PrepKing PrepKing-70-294 - GRATIS EXAM

PrepKing

Number: 70-294Passing Score: 700Time Limit: 240 minFile Version: 8.3

ht t p:/ / ww w .gratisexam.com/

PrepKing-70-294

Sections1. Hot Area2. Drag & Drop3. Simulatinos4. MCQs

Exam A

QUESTION 1You have a single Active Directory directory service forest named contoso.com. You create baseline securitysettings for a group of computers, and you store the settings in a database. You deploy the baseline securitysettings. You need to confirm that the security settings on one of the computers are applied correctly. What aretwo possible commands that you can run to achieve this goal? (Each correct answer presents a completesolution. Choose two.)

A. seceditB. gpupdateC. netdomD. scwcmd

Correct Answer: ADSection: MCQsExplanation

Explanation/Reference:

QUESTION 2Your company has a single Active Directory directory service domain that includes a main office and two branchoffices. Each branch office has its own Active Directory site. All user accounts are placed into organizationalunits (OUs) based on department. Multiple Group Policy objects (GPOs) are linked at the domain, the site, andthe OU levels. A user in Atlanta transfers to a different branch office and joins a different department. You moveher user account into the corresponding OU. After logging on to her new client computer, the user notices thatthe desktop settings are different from the settings she had in her previous location. You need to find out theeffect of all GPOs on the user. What should you do?

A. Use the Security Configuration and Analysis snap-in.B. Use the Resultant Set of Policy snap-in.C. Run the Secedit /analyze command.D. Run the Secedit /validate command.

Correct Answer: BSection: MCQsExplanation


QUESTION 3You have a single Active Directory directory service domain. All users in the IT department are placed into anorganizational unit (OU) named IT Users. A Group Policy object (GPO) is linked to the IT Users OU. The GPOassigns a software installation package to install the Windows Server 2003 Administration Tools Pack. Youselect the Install this application at logon option in the software installation package. A user has been removedfrom the IT Users OU, but she still has the Windows Server Administration Tools Pack on her computer. Youneed to ensure that the Windows Server 2003 Administration Tools Pack is removed from a users computerwhen the user is moved from the IT Users OU. What should you do?

A. Modify the software installation package to use the Published deployment method. Clear the Auto-install thisapplication by file extension activation check box. Redeploy the software installation package.

B. Modify the software installation package to clear the Install this application at logon option. Redeploy thesoftware installation package.

C. Modify the software installation package to select the Uninstall this application when it falls out of the scopeof management option. Retain the software installation package in the GPO.

D. Modify the software installation package to select the Uninstall this application when it falls out of the scopeof management option. Delete the software installation package from the GPO.

Correct Answer: CSection: MCQsExplanation


QUESTION 4You have a single Active Directory directory service domain. You use Group Policy to assign applications. Acomputer named Desktop1 must be moved to a different organizational unit (OU). You need to ascertain theeffect that the move will have on the applications that are assigned to the computer account. What should youdo?

A. Use the RSoP tool in logging mode on Desktop1.B. Use the RSoP tool in planning mode on Desktop1.C. Use the RSoP tool in logging mode on a domain controller.D. Use the RSoP tool in planning mode on a domain controller.

Correct Answer: DSection: MCQsExplanation


QUESTION 5You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest thatcontains a single domain named contoso.com. You have a user account named CONTOSO\admin that is amember of the Domain Admins global group. You need to create a new child domain named NA.contoso.comin the forest. You install a stand-alone Windows Server 2003 computer named DC3. You use the ActiveDirectory Installation Wizard to promote DC3 to a domain controller in the new domain. You choose to create adomain controller for a new child domain in an existing domain tree.

You enter the user name and password for CONTOSO\admin. You choose contoso.com as the parent domain,and you type NA as the name of the child domain. You receive the error message shown in the exhibit. (Clickthe Exhibit button.) You need to be able to create the new child domain. What should you do?


A. Enter the network credentials for a member of the local Administrators group.B. Add DC3 to the contoso.com domain and then run the Active Directory Installation Wizard.C. Enter the network credentials for a member of the Enterprise Admins group for the contoso.com forest.D. Enter the network credentials for a member of the Schema Admins group for the contoso.com forest.



QUESTION 6You have a single Active Directory directory service domain. You back up your domain controllers on a nightlybasis. You perform Group Policy backups on a nightly basis. A Group Policy object (GPO) is accidentallydeleted. You need to restore the GPO. What should you do?

A. Perform a nonauthoritative restore of the Active Directory database.B. Perform an authoritative restore of the Active Directory database.C. Select the Import Policy option in the Group Policy Object Editor.D. Restore the GPO by using the Group Policy Management Console.



QUESTION 7You have a single Active Directory directory service domain. You back up your domain controllers on a nightly

basis. An organizational unit (OU) is accidently deleted.

You need to restore the objects that were located in the OU. What should you do?

A. Perform a nonauthoritative restore of the domain controller.B. Perform an authoritative restore of the domain controller.C. Restore the system state data on the domain controller.D. Restore the system volume on the domain controller.



QUESTION 8You are the network administrator for Northwind Traders. The network consists of a single Active Directoryforest that contains one root domain and one child domain. The forest also contains three separate sites, asshown in the Network Diagram exhibit. (Click the Exhibit button.) The network is not fully routed and there is nodirect physical connection between Site1 and Site3. Site links are not bridged. You discover that the domaincontrollers for namerica.northwindtraders.com located in Site1 have additional accounts that are not on thedomain controllers for namerica.northwindtraders.com located in Site3. You examine the directory service log inEvent Viewer on a domain controller for namerica.northwindtraders.com. You discover the error messageshown in the Error Message exhibit. (Click the Exhibit button.) You need to resolve the condition that is causingthis error. What should you do?

A. Add a domain controller for the namerica.northwindtraders.com domain to Site2.B. Configure a site link bridge between the site links for Site1 and Site3.C. Configure at least one domain controller in each site to be a global catalog server.D. Create a site link between Site1 and Site3.



QUESTION 9You have a single Active Directory directory service domain. You have an application that adds Active DirectorySchema attributes during installation. The attributes replicate as part of global catalog replication. Your useraccount is a member of the Domain Admins, Schema Admins, and Enterprise Admins global groups. You testthe application and decide not to deploy it to production. You need to ensure that the attributes that are addedby the application are no longer available in Active Directory. Using the Active Directory Schema snap-in, whatshould you do?

A. Clear the Index this attribute in the Active Directory option for each attribute that is added by the application.B. Clear the Attribute is active option for each attribute that is added by the application.C. Clear the Replicate this attribute to the Global Catalog option for each attribute that is added by the

application.D. Clear the Allow this attribute to be shown in advanced view option for each attribute that is added by the

application.



QUESTION 10You are a network administrator for your company. The network consists of a single Active Directory domain.The company has offices in 25 cities. Each office is configured as a single site. You are responsible for one sitethat is configured as shown in the exhibit. (Click the Exhibit button.) An IP site link connects your site and thesite at the company's main office. The company replaces your router with a firewall device. The firewall isconfigured to allow HTTP, SMTP, FTP, NNTP, global catalog queries, and VPN packets to pass. You discover

that replication with other sites is not occurring. You need to ensure that you can replicate with other sites. Youneed to achieve this goal without removing or reconfiguring the firewall. What should you do?

A. Create a new SMTP site link between your site and each of the other sites.B. Configure one domain controller in your site as a global catalog server.C. Configure both domain controllers in your site to use a fixed port when replicating.D. Create a VPN between your site and the site at the main office.



QUESTION 11You are the network administrator for your company. The network consists of a single Active Directory domainwith three sites named Site1, Site2, and Site3. The sites and site links are configured to use Site2 to connectSite1 and Site3. Each site contains three Windows Server 2003 domain controllers. A domain controller in eachsite is configured as a preferred bridgehead server. All user and group accounts are created in Site1. Severalnew users start work in Site2. When they attempt to log on to the network, the logon fails. You confirm that theuser accounts are created and are visible in Site1 and Site2. You discover that the preferred IP bridgeheadserver in Site2 failed. You repair the server and confirm that replication is successful to Site2. You need toensure that the failure of a single domain controller in any site will not interfere with Active Directory replicationbetween sites. What are two possible ways to achieve this goal? (Each correct answer presents a completesolution. Choose two.)

A. Configure an IP site link between Site1 and Site3.B. Configure two domain controllers in each site as preferred IP bridgehead servers.C. Configure two domain controllers in each site as preferred SMTP bridgehead servers.D. Configure each site to have no preferred bridgehead servers.E. Configure an SMTP site link between each of the sites. Assign a cost of 200 to the SMTP site link.

Correct Answer: BD

Section: MCQsExplanation


QUESTION 12You are the network administrator for your company. Your network consists of a single Active Directory domain.The functional level of the domain is Windows Server 2003. You add eight servers for a new application. Youcreate an organizational unit (OU) named Application to hold the servers and other resources for theapplication. Users and groups in the domain will need varied permissions on the application servers. Themembers of a global group named Server Access Team need to be able to grant access to the servers. TheServer Access Team group does not need to be able to perform any other tasks on the servers. You need toallow the Server Access Team group to grant permissions for the application servers without granting theServer Access Team group unnecessary permissions. What should you do?

A. Create a Group Policy object (GPO) for restricted groups. Configure the GPO to make the Server AccessTeam group a member of the Power Users group on each application server. Link the GPO to theApplication OU.

B. Grant the Server Access Team group permissions to modify computer objects in the Application OU.C. Move the Server Access Team group object into the Application OU.D. Create domain local groups that grant access to the application servers. Grant the Server Access Team

group permissions to modify the membership of the domain local groups.



QUESTION 13You have two Active Directory directory service forests named contoso.com and fabrikam.com. All users log onto the contoso.com domain. All servers run Windows Server 2003 and are members of the fabrikam.comdomain. You create a one-way forest trust in which fabrikam.com is trusting contoso.com. Forest-wideauthentication is enabled. You need to provide only selected users with access to a server in the fabrikam.comdomain. Which two actions should you perform? (Each correct answer presents part of the solution. Choosetwo.)

A. Grant the users the Allowed to Authenticate permission on the computer object representing the server.B. Grant the users the Modify permission on the computer object representing the server.C. Change the one-way forest trust to a two-way forest trust.D. Change the properties of the forest trust from Forest-wide authentication to Selective authentication.



QUESTION 14You have a single Active Directory directory service domain. All servers run Windows Server 2003. You need tospecify the list of applications that users are permitted to run. You create a new Group Policy object (GPO) andlink it to the domain. What should you do next?

A. Configure Software Restriction Policies Group Policy settings.

B. Configure the Enable user control over installs Group Policy setting.C. Assign all approved applications.D. Publish all approved applications.

Correct Answer: ASection: MCQsExplanation


QUESTION 15You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows2000 Professional. All client computer accounts are located in an organizational unit (OU) named Workstation.A written company policy states that the Windows 2000 Professional computers must not use offline folders.You create a Group Policy object (GPO) to enforce this requirement. The settings in the GPO exist for bothWindows 2000 Professional computers and Windows XP Professional computers. You need to configure theGPO to apply only to Windows 2000 Professional computers. What are two possible ways to achieve this goal?(Each correct answer presents a complete solution. Choose two.)

A. Create a WMI filter that will apply the GPO to computers that are running Windows 2000 Professional.B. Create a WMI filter that will apply the GPO to computers that are not running Windows XP Professional.C. Create two OUs under the Workstation OU. Place the computer accounts for the Windows XP Professional

computers in one OU, and place the computer accounts for the Windows 2000 Professional computers inthe other OU. Link the GPO to the Workstation OU.

D. Create a group that includes the Windows XP Professional computers. Assign the group the Deny -Generate Resultant Set of Policy(Logging) permission.

E. Create a group that includes the Windows 2000 Professional computers. Assign the group the Deny - ApplyGroup Policy permission.

Correct Answer: ABSection: MCQsExplanation


QUESTION 16You are the network administrator for your company. The network consists of a single Active Directory domain.The domain includes an organizational unit (OU) named Processing. There are 100 computer accounts in theProcessing OU. You create a Group Policy object (GPO) named NetworkSecurity and link it to the domain. Youconfigure NetworkSecurity to enable security settings through the Computer Configuration section of the GroupPolicy settings. You need to ensure that NetworkSecurity will apply only to the computers in the Processing OU.You need to minimize the number of GPO links. What should you do?

A. Link NetworkSecurity to the Processing OU. Disable the User Configuration section of NetworkSecurity.B. Link NetworkSecurity to the Processing OU. Remove the link from NetworkSecurity to the domain.C. Modify the discretionary access control list (DACL) for NetworkSecurity to assign all computer accounts in

the Processing OU the Allow - Read and the Allow - Apply Group Policy permissions.D. Modify the discretionary access control list (DACL) for NetworkSecurity to assign the Authenticated Users

group the Deny - Apply Group Policy permission and to assign all of the computer accounts in theProcessing OU the Allow - Read and the Allow - Apply Group Policy permissions.

Correct Answer: BSection: MCQs

Explanation


QUESTION 17You have a single Active Directory directory service domain. All users are located in an organizational unit (OU)named ContosoUsers. All client computer accounts are located in an OU named ContosoComputers. You needto deploy a new application to all users. The application shortcut must be available the next time the users logon. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.Choose two.)

A. Create a Group Policy object (GPO) to publish the application. Link the GPO to the ContosoComputers OU.B. Create a Group Policy object (GPO) to assign the application. Link the GPO to the ContosoComputers OU.C. Create a Group Policy object (GPO) to publish the application. Link the GPO to the ContosoUsers OU.D. Create a Group Policy object (GPO) to assign the application. Link the GPO to the ContosoUsers OU.

Correct Answer: BDSection: MCQsExplanation


QUESTION 18You are the network administrator for your company. The network consists of a single Active Directory domainwith three sites. There is a domain controller at each site. All servers run Windows Server 2003. Each clientcomputer runs either Windows 2000 Professional or Windows XP Professional. The IT staff is organized intofour groups. The IT staff works at the three different sites. The computers for the IT staff must be configured byusing scripts. The script or scripts must run differently based on which site the IT staff user is logging on to andwhich of the four groups the IT staff user is a member of. You need to ensure that the correct logon script isapplied to the IT staff users based on group membership and site location. What should you do?

A. Create four Group Policy objects (GPOs). Create a script in each GPO that corresponds to one of the fourgroups. Link the four new GPOs to all three sites. Grant each group permissions to apply only the GPO thatwas created for the group.

B. Create a single script that performs the appropriate configuration based on the user's group membership.Place the script in the Netlogon shared folders on the domain controllers.

C. Configure a Group Policy object (GPO) with a startup script that configures computers based on IT staffgroup. Link the GPO to the three sites.

D. Create a script that configures the computers based on IT staff group membership and site. Create and linka GPO to the Domain Controllers OU to run the script.



QUESTION 19You have a single Active Directory directory service domain. All domain controllers run Windows Server 2003.All client computers run Windows Vista. The computers in the sales department are located in an organizationalunit (OU) named Sales. You use a Default Domain Policy to configure company user and computer settings.You configure a software restriction policy for the domain. The policy prevents users from running software thatis not approved. You need to allow computers in the Sales OU to run software that is not approved whilemaintaining other required settings. What should you do?

