWER
Your domain is in mixed mode due to the Windows NT Server 4.0 servers. Mixed mode does not offer universal group support.
Distribution groups cannot be assigned resource access permissions. Security groups offer both distribution list capabilities and security permission assignments.
7. What is the difference between a domain local group and a local group?
ANSWER
Domain local groups are stored in Active Directory. They can be centrally managed and can be given permission to access domain resources. Local groups are stored on the computer in which they are created, cannot be centrally managed, and cannot be given permission to domain resources.
8. You have just finished joining a newly installed Windows XP workstation into your domain. To which group will this computer be a member by default? a. Domain Controllers b. Local Computers c. Everyone d. Domain Computers e. Domain Workstations
ANSWER
The correct answer is d. All computers that are joined to an Active Directory domain are automatically made members of the Domain Computers group.
22
CHAPTER 5
10 Windows Server 2003 domain controllers 5,000 users 5,000 client computers humongousinsurance.com
west.humongousinsurance.com 3 Windows Server 2003 domain controllers 1,000 users 1,000 Windows XP computers
east.humongousinsurance.com 2 Windows Server 2003 domain controllers 3 Windows NT Server 4.0 1,000 users 1,000 computers
All domains are Windows Server 2003 domains. The forest root domain has 10 domain controllers. Five of those domain controllers are configured as DNS servers and two are configured as global catalog servers. The West domain has three domain controllers. Two of those domain controllers are configured as DNS servers. One of those domain controllers is configured as a global catalog server. The East domain has two Windows Server 2003 domain controllers and three Windows NT Server 4.0 Backup Domain Controllers (BDCs). The forest root domain is located in College Station, Texas. The East domain is located in Gainesville, Florida. The West domain is located in San Diego, California. There is also an Active Directory site configured for each of these locations. The site for College Station is named Main_Site. The Gainesville site is named East_Site. The San Diego site is named West_Site. You are one of several network administrators assigned to handle the forest root domain and College Station site. Your manager, Jean Trenary, has called a meeting of all network and desktop administrators. She wants to address several issues. Given this information, answer the following questions: 1. Jean says there are four internal auditors in the forest root domain. There are two internal auditors in each of the child domains. Each set of internal auditors has been placed in a global group within each domain. These groups are named IA_Main, IA_East, and IA_West after their respective locations. Jean wants all of the members of these groups to be able to access the same resources in every domain. What is the recommended way to configure the groups to allow the desired functionality?
ANSWER
Create a universal group to which all individual global groups can become a member. This allows each internal auditor to have access to resources granted to the universal group. Choose a name for the group that represents the entire company such as Humongous_IA.
CHAPTER 5
23
2. The network administrators from the East domain want to know why the option to create a universal group is not available in their domain. What can you tell them?
ANSWER
Universal groups are available only to domains that have a functional level of Windows 2000 native mode or later. When using the mixed mode functional level, you cannot create universal groups. In order to change the functional level, all of the existing Windows NT Server 4.0 BDCs must be removed or upgraded. Once the domain functional level is raised, the two Windows Server 2003 domain controllers will no longer replicate the domain database to Windows NT Server 4.0 BDCs.
3. The network administrators from the West domain want to know why everyone always recommends placing global groups into universal groups, instead of just placing the users directly into the universal groups. What should you tell them?
ANSWER
Universal group membership changes cause forest-wide replication. If you use global groups as members of universal groups instead of users, it is less likely that there will be membership changes to the universal groups. If you decided to place users directly into universal groups, forest-wide replication will take place each time a user was added to, or deleted from, a universal group. In most domains the user accounts are modified more frequently than the groups themselves. Once you are able to upgrade all of the domain controllers in the forest, youll be able to raise the domain functional level to Windows Server 2003, which would alleviate this issue and concern.
4. Jean approves a plan to hire assistants for each domain to create and manage user accounts. How can you give the assistants the immediate ability to help in this way, without making them domain administrators?
ANSWER
Place the assistants in the Account Operators group of the domains for which they are expected to be assistants.
5. Two employees have been hired to back up data, maintain the Windows Server 2003 domain controllers, and manage printers for the Main_Site. Which Built-in groups will give these users the permissions they require to manage the domain controllers? How should you set up their accounts and group memberships?
ANSWER
These users will need permissions assigned to the Backup Operators, Account Operators, and Server Operators. You should create a global group specifically for these users. For example, you can create the Maintenance_Main global group. Make that group a member of the Backup Operators, Account Operators, and Server Operator domain local groups. Then place the user accounts for these new employees in that new global group.
24
CHAPTER 5
The correct answers are: Batch files used to create simple scripts using .bat and .cmd files. Batch files can be used to add or remove users from Active Directory using commands such as dsadd. CSVDE used to import or export Active Directory objects. Files are saved with a .csv extension and require a header record. Example of usage: You have an Excel spreadsheet containing names of people you wish to add to Active Directory. LDIFDE used to import, export, modify, or delete Active Directory objects. Uses a line-separated file format. Example of usage: You have the need to create new users and modify existing entries. WSH Used for just about any scripting need. Supports VBScript and Jscript files. Wscript.exe runs the script from a Windows desktop interface by doubleclicking the script file, while Cscript runs the script from a command prompt. Example of usage: Create, delete, and modify users, customize their logon/logoff scripts, set all parameters for user objects such as home directories, drive mappings, and so on.
Part II. Using the Internet as your resource, find an example of one of the script types and write a short description of the script and what it accomplishes.
ANSWER
Sample scripts can be located by using a search engine and Active Directory Scripts as your keyword.
