Self Test Questions, Answers, and Explanations • Appendix A

11. Your network consists of a single domain and five OUs. The parent OU is named Corp. Corp has two child OUs, First Floor and Second Floor. The First Floor OU has one child OU, Sales. The Second Floor OU has one child OU, Administration. All of the company’s DCs are members of the Corp OU. The First Floor and Second Floor OUs contain the resources that belong to their respective floors. The Sales OU has nonadministrative computers, users, and groups. The Administration OU has the administration computers, users, and groups. You need to design a domainwide security policy that will accomplish the following goals:
■ All users need to have the same password and lockout policy.
■ Audit policies are required for only the DCs.
■ The nonadministrative computers do not need the same level of security applied to them as is required for the administrative computers.
■ The number of group policies to be processed at logon needs to be minimized.
You take the following actions:
■ Create a single GPO.
■ Import a security template for the DCs.
■ Link the GPO to the domain.
Which of the desired results are achieved by your actions?
A. All users have the same password and lockout policy.
B. Audit policies are implemented on only the DCs.
C. The nonadministrative computers have the same level of security applied to them as is required for the administrative computers.
D. The number of group policies to be processed at logon is minimized.

A and D. Answer A is correct; since the GPO has been applied to the domain, all users will have the password and lockout policy. Answer D is also correct since there will only be one GPO processed.
Answer B is incorrect because one GPO applied to all computers will not allow you to create an audit policy that will only be applied to the DCs. The audit policy will apply to all computers.
Answer C is incorrect because a single policy will not allow you to create different levels of security for the nonadministrative computers.

www.syngress.com 256_70-294_Appx.qxd 9/5/03 1:06 PM Page 815

Planning an OU Structure and Strategy for Your Organization

12. Your Active Directory domain consists of one site. You have three OUs. The Corp OU is a parent OU to the Sales OU and Training OU. You have specified restrictions in various group policies and included them in GPOs. On the Corp OU, there is a linked GPO, which prevents users from using Registry editing tools. The Sales OU has a linked GPO that specifies a company logo as the desktop for all users. The Training OU has a linked GPO that disables users from modifying network connections. All other group policy settings are set to defaults. What restrictions (if any) will users in the Sales OU be under when they log on to the network? (Choose all that apply.)
A. They cannot edit the Registry.
B. They have the company logo as their desktops.
C. They cannot modify network connections.
D. They will have no restrictions.

A and B. Settings applied through GPOs linked to OUs affect the specified users in that OU. In addition, settings are inherited from all parent objects. Therefore, users in the Sales OU cannot edit the Registry (applied at the Corp OU level), and will have the company logo as their desktops (applied at the Sales OU level).
Answer C is incorrect because the GPO that prevents users from modifying network connections has been applied to the Training OU. Since the Training OU is also a child of Corp, its settings are not applied to the Sales OU. Answer D is incorrect; the users in the Sales OU will have the settings from both the Corp OU and the Sales OU.

13. You have been tasked to ensure that network security policies are in place, and standards are implemented for users’ configurations. The network is a single Active Directory domain network. There are five OUs: Corp, Sales, Marketing, Development, and Technical. The Corp OU is a parent OU to all other OUs. You are given the following list of objectives to meet:
■ All users must be prohibited from editing their Registries.
■ All users must have a password of at least eight characters.
■ Users in the Sales and Marketing OUs must not be able to store more than 50MB of data on any server.
■ Users in the Development OU must change their passwords every 30 days.
■ All policy settings should only affect their intended targets.
Which of the following solutions will accomplish all of your objectives?
A. Create a GPO called Policy, with settings prohibiting users from using Regedit, and requiring passwords of at least eight characters. Link Policy to the Corp OU. Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Sales OU and to the Marketing OU. Create a GPO called Password, making users change their passwords every 30 days. Link Password to the Development OU.
B. Create a GPO called Policy, with settings prohibiting users from using Regedit, and requiring passwords of at least eight characters. Link Policy to the domain. Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp OU. Create a GPO called Password, making users change their passwords every 30 days. Link Password to the Development OU.
C. Create a GPO called Policy, with settings prohibiting users from using Regedit, and requiring passwords of at least eight characters. Link Policy to the Corp OU. Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp OU. Create a GPO called Password, making users change their passwords every 30 days. Link Password to the Corp OU.
D. Create a GPO called Policy. In Policy, define settings prohibiting users from using Regedit, requiring passwords of at least eight characters, setting disk quotas at 50MB, and a maximum password age of 30 days. Link Policy to the Corp OU.