A. Configure the Sales OU to block inheritance.B. Create a new software restriction policy that reverses the settings in the Default Domain Policy. Link the

new software restriction policy to the Sales OU.C. Link the software restriction policy to the Sales OU. Disable the user configuration settings of this policy.D. Link the software restriction policy to the Sales OU. Disable the computer configuration settings of this

policy.



QUESTION 20You have a single Active Directory directory service domain. All user accounts in the sales department are in anorganizational unit (OU) named Sales. Your company has five public computers that are members of thedomain. You notice a sales tracking application on one of the public computers. You verify that this applicationis assigned to users in the Sales OU through a Group Policy object (GPO). You need to ensure that when salesdepartment users log on to the public computers, the applications that are assigned to the Sales OU are notmade available on the public computers. What should you do?

A. Add the public computer accounts to a new OU. Create and link a GPO to enable the User Group Policyloopback processing mode setting in merge mode.

B. Add the public computer accounts to a new OU. Create and link a GPO to enable the User Group Policyloopback processing mode setting in replace mode.

C. Create a new GPO and link it to the Sales OU to enable the User Group Policy loopback processing modesetting in merge mode.

D. Create a new GPO and link it to the Sales OU to enable the User Group Policy loopback processing modesetting in replace mode.



QUESTION 21Your company has a single Active Directory directory service forest with multiple domains. The Schema FSMOrole is held by one of the domain controllers in the forest root domain. The Domain Naming Master FSMO roleis held by one of the domain controllers in a child domain. All domain controllers have Windows Server 2003installed. You need to upgrade all domain controllers to Windows Server 2003 R2. Which two actions shouldyou perform? (Each correct answer presents part of the solution. Choose two.)

A. Run the adprep /forestprep command in the forest root domain.B. Run the adprep /forestprep command in all the child domains.C. Run the adprep /domainprep command in all the child domains only.D. Run the adprep /domainprep command in all domains.



QUESTION 22Your companys Windows Server 2003 environment consists of a single Active Directory directory serviceforest. The forest has multiple domains and three sites named Site1, Site2, and Site3. Site1 is the main officeand has four domain controllers. Two of the domain controllers are global catalog servers. Site2 is a branchoffice with two domain controllers. Site3 is a branch office with a slow and unreliable WAN link and two domaincontrollers. You need to improve user logon performance for users in Site2 and Site3. Which two actionsshould you perform? (Each correct answer presents part of the solution. Choose two.)

A. Enable change notification between Site1 and Site2.B. Enable change notification between Site1 and Site3.C. Implement universal group membership caching in Site2.D. Implement universal group membership caching in Site3.

Correct Answer: CDSection: MCQsExplanation


QUESTION 23Your company has offices in Toronto and Chicago. Both offices belong to an Active Directory directory servicesite named Site1. There is only one domain controller in Site1. Users in the Chicago office are experiencingslow logon times. You create a new Active Directory site for the Chicago office named Site2. You promote anew domain controller and create a site link between Site1 and Site2. You need to improve logon times for theChicago users and enable Active Directory replication between the Site1 and Site2 domain controllers. Whichtwo actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Designate the new domain controller as a preferred bridgehead server for Site1.B. Create a subnet object and associate it with Site2.C. Place the new domain controller in Site2.D. Configure a new site link bridge object.

Correct Answer: BCSection: MCQsExplanation


QUESTION 24You have a single Active Directory directory service domain. Your company has a main office and multiplebranch offices. Each office has an Active Directory site. The companys network is not fully routed. You need toensure complete replication between the Active Directory sites. What should you do?

A. Configure site links, and disable site link bridging.B. Configure site links to use the SMTP transport, and enable site link bridging.C. Configure a preferred bridgehead server for each branch office site.D. Configure a preferred bridgehead server for the main office site.



QUESTION 25You are the network administrator for Alpine Ski House. The network consists of a single Active Directory forestthat contains three domains named alpineskihouse.com, child1.alpineskihouse.com, andchild2.alpineskihouse.com. The functional level of the forest is Windows Server 2003. Each domain containsWindows Server 2003 file and print servers. All of the file and print server computer accounts are located in thedefault Computers container in each domain. There is a central operations department that is responsible foradministering the file server computer accounts in all domains. There is a separate operations department foreach domain that is responsible for administering the print server computer accounts in that domain. You needto delegate authority to create an environment to support your file and print server administration requirements.You need to create an organizational unit (OU) structure to support the delegation of authority requirements.What should you do?

A. Create a top-level OU for file server computer accounts under the alpineskihouse.com domain. Create atop-level OU for print server computer accounts under the alpineskihouse.com domain.

B. Create a top-level OU for file server computer accounts under the alpineskihouse.com domain. Create atop-level OU for print server computer accounts under each domain.

C. Create a top-level OU for file server computer accounts under each domain. Create a top-level OU for printserver computer accounts under each domain.

D. Create a top-level OU for file server computer accounts under each domain. Create a child OU for printserver computer accounts under each file server OU.



QUESTION 26You are the network administrator for your company. The network consists of a single Active Directorydomain. The relevant portion of the organizational unit (OU) structure is shown in the exhibit. (Click theExhibit button.) The company's sales division consists of an inside sales department, a mobile salesdepartment, and a telemarketing department. User objects for users in these departments are stored in theInside, Mobile, and Telemarket OUs respectively. User objects for all junior managers and senior managersare stored in the Managers OU. The company decides to train junior managers to perform basicadministrative tasks. Junior managers are responsible for enabling and disabling accounts for all salesusers except junior managers and senior managers. You need to enable junior managers to perform theassigned administrative tasks. You must not affect any existing permissions. What should you do?

A. On the Managers OU, block the inheritance of permissions. Remove all existing permissions.On the Sales OU, grant junior managers the permission to enable and disable accounts.

B. On the Sales OU, block the inheritance of permissions. Copy all existing permissions. On the Sales OU,grant junior managers the permission to enable and disable accounts.

C. On the Managers OU, block the inheritance of permissions. Copy all existing permissions. On the SalesOU, grant junior managers the permission to enable and disable accounts.

D. On the Inside, Mobile, and Telemarket OUs, block the inheritance of permissions. Copy all existingpermissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.



QUESTION 27You are a network administrator for your company. The company has offices in Paris and New York. Thenetwork consists of a single Active Directory domain that contains six domain controllers, as shown in theexhibit. (Click the Exhibit button.)The Paris and New York offices are connected by an IP site link. The six domain controllers are configuredas shown in the following table.

You notice that at regular intervals the CPU utilization on some of the file and print servers increases to 100percent for a period of time. During this time, the servers become unresponsive to user requests. Youdiscover that this problem occurs during Active Directory replication.

You need to ensure that the file and print servers are responsive to user requests during Active Directoryreplication.What should you do?

A. Decrease the replication interval of the site link connecting the two offices.B. Configure Server1 and Server5 as preferred bridgehead servers.C. Increase the replication interval of the site link connecting the two offices.D. Configure Server3 and Server4 as preferred bridgehead servers.



QUESTION 28You are the network administrator for a company that has a single office. The network consists of a singleActive Directory domain and a single site. All servers run Windows Server 2003. All file and print serversand application servers are located in an organizational unit (OU) named Servers. A server support teamhandles daily support issues for the file and print servers and application servers. All of the server supportteam's user accounts are located in an OU named SST. You are responsible for managing security for thecompany's servers. You create a group named ServerSupport that includes all the user accounts of theserver support team. You need to ensure that members of the server support team can log on locally to onlythe file and print servers and the application servers. What should you do?

A. Create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right.Link the GPO to the Servers OU.

B. Assign the ServerSupport group the Allow - Full Control permission for the Computers container.C. Create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right.

Link the GPO to the SST OU.D. Assign the ServerSupport group the Allow - Full Control permission for the Servers OU.



Exam B

QUESTION 1Your company has a hub-and-spoke network topology. The network spans several physical locations. Eachlocation is configured as an Active Directory directory service site. There are two domain controllers in eachsite. You need to prevent the spoke sites from creating replication connections to other spoke sites in the eventthat all domain controllers in the hub site are unavailable. Which two actions should you perform? (Each correctanswer presents part of the solution. Choose two.)

A. Clear the Bridge all site links option.B. Ensure that the Bridge all site links option is selected.C. Designate a preferred bridgehead server in each site.D. Create site links between each spoke site and the hub site.



QUESTION 2Your company has a single Active Directory directory service forest with a forest root domain and a childdomain. The company has a high rate of employee turnover, and administrators create several hundred useraccounts per week. A domain controller in the child domain fails. Within several hours of the failure,administrators are unable to create new user accounts within the child domain. You need to ensure thatadministrators can create user accounts in the child domain. What should you do?

A. Seize the PDC Emulator role in the child domain.B. Seize the RID Master role in the child domain.C. Seize the Infrastructure Master role in the child domain.D. Create a new domain controller in the child domain, and configure it as a global catalog server.



QUESTION 3You are the network administrator for your company. The company consists of two subsidiaries namedContoso, Ltd., and Fabrikam, Inc. The network consists of two Active Directory forests. The WAN connectionsthat connect some domain controllers are unreliable. The domain and trust configuration is shown in theNetwork Diagram exhibit. (Click the Exhibit button.) You create shared folders on Windows Server 2003member servers in both forests. Some of the shared folders are accessible to users from both forests. For eachof the shared folders, you create a domain local group. You add global groups from domains in either forest tothe domain local group. The Fabrikam, Inc., division is sold to a different company. You delete the trustrelationship between the two forests. You notice that after the trust relationship is deleted, the membership listsfor some of the domain local groups are no longer accurate. When you view a membership list, it containsentries without user-friendly names. A sample is shown in the Membership List exhibit. (Click the Exhibitbutton.) You need to delete all the unknown groups from the membership list for the domain local groups. Youwant to achieve this goal by using the minimum amount of administrative effort, and without modifying theaccess to resources for users in the contoso.com forest. What should you do?

A. Create new domain local groups. Add the required global groups from the contoso.com forest to the domainlocal groups. Grant appropriate permissions to the domain local groups. Delete the original domain localgroups.

B. Re-create the trust relationship between contoso.com forest and the fabrikam.com forest. Delete all thefabrikam.com global group accounts from the domain local group membership lists. Delete the trust

relationship between the two forests.C. Verify all remaining trust relationships. Then delete the unknown accounts from the domain local groups.D. Delete all the affected domain local groups. Re-create the groups. Add the appropriate global groups from

the contoso.com forest to the groups. Grant appropriate permissions to the domain local groups.



QUESTION 4You have a single Active Directory directory service forest with three domains. You are monitoring ActiveDirectory replication. You need to obtain the replication status of all domain controllers. What should you do?

A. Run the repadmin /showutdvec command.B. Run the repadmin /showobjmeta command.C. Run the repadmin /replsummary command.D. Run the repadmin /showsig command.



QUESTION 5You have a single Active Directory directory service domain. The forest functional level is set to Windows 2000native. The domain functional level is set to Windows 2000 native. You are preparing to replicate additionalSchema attributes to the global catalog. You need to ensure that only a partial replication occurs when newSchema attributes are added to the global catalog. What should you do?

A. Update the domain functional level to Windows Server 2003.B. Update the forest functional level to Windows Server 2003.C. In the Active Directory Schema snap-in, select the Replicate this attribute to the Global Catalog option for

the new attributes.D. In the Active Directory Schema snap-in, select the Index this attribute in the Active Directory option for the

new attributes.



QUESTION 6You have an Active Directory directory service forest with two domains named Domain1 and Domain2. Alldomain controllers run Windows Server 2003 SP2. A user object in Domain1 that belongs to groups inDomain2 is deleted from Active Directory. You perform an authoritative restore of the user object. You need torecover group memberships for the user. What should you do?

A. Use an LDIF file and import it into Domain1.B. Use an LDIF file and import it into Domain2.

C. Use the Ntdsutil tool to recover the database.D. Use the Ntdsutil tool to perform a metadata cleanup.



QUESTION 7You have a single Active Directory directory service domain with three domain controllers named DC1, DC2,and DC3. All FSMO roles are held on DC1. All domain controllers are global catalog servers. Several users areexperiencing logon times that are longer than normal. All users are authenticating with DC1 and DC3. The DC2logs display error messages indicating that the Active Directory database partition is out of free space. Youneed to ensure that Active Directory is accessible on DC2. You add a 500-GB hard disk to DC2, back up thesystem state data, and restart DC2 in Directory Services Restore Mode. What should you do next?

A. Use Windows Explorer to move ntds.dit to the new hard disk.B. Use the Ntdsutil tool to move ntds.dit to the new hard disk.C. Create a new application directory partition.D. Perform an authoritative restore of Active Directory.



QUESTION 8You are the network administrator for Contoso Pharmaceuticals. The network consists of a single ActiveDirectory domain named contoso.com. The domain contains three Windows Server 2003 domain controllers. Adomain controller named DC2.contoso.com fails because of a hardware failure. You decide not to rebuild thedomain controller. However, because several applications refer to DC2.contoso.com by its NetBIOS name, youneed to provide a new domain controller that has the same name. You install a new Windows Server 2003computer and name it DC2. You attempt to promote the server to a domain controller in the contoso.comdomain. The promotion fails and you receive the following error message. You need to install a new domaincontroller named DC2 in the contoso.com domain. What should you do?

A. Use the WINS administrative console to remove all WINS records for DC2.contoso.com.B. Use the Ntdsutil utility to remove the metadata associated with the DC2.contoso.com domain controller

object from Active Directory.C. Use Active Directory Users and Computers to remove the DC2.contoso.com domain controller computer

account from the contoso.com domain.D. Use the DNS administrative console to remove all DNS records that refer to DC2.contoso.com.



QUESTION 9You have a single Active Directory directory service domain with two domain controllers named DC1 and DC2.DC1 and DC2 are located in two Active Directory sites. Both domain controllers run Windows Server 2003 andare configured as global catalog servers. A domain user object is deleted on DC1. Replication has not yetoccurred between DC1 and DC2. You need to recover the deleted object before the change is replicated toDC2. What should you do first?

A. Restart DC1 in Directory Services Restore Mode.B. Use the NTBackup tool on DC1.C. Disable inbound replication on DC1.D. Disable outbound replication on DC2.



QUESTION 10Your company has a single Active Directory directory service forest with three domains. A site named Site1 hasthree domain controllers named DC1, DC2, and DC3. All three domain controllers have the same directory andapplication partitions. DC3 holds the PDC Emulator Master and RID Master roles. You need to prevent DC3from performing intersite replication, and you must accomplish this goal without disrupting intrasite replication.What should you do?

A. Disable RPC port 135 on DC3.B. Disable LDAP port 389 on DC3.C. Run the repadmin /bridgeheads command.D. Configure DC1 and DC2 to be the only preferred bridgehead servers.



QUESTION 11You have a single Active Directory directory service domain with an enterprise certification authority (CA). Youare creating a new Group Policy object (GPO) to perform certificate autoenrollment. You need to ensure thatusers are notified when an autoenrollment failure occurs. What should you do?

