Document information: 62 pages, 309.97 KB

Content:
Answers 513

Answers

Chapter 1: Lesson Review Answers

Lesson 1

1. Correct Answer: B
A. Incorrect: Centralized WINS topology uses a single, centralized, high-availability WINS server or WINS server cluster.
B. Correct: Full mesh WINS topology is a distributed WINS design with multiple WINS servers or clusters deployed across the enterprise. Each server or cluster replicates with every other server or cluster.
C. Incorrect: Ring WINS topology is a distributed WINS design created by having each WINS server replicate with a specific neighboring partner, forming a circle.
D. Incorrect: Hub and spoke WINS topology is a distributed WINS design in which a central WINS server is designated as the hub and additional WINS servers only replicate with the hub in the site where they are located.

2. Correct Answer: A
A. Correct: You can configure the primary name server, the refresh interval, and the minimum default Time-to-Live (TTL) values for zone resource records in the zone's SOA record.
B. Incorrect: NS records identify the name servers in a DNS zone.
C. Incorrect: SRV records permit AD DS to integrate with DNS and implement DDNS. These records are required for the Locator mechanism to function.
D. Incorrect: Canonical name (CNAME) records map an alias or nickname to the real or canonical name that might lie outside the current zone.

3. Correct Answer: C
A. Incorrect: The /createdirectorypartition switch in the dnscmd command is used to create a directory partition and will not enable a DNS server to support GlobalNames zones.
B. Incorrect: The /enlistdirectorypartition switch in the dnscmd command is used to add a DNS server to a partition replication scope and will not enable a DNS server to support GlobalNames zones.
C. Correct: The /config switch in the dnscmd command is used to enable a DNS server to support GlobalNames zones.
D. Incorrect: The /createbuiltindirectorypartitions switch in the dnscmd command is used to create the default directory partitions and will not enable a DNS server to support GlobalNames zones.

4. Correct Answer: A
A. Correct: You cannot list DNS records by using nslookup unless you have allowed zone transfers, even when the records are on the same computer.
B. Incorrect: You run the command console as an administrator when using configuration commands such as dnscmd. You do not need to do so when you are displaying but not changing information.
C. Incorrect: You can type nslookup ls –d adatum.internal directly from the command prompt. However, you can also type nslookup and then type ls –d adatum.internal from the nslookup> prompt.
D. Incorrect: You can perform most operations on a server, including nslookup, by logging on through a Remote Desktop connection. Logging on to servers interactively is bad practice and should be avoided.

5. Correct Answer: D
A. Incorrect: There is no problem with the host record for the Web server. Other users can access the internal Web site.
B. Incorrect: You do not need to flush the DNS cache on the DNS server. The problem is at the user's client computer.
C. Incorrect: The client computer is registered in DNS and can access other Web sites.
D. Correct: A DNS cache entry on the client computer has marked the Web site URL as not resolvable. Flushing the DNS cache on the client computer solves the problem.

Lesson 2

1. Correct Answer: B
A. Incorrect: A site-local unicast IPv6 address identifies a node in a site or intranet. It is the equivalent of an IPv4 private address, for example, 10.0.0.1.
B. Correct: A global unicast address (or aggregatable global unicast address) is the IPv6 equivalent of an IPv4 public unicast address and is globally routable and reachable on the Internet.
C. Incorrect: A link-local unicast IPv6 address is autoconfigured on a local subnet. It is the equivalent of an IPv4 APIPA address, for example, 169.254.10.123.
D. Incorrect: Two special IPv6 addresses exist. The unspecified address :: indicates the absence of an address and is equivalent to the IPv4 unspecified address 0.0.0.0. The loopback address ::1 identifies a loopback interface and is equivalent to the IPv4 loopback address 127.0.0.1. Neither is the IPv6 equivalent of an IPv4 public unicast address.

2. Correct Answer: A
A. Correct: The solicited node address consists of the 104-bit prefix ff02::1:ff (written ff02::1:ff00:0/104) followed by the last 24 bits of the link-local address, in this case, a7:d43a.
B. Incorrect: Although the 104-bit prefix is written ff02::1:ff00:0/104, the /104 indicates that only the first 104 bits (ff02::1:ff) are used. Hence, the solicited node address is ff02::1:ffa7:d43a.
C. Incorrect: Addresses that start with fec0 are site-local, not solicited node.
D. Incorrect: Addresses that start with fec0 are site-local, not solicited node.

3. Correct Answer: D
A. Incorrect: ARP is a broadcast-based protocol used by IPv4 to resolve MAC addresses to IPv4 addresses. ND uses ICMPv6 messages to manage the interaction of neighboring nodes.
B. Incorrect: EUI-64 is not a protocol. It is a standard for 64-bit hardware addresses.
C. Incorrect: DHCPv6 assigns stateful IPv6 configurations. ND uses ICMPv6 messages to manage the interaction of neighboring nodes.
D. Correct: ND uses ICMPv6 messages to manage the interaction of neighboring nodes.

4. Correct Answer: A
A. Correct: In configured tunneling, data passes through a preconfigured tunnel, using encapsulation. The IPv6 packet is carried inside an IPv4 packet. The encapsulating IPv4 header is created at the tunnel entry point and removed at the tunnel exit point. The tunnel endpoint addresses are determined by configuration information.
B. Incorrect: Dual stack requires that hosts and routers provide support for both protocols and can send and receive both IPv4 and IPv6 packets. Tunneling is not required.
C. Incorrect: ISATAP connects IPv6 hosts and routers over an IPv4 network, using a process that views the IPv4 network as a link layer for IPv6 and other nodes on the network as potential IPv6 hosts or routers. This creates a host-to-host, host-to-router, or router-to-host automatic tunnel. A preconfigured tunnel is not required.
D. Incorrect: Teredo is an enhancement to the 6to4 method. It enables nodes that are located behind an IPv4 NAT device to obtain IPv6 connectivity by using UDP to tunnel packets. Teredo requires the use of server and relay elements to assist with path connectivity. It does not require a preconfigured tunnel.

5. Correct Answer: D
A. Incorrect: This command displays the IPv6 configuration on all interfaces. It does not configure an IPv6 address.
B. Incorrect: You can use this command to add the IPv6 address of, for example, a DNS server to an IPv6 configuration. You use netsh interface ipv6 set address to configure a static IPv6 address.
C. Incorrect: This command enables you to change IPv6 interface properties but not an IPv6 address. You use netsh interface ipv6 set address to configure a static IPv6 address.
D. Correct: You use netsh interface ipv6 set address to configure a static IPv6 address.

6. Correct Answers: A, D, F, and G
A. Correct: IPv4 and IPv6 are both supported by Trey's network hardware and service provider. Dual stack is the most straightforward transition strategy.
B. Incorrect: Trey does not need to encapsulate IPv6 packets inside IPv4 packets. Configured tunneling transition is typically employed if IPv6 is not currently available.
C. Incorrect: Trey saw no need to configure NAT and use private IPv4 addresses. The organization is unlikely to use site-local addresses, which are the IPv6 equivalent of private addresses.
D. Correct: Trey uses public IPv4 addresses throughout its network. It is likely to use global unicast addresses in its IPv6 network.
E. Incorrect: Trey's clients run Windows Vista Ultimate, and its servers run Windows Server 2008. All Trey's clients and servers support IPv6, and the protocol is installed by default.
F. Correct: There is no guarantee that Trey's network projectors and network printers support IPv6, although they probably do because the company believes in investing in cutting-edge technology.
G. Correct: Network management systems need to be checked for IPv6 compatibility.
H. Incorrect: High-level applications are typically independent of the Internet protocol used.

Chapter 1: Case Scenario Answers

Case Scenario 1: Configuring DNS

1. You can configure a zone to support only secure dynamic updates. This ensures that only authenticated users and clients can register information in DNS.
2. You can configure zone replication to occur only with DNS servers that have NS records and are on the Name Servers list. Alternatively, you can manually specify a list of servers and configure zone replication so that zone information is replicated only to these servers.
3. When a Windows Server 2008 server is configured as an RODC, it replicates a read-only copy of all Active Directory partitions that DNS uses, including the domain partition, ForestDNSZones, and DomainDNSZones. Therefore, DNS zone information on RODCs updates automatically (provided the writable DC is configured to allow this).
4. Create an IPv6 reverse lookup zone.

Case Scenario 2: Implementing IPv6 Connectivity

1. Site-local IPv6 addresses are the direct equivalent of private IPv4 addresses and are routable between VLANs. However, you could also consider configuring every device on your network with an aggregatable global unicast IPv6 address. NAT and CIDR were introduced to address the problem of a lack of IPv4 address space, and this is not a problem in IPv6. You cannot use only link-local IPv6 addresses in this situation because they are not routable.
2. Both IPv4 and IPv6 stacks are available. In this scenario, dual stack is the most straightforward transition strategy.
3. As with DHCP for IPv4, you should configure a dual-scope DHCPv6 server on each subnet. The scope for the local subnet on each server should include 80 percent of the full IPv6 address range for that subnet. The scope for the remote subnet on each server should include the remaining 20 percent of the full IPv6 address range for that subnet.

Chapter 2: Lesson Review Answers

Lesson 1

1. Correct Answer: B
A. Incorrect: Data autonomy does not require a resource forest. Resource forests provide service isolation to protect areas of the network that need to maintain a state of high availability.
B. Correct: To achieve data autonomy, you can join an existing forest.
C. Incorrect: Data autonomy does not require a new organizational forest. An organizational forest provides service autonomy, service isolation, or data isolation.
D. Incorrect: Data autonomy does not require a new restricted access forest. A restricted access forest is used for data isolation.

2. Correct Answer: C
A. Incorrect: A restricted access forest will not provide service autonomy. A restricted access forest is used for data isolation.
B. Incorrect: A resource forest will not provide service autonomy. Resource forests provide service isolation that is used to protect areas of the network that need to maintain a state of high availability.
C. Correct: An organizational forest will provide service autonomy.
D. Incorrect: Joining an existing forest will not provide service autonomy. Joining an existing forest is used to provide data autonomy.

3. Correct Answers: A, B, C, and D
A. Correct: When deciding whether to upgrade existing domains or deploy new domains, determine whether the existing domain model still meets the needs of the organization.
B. Correct: The amount of downtime that can be incurred is an important consideration because the downtime varies between both methods.
C. Correct: Time constraints are an important consideration because the time required varies between both methods.
D. Correct: The budget is an important consideration because the costs vary between both methods.

4. Correct Answer: A
A. Correct: To minimize the impact of a problematic schema change, you must disable outbound replication on the server that holds the schema master operations master role.
B. Incorrect: Disabling inbound replication on the server that holds the schema master operations master role will not minimize the impact because the problematic schema change will be replicated out by the server that holds this role.
C. Incorrect: Deactivating the user class will not minimize the impact of a problematic schema change. Deactivating the user class will cause a forest-wide impact.
D. Incorrect: Restarting the computer that holds the schema master operations master role into Directory Services Restore Mode (DSRM) will not enable you to make the schema change. Schema changes cannot be made in DSRM.

5. Correct Answer: B
A. Incorrect: The forest functional level cannot be raised to Windows Server 2008 because there are domain controllers in the forest that have Windows Server 2003 installed on them. These domain controllers must be upgraded to Windows Server 2008, and the domain functional level must be raised to Windows Server 2008 before the forest functional level can be raised to Windows Server 2008.
B. Correct: To install an RODC, raise the forest functional level to Windows Server 2003, which is the minimal forest functional level required for RODCs.
C. Incorrect: The adprep /forestprep command has already been run in this forest because there are Windows Server 2008 domain controllers in the forest.
D. Incorrect: The adprep /domainprep /gpprep command has already been run in this forest because there are Windows Server 2008 domain controllers in the forest.

Lesson 2

1. Correct Answer: A
A. Correct: The single site model has all domain controllers in the same site and uses intrasite replication.
B. Incorrect: The multiple sites model uses intersite replication, not intrasite replication, because domain controllers are distributed across one or more sites.
C. Incorrect: The hub and spoke replication topology has multiple sites and uses intersite replication, not intrasite replication.
D. Incorrect: The full mesh replication topology has multiple sites and uses intersite replication, not intrasite replication.

2. Correct Answer: C
A. Incorrect: The single site model has all domain controllers in the same site and, therefore, does not provide efficient replication when the network consists of faster network connections between major computing hubs and slower links connecting branch offices.
B. Incorrect: There is no replication topology referred to as the ring replication topology in terms of AD DS replication.
C. Correct: The hub and spoke replication topology provides the most efficient replication when the network consists of faster network connections between major computing hubs and slower links connecting branch offices.
D. Incorrect: The full mesh replication topology is used when each site connects to every other site. The propagation of change orders for replicating AD DS can impose a heavy burden on the network and is not efficient when the network consists of faster network connections between major computing hubs and slower links connecting branch offices.

3. Correct Answer: A
A. Correct: The server that holds the PDC emulator operations master role should be placed in the location represented by the hub site because this site would have the largest number of users in a hub and spoke replication topology.
B. Incorrect: The server that holds the PDC emulator operations master role should not be placed in a spoke site because those locations have fewer users than the hub site. The PDC emulator should always be placed in a location where it services the highest number of users.
C. Incorrect: The server that holds the PDC emulator operations master role cannot be placed in every location represented by a spoke site because there can be only one PDC emulator per domain.
D. Incorrect: The server that holds the PDC emulator operations master role should not be placed on the server that holds the global catalog server role in a spoke site because spoke sites have fewer users than the hub site. The PDC emulator should always be placed in a location where it services the highest number of users.

4. Correct Answer: A
A. Correct: When the forest model consists of multiple domains, and not all domain controllers are global catalog servers, the infrastructure master role must be placed on a server that is not a global catalog server.
B. Incorrect: When the forest model consists of multiple domains, and not all domain controllers are global catalog servers, the infrastructure master role cannot be on a server that is a global catalog server because in this scenario, a global catalog server will not receive any updates for the objects the infrastructure master role holder needs to know about.
C. Incorrect: There can be only one infrastructure master role holder per domain. Therefore, the infrastructure master role holder cannot be placed on every global catalog server in the forest.
D. Incorrect: Placing the infrastructure master role holder on a single server in the forest root domain will suffice for the forest root domain. However, because there is one infrastructure master role holder per domain, this is not a complete solution.

Chapter 2: Case Scenario Answers

Case Scenario 1: Designing the AD DS Forest

1. No. Joining the Wingtip Toys computers to the Tailspin Toys forest will not provide service isolation and will allow the Tailspin Toys administrators to manage the entire forest.
2. Yes. Creating a new organizational forest for Wingtip Toys will meet the service isolation requirements and separate the administration capabilities between Tailspin Toys and Wingtip Toys administrators.

Case Scenario 2: Designing AD DS Sites

1. No. Not all locations are connected to a central location. Therefore, the hub and spoke topology will not work.
2. Yes. Using a hybrid topology will work. The U.S., Canada, Mexico, and Italy locations will be using a hub and spoke in this hybrid, with the U.S. location as the hub. The Argentina location will connect directly to the Mexico location, which necessitates a hybrid topology.

Case Scenario 3: Designing the Placement of Domain Controllers

1. No. A global catalog server will also act as a writable domain controller. Therefore, if this server is compromised through lack of physical security, it can be used to further compromise AD DS and AD DS data.
2. Yes. An RODC in the Argentina location will be the best solution because physical security cannot be guaranteed in this location, and RODCs are read-only.

Chapter 3: Lesson Review Answers

Lesson 1

1. Correct Answer: B
A. Incorrect: You must run adprep /forestprep on the DC hosting the schema master role.
B. Correct: You must run adprep /forestprep on the DC hosting the schema master role.
C. Incorrect: You must run adprep /forestprep on the DC hosting the schema master role.
D. Incorrect: You must run adprep /forestprep on the DC hosting the schema master role.
E. Incorrect: You must run adprep /forestprep on the DC hosting the schema master role.

2. Correct Answer: D
A. Incorrect: You should run adprep /domainprep /gpprep on the computer hosting the infrastructure master role, not on the computer hosting the PDC emulator role.
B. Incorrect: You should run adprep /domainprep /gpprep on the computer hosting the infrastructure master role.
C. Incorrect: You should run adprep /domainprep /gpprep on the computer hosting the infrastructure master role, not on the computer hosting the RID master role.
D. Correct: You should run the adprep /domainprep /gpprep command on the infrastructure master when preparing a domain for the introduction of a Windows Server 2008 DC when the forest has already been prepared.
E. Incorrect: You should run adprep /domainprep /gpprep on the infrastructure master, not on the domain naming master. There is only one domain naming master per forest.

[...]

... both Organizational unit (OU)
PPP Point-to-Point Protocol is a data-link protocol that is used for transmitting data.
PPTP Point-to-Point Tunneling Protocol is a VPN protocol based on PPP.
PXE Preboot Execution Environment. Allows compatible network clients to start an operating system from a network source rather than from local media such as a hard disk or CD-ROM.
Password settings container (PSC) ...

... role for delegating data management.
E. Correct: Microsoft recommends the Security Group Administrators management role for delegating data management.
F. Correct: Microsoft recommends the Application-Specific Administrators role for delegating data management.
G. Incorrect: Microsoft recommends the Replication Management Administrators management role for delegating service management, not data management. ...

... use the Security Configuration and Analysis tool to apply template files rather than XML-formatted, role-based security policies.
B. Incorrect: You cannot use the Microsoft Baseline Security Analyzer tool to apply security policies.
C. Correct: You can use the scwcmd command-line tool to apply an XML-formatted, role-based security policy remotely.
D. Incorrect: You cannot use Windows Server Update Services ...

... Incorrect: Microsoft recommends the Security Policy Administrators management role for delegating service management, not data management.
C. Incorrect: Microsoft recommends the Service Administration Managers management role for delegating service management, not data management.
D. Correct: Microsoft recommends the Resource Administrators management role for delegating data management.
E. Correct: Microsoft ...

... between AD DS and UNIX-based computers.
C. Incorrect: Subsystem for UNIX-based Applications enables you to run POSIX-compliant applications on a computer running Windows Server 2008.
D. Correct: Active Directory Federation Services enables you to implement a single-sign-on solution for a group of related Web applications.
2. Correct Answer: B
A. Incorrect: AD FS provides a single-sign-on solution for Web applications ...

... Incorrect: Microsoft System Center Virtual Application Server is not a cluster-aware application.
C. Correct: Microsoft recommends that you use Network Load Balancing as a high-availability solution for the Microsoft System Center Virtual Application Server component of an application virtualization solution.
D. Incorrect: A terminal server farm does not function as a high-availability solution for the Microsoft ...

... administrator from modifying Active Directory.
C. Correct: Administrator Role Separation allows the branch office administrator the privilege of managing the underlying server operating system but not Active Directory.
D. Incorrect: BitLocker provides encryption of entire volumes on a drive in a system but does not stop a logged-on branch office administrator from administering Active Directory.
2. Correct ...

... competitor, these servers should all be Windows Server 2008 Server Core servers.
2. All DCs should be RODCs due to the unskilled administrators and the risk of exposure from the hacker attacks.
3. The junior administrators should be granted local administrator privileges using Administrator Role Separation.

Case Scenario 2: Contoso Trucking, Part 2

1. Initialize BitLocker on the drives in Syracuse ...

... the password attribute from all users. Supply the IFM media to the administrator in Saskatchewan.
2. Configure Administrator Role Separation for the administrator in Saskatchewan. Create an OU named Saskatchewan. Place all Saskatchewan users and computers into the Saskatchewan OU. Delegate the appropriate level of privilege to the junior administrator in Saskatchewan.

Chapter 7: Lesson Review Answers

Lesson ...

... possible to manage 10 VMs using this product, the built-in Hyper-V tools are more than adequate to such a task. Because one answer in this set requires SCVMM 2007, this answer is not the most compelling.
D. Incorrect: Automating server deployment is accomplished through Windows Deployment Services (WDS) rather than SCVMM.
2. Correct Answer: A
A. Correct: It is possible to install the Hyper-V role only on an ...
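An added example, not from the book or its publisher, that works through the Chapter 1, Lesson 2 answers above in Python: it classifies an address into the categories question 1 uses (site-local, link-local, global unicast, unspecified, loopback) and derives the solicited-node multicast address the way question 2 describes, keeping only the last 24 bits under the ff02::1:ff00:0/104 prefix the answer key gives. The sample addresses and the candidate list are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# The solicited-node prefix as the Lesson 2, question 2 answer states it:
# the first 104 bits (ff02::1:ff) are fixed, the last 24 come from the unicast address.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node_address(unicast: str) -> str:
    """Derive the solicited-node multicast address for a unicast IPv6 address.

    Only the low 24 bits (the last six hex digits) of the input survive; every
    other bit is taken from the ff02::1:ff00:0/104 prefix.
    """
    addr = ipaddress.IPv6Address(unicast)
    low24 = int(addr) & 0xFFFFFF
    prefix_bits = int(SOLICITED_NODE_PREFIX.network_address)
    return str(ipaddress.IPv6Address(prefix_bits | low24))


def classify(text: str) -> str:
    """Name an IPv6 address using the categories the Lesson 2 answers use."""
    addr = ipaddress.IPv6Address(text)
    if addr.is_unspecified:                 # ::, like IPv4 0.0.0.0
        return "unspecified (IPv4 0.0.0.0 equivalent)"
    if addr.is_loopback:                    # ::1, like IPv4 127.0.0.1
        return "loopback (IPv4 127.0.0.1 equivalent)"
    if addr.is_multicast:                   # ff00::/8
        if addr in SOLICITED_NODE_PREFIX:
            return "solicited-node multicast"
        return "multicast"
    if addr.is_link_local:                  # fe80::/10, like IPv4 APIPA 169.254.0.0/16
        return "link-local unicast (IPv4 APIPA equivalent)"
    if addr.is_site_local:                  # fec0::/10, like the IPv4 private ranges
        return "site-local unicast (IPv4 private equivalent)"
    if addr.is_global:
        return "global unicast (IPv4 public equivalent)"
    return "other (ULA, documentation or reserved range)"


def answer_choice(unicast: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate that really is the solicited-node address of unicast.

    Mirrors question 2: the right choice keeps only the last 24 bits; a
    candidate that keeps more bits, or starts with fec0 (site-local), never matches.
    """
    expected = ipaddress.IPv6Address(solicited_node_address(unicast))
    for candidate in candidates:
        if ipaddress.IPv6Address(candidate) == expected:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed link-local address whose last 24 bits are a7:d43a, as in question 2.
    link_local = "fe80::2aa:ff:fea7:d43a"
    print(link_local, "->", solicited_node_address(link_local))
    for sample in ("fec0::1", "2001:4860::8888", "::", "::1", link_local):
        print(sample, "is", classify(sample))
```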