A. The only answer that meets all requirements is Answer A. While this solution is a long one to implement, it is the only one that applies all desired policies to their intended targets without affecting other computers or OUs.
Answer B is incorrect because the disk quota setting was applied to the Corp OU. This setting will then be applied to all users, not just the users in Sales and Marketing. Answer C is incorrect because it applies the disk quotas to all users, not just those in Sales and Marketing, and it applies the change password to all users as well. Answer D is incorrect because it makes all policies apply to all users. The need to apply policy settings to only affect their intended targets is not met.

14. Your Active Directory domain has two OUs. The Corp OU is a parent OU to the Technical OU. You have implemented a GPO linked to the Corp OU. You do not want those settings affecting the users in the Technical OU. How can you accomplish this with minimal effort?
A. On the GPO linked to the Technical OU, select Block Policy inheritance.
B. On the GPO linked to the Corp OU, select Block Policy inheritance.
C. On the GPO linked to the Technical OU, negate any options set in the Corp OU by choosing Disabled for those options.
D. On the GPO linked to the Technical OU, select No Override.

A. By blocking policy inheritance on the Technical OU, you effectively state that all objects within that OU should start with a “clean slate,” and not be affected by any policy from a higher level. You could negate all settings in the Corp OU’s GPO by selecting Disabled for all options, but that would be tedious at best. The No Override option is for administrators to prevent other admins or users from effectively using the Block Policy inheritance option at a lower level.
Answer B is incorrect because Block Inheritance will not have the desired effect if it is applied to the parent OU. It needs to be set on the child OU to block the policy settings made in the parent. Answer C is incorrect because this will require constant attention and does not meet the minimum effort requirement. Answer D is incorrect because setting the No Override on the Technical OU will ensure that its settings will not be overwritten by any of its child OUs. It will not affect the settings that come from its parent OU.

15. John Smith is a junior network administrator for your company. His user account is JSmith. You want him to take charge of linking all network group policies to the appropriate OUs. Because of his experience level, you do not want him to have additional controls over the OUs. What is the easiest way to accomplish this?
A. Use the Delegation of Control Wizard. Select JSmith, and check Create, delete, and manage groups.
B. Use the Delegation of Control Wizard. Select JSmith, and check Manage Group Policy links.
C. Use the Delegation of Control Wizard. Select JSmith, and check Create and Modify Group Policy.
D. Use the Delegation of Control Wizard. Select JSmith, and check Apply Group Policy.

B. Using the Delegation of Control Wizard, you can allow users to manage group policy links. Note that by delegating this task, the administrator in question can manage links, but does not necessarily have permission to modify the GPO itself.
Answers A, C, and D are incorrect because you only want him to have the ability to manage the Group Policy Links. The other options will give him more power than what is desired in this situation.

Chapter 6: Working with Active Directory Sites

Understanding the Role of Sites

1. An Active Directory environment has been configured with multiple sites and has appropriate resources in each site. The administrator of the Active Directory environment tries to choose a protocol for the transfer of replication information between two sites. The connection between the two sites has the following characteristics:
■ The link is unavailable during certain times of the day due to an unreliable network provider.
■ The replication transmission must be carried out whether the link is available or not.
■ Replication traffic must be able to travel over a standard Internet connection.
Which of the following protocols meets these requirements?
A. Internet Protocol (IP)
B. Simple Mail Transfer Protocol (SMTP)
C. Remote Procedure Calls (RPCs)
D. Dynamic Host Configuration Protocol (DHCP)

B. SMTP is suitable for environments that do not have persistent connections. It uses the store-and-forward method to ensure that data is not lost if a connection cannot be established.
Answer A is incorrect because IP requires a persistent connection to transfer the data. Answer C is incorrect because RPCs are used to transfer information between DCs across remote sites that require persistent connections. Answer D is incorrect because DHCP is used to allocate IP addresses and distribute TCP/IP configuration information; it is not used for replication.