CHAPTER 6
25
CHAPTER 6
ANSWER
Students will use their own names to develop a naming standard and password strategy. They should not use the example already printed earlier in the text. This exercise can be shared in groups and analyzed for the differences between strong and weak passwords.
b. Certificate Services are required for smart card functionality. Answer a, Secondary Logon Service, is required for Run As; answer c, Domain Name Service, is required for name resolution; and answer d, PKI Service, is not a service, but rather a system of digital signing entities, such as CAs, used to verify the identity of a user.
2. Based on strong password characteristics, what is wrong with the password TiGer01? What would you recommend changing to make this password stronger?
ANSWER
26
CHAPTER 6
The password contains a complete dictionary word. It should contain at least one symbol if possible. Suggested solutions include: T!g3r01, TlG3r_01.
3. One of your employees is unable to gain access to the network because she left her smart card at home. Keeping in mind that your network has fairly high security guidelines, which of the following choices is the most secure solution for this situation? a. In Active Directory Users And Computers, reset her account so that it does not require the use of a smart card, and assign her a password that does not expire. b. In Active Directory Users And Computers, reset her account to not require the use of a smart card and assign her a password that expires at the end of the business day. c. Create a temporary user account and password for this user and assign all necessary permissions for her to access her resources. d. Create a temporary smart card for her with a certificate that expires at the close of the business day.
ANSWER
d. Issuing a temporary smart card will provide the benefits of maintaining the security of the network, without username/password combinations. All other options are valid, but not as secure. In addition, they require that the administrator remembers to reset the account so the user can gain entry using a smart card on the next business day.
4. You are the main administrator for an enterprise environment consisting of four domains in separate locations. Your network is becoming increasingly difficult to manage due to the number of users in separate geographic locations. Each location has people who are willing to learn to maintain their part of the network. In addition, as departments grow, you want each department to have control over their user accounts and resources. The CEO has asked you to come up with a plan to set up decentralized administration. What will you include in your plan?
ANSWER
A plan for delegating control of each domain to a sub-administrator. In addition, you should make sure there are OUs defined for each department. You may need to consider revising the current configuration by moving users and resources within their respective departments. Then you will need to delegate control of each departmental OU so that they can be managed independently.
5. Which tool must you use to move a user object from one domain to another domain? a. Active Directory Users And Computers b. Drag and drop c. Movetree d. Dsmove
ANSWER
CHAPTER 6
27
c. Movetree must be used to move objects between domains. All other options can be used to move objects within the same domain structure.
6. You are attempting to use the Run As program to open Active Directory Users And Computers, but you receive an error message and are unable to do this. What should you check? a. Check to make sure you are logged on locally. b. Check to make sure certificate services is functioning properly. c. Check to make sure that the Log On Locally policy has not been changed. d. Check to make sure the Secondary Logon service is running.
ANSWER
d. The Secondary Logon service must be running for you to create a second connection using another set of credentials.
7. What must you have in order to be able to create a smart card on behalf of a user in your organization? a. An enrollment certificate b. A token-style card c. An administrator user account d. Full control in the Active Directory domain
ANSWER
a. You must have an enrollment certificate in order to create smart cards on behalf of users in your organization.
8. List the hardware requirement for each workstation from which you wish to gain smart card access to your network.
ANSWER
9. List an administrative benefit of being able to move objects from one OU to another within your domain.
ANSWER
You may wish to place users in a container and then delegate control of the container to a sub-administrator. You may also wish to group users according to their needs for group policy implementation.
10. Which of the following statements should be considered most important when planning your OU structure? a. Delegation of administrative tasks b. Group Policy implementation c. User access to resources d. Ease of user navigation
ANSWER
28
CHAPTER 6
a. Delegation of administration should be the most important consideration when planning your OU structure. All other answers are incorrect for the following reasons:
Group policies have multiple methods in which they can be assigned and managed, and therefore offer more flexibility. User access to resources is not a consideration since containers do not serve as security principals. Users do not use the OU structure to find resources.
The forest should use decentralized administration. This will allow you to assign each domain administrator the rights to manage his or her own domain.
2. How will you achieve the goal set forth by the accounting and human resource departments?
ANSWER
You should run the Delegation Of Control Wizard from the accounting and human resource containers and assign the appropriate user or group permission to manage their container.
Since one of the main goals is to create a high-security network and protect against intruders, you should propose the use of smart cards for authentication.
CHAPTER 6
29
you have implemented strong passwords and educated your users on the importance of following company policy, you feel that you need to convince upper management that smart cards will alleviate your problems. In order to do this, you will need to come up with the following information:
A list of benefits to a smart card program A list of items to be added to the budget for implementation and support of this new program A rough implementation plan that lists the basic steps required to implement this new technology
Address each one of these points in a plan for this new program.
ANSWER
Students should come up with a list of points that includes the following smart card benefits:
Users no longer have to remember complex passwords. All information is stored on the smart card making it difficult for anyone, except the intended user, to use or access. Security operations such as cryptographic functions are performed on the smart card, rather than on the network server or local computer. This provides a higher level of security for sensitive transactions. Smart cards can be used from remote locations such as a home office to provide authentication services. The risk of remote attacks using a username and password combination is significantly reduced by smart cards.
Students should come up with a list of necessary budget items to implement this technology. This list should include at a minimum the following items:
If you do not have Certificate Services installed in your environment, you must do so. Depending on how you choose to structure the CAs, this may require an additional server. PC/SC compliant smart cards and readers. You should plan for one reader for each workstation in addition to one smart card per user. You will need to determine the type of reader that is best for your corporate needs and then research projected costs. You must set up at least one computer as a smart card enrollment station. Depending on the company security policies and guidelines, this may be a separate workstation requiring a budget line item. You should also plan budget dollars for support and maintenance.
Students should create a rough plan that identifies the phases and appropriate order for implementing smart cards into the environment. This plan should include the overall tasks as follows:
Set up Certificate Services. This may include implementing an offline root CA. Create template for certificate enrollment. Set appropriate permissions for certificate autoenrollment. Set up a smart card enrollment station and install the smart card reader. If you will be creating smart cards with certificates on behalf of each user, make sure the person responsible for creating smart cards for users is set up as an Enrollment Agent.