A. Modify the certificate template by selecting the Reenroll All Certificate Holders option.B. Modify the certificate template by changing the required number of authorized signatures from 1 to 2.C. Modify the certificate template by selecting the Include symmetric algorithms allowed by the subject option.

D. Modify the certificate template by selecting the Require user input for autoenrollment option.



QUESTION 12You have a single Active Directory directory service domain. All domain controllers run Windows Server 2003.You need to use Group Policy to audit when domain controllers are restarted. How should you modify theDefault Domain Policy?

A. Enable Success and Failure on the Audit directory service access policy.B. Enable Success and Failure on the Audit process tracking policy.C. Enable Success and Failure on the Audit privilege use policy.D. Enable Success and Failure on the Audit system events policy.



QUESTION 13You have a Windows Server 2003 Active Directory directory service environment that contains anorganizational unit (OU) named Corp. All computers and users are located in the Corp OU. An existing GroupPolicy object (GPO) named HR is linked to the Corp OU. You deploy a new GPO named Software to the CorpOU. A global group named Corp Users contains all users and has the Read and the Apply Group Policypermissions for the Software GPO and to the Corp OU. You need to ensure that the settings in the SoftwareGPO are applied to all users except one specific user. The settings in the HR GPO must continue to be appliedto all users. What should you do?

A. Remove the specific user from the Corp Users group.B. Remove the Corp Users group permissions from the Software GPO.C. Add the specific user to the Access Control List (ACL) for the Software GPO and apply the Deny Apply

Group Policy permission.D. Add the specific user to the Access Control List (ACL) for the Software GPO and remove the Allow Read

and Apply Group Policy permission.



QUESTION 14Your network consists of Windows XP computers joined to an Active Directory directory service domain. Allusers are located in a single organizational unit (OU). Several Group Policy objects (GPOs) are linked to thisOU. A new GPO is created and must be linked to the OU. You need to ensure that the new GPO settings takeprecedence over settings from other GPOs. What should you do?

A. Set the new GPOs link to Enforced.

B. Configure the new GPO to have the lowest link order.C. Implement loopback processing in Replace mode.D. Implement loopback processing in Merge mode.



QUESTION 15You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. All client computers run Windows XP Professional and are members ofthe domain. Only designated IT support staff have administrative rights on client computers. The companyrequires all client computers to run antivirus software. The company licenses an antivirus application that isinstalled on a file server named Server1. An unattended installation can be performed on each client computerby running the setup command from a shared folder on Server1. Several users report that when they attempt toinstall the antivirus application, they receive the following error message: "You do not have sufficient privilegeson this computer to perform this action." You verify that the antivirus application is not installed on any clientcomputers. You need to ensure that all client computers have the antivirus application installed. You want toaccomplish this task by using the minimum amount of administrative effort. What should you do?

A. Create a Group Policy object (GPO) linked to the domain. Use the GPO to launch a logon script that runsthe setup command to install the antivirus application if it is not currently installed. Instruct all users to restarttheir client computers.

B. Create a Group Policy object (GPO) linked to the domain. Use the GPO to launch a startup script that runsthe setup command to install the antivirus application if it is not currently installed. Instruct all users to restarttheir client computers.

C. Create a batch file that runs the setup command. Send this batch file in an e-mail message to all users.Instruct all users to run this batch file.

D. Use Remote Assistance to to run the setup command on each client computer.



QUESTION 16You have a single Active Directory directory service domain. All client computers run either Windows Vista orWindows XP. You create and configure a Group Policy object (GPO) named Secure Client Computer. Youneed to ensure that the Secure Client Computer GPO is automatically applied to current and future WindowsXP client computers. What should you do?

A. Create a WMI filter that limits the scope of the Secure Client Computer GPO to the Windows XP operatingsystem. Link the WMI filter to the GPO. Link the GPO to the domain.

B. Create a global security group that contains all of the Windows XP client computers. Edit the permissions ofthe Secure Client Computer GPO to allow the global security group the Read and Apply Group Policypermissions. Link the Secure Client Computer GPO to the domain.

C. Use the Delegation of Control Wizard at the domain level, and delegate the Generate Resultant Set ofPolicy (Planning) right to the Windows XP client computers. Link the Secure Client Computer GPO to thedomain.

D. Use the Delegation of Control Wizard at the domain level, and delegate the Generate Resultant Set ofPolicy (Logging) right to the Windows XP client computers. Link the Secure Client Computer GPO to thedomain.



QUESTION 17You have a single Active Directory directory service domain. You need to grant a user the followingpermissions:To create Group Policy objects (GPOs) in the domainTo modify all existing and new GPOs in thedomainYou add the users user account to the Group Policy Creator Owners group. What should you do next?

A. Use the Group Policy Management Console to delegate the Write gpLink permission for the Group PolicyObjects container.

B. Use the Group Policy Management Console to delegate the Create GPOs permission for the Group PolicyObjects container.

C. Use the Group Policy Management Console to grant the user account the Full Control permission for thedomain.

D. Use the Group Policy Management Console to grant the user account the Edit, delete, and modify securitypermission for all preexisting GPOs.



QUESTION 18You have a single Active Directory directory service domain. All domain controllers run Windows Server 2003.You are configuring a software restriction policy. You need to allow users to run only a defined set ofexecutables. What should you do?

A. Set the default security level to Unrestricted. Define additional rules.B. Set the default security level to Disallowed. Define additional rules.C. Set the default security level to Unrestricted. Define designated file types.D. Set the default security level to Disallowed. Define enforcement options.



QUESTION 19You have a single Active Directory directory service domain. You have a certification authority (CA) that runs onWindows Server 2003. Your company requires users to log on to their portable computers with two-factorauthentication. You need to prepare your CA for two-factor authentication. Which certificate template shouldyou publish on the CA?

A. Domain Controller AuthenticationB. Authenticated SessionC. Key Recovery AgentD. Smart Card Logon



QUESTION 20You are the network administrator for your company. The network structure is shown in the exhibit. (Click theExhibit button.) The functional level of both forests is Windows Server 2003. All three domains are ActiveDirectory domains. Domain3 contains a computer named Server1. A shared folder on Server1 is namedShare1. Users in an organizational unit (OU) named Accounts in Domain2 need access to Share1. However,whenever the users in the Accounts OU attempt to connect to Share1, they receive an error message statingthat access was denied. You need to ensure that users in the Accounts OU can connect to Share1. Whatshould you do?

A. Create a universal distribution group in Domain2 that includes all users in the Accounts OU. Create adomain local security group in Domain3. Grant access to \\Server1\Share1 to the domain local securitygroup. Make the universal distribution group a member of the domain local security group.

B. Create global security group in Domain2 that includes all users in the Accounts OU. Create a domain localsecurity group in Domain3. Grant access to \\Server1\Share1 to the domain local security group. Make theglobal security group a member of the domain local security group.

C. Create a shared folder in the Accounts OU for \\Server1\Share1.D. Create a one-way external trust relationship in which Domain2 trusts Domain3.



QUESTION 21You are the network administrator for your company. The network consists of a single Active Directory domain.The following table shows the types and quantities of Windows Server 2003 Web and database servers in the

domain. The computer accounts for the Web and database servers are located in the default Computerscontainer. The domain also includes many organizational units (OU) that contain other computer accounts.Your company plans to use Group Policy objects (GPOs) to centrally apply security settings to the Web anddatabase server computers. The settings need to be applied as follows: Some security settings need to apply toall Web and database servers. Some security settings need to apply to the nonproduction servers only. Somesecurity settings need to apply to the production servers only and must not be overridden. Other securitysettings need to apply to specific server types only. You need to create an organizational unit (OU) structure tosupport the GPO requirements. You want to create as few GPOs and links as possible while using only thedefault security permissions for GPO links. You also want to limit the number of GPO links to one link per GPO.What should you do?

A. Create two top-level OUs named Web and Database under the domain. Create two child OUs namedNonproduction and Production under both the Web OU and the Database OU.

B. Create two top-level OUs named Nonproduction and Production under the domain. Create two child OUsnamed Web and Database under both the Nonproduction OU and the Production OU.

C. Create a top-level OU named Servers under the domain. Create two child OUs named Web and Databaseunder the Servers OU. Create two child OUs named Nonproduction and Production under both the Web OUand the Database OU.

D. Create a top-level OU named Servers under the domain. Create two child OUs named Nonproduction andProduction under the Servers OU. Create two child OUs named Web and Database under both theNonproduction OU and the Production OU.



QUESTION 22You have a single Active Directory directory service domain. All client computers run either Windows XP orWindows Vista and are in an organizational unit (OU) named Client Computers. You create a new Group Policyobject (GPO) named Secure Desktop to apply security settings. You link the GPO to the Client Computers OU.You examine a users client computer and find that the security settings have not been applied. You need toensure that the security settings in the GPO are applied immediately after linking the GPO to the OU. Whatshould you do?

A. Run the gpupdate /force command on all domain controllers.B. Run the gpupdate /force command on the client computers.C. Run the secedit /validate command on all domain controllers.D. Run the secedit /validate command on the client computers.



QUESTION 23You are the network administrator for Southridge Video. The network consists of a single Active Directorydomain named southridgevideo.com. The domain contains one domain controller. All servers run WindowsServer 2003. All client computers run Windows XP Professional. The company uses Group Policy objects(GPOs) to configure user and computer settings. The Active Directory database and the SYSVOL shared folderare stored on separate hard disks. The hard disk containing the SYSVOL folder fails. Some Group Policysettings are still applied, but new users do not receive the Group Policy settings. You replace the failed disk.You discover that there are no valid backups of the SYSVOL folder. You have a list of GUIDs and friendlynames for each GPO. On the new disk, you create a new shared folder named SYSVOL in the same locationas the previous SYSVOL folder. You need to configure the network so hat the user and computer settings willbe applied to all users. Which three courses of action should you take? (Each correct answer presents part ofthe solution. Choose three.)

A. In the SYSVOL folder, create a folder named southridgevideo.com. In the southridgevideo.com folder,create a folder named Policies.

B. In the SYSVOL folder, create a folder named System State. In the System State folder, create a foldernamed Policies.

C. In the Policies folder, create a folder for each GPO. Name the folders by using the friendly name of eachGPO. In the folder for each GPO, create a folder named MACHINE and a folder named USER.

D. In the Policies folder, create a folder for each GPO. Name the folders by using the GUID of each GPO. Inthe folder for each GPO, create a folder named MACHINE and a folder named USER.

E. Use Active Directory Users and Computers to open each GPO. Close each GPO without changing anysettings.

F. Use Active Directory Users and Computers to open each GPO. Change at least one setting in each GPObefore closing it.

Correct Answer: ADFSection: MCQsExplanation


QUESTION 24Your company uses a third-party application that is packaged as a Windows Installer file (MSI) and deployedthrough a Group Policy object (GPO). You are deploying an update to all client computers that have theapplication installed. You place the MSI file in a shared folder on a file server. You need to ensure that when thenew version is installed, users do not lose any personal settings that they made in the existing version. Whatshould you do?

A. Create a software installation package in the same GPO by using the MSI file. Configure the new packageas a required upgrade to the original package.

B. Create a software installation package in the same GPO by using the MSI file. Remove the originalpackage, and select the Immediately uninstall the software from users and computers setting.

C. Configure a Windows Installer GPO by enabling the Enable user to patch elevated products setting.D. Configure a Windows Installer GPO by enabling the Enforce upgrade component rules setting.



QUESTION 25You have a single Active Directory directory service domain. You use a Group Policy object (GPO) to applysecurity settings to your client computers. You configure the startup type for system services settings in a newGPO, and you link the GPO to an organizational unit (OU). You discover that the startup type for systemservices on one of the client computers has not been updated. You need to ensure that the Group Policysettings are applied to the client computer. What should you do?

A. Restart the client computer.B. Instruct the user to log off and then log on to the client computer.C. On the client computer, run the Gpupdate.exe command with the /Force parameter.D. On the client computer, run the Gpupdate.exe command with the /Target:computer parameter.



QUESTION 26You are the network administrator for your company. The company consists of two subsidiaries namedContoso, Ltd., and Fabrikam, Inc. The network consists of a single Active Directory forest that containsthree domains. The domain and site configuration is shown in the exhibit. (Click the Exhibit button.) Acomputer named DC1.asia.contoso.com is a domain controller in the asia.contoso.com domain. DC1.asia.contoso.com is also a global catalog server and the preferred bridgehead server for AsiaSite. The ActiveDirectory database on on DC1.asia.contoso.com contains 1 GB of data. The Asia departments in thecompany are implementing an Active Directory-enabled application. You expect size of the database onDC1.asia.contoso.com to increase by 200 MB. Active Directory stops responding on DC1.asia.contoso.com.You discover that the hard disk has less than 5 MB of space remaining. You need to configure DC1.asia.contoso.com so that Active Directory can restart. You also need to configure the server so that additionalspace is available on the hard disk for the additional data that will be added to the Active Directory database.What should you do?

A. Install another hard disk in DC1.asia.contoso.com. Use the Ntdsutil utility to move the database to thenew hard disk.

B. Configure another server in the site to operate as a preferred bridgehead server. Configure DC1.asia.contoso.com so that it no longer operates as a preferred bridgehead server.

C. Install another hard disk in DC1.asia.contoso.com. Use the Ntdsutil utility to move the transaction logs tothe new hard disk.

D. Delete all log files that are located in the NTDS folder.



QUESTION 27You are a network administrator for Fabrikam, Inc. The network consists of a single Active Directory domainnamed fabrikam.com. All servers run Windows Server 2003. All client computers run Windows XPProfessional. The company restricts all users so that they can use only authorized applications. All domainusers are authorized to use the Microsoft Office suite of applications. Members of a security group namedCRM Users are also authorized to use a customer relationship management (CRM) application. Youconfigure Group Policy objects (GPOs) as shown in the exhibit. (Click the Exhibit button.) The OfficeApplications GPO has only the Microsoft Office applications listed as allowed applications. The CRMApplication GPO has only the CRM application listed as an allowed application. The CRM Application GPOhas security settings so that it applies only to members of the CRM Users security group. Users who aremembers of the CRM Users security group report that they cannot run the CRM application. You need toreconfigure the domain to meet the following requirements: All users must be able to run the MicrosoftOffice applications. Members of the CRM Users security group must be able to run the CRM application. Allusers must be prevented from running unauthorized software.Which two actions should you take? (Eachcorrect answer presents part of the solution. Choose two.)

A. Reorder the GPOs so that the CRM Application GPO is higher in the list than the Office ApplicationsGPO.

B. Add the Microsoft Office applications to the list of allowed applications in the CRM Application GPO.C. Create a new OU. Move the user accounts for all members of the CRM Users security group into this

OU. Link the CRM Application GPO to this OU. Enable the Block Policy inheritance setting for this OU.Unlink the CRM Application GPO from the domain.