2. Julie installs a Windows Server 2003 server that will be used during the installation of the Active Directory structure for her organization.
She installs the DNS server, creates the domain, and configures it for dynamic updates. When she attempts to install the first DC, she gets a message that the DC for the domain is not available. She decides to continue the installation and fix the problem later. What problem will she need to fix later?
A. The DNS server needs to be restarted.
B. The server she is installing needs to point to the DNS server.
C. The Active Directory-integrated DNS must be used while installing Active Directory.
D. The DNS server needs to be configured for dynamic updates and not to the zones.

B. In this case, the most likely cause is that the new DC is not pointing at the right DNS server.
Answer A is incorrect because the switch between modes does not require restarting. Answer C is incorrect because the Active Directory-integrated DNS is not mandatory when installing Active Directory. Answer D is incorrect because the DNS service can host both dynamic and nondynamic zones. In this question, it is set on the zone level.

3. Robin is managing an Active Directory environment of a medium-sized company. He is troubleshooting a problem with the Active Directory. One of the administrators made an update to a user object and another reported that he had not seen the changes appear on another DC. It was more than a week since the change was made. Robin checks the problem by making a change to another Active Directory object. Within a few hours, the change appears on a few DCs, but not on all of them. Which of the following are possible causes for this problem?
A. Connection objects are not properly configured.
B. Robin has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.

A. Misconfiguring the connection objects of the Active Directory might cause a failure in updates.
Answer B is incorrect because configuration of the DCs for manual updates does not cause failure in updates. Answer C is incorrect because the presence of different DCs for different domains does not cause failure in updates. Answer D is incorrect because creation of multiple site links between the sites does not cause failure in updates.

Relationship of Sites to Other Active Directory Components

4. James is a systems administrator for an Active Directory environment that consists of three sites. He wants to set up site links to be transitive. Which of the following Active Directory objects is responsible for representing a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges

D. Site link bridges are designed to allow site links to be transitive. They enable site links to use other site links for transporting replication information between sites.
Answer A is incorrect because additional sites do not ensure that all DCs are kept up to date at a given point in time. Answer B is incorrect because additional site links do not allow site links to be transitive. Answer C is incorrect because this does not allow site links to use other site links to transfer replication information between sites.

5. Michael, a systems administrator of a medium-sized company, suspects that Active Directory replication traffic is consuming a high amount of network bandwidth. He wants to determine the amount of network traffic that is generated through replication. He plans to carry out the following procedures:
■ Find out replication data transfer statistics.
■ Find out details on multiple Active Directory DCs at the same time.
■ Find out other performance statistics, such as server CPU utilization.
Which of the following administrative tools is most useful for meeting these requirements?
A. Active Directory Users and Computers
B. Active Directory Domains and Trusts
C. Event Viewer
D. Performance

D. The Performance administrative tool enables Michael to measure and record performance values related to Active Directory replication.
Answer A is incorrect because Active Directory Users and Computers cannot be used to track the replication traffic of a network. Answer B is incorrect because Active Directory Domains and Trusts cannot be used to monitor multiple servers at the same time and to view other performance-related statistics. Answer C is incorrect because Event Viewer cannot be used to track the amount of network bandwidth the replication traffic is consuming.

6. Steffi is an administrator of a medium-sized organization responsible for managing Active Directory replication traffic. She finds an error in the replication configuration. How can she look for specific error messages related to replication?
A. Use the Active Directory Sites and Services administrative tool
B. Use the Computer Management tool
C. View the System log option in Event Viewer
D. View the Directory Service log option in Event Viewer

D. The Directory Service event log contains error messages and information related to replication.
Answer A is incorrect because this tool doesn’t maintain the error messages. Answer B is incorrect because the information related to replication is not tracked by the Computer Management tool. Answer C is incorrect because the System log does not contain the error messages and information related to replication.