30
CHAPTER 6
Enable user accounts in Active Directory for smart card authentication. Set up smart card readers at each workstation and train users on required log on procedure.
CHAPTER 7
31
CHAPTER 7
If Advanced Features already has a check mark next to it, clicking it again hides the Advanced Features view options. Make sure there is a check mark next to Advanced Features before proceeding to step 2.
2. In the left console pane, expand the System folder. 3. In the System folder of the left console pane, locate the Policies folder, and expand it by clicking the plus sign (+). This opens the folder and you should now see the two default policies. 4. Copy the names of the two GUIDs that you see here. 5. Locate and open the Sysvol share for your domain from your computer. (Hint: You can do this from the Run dialog box using a UNC name.) 6. Open the folder that represents your domain name. 7. Open the Policies folder. You should now see at least two folders with GUID names. Copy the GUID folder names you see. 8. Compare these names with the names you copied in step 4.
QUESTION What do you conclude? Why do you think this is true? ANSWER
The GUIDs are the same. They represent the two default policies that were created when Active Directory was installed.
A nonlocal GPO is processed after the local Group Policy, and it is modifying the wallpaper setting that is part of the workstation.
32
CHAPTER 7
a. site, domain, OU, local b. domain, site, OU, local c. local, domain, site, OU d. local, site, domain, OU
ANSWER
d. Local policies are processed first, followed by site, domain, and then OU policies.
3. You have just completed the installation of Active Directory on the first domain controller in a new forest. How can you confirm that the two default policies have been created?
ANSWER
Using the Advanced Features view in Active Directory Users And Computers, you can view the GPC. There are two policies represented by GUIDs. In addition, in the Systemroot\Sysvol\SYSVOL\Domainname\Policies folder, there are two subfolders named according to the same GUID numbers as in the GPC.
4. While studying the Group Policy folder structure, you notice that there is a Registry.pol file in one of the policies \Machine subfolder, but not in another policys \Machine subfolder. What is the difference between these two policies?
ANSWER
The first group policy that has the Registry.pol file has a setting that has been configured within the Administrative Templates subnode of the Computer Configuration node, while the second policy does not have any modified Administrative Templates settings.
6. You are the administrator for an Active Directory network with several policies that are being applied at each OU. You have just implemented several workstations that can be used by any user who needs access to the network from one of the conference rooms. During your testing of these stations, you notice that when you log on as the different users, the workstation is modified based on the users policy settings. This creates a problem since you do not want individual user settings to affect these workstations. What should you do to stop this from happening, but still allow multiple users to use their normal logon names for these computers?
ANSWER
CHAPTER 7
33
Enable the Loopback setting and set it to Replace. This causes the policies to reprocess the computer policy and replace any user settings that were part of the individual user policies.
7. Since you implemented group policies throughout your organization, some users have complained that it takes a long time to log on to the network. When your manager comes to you and asks for an explanation for the performance degradation, what will you tell him?
ANSWER
Policy processing is transparent to the user. However, the user desktop is not delivered until all policies and scripts have been processed. The delay is most likely being caused by the processing of multiple policies to secure the network and provide a consistent desktop to the users.
8. You have created a policy for your organization at the site level that includes several security settings that no other policies within your Active Directory structure should override. What can you do to ensure this will happen? a. Set the container to Block Policy Inheritance. b. Set the policy to No Override. c. Set the Loopback policy setting to Enabled. d. Set the Policy to Block Policy Inheritance and also No Override.
ANSWER
b. No Override prevents any of the settings from being overwritten by other policies lower in the Active Directory structure.
9. You have created a container that holds all of the administrator user accounts. This container should not have any of the group policies applied to it from any of the parent containers. How do you accomplish this?
ANSWER
On the administrator accounts container, set the container properties to Block Policy Inheritance.
10. You are fairly new to using group policies and administrative templates. What features are available to help you understand what each setting in Administrative Templates will do?
ANSWER
The Extended tab in Group Policy, Administrative Templates Help, and the Explain tab in a particular settings Properties dialog box are available to provide explanation about the Administrative Templates settings.
34
CHAPTER 7
implementation and your boss has several key policies that you need to decide where to place. Using Figure 7-11, complete Table 7-2 documenting how you can accommodate the following goals.
You need to have an e-mail application installed and configured on all desktops company wide. You need to implement account security for all accounts, but the West location password guidelines will be slightly different from the East location guidelines. All locations in the West OU should have several options in Internet Explorer modified. The Detroit departments should both have NetMeeting configured.
contoso.com
West
East
Phoenix
Denver
Detroit
Chicago
Accounting
FT07xx11
Sales
Figure 7-11
ANSWER
Table 1-2 Scenario 1 Group Policy Plan Location Policy Goals and Special Settings
Domain policy setting that installs the company-wide e-mail application to all desktops. Add a policy that implements the user account password security guidelines for all locations in this region. Add a policy that implements the user account password security guidelines for all locations in this region. Include the Internet Explorer modifications in this policy. Add a policy that implements the NetMeeting configurations.
Detroit
CHAPTER 7
35
of your corporate network, you have some policies that you want to become part of their environment, and others that you do not want to implement at this time. As you discuss this with your IT team, your manager asks you to explain which features in Windows Server 2003 allow you to provide the Group Policy flexibility needed by the new Active Directory structure. List several of the features in Windows Server 2003 Group Policy that will allow Coho Winery, Inc. to achieve their post-acquisition goals. Be prepared to discuss your answers in class.
ANSWER
You should discuss the No Override and Block Policy Inheritance features. In addition, you should discuss the importance of a carefully planned OU structure that facilitates Group Policy implementation.