D. Disable the No Override setting for the CRM Application GPO. Leave the CRM Application GPO linkedto the domain.



QUESTION 28You are the network administrator for your company. The network consists of a single Active Directorydomain. The company's written domain administration policy requires that help desk employees must havethe ability to reset passwords. The help desk employees must be able to reset passwords for all useraccounts except for members of the Domain Admins global group and members of the Executives globalgroup. The help desk employees must not have any other administrative rights in the domain. All help deskemployees are members of the Help Desk global group. All members of the Domain Admins group arelocated in an organizational unit (OU) named AdminsOU. All members of the Executives group are locatedin an OU named ExecutiveOU. All other user accounts are located in an OU named EmployeesOU. The

relevant portion of the OU design for the domain is shown in the exhibit. (Click the Exhibit button.) You needto configure the permissions for the help desk employees as defined by the written domain administrationpolicy. What should you do?

A. Assign the Help Desk global group the right to reset passwords in the OU named AllUsersOU.B. Assign the Help Desk global group the right to reset passwords in the OU named EmployeesOU.C. Assign the Help Desk global group the right to manage user accounts at the domain level.

Deny the help desk employees the right to reset passwords in the OU named AdminsOU and the OUnamed ExecutiveOU.

D. Assign the Help Desk global group the right to manage user accounts in the OU named AllUsersOU.Block the inheritance of permissions at the OU named AdminsOU and the OU named ExecutiveOU.



Exam C

QUESTION 1You have a single Active Directory directory service forest named contoso.com. You have a domain controllernamed DC1 in the Domain Controllers organizational unit (OU). You change a public key Group Policy setting inthe Default Domain Controllers Policy. You need to apply the public key Group Policy change to DC1immediately. What should you do?

A. Run the secedit command.B. Run the gpupdate command.C. Log off of DC1. Log on to DC1.D. Stop and restart the Netlogon service.



QUESTION 2You have a Windows Server 2003 Active Directory directory service environment that has two domaincontrollers, two Terminal Services servers, and two file servers. You deploy an application to the TerminalServices servers and the file servers by using a Group Policy object (GPO). The application is installed on thefile servers. However, it is not installed on the Terminal Services servers. You need to install the application onthe Terminal Services servers. What should you do?

A. Manually install the application on each of the Terminal Services servers.B. Enable the Enforced option on the GPO.C. Enable loopback processing with the Merge Mode option in the GPO.D. Enable loopback processing with the Replace Mode option in the GPO.



QUESTION 3Your company has a single Active Directory directory service domain with three domain controllers. You need tomove domain-wide FSMO roles to a different domain controller. Which tool should you use?

A. Active Directory Domains and Trusts snap-inB. Active Directory Sites and Services snap-inC. Active Directory Users and Computers snap-inD. Active Directory Schema snap-in



QUESTION 4

You are the network administrator for the Baldwin Museum of Science. The network consists of a single ActiveDirectory forest. The forest functional level is Windows 2000. The forest consists of a forest root domain namedbaldwinmuseumofscience.com and two child domains named child1.baldwinmuseumofscience.com, andchild2.baldwinmuseumofscience.com. The functional level of all three domains is Windows 2000 native. Alldomain controllers in the forest run Windows 2000 Server. Your user account that has administrative privilegesis in the child1.baldwinmuseumofscience.com domain and is a member of the following groups: SchemaAdmins, Domain Admins, and Domain Users. You need to successfully run the adprep.exe /forestprepcommand. What should you do?

A. Run the adprep.exe /forestprep command on the PDC emulator for the baldwinmuseumofscience.comdomain.

B. Restart the schema master in Directory Services Restore Mode and run the adprep.exe /forestprepcommand.

C. Add your user account that has administrative privileges to the Enterprise Admins group. Run theadprep.exe /forestprep command on the schema master.

D. Run the adprep.exe /domainprep command on the PDC emulator for the baldwinmuseumofscience.comdomain. Then run the adprep.exe /forestprep command on the schema master.

E. Run the adprep.exe /domainprep command on the infrastructure master in each domain. Then run theadprep.exe /forestprep command on the schema master.



QUESTION 5You are the network administrator for Blue Yonder Airlines. You plan to create an Active Directory domainnamed blueyonderairlines.com that will have a functional level of Windows Server 2003. Your company has onemain office and four branch offices, which are all located in one country. A central security department in themain office is responsible for creating and administering all user accounts in all offices. Each office has a localhelp desk department that is responsible for resetting passwords within the individual department's office only.All user accounts are located in the default Users container. You need to create an organizational unit (OU)structure to support the delegation of authority requirements. You want to minimize the amount ofadministrative effort required to maintain the environment. What should you do?

A. Create a top-level OU named BlueYonderAirlines_Users under the blueyonderairlines.com domain. Createa separate child OU for each office under BlueYonderAirlines_Users. Move the user accounts of allemployees in each office to the child OU for that office.

B. Create a top-level OU named Main_Office under the blueyonderairlines.com domain. Move the useraccounts of all users in the main office to the Main_Office OU. Create a separate child OU for each branchoffice under the Main_Office OU. Move the user accounts of all users in each branch office to the child OUfor that office.

C. Create a top-level OU named BlueYonderAirlines_Users under the blueyonderairlines.com domain. Createa child OU named Central_Security under BlueYonderAirlines_Users. Move the user accounts of the centralsecurity department users to the Central_Security OU. Create a child OU named Help_Desk underBlueYonderAirlines_Users. Move the user accounts of the help desk users to the Help_Desk OU.

D. Create a top-level OU named BlueYonderAirlines_Users under the blueyonderairlines.com domain. Createa child OU named Central_Security under BlueYonderAirlines_Users. Move the user accounts of the centralsecurity department users to the Central_Security OU. Create a separate child OU underBlueYonderAirlines_Users for each office. Move the user accounts of the help desk users in each office tothe child OU for that office.



QUESTION 6You have a single Active Directory directory service domain. You have three Active Directory sites. Sitereplication is scheduled to occur during business hours only. You plan to make a schema change afterbusiness hours. You need to ensure that replication occurs for all sites during the schema change. What shouldyou do?

A. Set the Ignore schedules setting for the IP transport.B. Clear the Ignore schedules setting for the IP transport.C. Enable the KCC for all site objects.D. Disable the KCC for all site objects.



QUESTION 7You are a network administrator for your company. The network consists of a single Active Directory forest thatcontains one root domain and multiple child domains. The functional level of all child domains is WindowsServer 2003. The functional level of the root domain is Windows 2000 native.You configure a Windows Server2003 computer named Server1 to be a domain controller for an existing child domain. Server1 is located at anew branch office, and you connect Server1 to a central data center by a persistent VPN connection over aDSL line. Server1 has a single replication connection with a bridgehead domain controller in the central datacenter.You configure DNS on Server1 and create secondary forward lookup zones for each domain in theforest.You need to minimize the amount of traffic over the VPN connection caused by logon activities.What aretwo possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Configure the DNS zones to be Active Directory-integrated zones.B. Configure Server1 to be the PDC emulator for the domain.C. Configure Server1 to be a global catalog server.D. Configure universal group membership caching on Server1.



QUESTION 8Your company has a single Active Directory directory service forest with a forest root domain and a childdomain. The company has a main office and several branch offices. You are planning to remove the childdomain. All of the domain controllers in the forest root domain are located in the main office, and all FSMOroles are on separate domain controllers. The last domain controller in the child domain is named DC1 and islocated in a branch office. You attempt to remove Active Directory from DC1, but you receive an error messagestating that the operation could not be completed. You need to remove Active Directory from DC1. What shouldyou do?

A. Restore connectivity to the domain controller that holds the Domain Naming Master role.B. Restore connectivity to the domain controller that holds the Schema Master role.C. Restore connectivity to the domain controller that holds the Infrastructure Master role.

D. Restore connectivity to the domain controller that holds the PDC Emulator role.



QUESTION 9You are the network administrator for Contoso Pharmaceuticals. Your network consists of a single ActiveDirectory forest that contains three domains. The forest root domain is named contoso.com. The domaincontains two child domains named usa.contoso.com and europe.contoso.com. The functional level of the forestis Windows Server 2003. Each domain contains two Windows Server 2003 domain controllers named DC1 andDC2. DC1 in the contoso.com domain performs the following two operations master roles: schema master anddomain naming master. DC1 in each child domain performs the following three operations master roles: PDCemulator master, relative ID (RID) master, and infrastructure master. DC1 in each domain is also a globalcatalog server. The user account for Nancy Buchanan in the europe.contoso.com domain is a member of theMedicine Students security group. Because of a namechange, the domain administrator of europe.contoso.comchanges the Last name field of Nancy's user account from Buchanan to Anderson. The domain administrator ofusa.contoso.com discovers that the user account for Nancy is still listed as Nancy Buchanan. You need toensure that the user account for Nancy Anderson is correctly listed in the Medicine Students group. Whatshould you do?

A. Transfer the PDC emulator master role from DC1 to DC2 in each domain.B. Transfer the infrastructure master role from DC1 to DC2 in each domain.C. Transfer the RID master role from DC1 to DC2 in each domain.D. Transfer the schema master role from DC1 to DC2 in the contoso.com domain.



QUESTION 10Your company has offices in three locations. The company has an Active Directory directory service domainwith three Active Directory sites representing the physical locations. The sites are named Site1, Site2, andSite3. You configure domain controllers in Site1 and Site3. There is no network connectivity between Site1 andSite3. You want to enable replication of all objects between the three sites. What should you do?

A. Configure a domain controller in Site2. Create site links between Site1 and Site2 and between Site2 andSite3.

B. Select the Bridge all site links option. Create a site link bridge.C. Create a site link between Site1 and Site2.D. Create a site link between Site1 and Site3.



QUESTION 11Your company has an Active Directory directory service forest with a forest root domain and a child domain.

You have two Active Directory sites named Site1 and Site2. The two sites represent physical locations that areconnected by a WAN link. All domain controllers are located in Site2. All users log on to the child domain.Several users in Site1 use computers that run Windows NT 4.0 operating systems. You configure a newdomain controller for each domain, and you place the new domain controllers in Site1. You need to ensure thatall users in Site1 can change their passwords in the event of a WAN link failure. What should you do?

A. Transfer the root domain PDC Emulator role to a domain controller in Site1.B. Transfer the child domain PDC Emulator role to a domain controller in Site1.C. Transfer the root domain Infrastructure Master role to a domain controller in Site1.D. Transfer the child domain Infrastructure Master role to a domain controller in Site1.



QUESTION 12Your company has a Windows Server 2003 environment with a single Active Directory directory service forest.The forest has multiple domains and two sites named Site1 and Site2. Site1 has six domain controllers. Two ofthe domain controllers are global catalog servers. Site2 has three domain controllers. The WAN link betweenSite1 and Site2 is slow. You are preparing the environment for an Active Directory application that requiresuniversal group membership to make authorization decisions. Application servers will be located in Site1 andSite2. You need to prepare the Active Directory environment for the introduction of the Active Directoryapplication. What should you do?

A. Increase the number of domain controllers in Site2 to four.B. Enable universal group membership caching in Site1.C. Add additional global catalog servers to Site1.D. Configure at least one of the domain controllers in Site2 to be a global catalog server.



QUESTION 13Your company has a single Active Directory directory service domain with several top-level organizational units(OUs). There is one OU for each of the major departments, and an OU named Network Security. All useraccounts are placed into their respective department OUs. You create a group named Help Desk, and youplace the user accounts for help desk technicians into this group. You need to allow the help desk techniciansto administer all user accounts except the accounts in the Network Security OU. Your solution must also allowthe help desk technicians to administer accounts in future new top-level OUs without requiring the necessaryrights to be manually assigned. What should you do?

A. At the domain level, assign the Help Desk group the Create, delete, and manage accounts permission. Atthe Network Security OU, block permission inheritance.

B. At the domain level, assign the Help Desk group the Create, delete, and manage accounts permission. Atthe Network Security OU, block Group Policy inheritance.

C. At the department-level OUs, assign the Help Desk group the Create, delete, and manage accountspermission. At the Network Security OU, block permission inheritance.

D. At the department-level OUs, assign the Help Desk group the Create, delete, and manage accountspermission. At the Network Security OU, block Group Policy inheritance.



QUESTION 14You have a single Active Directory directory service domain. Your company has a main office and multiplebranch offices configured in a hub-and-spoke network topology. Each office has an Active Directory site. Youneed to ensure replication to all sites while preventing direct replication between branch offices. What shouldyou do?

A. Manually create and configure site links, and select the Bridge all site links option.B. Manually create and configure site links, and clear the Bridge all site links option.C. Configure all site links to use the IP intersite transport.D. Configure all site links to use the SMTP intersite transport.



QUESTION 15You are the network administrator for Northwind Traders. The network consists of a single Active Directoryforest. The functional level of the forest is Windows Server 2003. The forest consists of a forest root domainnamed northwindtraders.com and a child domain named child1.northwindtraders.com. Thechild1.northwindtraders.com domain contains all of the user accounts for the network. Your company acquiresa company named Contoso, Ltd. The Contoso, Ltd., network consists of a single Active Directoryforest that contains a forest root domain named contoso.com and a child domain named child1.contoso.com.All domain controllers run Windows 2000 Server. Both domains contain user accounts and resource servers.The domains and existing trust relationships are shown in the exhibit. (Click the Exhibit button.) You need tocreate the minimum number of trust relationships required for the users in the child1.northwindtraders.comdomain to access resources in both domains in the contoso.com forest. What should you do?

A. Create a one-way trust relationship in which the northwindtraders.com domain trusts the contoso.comdomain.

B. Create a one-way trust relationship in which the contoso.com domain trusts the northwindtraders.comdomain.

C. Create a one-way trust relationship in which the child1.northwindtraders.com domain trusts the contoso.comdomain. Create a one-way trust relationship in which the child1.northwindtraders.com domain trusts thechild1.contoso.com domain.

D. Create a one-way trust relationship in which the contoso.com domain trusts the child1.northwindtraders.comdomain. Create a one-way trust relationship in which the child1.contoso.com domain trusts thechild1.northwindtraders.com domain.



QUESTION 16Your company has a single Active Directory directory service forest with four domains. The domains are namedcontoso.com, corp.contoso.com, fabrikam.com, and corp.fabrikam.com. Users in the corp.contoso.com domainfrequently access resources that are located in the corp.fabrikam.com domain. You need to improve user logontimes from the corp.contoso.com domain to the corp.fabrikam.com domain. What should you do?

A. Enable universal group caching in sites where corp.contoso.com domain controllers are located.B. Enable universal group caching in sites where corp.fabrikam.com domain controllers are located.C. Create a shortcut trust from the corp.fabrikam.com domain to the corp.contoso.com domain.D. Create a shortcut trust from the corp.contoso.com domain to the corp.fabrikam.com domain.



QUESTION 17You have a single Active Directory directory service domain. Web servers are located in an organizational unit(OU) named Web. You need to enforce strong passwords for administrators who log on to domain controllers.You must enforce account lockout policy for administrators who log on locally to Web servers. What should youdo?

A. Configure password and account lockout policy settings in the Default Domain Controllers Policy.B. Configure password and account lockout policy settings in the Default Domain Policy.C. Configure password policy settings in the Default Domain Controllers Policy. Configure account lockout

policy settings in a new Group Policy object (GPO), and then link the GPO to the Web OU.D. Configure password policy settings in the Default Domain Policy. Configure account lockout policy settings

in a new Group Policy object (GPO), and then link the GPO to the Web OU.