Creating Sites and Site Links

7. George is in charge of managing Active Directory replication traffic for a medium-sized organization that has installed a single Active Directory domain. The current setup is configured with two sites and consists of default settings that are ideal for replication.
Each site consists of 20 DCs. Recently, the administrators have found that the Active Directory traffic is using a large amount of available network bandwidth between the two sites. George now has the task of meeting the following requirements:
■ Decrease the network traffic between DCs in the two sites.
■ Decrease the amount of change to the current site topology.
■ Make no changes to the current physical network infrastructure.
George decides that it would be highly efficient to set up specific DCs in each site that will receive the majority of replication traffic from the other site. Which of the following solutions will meet the requirements?
A. Form additional sites that are intended only for replication traffic, and move the current DCs to these sites.
B. Establish multiple site links between the two sites.
C. Establish a site link bridge between the two sites.
D. Configure one server at each site to act as an ideal bridgehead server.

D. Bridgehead servers gather the replication information for a site and transfer this information to other DCs within the site. This plan enables George to ensure that the replication traffic between the two sites is passed through the bridgehead servers, and replication traffic will flow properly between the DCs.
Answer A is incorrect because the replication traffic between the additional sites is passed through the current DCs, and replication traffic will not flow properly between the DCs due to the formation of additional sites. Answer B is incorrect because the establishment of multiple site links between the two sites increases the amount of change to the current site topology. Answer C is incorrect because it requires changes to the current physical network infrastructure.

8. James is in charge of managing the Active Directory environment for a medium-sized organization.
He has to write down the procedures for creating a site for a new administrator who is starting up a new office for his organization. Which of the following is the best method for creating a site?
A. Create the site, select the site link, add the subnets, and then move in the DCs.
B. Move the DCs, create the site, add the subnets, and then select the site links.
C. Create a temporary site link bridge, add the DCs, rename the site that’s created, and then add subnets.
D. Create the subnets and then create a site by grouping them. Next, create the links and then move in the DCs.

A. You have to create the site first.
Answers B, C, and D are incorrect because you are asked for the site link that the site will be part of during the creation of that site. This means that you select the site link as you create it. You can then add subnets and DCs in any order.

9. Sofia, an administrator of a medium-sized organization, has created the site links and site link bridges for the Active Directory network. The replication between the sites is working fine, and all the sites are receiving the updates to the Active Directory. She describes the network she is working on to a colleague, and he tells her that she didn’t have to configure site link bridges. Why didn’t Sofia have to create site link bridges?
A. The KCC will create the site link bridges for you.
B. The sites will be automatically bridged.
C. The Domain Naming Master will handle this for you.
D. The GC will handle this for you.

B. You do not have to configure site link bridges manually, since they will be automatically bridged while creating them.
Answer A is incorrect because the KCC won’t actually create site link bridges. Answer C is incorrect because the Domain Naming Master deals with domains. Answer D is incorrect because the GC has nothing to do with this.

Understanding Site Replication

10. Peter, an administrator of an organization, has formed a Windows 2003 Active Directory structure.
He has installed a single domain containing 700 users and computers. The organization is split into two offices with a 56 Kbps link between them. Peter creates two sites, one for each office, and a site link between them using SMTP. The replication between the sites doesn’t seem to be working. What should Peter do?
A. He has to configure an enterprise CA.
B. He has to configure Microsoft Exchange.
C. He has to configure an SMTP-based mail system.
D. He must have a connection faster than 56 Kbps.

A. If you are using SMTP for your site links, you need to have an enterprise CA. The authority will be used to sign the SMTP packets being sent.
Answers B and C are incorrect because the SMTP packets are sent between servers in the sites involved in the site link and do not actually use mail servers. Answer D is incorrect because SMTP (e-mail) can run over a modem that is capable of 56 Kbps.

11. A company uses a single-master domain model, with resource domains for each of its divisions. It has registered two domains under the names www.dotnetforce.com and www.w3force.com. In this situation, which Active Directory information will be replicated between DCs in the dotnetforce.com and the w3force.com domains?
A. Domain-naming context
B. Schema-naming context
C. Configuration-naming context
D. GC
E. SYSVOL

B, C, and D. The schema- and configuration-naming contexts are replicated to all DCs in a forest. The GC is replicated to all GC servers in a forest.
Answers A and E are incorrect because both the domain-naming context and SYSVOL replication occur only between DCs in the same domain.