36
CHAPTER 8
CHAPTER 8
The current size of the log file will vary depending on the number of entries it contains. The maximum size by default for the Application log on a computer running Windows Server 2003 is 16 MB. By default, when the log file fills up, the oldest events will be overwritten.
The current size of the Security log file will vary depending on the number of entries it contains. The maximum, default size of the security log file is 16 MB. By default, when the log file fills up, the oldest events will be overwritten.
The current size of the System log file will vary depending on the number of entries it contains. The maximum, default size of the security log file is 16 MB. By default, when the log file fills up, the oldest events will be overwritten.
The answer to this question will vary based on installed services. For example, if your server is running DNS, a DNS log will be available. This is true for other services such as Active Directory, File Replication, and DHCP. Student answers will vary depending on what is configured on their servers.
CHAPTER 8
37
The article is number 298444 and it is titled, A Description Of The Group Policy Update Utility.
4. In this article, find the description of the /force switch and briefly describe it here.
ANSWER
The gpupdate /force command will force all policy settings to be reapplied. By default, only policy settings that have changed are applied.
b and d. By auditing failure events in the Logon Events category, you can monitor logon failures that might indicate that an unauthorized person is trying to access a user account by entering random passwords or by using password-cracking software. By auditing failure events in the Account Logon category, you can monitor logon failures that might indicate an unauthorized person is trying to access a domain account by using brute force.
2. Since you have expanded your organization and are now following a decentralized approach to network management, you want to make sure that you track when Active Directory objects are created or removed, in addition to when changes to certificate services take place such as denial of certificate requests and so on. How can you do this?
ANSWER
You need to configure an audit policy to Audit Account Management and Audit Object Access. These two settings log activity to the Security log of the domain controller.
3. Due to new corporate policies that have stronger security guidelines for your network, you decide to increase the minimum password length, enforce strong passwords, and make sure user accounts are locked after three invalid logon attempts within a 15-minute time frame. These settings
38
CHAPTER 8
should apply to all domain users on your network. Where do you configure these settings?
ANSWER
These settings can be defined in the Default Domain Policy GPO under the Computer Configuration\Windows Settings\Security Settings\Account Policies node.
The Security log contains information on security events that are specified in the audit policy.
5. You are the administrator for a mid-sized accounting firm with approximately 50100 users and three servers in a single domain environment. Over the past few months, you have been monitoring the amount of available drive space weekly and have noticed that users seem to be using more and more space. You want to somehow control the amount of space each user has access to on the servers, so that you do not run into trouble later. You want users to each have a limit of 500 MB and receive notification when they have only 50 MB left. Some users only use minimal space, while others, such as the marketing department, use quite a bit of space. What should you do?
ANSWER
You should implement a disk quota policy that ensures enough space is included to serve the high-storage needs of marketing users. This will allow more than what is needed for the typical user and have a limit that will accommodate high-storage users in the marketing department. If the marketing users need more than 500 MB, the limit should be raised accordingly.
6. Based on your answer to question 5, list the steps you will take to accomplish this.
ANSWER
. 1. Open Group Policy Object Editor for your Domain Policy GPO.
2. Expand the Computer Configuration/Administrative Templates/System/Disk Quo-
tas extension.
3. Enable Disk Quotas and set the Default Quota Limit And Warning Level setting.
7. Consider that you have enabled the Autoenrollment settings on the Default Domain Policy GPO so users begin using their smart cards immediately. To test your configuration, you immediately attempt to use your smart card from your workstation by inserting it into the reader. When you try to log on, your attempt fails. What could be causing this to occur?
ANSWER
Your policy has not been refreshed. You must restart your computer in order for the new settings to apply.
8. The CEO of your company has been speaking with a friend who informed him that he can have his files from his laptop redirected to the server. He has created a file system structure on his local hard drive that
CHAPTER 8
39
is stored in C:\Data\Workfiles. He would like you to redirect them to the server and have them available for offline use. What is your response to this request?
ANSWER
You first need to explain that as the structure is currently set up, you cannot redirect it. You must move the \data\workfiles structure to his My Documents folder. Then you can redirect these files and make them available for offline use.
This situation is perfectly suited to using Folder Redirection. Group Policy offers the ability to redirect many different special folders on a client system to an alternate location. In this case, this involves redirecting users My Documents folders to a network share.
2. How can you address the situation concerning the sensitive data editors use?
ANSWER
40
CHAPTER 8
Redirecting the files is an excellent start, since the files are then stored on the network and backed up regularly. If the editors documents are deemed more valuable, one thing to consider is using Advanced Redirection. Basic Redirection redirects all users documents to the same file share, typically storing the documents in a folder below that share. By using Advanced Redirection, it is possible to redirect files to different locations based on the security group membership of the user. You may choose to redirect the editors documents to a file server that is more secure and reliable. You may also ask that the editors use EFS encryption on their documents.
3. How would you address the users with mobile computers so that they could work on their files while traveling?
ANSWER
An excellent strategy would be to augment the Folder Redirection policy by configuring the files to be available offline as well. When these users are connected to the local area network (LAN), accessing their My Documents folder would show the contents of the redirected location on the network file server. When users are on the road, they are still able to access their My Documents folder, but they are accessing the copies of the documents cached locally. Any changes they might make, or any new documents they create, are synchronized with the network the next time they are connected to the LAN.
4. Linda warns that some users may have huge amounts of data already stored in the My Documents folder on their local computer. How might this affect your recommendations?
ANSWER
At the very least, you must ensure that there is adequate storage available on the network file servers. Furthermore, you should consider the effect on the network when the users log on for the first time after you implement this policy. The default behavior when the redirection is first implemented is to move the existing contents of the local My Documents folder to the network file server. This is usually a good idea.