QUESTION 18You have a single Active Directory directory service domain. All domain controllers run Windows Server 2003.The sales department uses Windows Vista client computers. The finance department uses Windows XP clientcomputers. All client computers are in the Clients organizational unit (OU). A software restriction policy is linkedto the Clients OU. You are planning a new certificate autoenrollment Group Policy object (GPO) namedAutoEnroll for the sales department client computers. You need to ensure that the AutoEnroll GPO applies toonly the Windows Vista client computers. What should you do?

A. Link the AutoEnroll GPO to the domain. Create a WMI filter. Link the AutoEnroll GPO to the WMI filter.B. Link the AutoEnroll GPO to the domain. Create a WMI filter. Link the Default Domain GPO to the WMI filter.C. Link the AutoEnroll GPO to the Clients OU. Create a WMI filter. Link the software restriction GPO to the

WMI filter.D. Move the Windows XP client computers into a new OU. Link the AutoEnroll GPO to the domain.



QUESTION 19You have a single Active Directory directory service forest with two domains named contoso.com andcorp.contoso.com. The domain functional level of each domain is set to Windows 2000 mixed. You need toenable users from both domains to access resources in both domains. What should you do?

A. Create universal distribution groups in corp.contoso.com and add users from both domains.B. Create a universal distribution group in contoso.com and add users from both domains.C. Create global security groups in both domains and add users to the newly created security groups in their

respective domain.D. Create a domain local security group in contoso.com and add users from both domains.



QUESTION 20You have a single Active Directory directory service domain. You create a new Group Policy object (GPO) toenforce several Internet Explorer settings for users. Several users change their local Internet Explorer settingsfrom the settings that are defined in the GPO. You need to ensure that if users locally change the InternetExplorer settings, the settings are changed back to those defined in the GPO. What should you do?

A. In the GPO, select the Process even if the Group Policy objects have not changed check box.B. In the GPO, select the Disable customizing browser toolbars check box.C. Configure the GPO to disable the Security page in Internet Explorer.D. Configure the GPO to enable the Do not allow resetting Internet Explorer settings setting.



QUESTION 21You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. All client computers run Windows XP Professional. Except for IT staff,users are not local administrators on client computers. The company obtains a new application for orderprocessing. This application must be installed on each client computer. The application is contained in an .msifile. You copy the .msi file to a shared folder on a file server. You assign the Authenticated Users group the Allow - Read permission for the shared folder. To deploy the application, youinstruct users to double-click the .msi file in the shared folder. When users attempt to install the application,they receive an error message, and setup fails. You need to configure the network so that the application canbe installed successfully. What are two possible ways to achieve this goal? (Each correct answer presents acomplete solution. Choose two.)

A. Modify the Default Domain Policy Group Policy object (GPO) and assign the new application to all clientcomputers.

B. Grant the users the permissions required to create temporary files in the shared folder that contains the .msifile.

C. Modify the Default Domain Policy Group Policy object (GPO) and disable the Prohibit User Installs setting inthe Windows Installer section of the computer settings.

D. Modify the Default Domain Policy Group Policy object (GPO) and enable the Always install with elevatedprivileges setting in the Windows Installer section of the computer settings.



QUESTION 22You have a single Active Directory directory service domain. Users work in one of four departments. You areplanning to implement a Standard Desktop policy. You will test this Standard Desktop policy on the users in theHR department prior to applying it to the rest of the companys users. You create a Group Policy object (GPO)named Standard Desktop and apply the desired settings to the GPO. You need to ensure that the StandardDesktop GPO is applied only to users in the HR global security group. What should you do?

A. Edit the Standard Desktop GPO settings by adding a Restricted Group policy that includes only the HRglobal security group.

B. Edit the Standard Desktop GPO properties by removing the Authenticated Users group from the AccessControl List (ACL), and by adding the HR global security group. Assign the Read and Apply Group Policypermissions to the HR global security group. Link the GPO to the domain.

C. Create an organizational unit (OU) named Standard Desktop Policy. Add the HR global security group to theAccess Control List (ACL) of the OU. Assign the Generate Resultant Set of Policy (Planning) permission tothe HR global security group. Link the GPO to the Standard Desktop Policy OU.

D. Create an OU named Standard Desktop Policy. Place the HR global security group in the Standard DesktopPolicy OU. Link the GPO to the Standard Desktop Policy OU.



QUESTION 23You are the network administrator for your company. The network consists of a single Active Directory domain.

All servers run Windows Server 2003. All client computers run Windows XP Professional with the most recentservice pack. All client computers have computer accounts in an organizational unit (OU) namedCompanyComputers. The company requires all computers to be kept up-to-date with service packs andhotfixes from Microsoft. Administrators will manually update servers as required. You need to configure thenetwork so that client computers are automatically updated as new critical updates are issued. What are twopossible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Create a Group Policy object (GPO) linked to the domain. Configure the GPO so that client computersautomatically download and install updates from Microsoft update servers from the Internet.

B. Create a Group Policy object (GPO) linked to the CompanyComputers OU. Configure the GPO so thatclient computers automatically download and install updates from Microsoft update servers from theInternet.

C. Create a Group Policy object (GPO) linked to the domain. Configure the GPO so that client computersautomatically download and install updates from an internal server on which you install and configureSoftware Update Services.

D. Create a Group Policy object (GPO) linked to the CompanyComputers OU. Configure the GPO so thatclient computers automatically download and install updates from an internal server on which you install andconfigure Software Update Services.



QUESTION 24You have a single Active Directory directory service forest with two domains named contoso.com andcorp.contoso.com. You need to grant a user in the contoso.com domain the permission to create Group Policyobjects (GPOs) in the corp.contoso.com domain. What should you do?

A. Delegate the Manage Group Policy links permission in the corp.contoso.com domain to the user.B. Add the user to a domain local group in the corp.contoso.com domain, and grant the domain local group the

permission to create GPOs in the corp.contoso.com domain.C. Add the users user account to the Group Policy Creator Owners group in the contoso.com domain.D. Grant the Group Policy Creator Owners group in the corp.contoso.com domain the Full Control permission

for the GPOs in the corp.contoso.com domain.



QUESTION 25Your Windows Server 2003 environment consists of a single Active Directory directory service forest withmultiple domains. The forest functional level is set to Windows 2000 Server. Your company has a main officeand four branch offices. Each office has two domain controllers. The domain controllers in the main office areglobal catalog servers. In the branch offices, searches for some printers in Active Directory are slow. You needto improve the performance of Active Directory printer searches in the four branch offices. What should you do?

A. Enable universal group membership caching in each branch office.B. Increase the number of domain controllers in each branch office.C. Add global catalog services to each branch office.D. Upgrade the forest functional level to Windows Server 2003.



QUESTION 26You are the network administrator for your company. The network consists of a single Active Directorydomain. All servers run Windows Server 2003. All client computers run Windows XP Professional. Thecompany has one office in New York and another office in Ottawa. Each office is configured as an ActiveDirectory site. Each site contains two domain controllers. The network is configured to display a legal noticeon the computer screens of all users before they log on to their client computers. At the request of the legaldepartment, you make changes to the wording of the notice by changing the settings in a Group Policyobject (GPO). The GPO is linked to the domain. The legal department reports that not all users arereceiving the new notice. You discover that users in the Ottawa office receive the new notice, but users inthe New York office receive the old notice. The problem continues for several days. You need to ensure thatthe new notice appears correctly on all computers in the network. What should you do?

A. Force replication of Active Directory between the two sites.B. Log on to one of the domain controllers in the New York site, and seize the infrastructure master role.C. Create a new security group that contains the computer accounts for all computers in the New York site.

Grant permissions to this security group to read and apply the GPO.D. Temporarily assign one of the domain controllers in the New York site to the Ottawa site.

Wait 24 hours, and then reassign the domain controller to the New York site.



QUESTION 27You are the network administrator for your company. The network consists of a single Active Directorydomain. The domain contains Windows Server 2003 print servers and printer objects. A group namedPrinterSupport needs to be able to manage the printers and print queues in the domain. The PrinterSupportgroup also needs to manage the printer objects in Active Directory. The PrinterSupport group does not needto perform any other tasks. You need to grant the PrinterSupport group only the permissions that it needs.Which action or actions should you take? (Choose all that apply.)

A. Make the PrinterSupport group a member of the Print Operators group in the Built-in container.

B. Make the PrinterSupport group a member of the Power Users group on each print server.C. Make the PrinterSupport group a member of the HelpServicesGroup group on each print server.D. Make the PrinterSupport group a member of the Print Operators group on each print server.



QUESTION 28You are the network administrator for a bank that has a main office and many small branch offices. The

bank's network consists of a single Active Directory domain. All servers run Windows Server 2003. Thedomain has an organizational unit (OU) for each branch office. Group Policy objects (GPOs) linked to theseOUs are used to configure bank resources. Under each branch office's OU, there is an OU namedUserAccounts that contains user accounts and an OU named Workstations that contains client computeraccounts. A single administrative user at each branch office provides desktop support and administration forthe branch office. The number of support calls for the branch office administrators recently increasedbecause users are making configuration changes to their computers. You need to restrict desktop featuresand administrative tools for all users except the administrative user in each branch office. You create a GPOthat applies the desktop restrictions. What else should you do?

A. Link the GPO to each branch office's Workstations OU. Create an OU underneath each branch office'sWorkstations OU and move the administrative user's computer account into the new OU. Block GPOsfrom applying to the new OU.

B. Link the GPO to each branch office's UserAccounts OU. Create an OU underneath each branch office'sUserAccounts OU and move the administrative user's account into the new OU.Block GPOs from applying to the new OU.

C. Link the GPO to each branch office's Workstations OU. Filter the GPO on the administrative user'scomputer for each branch office, so that the computer does not apply the new GPO.

D. Link the GPO to each branch office's UserAccounts OU. Filter the GPO on the administrative user'saccount for each branch office, so that the user account does not apply the new GPO.



Exam D

QUESTION 1Your company has a single Active Directory directory service forest with a forest root domain and a childdomain. The child domain is set to the default domain functional level. You install a second domain controller inthe child domain by promoting a server named SVR1. You need to rename SVR1 to DC2, and you must ensurethat there will be no interruption in the ability of client computers to authenticate to DC2, except during reboot.What should you do?

A. Raise the domain functional level of the child domain to Windows 2000 native. Use System Properties onSVR1 to rename SVR1 to DC2.

B. Raise the domain functional level of the child domain to Windows Server 2003. Run the netdom commandto rename SVR1 to DC2.

C. Raise the domain functional level of the child domain to Windows 2000 native. Run the dcpromo commandon SVR1 to remove Active Directory directory service. Use System Properties to rename SVR1 to DC2. Runthe dcpromo command to re-install Active Directory.

D. Raise the domain functional level of the child domain to Windows Server 2003. Create a DNS CNAMErecord for DC2.contoso.com that points to SVR1.contoso.com.



QUESTION 2You have an Active Directory directory service forest with a forest root domain. The root domain has two childdomains named na.corp.contoso.com and asia.prod.contoso.com. You have an Active Directory site for eachdomain. All sites are connected through the DEFAULTIPSITELINK site link. You need to minimize the time thatis required to authenticate users when they access resources in the other domain. What should you do?

A. Create a shortcut trust between the child domains.B. Create a shortcut trust from the forest root domain to each of the child domains.C. Decrease the replication interval for the DEFAULTIPSITELINK site link.D. Create a batch script to replicate changes between the sites. Schedule the script to run on a regular basis.



QUESTION 3Why is a data source required?

A. Data source contains data required for impact event enrichment.B. Data source contains data required for calculating server downtime.C. Data source contains data required for services and other related service information.D. Data source contains data required for LDAP configurations, including login attempts and errors.



QUESTION 4You are the network administrator for Fabrikam, Inc. Your network consists of a single Active Directory forestthat contains one domain named fabrikam.com. The functional level of the forest is Windows Server 2003.Fabrikam, Inc., acquires a company named Contoso, Ltd. The Contoso, Ltd., network consists of a singleActive Directory forest that contains a root domain named contoso.com and a child domain namedusa.contoso.com. The functional level of the forest is Windows 2000. The functional level of theusa.contoso.com domain is Windows 2000 native. A business decision by the company requires theusa.contoso.com domain to be removed. You need to move all user accounts from the usa.contoso.comdomain to the fabrikam.com domain by using the Active Directory Migration Tool. You need to accomplish thistask without changing the logon rights and permissions for all other users. You need to ensure that users inusa.contoso.com can log on to fabrikam.com by using their current user names and passwords. What shouldyou do?

A. Create a two-way Windows Server 2003 external trust relationship between the fabrikam.com domain andthe contoso.com domain.

B. Create a one-way Windows Server 2003 external trust relationship in which the fabrikam.com domain truststhe contoso.com domain.

C. Create a temporary two-way external trust relationship between the fabrikam.com domain and theusa.contoso.com domain.

D. Create a temporary one-way external trust relationship in which the usa.contoso.com domain trusts thefabrikam.com domain.



QUESTION 5You have a single Active Directory directory service forest with one domain. You have an existing top-levelorganizational unit (OU) named Sales. You are planning to create a new top-level OU named Training. TheSales and Training OUs must have the same security and auditing settings. You need to identify the securitypermissions and audit settings for the Sales OU so that you can delegate the same permissions for the TrainingOU. What should you do first?

A. Use the Delegation of Control Wizard.B. Use the Security Configuration Wizard.C. Run the dsacls command.D. Run the xcacls command.



QUESTION 6You have an Active Directory directory service environment with a single forest and multiple domains. Youcreate a new domain named sales.west.corp.contoso.com. E-mail addresses [email protected]. Users log on to the domain using their e-mail address. Logging on istedious for users in the new domain due to the lengthy logon names. You need to shorten users logon names.What should you do first?

A. Create a new UPN suffix named Sales.B. Create a shortcut trust between the new domain and the forest root domain.C. Enable routing of the Sales NetBIOS name.D. Create a new DNS alias (CNAME) record named Sales and point it at sales.west.corp.contoso.com.



QUESTION 7You have a single Active Directory directory service domain with three domain controllers named DC1, DC2,and DC3. DC3 experiences a hardware failure and shuts down unexpectedly. You decide to not rebuild DC3but to build a new server to replace DC3. You need to ensure that DC3 is removed from the Active Directorydomain naming context. What should you do?

A. Use the Ntdsutil tool to perform a metadata cleanup.B. Delete the NTDS settings from the DC3 object.C. Use the adsiedit tool to delete all objects in the

CN=LostAndFoundConfig,CN=Configuration,DC=Contoso,DC=Com container.D. Move the DC3 object into the CN=LostAndFoundConfig,CN=Configuration,DC=Contoso,DC=Com

container.



QUESTION 8You have a single Active Directory directory service domain. You back up your domain controllers on a nightlybasis. One of your domain controllers fails. You are unable to restart the domain controller in Directory ServicesRestore Mode. You need to restore the domain controller without losing any Active Directory changes that weremade after the domain controller failed. Which two actions should you perform? (Each correct answer presentspart of the solution. Choose two.)