12. Steffie, a system administrator, has implemented two sites that are connected by a site link. The Cost property is set to 100, and the Replicate Every property is set to 50 minutes. How often will the replication occur?
A. Every 5 minutes
B. Every 50 minutes
C. Every 180 minutes
D. The replication frequency cannot be determined.

B. The Replicate Every property for the site link is set to 50 minutes, which determines how often replication will occur.
Answer A is incorrect because the Replicate Every property is not set to 5 minutes. Answer C is incorrect because the Replicate Every property is not set to 180 minutes. Answer D is incorrect because the Replicate Every property is used to determine the frequency.

[...]
... location C Create three domains: Sacramento with LA, Portland, and Seattle as OUs; Fiji as a subdomain, and New York as another subdomain D Create two domains: Sacramento with LA, Portland, Seattle, and New York as OUs; Fiji as a subdomain D. There are very few technical reasons to have more than one domain Administratively, the Fiji location manages its own users and resources and probably has a lot of...
Install a DNS server that supports RFC 2136 (dynamic updates) C Cancel ADIW Install a Windows 2000 DNS server using the defaults D Cancel ADIW Install a Windows 2000 DNS server Create a primary zone called BusyBee.biz and enable dynamic updates E Cancel the ADIW Install a Windows 2000 DNS server Create a primary zone called BusyBee.biz and don’t enable dynamic updates A, B, and D A DC requires a DNS server. ..
15 Heather has been hired to come into your company and install a customized Directory-enabled application Only the users in your branch office located in Fresno, California use this application. Your headquarters is in Santa Rosa, California, and you created a site for each location and set up directory replication over the slow WAN link to occur only at night Access...
you can have the appropriate name and configuration for the class How do you do this?
A You must deactivate the class that was added with the mistake and then rename it. You then can create a new class with the appropriate name and configuration B You must delete the class that has the mistake and simply create the appropriate Class object C You must wait 24 hours before you can delete any new classes...
state from a DC in San Francisco B Promote the server to a DC using ADIW C Ship the server to San Francisco and have the dcpromo run there and then ship it back D Set up a VPN and then run dcpromo from San Francisco A A backup of a Windows Server 2003 DC can be restored onto any other server, making it a DC In this case, restoring a backup from a healthy DC in San Francisco is the quickest and easiest...
in the schema. You can then delete the class and create the corrected Class object D You can go in and fix the existing Class object without having to recreate the object A. You can deactivate the object and then rename it, allowing you to create a new class with the appropriate name and configuration Answers B and C are incorrect because classes and attributes in schema cannot be deleted Answer D is incorrect...
Managing Operations Masters 11 James comes to work on Monday and opens the Active Directory for Users and Computers His task today is to create three new users and create a new group James attempts this and it fails repeatedly He knows that one DC went down over the weekend, but he is not connected to that DC and can see all the objects in Active Directory. ..
is also incorrect because a third domain is not needed for New York. Windows Server 2003 domains manage Active Directory replication very efficiently across WANs, and the IS manages the resources from Sacramento, so there are no political or administrative reasons to keep New York as a separate domain...
the Sales domain to the branch office and configure it as a GC server C Add a DC from all five domains to the branch office and configure one DC as a GC server D Add a DC for the Sales domain at the branch office E Define the branch office as a site B and E By defining the branch...
Directory-enabled application Answer A is incorrect because Exchange does not have its own schema; rather, it is Directory enabled. This means that it modifies the schema of Active Directory, so the schemas cannot be incompatible Answers B and C are incorrect because neither the RID nor the Domain Naming FSMO affect the installation of an Active Directory-enabled application installation. The RID FSMO keeps a pool .
location. C. Create three domains: Sacramento with LA, Portland, and Seattle as OUs; Fiji as a subdomain, and New York as another subdomain. D. Create two domains: Sacramento with LA, Portland,.
performance and accessibility, you will create sites at each major management location and link them all for Active Directory replication. Each management location only has 10 to 30 people, and.
ADIW. Install a Windows 2000 DNS server. Create a primary zone called BusyBee.biz and enable dynamic updates. E. Cancel the ADIW. Install a Windows 2000 DNS server. Create a primary zone called BusyBee.biz