CHAPTER 8
41
2. Do the Windows 98 computers support this new technology? Why or why not?
ANSWER
No, only Windows XP Professional and Windows Server 2003 computers support the Autoenrollment Group Policy option.
3. What technology needs to be implemented as infrastructure support for this new program?
ANSWER
An Enterprise CA needs to be installed on one of the Windows Server 2003 computers, a certificate template needs to be configured, each user needs to have Read ACE on the template, and the Default Domain GPO needs to be set to allow autoenrollment.
42
CHAPTER 9
MANAGING SOFTWARE
CHAPTER 9
MANAGING SOFTWARE
CHAPTER EXERCISES
Exercise 9-1: Using Msiexec to Deploy Software Applications and Patches
To learn the syntax for deploying software from the command line, complete the following steps: 5. Continue exploring the options for Msiexec by expanding the plus signs (+) next to each option. You can print the output of this Help screen by clicking the Print icon above the right window pane.
QUESTION Based on what you have learned in this exercise, what would be the correct syntax for advertising the C:\SharedApps\WPapp.msi to all users and applying the C:\SharedApps\WPapp.mst transform to it when it is installed? ANSWER
The correct syntax for advertising the C:\SharedApps\WPapp.msi to all users and applying the C:\SharedApps\WPapp.mst transform to it when it is installed is as follows:
msiexec /jm C:\SharedApps\wpapp.msi /t C:\SharedApps\wpapp.mst
The Unrestricted Properties window description reads as follows: Software access rights are determined by the access rights of the user.
QUESTION In your own words, what does the message here mean? ANSWER
The description means that the Unrestricted property allows any software application to run as long as the user has the appropriate file system permissions. Any rules defined begin under this premise.
CHAPTER 9
MANAGING SOFTWARE
43
2. Which file type is used by Windows Installer? a. .inf b. .bat c. .msf d. .msi
ANSWER
d. Windows Installer uses .msi files to provide information on applications to be installed using Group Policy.
3. As part of your efforts to deploy all new applications using Group Policy, you discover that several of the applications you wish to deploy do not include the proper package files. What are your options?
ANSWER
You can repackage the software using a third-party tool or you can create a .zap file for deployment.
If you choose to repackage the application, you must create a snapshot of a computer that is identical to the computers that obtain the software via Group Policy. If you choose to use a .zap file, the application can be published only, not assigned. In addition, .zap files do not support automatic repairs, automatic removal, unattended installations, or custom installations.
5. Your company has just purchased 200 new workstations that need to be deployed to user desktops as soon as possible. At a recent departmental meeting, it was suggested that, rather than installing all applications on each workstation, users should be responsible for installing their own programs. What feature in Windows Server 2003 will allow users to choose and install necessary programs to their computers?
ANSWER
Group Policys Software Installation Properties can be used from within the User Configuration node. Applications should be published to permit selections to appear in Add or Remove Programs in Control Panel. This will allow users to add the programs they need to their workstations by installing them from a shared distribution point. It is important to note that for this to work, the Add or Remove Programs option in Control Panel should not be blocked in some other Group Policy.
6. List the order of precedence from highest to lowest for software restriction policy rules.
ANSWER
44
CHAPTER 9
MANAGING SOFTWARE
The order of precedence for software restriction policies is: hash, certificate, Internet zone, and path rules.
7. In an effort to thwart e-mail viruses on your network, you want to prevent users from running executable files in e-mail attachments. Explain how you would restrict this activity and list any issues that may affect your solution.
ANSWER
You can create a software restriction policy with a path rule set to Disallowed on the directory where e-mail attachments are stored. However, if your e-mail program allows attachments to be saved to another location and then launched, this may not entirely prevent the problem.
8. What two Default Security Levels can be used with a software restriction policy?
ANSWER
Disallowed and Unrestricted are the two default software restriction policy security levels. Unrestricted is the original default setting when a new policy is created.
9. You are the administrator for a Windows Server 2003 domain. Your company has just purchased a new application that will be used by all employees to create forms. You want to make sure that this application is installed the next time users log on to the network. Explain the steps you would follow to make this happen.
ANSWER
First, you need to make sure there is a software distribution point created on the server from which the software will be deployed. Then copy the application files and Windows Installer files to the software distribution point. Give users Read permissions to the folder where these files reside. Create a Group Policy for the domain. In the Software Installation folder under the User Configuration\Software Settings node of the policy, add the package file used to deploy the application and set this package to Assigned. On the Deployment tab of the Properties window for the package, make sure there is a check mark on the Install This Application At Logon option.
10. Using the same scenario as question 9, is it possible to have the programs install automatically when the computer restarts, as opposed to when a user logs on?
ANSWER
CHAPTER 9
MANAGING SOFTWARE
45
decided that using software restriction policies in conjunction with standard user access permissions will help to fulfill the necessary security requirements. You are preparing an implementation plan that is based on user needs and security requirements. Users should not be able to access any programs with the exception of those that are pertinent to their jobs. In addition, the user needs within the organization are as follows:
Users only need access to e-mail and a patient database. The patient database has its own built-in security access system that is configured for each user based on their needs within the program. All user accounts are located in containers based on their office location.
Software restriction policy settings should not affect settings that are already in place within existing GPOs. If problems arise with restriction policies, they should be easy to rectify, without affecting other security areas. Administrator accounts should not be affected by software restrictions. Other applications should not be affected by any of the restrictions.
List the key points that should be part of your implementation plan based on the information provided here.
ANSWER
Create a GPO for an OU with a select group of users that can test the settings. Set the Default Security Level for the software restriction policy to Disallowed. Create individual path rules that point to the patient database and the e-mail application and set these to Unrestricted so that they can function properly. Set the Enforcement option within the software restriction policy so that the policy applies to users, but not to administrators. Test the GPO on the pilot group of users to make sure that all functionality and restrictions are present. Be sure that administrators are not affected and that all other applications function properly for the users. When testing is complete and the policy is solid, link this policy to the domain. Do not modify any existing policies. Maintain a separate policy for the software restriction policies to allow them to be disabled or deleted, without affecting any other settings.