A. Restart the domain controller in Safe Mode.B. Reinstall the operating system on the domain controller.C. Perform an authoritative restore of the domain controller.D. Perform a nonauthoritative restore of the domain controller.



QUESTION 9Your company has a single Active Directory directory service forest with multiple domains. Several userprincipal name (UPN) suffixes exist in the directory. You need to review and modify the UPN suffixes. Whichtool should you use?

A. Active Directory Users and Computers snap-inB. Active Directory Sites and Services snap-inC. Active Directory Schema snap-inD. Active Directory Domains and Trusts snap-in



QUESTION 10You have two Active Directory directory service domains. Domain controllers are configured as shown in thefollowing table. DC2 fails with an unrecoverable error. You need to move DC2s FSMO roles. What should youdo?

A. Transfer DC2s FSMO roles to DC1.B. Transfer DC2s FSMO roles to DC3.C. From DC1, seize DC2s FSMO roles.D. From DC3, seize DC2s FSMO roles.



QUESTION 11You are the network administrator for your company. The network consists of a single Active Directory domain.All client computers run Windows XP Professional. All user accounts for the sales department users arelocated in an organizational unit (OU) named Sales. The client computers are located in the default Computerscontainer. All users in the sales department require that a sales application be installed on their clientcomputers. You create a new Group Policy object (GPO). You create a software installation package and usethe GPO to assign the package to computers. You link the GPO to the Sales OU. Users in the salesdepartment report that the application is not installed on any client computers. You need to install theapplication on all client computers in the sales department. You need to ensure that the application is installedonly on the client computers used by users in the sales department. What should you do?

A. Modify the GPO to specify that Windows Installer packages will be installed by using elevated permissions.B. Modify the GPO so that the application is assigned to user accounts.C. Enable loopback processing for the GPO.D. Link the GPO to the Computers container.



QUESTION 12You have a Windows Server 2003 Active Directory directory service environment that includes Windows XPclient computers. You publish an application by using a Group Policy object (GPO). You need to immediatelyupdate the Windows XP client computers so that you can install the application. What should you do?

A. Run the secedit /refreshpolicy command.B. Run the secedit /configure command.C. Run the gpupdate /force command.D. Run the gpresult /v command.



QUESTION 13You have a single Active Directory directory service domain. You configure security settings for your clientcomputers in a new Group Policy object (GPO), and you link the GPO to an organizational unit (OU). A newcomputer is moved to the OU. The Group Policy settings are not being applied to the new computer. You needto find out why the Group Policy settings are not being applied to the new computer. What should you do?

A. Use RSoP in logging mode.B. Use the Local Security Policy snap-in.C. Run the GPResult.exe command on the domain controller.D. Run the Gpupdate.exe command on the domain controller.



QUESTION 14You have a single Active Directory directory service domain. All client computers run Windows XP. Youconfigure security settings for the client computers in a new Group Policy object (GPO), and you link the GPOto the domain. The security settings are not being applied to one of the client computers. You need to find outwhy the security settings are not being applied to the client computer. On the client computer, what should youdo?

A. Use the RSoP tool in logging mode.

B. Use the Local Security Policy snap-in.C. View the Application event log.D. View the Security event log.



QUESTION 15You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. You deploy an application by using a Group Policy object (GPO) thatpublishes an .msi file. Users report some instabilities in the application that cause data loss. The softwarevendor releases a patch that fixes the problem. The patch is released as an .msp file. You need to ensure thatusers do not lose data when running the application. Which two actions should you take? (Each correct answerpresents part of the solution. Choose two.)

A. Copy the .msp file to the folder where the application source files exist.B. Create a .zap file for the patch and deploy the .zap file.C. Rename the .msp file to an .mst file.D. Apply the patch to the application source files.E. Redeploy the GPO that installs the application.

Correct Answer: DESection: MCQsExplanation


QUESTION 16Your network consists of Windows XP and Windows Vista computers joined to an Active Directory directoryservice domain. All users and computers are located in a single organizational unit (OU). You create a newGroup Policy object (GPO) and link it to the OU. The new GPO settings are not being applied to the WindowsVista computers. You need to identify which policy settings are in effect on all computers. What are twopossible tools that you can use to achieve this goal? (Each correct answer presents a complete solution.Choose two.)

A. Resultant Set of Policy (RSoP)B. Group Policy Results (GPResult.exe)C. GPUpdate.exeD. Event Viewer



QUESTION 17You have a Windows Server 2003 Active Directory directory service forest with two domains namedcontoso.com and corp.contoso.com, and two sites named Site1 and Site2. Site1 has two domain controllers forthe contoso.com domain. Site2 has two domain controllers for the corp.contoso.com domain. Replication traffic

is creating network congestion. Your environment contains a large number of universal security groups. Youexamine the universal groups and find that they contain global security groups and individual user accountsfrom both domains. The universal group memberships change frequently. You need to reduce the ActiveDirectory replication traffic. You must maintain the ability to assign groups from one domain access toresources in the other domain. What should you do?

A. Remove the global groups from the universal groups.B. Move the individual user accounts from the universal groups to the appropriate global groups.C. Convert the global groups to universal groups.D. Convert the universal groups to global groups.



QUESTION 18You have a single Active Directory directory service domain. User accounts are in an organizational unit (OU)named Employees. A Group Policy object (GPO) named Secure Employees is linked to the Employees OU.Member servers are in an OU named Servers. A GPO named Secure Member Servers is linked to the ServersOU. You need to ensure that when users attempt to log on to member servers with their Active Directorycredentials, and the users incorrectly enter their password three times, the users are automatically locked out.What should you do?

A. Configure the Account Lockout settings in the Secure Employees GPO.B. Configure the Account Lockout settings in the Default Domain Policy GPO.C. Configure the Account Lockout settings in the Secure Member Servers GPO.D. Configure the Account Lockout settings in the Default Domain Controllers Policy GPO.



QUESTION 19Your company has a single Active Directory directory service forest with seven domains. Company policy statesthat users must log on using their user principal names (UPNs). User logon names follow thefirstname.lastname naming convention. You are preparing to allow users in a domain namedNE.sales.contoso.com to log on using firstname.lastname@nesales. You need to ensure that all users in theNE.sales.contoso.com domain have the ability to log on using firstname.lastname@nesales, whilemaintaining existing network access. What should you do?

A. Create a UPN suffix named nesales in the contoso.com forest. Rename the NE.sales.contoso.com domainto nesales.contoso.com.

B. Create a UPN suffix named nesales.contoso.com in the contoso.com forest. Rename theNE.sales.contoso.com domain to nesales.contoso.com.

C. Create a UPN suffix named nesales in the contoso.com forest. Modify the user accounts in theNE.Sales.contoso.com domain to use the UPN suffix nesales.

D. Create a UPN suffix named nesales.contoso.com in the contoso.com forest. Modify the user accounts in theNE.Sales.contoso.com domain to use the UPN suffix nesales.contoso.com.

Correct Answer: C



QUESTION 20Your network consists of Windows XP computers. All computers are joined to a single Active Directory directoryservice domain and located in a single Active Directory site. You create a new Group Policy object (GPO) andlink it to the site. The policy configures default screensaver settings. User accounts of users in the researchdepartment are located in an organizational unit (OU) named Research. You need to allow users in theresearch department to configure a different screensaver setting on their computers. What should you do?

A. Move the user accounts of users in the research department to the Users container.B. Configure a local security policy on all computers in the research department to allow users to modify their

screensaver settings.C. Add users in the research department to a domain group. Allow the group the Apply Group Policy

permission for the GPO.D. Add users in the research department to a domain group. Deny the group the Apply Group Policy

permission to the GPO.



QUESTION 21Your company plans to distribute an application to all of its client computers by using Group Policy. You save afile named setup.msi to a local folder on the domain controller. You assign the Authenticated Users group theRead and Read & Execute permissions for the folder. You create a new Group Policy object (GPO) and a newComputer Configuration software installation package, and you point the package to the setup.msi file in thelocal folder. You link the GPO to an organizational unit (OU) that contains a computer object for a test clientcomputer. When you log on to the test client computer, you notice that the application is not installed. You needto ensure that the application is installed on the test computer. What should you do?

A. Modify the permissions on the folder that contains the setup.msi file so that authenticated users have theList Folder Contents permission. Log off the client computer and then log on.

B. Modify the permissions on the folder that contains the setup.msi file so that authenticated users have theList Folder Contents permission. Restart the client computer.

C. Place the setup.msi file into a shared folder. Modify the software installation package to point to the sharedfolder. Log off the client computer and then log on.

D. Place the setup.msi file into a shared folder. Modify the software installation package to point to the sharedfolder. Restart the client computer.



QUESTION 22Your network consists of Windows XP computers in a single Active Directory directory service domain. Allcomputers are located in a single Active Directory site. You need to design and deploy a new Group Policyobject (GPO) that automatically installs a custom application on computers. What are two possible ways to

achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Link the GPO to the domain and assign the application.B. Link the GPO to the site and assign the application.C. Link the GPO to the domain and publish the application.D. Link the GPO to the site and publish the application.



QUESTION 23You are the network administrator for your company. Your network consists of a single Active Directory domain.Three security groups named Accountants, Processors, and Management are located in an organizational unit(OU) named Accounting. All of the user accounts that belong to these three groups are also in the AccountingOU. You create a Group Policy object (GPO) and link it to the Accounting OU. You configure the GPO todisable the display options under the User Configuration section of the GPO. You need to achieve the followinggoals: You need to ensure that the GPO applies to all user accounts that are members of the Processorsgroup. You need to prevent the GPO from applying to any user account that is a member of the Accountantsgroup. You need to prevent the GPO from applying to any user account that is a member of the Managementgroup, unless the user account is also a member of the Processors group.What should you do?

A. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants andManagement security groups the Deny - Read and the Deny - Apply Group Policy permissions. Modify theDACL of the GPO to assign the users who are in both the Accountants and Management security groupsthe Allow - Read and the Allow - Apply Group Policy permissions.

B. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants andManagement security groups the Deny - Read and the Deny - Apply Group Policy permissions. Create anew security group named Mixed that contains all the user accounts from the Processors group and thespecific user accounts from the Management group to which you want the GPO to apply. Modify the DACLof the GPO to assign the Mixed security group the Allow - Read and the Allow - Apply Group Policypermissions.

C. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants securitygroup the Deny - Read and the Deny - Apply Group Policy permissions. Modify the DACL settings of theGPO to remove the Authenticated Users special group. Modify the DACL settings of the GPO to add theProcessors group and assign the Allow - Read and the Allow - Apply Group Policy permissions.

D. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants securitygroup the Deny - Read and the Allow - Apply Group Policy permissions. Modify the DACL settings of theGPO to assign the Management security group the Deny - Read and the Deny - Apply Group Policypermissions.



QUESTION 24Your company has a single Active Directory directory service forest. All user accounts are located in the Userscontainer. You need to create a number of organizational units (OUs) that will be used to store user accounts.What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choosetwo.)

A. Use the Active Directory Sites and Services snap-in.B. Use the Active Directory Users and Computers snap-in.C. Use the Dsadd command-line tool with the OU parameter.D. Use the Dsmod command-line tool with the OU parameter.

Correct Answer: BCSection: MCQsExplanation


QUESTION 25You are the network administrator for your company. The network consists of a single Active Directory forest.The forest consists of 19 Active Directory domains. Fifteen of the domains contain Windows Server 2003domain controllers. The functional level of all the domains is Windows 2000 native. The network also consistsof a single Microsoft Exchange 2000 Server organization. You need to create groups that can be used only tosend e-mail messages to user accounts throughout the company. You want to achieve this goal by using theminimum amount of replication traffic and minimizing the size of the Active Directory database. You need tocreate a plan for creating e-mail groups for your company. What should you do?

A. Create global distribution groups in each domain. Make the appropriate users from each domain membersof the global distribution group in the same domain. Create universal distribution groups. Make the globaldistribution groups in each domain members of the universal distribution groups.

B. Create global security groups in each domain. Make the appropriate users from each domain members ofthe security group in the same domain. Create universal security groups. Make the global security groups ineach domain members of the universal security groups.

C. Create universal distribution groups. Make the appropriate users from each domain members of a universaldistribution group.

D. Create universal security groups. Make the appropriate users from each domain members of a universalsecurity group.



QUESTION 26You are the network administrator for your company. The network consists of a single Active Directorydomain. All servers run Windows Server 2003. The company decides to make five Windows XPProfessional computers available in a public area for use by visitors. These computers are to be used onlyfor browsing public Web sites. A Web browser is the only application that will be run on these computers.You make these computers members of the Active Directory domain. You create a new organizational unit(OU) named Restricted Computers and place the five computer accounts in this OU. You configure thesecomputers to automatically log on a user named Restricted User each time the computer is started. TheRestricted User account does not have administrative rights on the computer or on the domain. You need toconfigure the five computers so that they can access public Web sites but cannot run other applications.The restrictions must not affect other users or computers on the network. What are two possible ways toachieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the usersettings in the GPO to allow only Internet Explorer to run. Configure the GPO to apply only to theRestricted User account.

B. Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the usersettings in the GPO to allow only Internet Explorer to run. Configure the computer settings in the GPO to

enable loopback mode.C. Create a Group Policy object (GPO) and link it to the domain. Configure the user settings in the GPO to

allow only Internet Explorer to run. Configure the computer settings in the GPO to enable loopbackmode.

D. Create a Group Policy object (GPO) and link it to the domain. Configure the user settings in the GPO toallow only Internet Explorer to run. Configure the GPO to apply only to the Restricted User account.



QUESTION 27You are a network administrator for your company. The network consists of a single Active Directory forestthat contains one domain. The company has its main office and one branch office in San Francisco. Thecompany has additional branch offices in Chicago, New York, and Toronto. Administrators at the main officeare responsible for managing all objects in the domain. Administrators at each branch office are responsiblefor managing user and computer objects for employees who work in the same branch office as theadministrator. Administrators for the San Francisco branch office are also responsible for managing userand computer objects for employees who work in the main office. These users are managed as a singleunit. You want administrators to be authorized to make changes only to the objects for which they areresponsible. You need to plan an organizational unit (OU) structure that allows the delegation of requiredpermissions. You want to achieve this goal by using the minimum amount of administrative effort. Which OUstructure should you use?

Figure A

Figure B

Figure C

Figure D

A. Figure AB. Figure BC. Figure C

D. Figure D



QUESTION 28You are the network administrator for your company. The network consists of a single Active Directorydomain. The domain contains an organizational unit (OU) named Research. All users who have useraccounts in the Research OU use portable computers that run Windows XP Professional. You create aGroup Policy object (GPO) named PowerManagement and link it to the Research OU. You configure thePowerManagement GPO to enable the Prompt for password on resume from hibernate/suspend policy. Auser named Marie has a user account in the Research OU. Marie reports that she is not prompted for apassword when her computer resumes from hibernation. You need to ensure that Marie immediately haspassword protection for her portable computer when resuming from hibernation mode. What should you do?

A. Instruct Marie to run the gpresult command from her computer.B. Instruct Marie to send a Remote Assistance invitation to you. Take control of Marie's computer and run

the secedit /analyze command.C. Instruct Marie to send a Remote Assistance invitation to you. Take control of Marie's computer and run

the gpresult command.D. Instruct Marie to run the gpupdate command from her computer.



Exam E

QUESTION 1You have a single Active Directory directory service domain. A domain controller named DC1 cannot replicatewith other domain controllers. DC1 holds no FSMO roles. You notice that the time on DC1 is 11:30 AM whilethe time on all the other domain controllers is 11:00 AM. You need to ensure that DC1 can immediatelyreplicate with other domain controllers. What should you do?

A. Modify the time on DC1 to match the time on the PDC emulator.B. Restart the Windows Time Service on the PDC emulator.C. Update the Windows firewall settings on the PDC emulator to allow outbound TCP/NTP traffic.D. Update the Windows firewall settings on DC1 to allow inbound TCP/NTP traffic.



QUESTION 2You are a network administrator for Litware, Inc. The network consists of a single Active Directory domainnamed sales.litwareinc.com. The Active Directory database is contained on a Windows Server 2003 domaincontroller named DC1. The hard disk that contains the Active Directory database fails. You restart DC1 inDirectory Services Restore Mode. When prompted to log on, you type [email protected] asyour user name and enter your domain password. Your logon attempt fails. You need to log on to DC1 tocomplete the restore operation. What should you do?

A. Type sales\administrator as your user name and enter your domain password.B. Type administrator as your user name and enter the password that was associated with the local

administrator account before you installed Active Directory.C. Type administrator as your user name and enter your domain password.D. Type administrator as your user name and enter the password that you supplied during the installation of

Active Directory.



QUESTION 3Your company has a single Active Directory directory service forest with three domains and multiple sites.Youneed to manually create intersite connections for a site named Site1. You need to ensure that the KCCcontinues to generate the intrasite replication topology within each Active Directory site. Which commandshould you run?

A. repadmin /siteoptions /site:Site1 +IS_AUTO_TOPOLOGY_DISABLEDB. repadmin /siteoptions /site:Site1 -IS_AUTO_TOPOLOGY_DISABLEDC. repadmin /siteoptions /site:Site1 +IS_RAND_BH_SELECTION_DISABLEDD. repadmin /siteoptions /site:Site1 +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED



QUESTION 4You are the network administrator for your company. The network consists of a single Active Directory domainwith two sites named Site1 and Site2. Site1 contains two domain controllers. Site2 contains one domaincontroller. Each site contains two member servers. All domain controllers are backed up every night. Each ofthe domain controllers is installed with a similar hardware configuration, which includes a single processor anda single hard disk. You create several user accounts on the domain controller in Site2. The hard disk on thatdomain controller fails. You install a new hard disk on the domain controller and restore the domain controllerfrom the most recent backup tape. You notice that the new user accounts you created on the domain controllerdo not appear. The only way that you can restore the user accounts is to re-create them. You need to configurethe domain controllers so that the loss of data in Active Directory is minimized during a similar hard disk failure.What should you do?

A. Configure an existing member server as an additional domain controller in Site2.B. Install an additional hard disk in each domain controller. Move the Active Directory log files to the new hard

disk.C. Install an additional hard disk in each domain controller. Move the Active Directory database file to the new

hard disk.D. Configure a new site link between Site1 and Site2.



QUESTION 5Your company has a main office in Chicago and a branch office in New York. The company has a single ActiveDirectory directory service forest with four domains. Two of the domain controllers are described in the followingtable. An application has a server component and a client component. When the server component is installed,several schema classes and attributes are added. A user in the ne.sales.contoso.com domain installs the clientcomponent on his client computer. You then install the server component. Thirty minutes after you install theserver component, the user attempts to run the client component, but receives an error message stating thatthe schema objects cannot be found. You verify that the objects are present on DC1. The users logon server isDC4. You need to ensure that the user can immediately run the client component. What should you do?

A. Open the Active Directory Domains and Trusts snap-in on DC1. Create a shortcut trust betweencontoso.com and ne.sales.contoso.com.

B. Open the Active Directory Users and Computers snap-in on DC1. Create a new computer object namedDC4 in the Domain Controllers organizational unit (OU). Add a Kerberos name mapping named DC1 in theproperties of DC4.

C. Open the Active Directory Sites and Services snap-in on DC1. Create a connection object between DC1and DC4. Manually initiate replication from DC1 to DC4.

D. Open ADSIEDIT.msc. Modify CN=NTFRS Subscriptions,CN=DC1,OU=DomainControllers,DC=contoso,DC=com to include DC4 in the repsTo and repsFrom attributes.



QUESTION 6You are the network administrator for the Baldwin Museum of Science. The network consists of a single ActiveDirectory forest that contains one domain named baldwinmuseumofscience.com. You need to deploy a newdomain named NA.baldwinmuseumofscience.com as a child domain of baldwinmuseumofscience.com. Youinstall a new stand-alone Windows Server 2003 computer named DC1. You plan to make DC1 the first domaincontroller in the NA.baldwinmuseumofscience.com domain. You configure DC1 with a static IP configuration.You run the Active Directory Installation Wizard on DC1. The wizard prompts you for the network credentials touse to join the NA.baldwinmuseumofscience.com domain to the forest. You enter the appropriate credentialsfor an account in the baldwinmuseumofscience.com domain. You receive an error message stating that adomain controller in the baldwinmuseumofscience.com domain cannot be located. You need to be able topromote DC1 to a domain controller as the first domain controller of the child domain in the existing forest.What should you do?

A. Configure the client WINS settings on DC1 to use a WINS server that contains entries for thebaldwinmuseumofscience.com domain controllers.

B. Configure the client DNS settings on DC1 to use a DNS server that is authoritative for thebaldwinmuseumofscience.com domain.

C. Configure the DNS Server service on DC1 to have a zone for NA.baldwinmuseumofscience.com.D. Configure DC1 to be a member server in the baldwinmuseumofscience.com domain.



QUESTION 7You are the network administrator for Blue Yonder Airlines. The company has offices in Toronto, New York, andChicago. The network connections are shown in the exhibit. (Click the Exhibit button.) The network consists oftwo Active Directory domains. User objects for users in the Toronto office and the New York office are stored inthe blueyonderairlines.com domain. User objects for users in the Chicago office are stored in theproduction.blueyonderairlines.com domain. Active Directory is configured as shown in the following table. Usersin the New York office frequently report that they cannot log on to the network, or that logging on takes a verylong time. You notice increased global catalog queries to servers in the Toronto office during peak logon times.You need to improve logon performance for users in the New York office without increasing WAN traffic that is due to replication. What should you do?

A. Configure the domain controller in the New York office as a global catalog server.B. Configure Active Directory to cache universal group memberships for the Toronto office.C. Install an additional domain controller in the New York office.D. Configure Active Directory to cache universal group memberships for the New York office.



QUESTION 8You have a single Active Directory directory service domain. You have several domain security policies inplace. The relevant part of the network consists of the servers shown in the following table. You create twoglobal security groups named Sales Admins and Research Admins. You add the users in the sales andresearch departments into their respective groups. You need to allow the sales and research departments toadminister their own Active Directory user, computer, and group objects, while maintaining the existing securitypolicies of the company. What should you do?

A. Create child domains for the sales and research department, and migrate the user and computer accountsfrom each department into their respective domains. Add the users from the Sales Admins group andResearch Admins group to the Domain Admins group in their respective domains.

B. Create two organizational units (OUs) named Sales and Research, and move the resources of eachdepartment into their respective OUs. At the Sales OU, assign the Full Control permission to the SalesAdmins group. At the Research OU, assign the Full Control permission to the Research Admins group.

C. On SRV1, create a local group named Sales Administrators. Add the Sales Admins global group to thislocal group. On SRV2, create a local group named Research Administrators. Add the Research Adminsglobal group to this local group.

D. Create two organizational units (OUs) named Sales and Research. Create two Group Policy objects (GPOs)named Sales and Research, and link each GPO to its respective OU. In each GPO, select the Enablecomputer and user accounts to be trusted for delegation setting, and select the Sales Admins group in theSales GPO and the Research Admins group in the Research GPO.



QUESTION 9Your company has a single Active Directory directory service forest named contoso.com. A partner organizationhas a forest named fabrikam.com. You create a forest trust relationship between contoso.com andfabrikam.com. You need to enable selective authentication between contoso.com and fabrikam.com. Whichtool should you use?

A. NetdomB. NltestC. DsaclsD. Ntdsutil



QUESTION 10Your company has a single Active Directory directory service domain. The company has five Active Directorysites on the West coast and five Active Directory sites on the East coast. The West coast sites and the Eastcoast sites are in two separate hub-and-spoke configurations that are separated by a firewall. All ActiveDirectory replication between the West coast and East coast occurs between a single West coast domaincontroller named WestDC1 and a single East coast domain controller named EastDC1. You need to ensurethat if WestDC1 fails, other West coast domain controllers continue to replicate with each other, but not withEast coast domain controllers. What should you do?

A. Create site links between the West coast hub site and the West coast spoke sites.B. Create a site link bridge between the West coast hub site and the East coast hub site.C. Clear the Bridge all site links option and create a site link bridge for all the East coast sites.D. Clear the Bridge all site links option and create a site link bridge for all the West coast sites.



QUESTION 11Your company has a single Active Directory directory service forest with three domains. You plan to modify theActive Directory schema. You need to identify the schema master for the forest. What should you do?

A. Run the regsvr32 schmmgmt.dll command. Use the Active Directory Domains and Trusts snap-in.B. Run the regsvr32 schmmgmt.dll command. Use the Active Directory Users and Computers snap-in.C. Use the Dsget command-line tool.D. Use the Dsquery command-line tool.



QUESTION 12Your company has a main office and a single branch office. The two offices are connected through a WAN link.You have Active Directory directory service site objects for each office. Domain controllers are associated withthe appropriate site objects. Users in the main office are currently authenticated by domain controllers in thebranch office. You need to ensure that users in the main office are authenticated by the domain controllers inthe main office. What should you do?

A. Clear the Bridge all site links option.B. Configure a preferred bridgehead server for the site for the main office.C. Associate the subnets for the main office with the site for the main office.D. Associate the subnets for the branch office with the site for the branch office.



QUESTION 13Your company has a single Active Directory directory service forest with a forest root domain and four childdomains. The child domains are based on geographic location.You are designing an Active Directory delegationstrategy that must meet the following requirements: The Directory Services team must have rights to all ActiveDirectory objects in every domain in the forest.Administrators for each geographic location must have rights toall Active Directory objects in their child domain.All users must be granted the least privileges necessary toperform their job. You need to design an administrative model for your forest. Which two solutions should youadd into your design? (Each correct answer presents part of the solution. Choose two.)

A. Add the members of the Directory Services team to the Server Operators group for every domain.B. Add the members of the Directory Services team to the Enterprise Admins group.C. Add the administrators for each geographic location to the Server Operators group for every domain.D. Add the administrators for each geographic location to the Domain Admins group for their geographic

locations domain.



QUESTION 14You are the network administrator for your company. Your network consists of a single Active Directory domain.All servers run Windows Server 2003. You use Group Policy objects (GPOs) to distribute software. Yourcompany uses two different applications to view graphics. Users are allowed to choose which program they willuse based on the features and formats they require. Only the users are allowed to decide which of these twoapplications will be installed. You need to configure the GPOs to install either graphics application based on theuser's choice. What should you do?

A. Publish both applications with file extension activation.B. Publish both applications without file extension activation.C. Assign both applications to install on demand.D. Assign both applications to complete a full installation.



QUESTION 15You are the network administrator for your company. The network consists of a single Active Directory domain.The domain includes an organizational unit (OU) named TerminalServers and a global group namedAccounting. The TerminalServers OU contains all of the Windows Server 2003 computer accounts runningTerminal Services. Members of the Accounting group connect to terminal servers to access their softwareapplications. You create a Group Policy object (GPO) and link it to the TerminalServers OU. You configure theGPO to publish a software installation package that installs the most recent tax application. Users in theAccounting group report that the new tax application is not installed on any of the terminal servers. You log onto one of the servers running Terminal Services and attempt to use Add or Remove Programs in Control Panel.When you select Add New Programs, you receive the following error message: "Applications are not availableto install from the network in this mode." You need to ensure that the new tax application is installed on thecomputers running Terminal Services. What should you do?

A. Modify the GPO and configure the software installation package to be assigned under the ComputerConfiguration section of the GPO under Software Settings.

B. Modify the GPO and configure the software installation package to be assigned under the UserConfiguration section of the GPO under Software Settings.

C. Modify the discretionary access control list (DACL) settings of the GPO to assign the Authenticated Usersgroup the Deny - Read and the Allow - Apply Group Policy permissions.

D. Modify the discretionary access control list (DACL) settings of the GPO to assign the computer accounts inthe TerminalServers OU the Allow - Read and the Allow - Apply Group Policy permissions.

Correct Answer: A



QUESTION 16Your company has a single Active Directory directory service forest named contoso.com. A partner organizationhas a forest named fabrikam.com. Both forests are set to the Windows 2000 forest functional level. Domainsnamed contoso.com and fabrikam.com are set to Windows 2000 Native Mode. You plan to create a forest trustrelationship between contoso.com and fabrikam.com. You need to be able to configure selective authenticationfor the trust relationship. What should you do?

A. Raise the forest functional level on contoso.com and fabrikam.com to Windows Server 2003.B. Raise the domain functional level on contoso.com and fabrikam.com to Windows Server 2003.C. Raise the domain functional level and the forest functional level on contoso.com to Windows Server 2003.D. Raise the domain functional level and the forest functional level on fabrikam.com to Windows Server 2003.



QUESTION 17Your company has a single Active Directory directory service forest with multiple domains. The company has amain office with 1,000 users and a single branch office with 500 users. Each office is a separate ActiveDirectory site. The main office Active Directory site has two domain controllers with Global Catalog services.Company employees must be able to work in both offices. You need to plan the placement and configuration ofdomain controllers. What should you do?

A. Deploy two additional domain controllers in the main office Active Directory site.B. Deploy global catalog servers in the branch office Active Directory site.C. Enable change notification on the site link between the main office Active Directory site and the branch

office Active Directory site.D. Disable change notification on the site link between the main office Active Directory site and the branch

office Active Directory site.



QUESTION 18You have a single Active Directory directory service domain. All servers run Windows Server 2003. You createseveral new Group Policies. You need to determine the end result of these Group Policies before applying thesettings. What should you do?

A. Use Resultant Set of Policy (RSoP) in Planning mode.B. Use Resultant Set of Policy (RSoP) in Logging mode.C. Use Event Viewer to view the system log.D. Use Event Viewer to view the application log.



QUESTION 19You have a single Active Directory directory service domain. You create organizational units (OUs) namedCorporate and Support. You move the corporate user and computer accounts into the Corporate OU. Youmove the accounts of computers in the support department into the Support OU. You need to ensure that usershave one screensaver while using computers that are in the Corporate OU, and a separate screensaver whileusing computers that are in the Support OU. What should you do?