46
CHAPTER 9
MANAGING SOFTWARE
Table 1-3 Wide World Importers Network Structure Office/OU Users Computers Operating Systems Used
Windows 2000 Professional Windows 2000 Professional and Windows XP Professional Windows 2000 Professional and Windows XP Professional Windows 2000 Professional and Microsoft Windows NT version 4.0 Workstation Windows XP Professional Windows 2000 Professional and Windows XP Professional Windows NT version 4.0 Workstation Windows 2000 Professional Windows 2000 Professional and Windows XP Professional
The California and New York offices are connected by a dedicated T-1 line. There are dedicated 256-Kbps fractional T-1 lines connecting the Florida office both to the California and New York offices. Several of the Marketing users have mobile computers, and a portion of their time is spent traveling the world. Access to the main network is accomplished by dialing in to a local Internet service provider (ISP), and then establishing a Layer Two Tunneling Protocol (L2TP) virtual private network (VPN) to the California office. There are three domain controllers and one file server at each location. The wide area network (WAN) links are used heavily during the day, but Wide World does not plan to upgrade them any time soon. It is important that the software deployment strategy you suggest does not adversely affect the WAN links during business hours. Max has indicated that he wants more control over software deployment and wants to leverage his investment in Windows Server 2003. The main software requirements of the company include Office XP for all users, a third-party program used by Marketing, an application used by Finance for billing and accounting, and a proprietary shipping application developed for Wide World Importers. While all users utilize Office XP, they dont all use the same applications. Many users utilize only Outlook and Word, while others also make use of Access and PowerPoint. Still others use Excel on a daily basis. Given the concerns of Wide World Importers as outlined above, answer the following questions: 1. Utilizing GPO for software deployment, how can you configure the network in a manner that will not negatively impact the business by saturating the WAN links during deployment?
ANSWER
On a single local area network (LAN), it is common to set up a single software distribution point to store the applications to be deployed using Group Policy. Bandwidth cannot be totally disregarded, but it is much less of an issue locally, since high bandwidth is assumed. When WAN links are involved, the best way to prevent a deployment scenario where the client is installing the software over the WAN link is to provide a software distribution point at each office. Once that is accomplished,
CHAPTER 9
MANAGING SOFTWARE
47
you could keep the GPOs separate for each office, with each GPO pointing to the local software distribution point. A more elegant solution is to configure the three software distribution points as replica links in a Microsoft distributed file system (Dfs) topology. This way, all software deployment can reference the same software distribution point, and client machines will automatically be referred to the software distribution point in their own site.
2. With respect to the marketing, finance, and shipping applications, what are some of the options and considerations when deciding how to deploy these applications?
ANSWER
Although you could deploy all three applications at the domain level, and use security filtering by adding access control entries (ACEs) to the GPO to limit the deployment to the appropriate users, the solution would require extra administrative work. For example, you would have to implement security groups that align with the deployment goals. The best option, since these applications map nicely to the OU structure of the company, is to deploy the applications at the appropriate OUs. For example, if a single GPO is used for deployment, the sales program could be linked to all three Marketing OUs. The other consideration is whether to assign or publish this application. You must determine whether the applications are optional or mandatory. If these applications are optional, publishing to users would make the most sense. Users would have to take the initiative in choosing to go to Add Or Remove Programs in Control Panel and install the application. Considering that these custom applications were developed specifically to be used by these departments, the company will likely consider them mandatory. Assuming that is the case, you should assign them. If users move from computer to computer in the organization, you may decide that assigning them to the users is most appropriate. If each user has his or her own computer, assigning the applications to the appropriate computers is the best solution.
3. How do you recommend resolving the issue that many users utilize different parts of the Office XP suite of applications?
ANSWER
Transforms are files that end with an extension of .mst. These files are deployed along with the .msi file to alter the configuration. This is an option to address this complication. It could be quite an administrative burden to develop .mst files for each of the different configurations utilized, and then deploy multiple GPOs with each of the different configurations. It is important to understand transforms and when they are appropriate. In this case, however, there was no indication that having extra software available would cause trouble. Consider assigning Office XP to users at the domain level. This makes all file extension associations on the client systems and advertises the applications by making all of the Start menu shortcuts available. Essentially, all of the applications are set to install on first use. If some users never launch Excel, for example, then the program files to run Excel are simply not brought down for that user. In this case, a complicated set of transforms would seem to be a waste of administrative effort.
4. A small number of the client systems are running Windows NT version 4.0 Workstation. How would you advise Wide World Importers regarding software installation for these systems?
48
CHAPTER 9
MANAGING SOFTWARE
ANSWER
Group Policybased software installation does not apply to Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Me, or Microsoft Windows NT systems. It might make sense to upgrade these systems to Windows 2000, Windows Server 2003, or Windows XP as appropriate. If, for some reason, these options dont work for the company, installing the software manually or using some other network management tool, such as Microsoft Systems Management Server, are the remaining options.
5. The shipping application is a proprietary application that does not have an .msi file associated with it. How would you recommend using Group Policy to deploy this application to the Shipping department?
ANSWER
There are two options for deploying an application that does not natively have an .msi file available. The simplest, but least flexible, is to create a Zero Administration Package or .zap file. This allows an administrator to publish this application to users, so they can select to install that application from Add Or Remove Programs in Control Panel. However, a .zap file does not take advantage of Windows Installer features, such as installing with elevated privileges, automatic rollback, and automatic repair of damaged or missing program files. A .zap file also cannot be assigned to users or computers, only published to users. The other option is to use a third-party application to repackage the program into an .msi file.
CHAPTER 10
49
CHAPTER 10
The following tabs are available in the right console pane: Linked Group Policy Objects, Group Policy Inheritance, and Delegation.
The following tabs are available in the right console pane for this policy: Scope, Details, Settings, and Delegation.
The Settings tab provides a detailed report that shows each policy setting and the values assigned to that particular setting. This report can be saved in HTML format or printed for documentation purposes.
6. In the left console pane, expand the Group Policy Objects node.
QUESTION What policies are listed here? ANSWER
By default, the Default Domain Controllers Policy and the Default Domain Policy are listed here. Any other policies that are listed are due to previous exercises or demonstrations.
GPResult returns RSoP data for the current logged-on user. Information includes security group memberships and applied policies and filters.
50
CHAPTER 10
5. Use the GPResult Help screen output from step 1 and write the necessary syntax to obtain the desired information. This command is not intended to function in the current environment. This step helps to understand the syntax of the command.
ANSWER
You can set up a test environment that will allow you to apply existing policies and new policies to test users and computers. If this is not possible, you can use RSoP in Planning mode or GPMCs Group Policy Modeling Wizard to create result reports.
2. After deploying several new restrictive policies, you are unable to access Control Panel from your workstation, even though you are logged on as Administrator. You suspect that the policy settings are forcing this behavior. What can you do so that the restrictive policy settings will not affect your Administrator account?
ANSWER
On the restrictive GPOs, you can set the Apply group policy permissions for the Administrator group to Deny. This will disallow the application of the group policy settings for any users that are members of the Administrators group.
3. During a recent training session, you learned about WMI filters. Upon returning to your office and exploring your group policy structure, you implement a filter for a software deployment policy so that the software will be deployed only to computers that have enough drive space and memory. The software deploys to all computers that meet the criteria with the exception of those running Microsoft Windows 98 and Microsoft Windows 2000 Professional. Why is the software not being deployed to these computers even though they have the appropriate drive space and memory availability?
ANSWER
One reason is that group policies created in Windows Server 2003 are not compatible with Windows 98 computers. Additionally, WMI filters are ignored on computers running Microsoft Windows 2000.
Windows XP Professional with SP1 and Windows Server 2003 will support the installation of GPMC.
CHAPTER 10
51
5. What is the difference between the import and the copy features that are available in GPMC?
ANSWER
The import feature allows settings from a GPO stored in the file system to be brought into an existing GPO. All existing settings will be erased when the import takes place. The copy feature copies settings from an existing GPO to a new GPO.
6. As the administrator for a newly installed Windows Server 2003 network, you would like to use GPMC to plan and manage your entire GPO structure. Where should you look for this tool?
ANSWER
GPMC is available as a free download from the Microsoft download link at http://www.microsoft.com/downloads.
7. Once GPMC is installed, what changes will you see in the existing tools such as Active Directory Users And Computers?
ANSWER
GPMC changes the group policy tab in the Properties windows for a container to reflect that policies are no longer managed here. Instead, the tab indicates the presence of GPMC and provides a button from which it can be launched.
You will need to delegate the creation of GPOs to the local administrators at each location.
2. Users in each location are currently all in one OU. There are certain group policies that should only apply to users in some departments and not others. What options should you consider that will allow for group policies to only be applied to the necessary users?
ANSWER
One solution is to create groups, add the appropriate users to the groups, create the policies, and use permissions to filter their application. A second and probably better choice is to create additional OUs for each department and move the user accounts into their respective departmental OUs. Creating policies on the departmental OUs can then be done to implement the desired settings.
52
CHAPTER 10
Using the filtering solution first suggested can become cumbersome to manage and difficult to troubleshoot.
3. Although you have created a domain-wide policy that enforces restrictions on administrative tools, you do not want those settings to apply to users for which you have delegated administrative permissions on each locations OU. What are your options to solve this?
ANSWER
If you wish to enforce other settings within the domain-wide policy to all users, you cannot use permissions to deny the application of the policy. One method is to separate the policy settings that restrict tools or application access from the other security settings. In other words, create separate policies based on main goals. Creating one policy that does it all is not the best solution because you cannot filter based on specific settings. Another method would be to consider creating a separate OU for administrative users and then using the Block Policy Inheritance setting.
CHAPTER 11
53
CHAPTER 11
The Dependencies tab provides information on the dependencies required by the selected service, in addition to the services that depend on the selected service.
A performance object is a logical collection of performance counters associated with a resource or monitored service. A performance counter is a value that applies to a performance object.
An alert detects when a predefined counter value rises above or falls below the configured threshold, and notifies a user by means of the Messenger service. Alerts enable you to define a counter value that triggers actions, such as sending a network message, running a program, making an entry in the Application log, or starting a log.
4. You are the network administrator for a small legal firm that is using a single-server Windows Server 2003 network. You are preparing to back up your server for the first time and you need to ensure that the Active Directory database, in addition to the Certificate Services database, is backed up. What type of backup will you need to perform?
ANSWER
Perform a normal backup and make sure that you include the System State data. For Windows Server 2003 operating systems, the System State data is com-
54
CHAPTER 11
prised of the registry, COM+ Class Registration database, system boot files, files under Windows File Protection, and the Certificate Services database if the server is a certificate server. If the server is a domain controller, Active Directory and the Sysvol directory are also contained in the System State data. To back up Active Directory, you must back up the System State data.
5. Describe a normal restore, when you might use it, and the tool that you must understand to perform it.
ANSWER
A normal restore is performed in a situation in which you want to restore a domain controller to a previous working state. In a multiple domain controller environment, a domain controller that is restored using a normal restore obtains any changes that it did not have at the time of backup through replication of data from other domain controllers. Each restored directory partition is updated with data from its replication partners. The Backup And Restore Wizard or the Ntbackup command line utility can be used to perform a normal restore.
6. Describe an authoritative restore, when you might use it, and the tool that you must understand to perform it.
ANSWER
An authoritative restore can be used to retrieve Active Directory information that has changed and has been overwritten throughout the domain after replication. For example, if an OU was deleted and needed to be restored, an authoritative restore allows an administrator to restore the OU. The OU is restored and replicated throughout the domain. Any domain controllers still containing the old OU are overwritten by the restored OU.
7. Which method of restore should you use if a domain controller has completely failed?
ANSWER
Primary restore.
8. As part of your weekly monitoring review, you discover that the disk that holds the Sysvol volume is extremely low on space. You recently removed the global catalog role that was originally assigned to this server in hopes of recovering some of the space. It seems that you need to find another solution for your low drive space problem. You determine that until you upgrade the server, you have no other location to which you can move the Active Directory database and Sysvol contents. What can you do to try to recover some of the space?
ANSWER
You could try moving any files, such as data files that are not pertinent to Active Directory and the operating system, to another drive. However, the best solution in this situation is to perform an offline defragmentation. Although you recently moved the global catalog role to another server, the space that was used by this service is not automatically reclaimed. You must perform an offline defragmentation to reclaim this space. This may be enough space until you can upgrade your server as planned.
CHAPTER 11
55
Performance monitoring can be used to identify and troubleshoot issues. However, monitoring performance is difficult if you do not know what acceptable or normal levels of any given counter should read. You can only determine what is normal and acceptable on a particular network by taking a performance measure when everything operates normally. After you collect that data, you should periodically check performance. Use the collected information to establish a baseline of performance data that indicates what normal operating conditions are for your network. That way, when something changes, you will hopefully be able to identify what is no longer normal.
2. Margie tells you that some of her domain controllers have multiple hard disks. She tells you that the additional physical hard disks are not being used. She wants to know if they can be used in some way to improve the performance of Active Directory. What would you tell her?
ANSWER
You could improve performance by moving the Active Directory database (ntds.dit) to the second physical hard disk. You could further improve performance by moving the Active Directory log files to a third physical hard disk. This could be done using the Ntdsutil tool.
3. Margie says that her local domain controllers operate slowly sometimes. She theorizes that this could be due to the other domain controllers synchronizing information with her local domain controllers. What could you monitor to help solve Margies problem?
ANSWER
You would certainly use System Monitor in this case. In addition to the typical server performance monitors, such as Server, Memory, and Pages/Sec, you should look at DRA Inbound Objects Applied/Sec, which indicates how much replication update activity is occurring on the server as a result of changes generated on other servers.
56
CHAPTER 11
4. Margie sends you to Cairo, Egypt, to troubleshoot a few domain controllers in her Egypt location. You find some event messages concerning replication events, but you would like to see more detailed information than what is in the log now. What can you do?
ANSWER
Increase the logged information by increasing the diagnostic logging levels for replication events, and also possibly the KCC, in the registry of the domain controllers. You can also use the Replication Monitor (Replmon) or Repadmin command line tools to learn more about replication performance. You can also use the Ntfrsutl tool to query the FRS services on local and remote domain controllers to determine whether they are functioning correctly.
CHAPTER 12
57
CHAPTER 12
The preparation steps required include documenting the existing domain, performing a backup, identifying versions and service packs on the network, assessing hardware requirements, delegating a DNS zone for the new Windows Server 2003 domain, and relocating the LMRepl file replication service.
4. If you are planning to migrate sIDHistory for a Windows 2000 to Windows Server 2003 migration, what steps do you need to take for this to function?
ANSWER
You must create a new empty local group in the source domain named SourceDomain$$$, enable auditing of success and failure for Audit account management on both domains in the Default Domain Controllers Policy, and modify the registry to allow access to the SAM database. These tasks can be automated with ADMT.
ClonePrincipal performs a copy operation and leaves the original object in the source domain, while Movetree performs a move operation and destroys the original object.
ADMT is included on the Windows Server 2003 media and is available for download from the Microsoft Download Center Web site.
7. What type of trust should you create in order to migrate users and computers from a different forest to a local one?
ANSWER
58
CHAPTER 12
8. From which computer in a Windows 2000 domain should the adprep /domainprep and adprep /forestprep commands be run?
ANSWER
Adprep /domainprep should be run from the domain controller holding the infrastructure master FSMO role. Adprep /forestprep should be run from the domain controller holding the schema master FSMO role.
2. What must you do before you run the upgrade from the installation media for Windows Server 2003 on the first Windows 2000 domain controller?
ANSWER
In addition to backing up the data, you must prepare the forest and domain by using the adprep /forestprep and adprep /domainprep commands.
3. The Kansas City facility is closing. The users are relocated either to New York or to San Francisco. The data and all user accounts must be transferred from the existing domain to the new domain structure. Where in the Active Directory structure do you put the Kansas City users and what tool do you use to get them there?
ANSWER
The Kansas City users can be relocated to OUs within the New York or San Francisco child domains. ADMT is used to perform this procedure.
CHAPTER 12
59
4. You must take what considerations into account for the upgrade of the Windows NT 4.0 domains?
ANSWER
Windows NT 4.0 domain controllers must be updated with Service Pack 4, or later. Additionally, you must run the winnt32 /checkupgradeonly command to ensure that the hardware meets the requirements for Windows Server 2003.
5. If you find that the BDC within one of the Windows NT 4.0 domains is the best candidate for the first upgrade procedure, what must you do to upgrade this server first?
ANSWER
Assuming that both the PDC and BDC involved are online, you must promote this BDC to a PDC. This promotion automatically demotes the current PDC.
6. When you finish upgrading and migrating all of the desired domain controllers, what must you do to take advantage of Windows Server 2003 features such as Universal Group Membership Caching?
ANSWER
You must raise the forest functional level to Windows Server 2003.