A. Create a new parent OU for the Corporate and Support OUs and name the parent OU Users. Move all userobjects to the Users OU, and then create and link a Group Policy object (GPO) with the screensaver settingto the Users OU.

B. Create and link a Group Policy object (GPO) with the screensaver setting to the Support OU and select theBlock Inheritance option.

C. Create and link a Group Policy object (GPO) with the screensaver setting to the Corporate OU, create andlink a GPO with the screensaver setting to the Support OU, and then enable loopback processing inReplace mode on the Support OUs GPO.

D. Create and link a Group Policy object (GPO) with the screensaver setting to the Support OU and select theEnforced option.



QUESTION 20You are a network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. The functional level of the domain is Windows Server 2003. Theorganizational unit (OU) structure is shown in the exhibit. (Click the Exhibit button.) Your company uses anX.500 directory service enabled product to support a sales and marketing application. The application is usedonly by users in the sales department and the marketing department. The application uses InetOrgPersonobjects as user accounts. InetOrgPerson objects have been created in Active Directory for all Sales andMarketing users. These users are instructed to log on by using their InetOrgPerson object as their useraccount. Microsoft Identity Integration Server is configured to copy changes to InetOrgPerson objects fromActive Directory to the X.500 directory service enabled product. All InetOrgPerson objects for marketingemployees are located in the Marketing OU. All InetOrgPerson objects for sales employees are located in theSales OU. Mikhail is another administrator in your company. Mikhail is responsible for managing the objects forusers who require access to the X.500 directory service enabled product. You need to configure ActiveDirectory to allow Mikhail to perform his responsibilities. Which action or actions should you take? (Choose allthat apply.)

A. On the domain, grant Mikhail the permission to manage user objects.B. On the domain, grant Mikhail the permission to manage InetOrgPerson objects.C. On the Sales OU, block the inheritance of permissions.D. On the Marketing OU, block the inheritance of permissions.E. On the Dev OU, block the inheritance of permissions

Correct Answer: BESection: MCQsExplanation


QUESTION 21You are the network administrator for your company. The network consists of a single Active Directory domain.All user accounts for users in the engineering department are located in an organizational unit (OU) namedEngineering. These users' client computers are all located in an OU named EngineeringWorkstations, which isa child OU if the Engineering OU. All users in the engineering department are members of a global groupnamed Engineers. You create a Group Policy object (GPO) that assigns a software installation package tousers in the Engineering OU. To comply with the licensing requirements for the application, the application mustbe uninstalled from a user's computer when that user is moved out of the Engineering OU. A user namedFrancesca is transferred out of the engineering department. The user account for Francesca is moved into anOU named Research. Francesca reports that the application is still installed on her computer. You must ensurethat the application is automatically uninstalled from Francesca's computer. The application must remain on thecomputers of all users who are still in the Engineering OU. What should you do?

A. Move Francesca's user account back into the Engineering OU. Configure the software installation packageso that the software is uninstalled when Francesca's user account falls out of the scope of management.Ensure that Francesca logs on to the network. Move Francesca's user account back into the Research OU.

B. Move Francesca's user account back into the Engineering OU. Modify the GPO so that the softwareinstallation package is removed. Ensure that Francesca logs on to the network. Move Francesca's useraccount back to the Research OU.

C. Move the client computer object for Francesca's computer out of the EngineeringWorkstations OU.D. Remove Francesca from the Engineers global group.



QUESTION 22You are the network administrator for your company. The network consists of a single Active Directory domainwith two sites. The two sites are named Site1 and Site2. All servers run Windows Server 2003. The companyhas two offices, and each office is configured as one of the sites. A 256-Kbps leased line connects the twooffices. In addition, a site link connects the two sites. The site link is configured to replicate during off-peakhours. There are domain controllers in both sites. Site1 contains all of the operations master role holders. Youplan to create Group Policy objects (GPOs) for each site. Some GPOs will be used to resolve potential supportissues for a specific site, and so you need to minimize any delay in the propagation of GPOs. You need toensure that GPOs are applied to users in the appropriate site with minimal delay. What should you do?

A. Configure the Group Policy Object Editor and Active Directory Users and Computers snap-ins to connect tothe infrastructure master.

B. Configure the Group Policy and Active Directory snap-ins to connect to a domain controller in the site wherethe GPO must be applied.

C. Create a remote procedure call (RPC) connection object between the two sites.D. Create a GPO that disables Group Policy slow link detection. Link the GPO to both sites.



QUESTION 23You have a single Active Directory directory service domain. User accounts and computer accounts in thefinance department are located in an organizational unit (OU) named Finance. The users in the financedepartment use local databases that are saved to either the My Documents folder or to the users desktop. Thefinance users each have a primary client computer, but they frequently log on to a secondary client computer.Users report that the databases that they use when they are logged on to their primary client computer are notavailable when they log on to their secondary client computer. You need to ensure that the finance users haveaccess to their databases regardless of which client computer they log on to. Logon times and logoff timesmust not increase as a result of this change. What should you do?

A. Create a new Group Policy object (GPO). Configure a Shared Folders policy to enable the Allow sharedfolders to be published setting. Link the GPO to the Finance OU.

B. Create a new Group Policy object (GPO). Configure a Folder Redirection policy. Link the GPO to theFinance OU.

C. Configure roaming profiles for the finance users.D. Configure home directories for the finance users.



QUESTION 24You have a single Active Directory directory service domain with Windows XP client computers. Some usersreceive their DNS suffix search orders by using DHCP, and some users configure their DNS suffix searchorders manually. You link a new Group Policy object (GPO) to the domain to specify a DNS suffix search orderfor client computers. Some users report that they are not receiving the new DNS suffix search order from the

GPO. You need to ensure that all users receive the DNS suffix search order from the GPO. What should youdo?

A. Remove the DNS suffix search order from the DHCP server scope.B. Remove the manually entered DNS suffix search order on the client computers.C. Modify the GPO to enable dynamic DNS registration.D. Enforce the link on the GPO.



QUESTION 25You are the network administrator for your company. The network consists of a single Active Directory domain.The domain contains an organizational unit (OU) named Sales. You create three Group Policy objects (GPOs)that have four configuration settings, as shown in the following table. The ScreenSaver GPO has the NoOverride setting enabled. The Sales OU has the Block Policy inheritance setting enabled. The priority for GPOslinked to the Sales OU specifies first priority for the Display and Wallpaper GPO and second priority for theWallpaper GPO. For user accounts in the Sales OU, you want the Screen Saver tab to be hidden and thedesktop wallpaper to be Autumn.jpg. You log on to a test computer by using a user account from the Sales OU,but you do not receive the settings you wanted. You need to configure the settings to hide the Screen Saver taband set the desktop wallpaper to Autumn.jpg for the user accounts in the Sales OU. You want to avoid affectinguser accounts in other OUs. What should you do?

A. Enable the No Override setting for the Display and Wallpaper GPO.B. Disable the No Override setting on the ScreenSaver GPO. Reorder the Wallpaper GPO to be first in the list.C. Create a GPO and link it to the Default-First-Site-Name. Configure the GPO to set the Active Desktop

Wallpaper to c:\WINNT\web\wallpaper\autumn.jpgD. Disable the Block Policy inheritance setting on the Sales OU. Change the Display and Wallpaper GPO to

set the Active Desktop Wallpaper to c:\WINNT\web\wallpaper\autumn.jpg



QUESTION 26You are the network administrator for your company. The network consists of a single Active Directorydomain with three sites named Site1, Site2, and Site3.Site links are configured between the sites so that Site1 and Site3 are connected by using Site2. The sitelinks are configured as shown in the following table.

All user and group accounts are managed by network administrators at Site1. Users at Site3 report that ittakes more than a day for changes made to Active Directory at Site1 to be visible in the domain at Site3.You must ensure that the changes made to Active Directory at Site1 between 8:00 A.M. and 6:00

A. M. are visible at Site3 when the business opens at 8:00 A.M. the next day.What should you do?

B. Modify the site link cost between Site2 and Site3 to be 200.C. Modify the replication schedule for the site link between Site2 and Site3 to replicate between

6:00 P.M. and 1:00 A.M.D. Modify the replication interval for the site link between Site1 and Site2 to 30 minutes.



QUESTION 27You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forestthat contains a single domain named contoso.com. You have a user account named CONTOSO\admin thatis a member of the Domain Admins global group. You need to create a new child domain named NA.contoso.com in the forest. You install a stand-alone Windows Server 2003 computer named DC3. You usethe Active Directory Installation Wizard to promote DC3 to a domain controller in the new domain. Youchoose to create a domain controller for a new child domain in an existing domain tree. You enter the username and password for CONTOSO\admin. You choose contoso.com as the parent domain, and you typeNA as the name of the child domain. You receive the error message shown in the exhibit. (Click the Exhibitbutton.) You need to be able to create the new child domain. What should you do?

A. Add DC3 to the contoso.com domain and then run the Active Directory Installation Wizard.B. Enter the network credentials for a member of the local Administrators group.C. Enter the network credentials for a member of the Schema Admins group for the contoso.com forest.D. Enter the network credentials for a member of the Enterprise Admins group for the contoso.com forest.



QUESTION 28You are a network administrator for your company. The network consists of a single Active Directorydomain. All servers run Windows Server 2003. You use a Group Policy object (GPO) to change the defaultstorage location of the My Documents folder for all user accounts. The GPO redirects the My Documentsfolder to \\SERVER1\USERFILES\%USERNAME%. The Redirect the folder back to the local user profilelocation when policy is removed option is selected. The network does not use roaming user profiles. The MyDocuments folders of several users are very large and consume too much disk space on Server1. As aresult, users report slow response times for shared files. You need to ensure that the My Documents folderfor each user is stored and maintained on the user's client computer. You must not affect any other policies.What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.Choose two.)

A. Copy all settings in the GPO except the redirection setting to a new GPO. Delete the existing GPO.B. Change the redirection setting in the GPO to Not configured. Run the gpupdate command on Server1.C. In the GPO, change the specified path to %USERPROFILE%\My Documents.D. Configure all shared folders on Server1 to automatically make all files available offline. After the files are

cached on the client computers, delete the files from the server.

Correct Answer: BC

Exam F

QUESTION 1You have a single Active Directory directory service domain. All domain controllers run Windows Server 2003.You have two physical locations, which correspond to two Active Directory sites. A domain controller isdeployed to each location. A high-speed WAN link connects the two sites. Network utilization is low.Administrators create and edit Group Policy objects (GPOs) to configure security settings, login scripts,roaming profiles, and software installation. You need to ensure that all Group Policy processing continues in theevent of a local domain controller outage. What should you do?

A. Configure synchronous processing for login scripts.B. Enable Fast Logon Optimization on all GPOs.C. Disable Fast Logon Optimization on the Default Domain Policy.D. Disable slow link detection on all GPOs.



QUESTION 2You are the network administrator for Consolidated Messenger. The network consists of a single ActiveDirectory forest that contains three domains named consolidatedmessenger.com,child1.consolidatedmessenger.com, and child2.consolidatedmessenger.com. The functional level of the forestis Windows Server 2003.Both child1.consolidatedmessenger.com and child2.consolidatedmessenger.comcontain employee user accounts, client computer accounts, and resource server computer accounts. Thedomain named consolidatedmessenger.com contains only administrative user accounts and computeraccounts for two domain controllers. Each resource server computer provides a single service of file server,print server, Web server, or database server.Your company plans to use Group Policy objects (GPOs) tocentrally apply security settings to resource server computers. Some security settings need to apply to allresource servers and must not be overridden. Other security settings need to apply to specific server roles only.You need to create an organizational unit (OU) structure to support the GPO requirements. You want to createas few GPOs and links as possible.What should you do?

A. Create a top-level OU for each server role under the consolidatedmessenger.com domain. Create a top-level OU named Servers under the child1.consolidatedmessenger.com domain. Create a top-level OUnamed Servers under the child2.consolidatedmessenger.com domain.

B. Create a top-level OU named Servers under the child1.consolidatedmessenger.com domain. Create a childOU for each server role under the Servers OU. Create a top-level OU named Servers under thechild2.consolidatedmessenger.com domain. Create a child OU for each server role under the Servers OU.

C. Create a top-level OU named Servers under the consolidatedmessenger.com domain. Create a child OUfor each server role under the Servers OU.

D. Create a top-level OU for each server role under the child1.consolidatedmessenger.com domain. Create atop-level OU for each server role under the child2.consolidatedmessenger.com domain.



QUESTION 3You are the network administrator for your company. Your network consists of a single Active Directory domain.All the user accounts, groups, and application servers of the human resources (HR) department are located in

an organizational unit (OU) named HR. The managers in the HR department need access to the applicationservers to perform administrative tasks. A local group named HRManagers exists on each application server.The HRManagers local groups supply the permissions that the HR managers require. For security reasons, thecompany wants user accounts for managers in the HR department to be the only members of the HRManagersgroups. You need to ensure that membership of the HRManagers group on each application server is assecure as possible. What should you do?

A. Create a Group Policy object (GPO) that configures restricted groups for each HRManagers group. Link theGPO to the HR OU.

B. Create a new OU for application servers under the HR OU, and move the servers to the new OU. Blockpermissions inheritance at the new OU.

C. Create a universal group named HRManagers and make the user accounts for HR managers members ofthat group. Make the HRManagers universal group a member of the HRManagers local group on eachapplication server.

D. Create a script that adds the user accounts for managers in the HR department to the HRManagers localgroups. Configure the script to act as the startup and shutdown script for the application servers.



QUESTION 4You are a network administrator for Litware, Inc. The network consists of a single Active Directory forest thatcontains two domains named litwareinc.com and dev. litwareinc.com. All domain controllers run WindowsServer 2003. The functional level of the forest is Windows Server 2003. Litware, Inc., acquires a companynamed Graphic Design Institute. The Graphic Design Institute network consists of a single Active Directoryforest that contains a single domain named graphicdesigninstitute. com. All domain controllers run WindowsServer 2003. The functional level of the forest is Windows Server 2003. Users in the litwareinc.com domainrequire access to file and print resources stored on a computer named server1.graphicdesigninstitute.com.Users in the graphicdesigninstitute.com domain require access to all computers in the litwareinc.com forest.You must provide administrators with the ability to grant users access to the required resources. What shouldyou do?

A. Create a two-way forest trust relationship between the litwareinc.com domain and thegraphicdesigninstitute.com domain. In the litwareinc.com domain, enable forest-wide authentication for thegraphicdesigninstitute.com domain. In the graphicdesigninstitute.com domain, enable selectiveauthentication for the litwareinc.com domain.

B. Create a two-way external trust relationship between the litwareinc.com domain and thegraphicdesigninstitute.com domain.

C. Create a one-way forest trust relationship in which the graphicdesigninstitute.com domain trusts thelitwareinc.com domain. In the litwareinc.com domain, enable forest-wide authentication for thegraphicdesigninstitute.com domain.

D. Create a one-way external trust relationship in which the litwareinc.com domain trusts thegraphicdesigninstitute.com domain. Create a second incoming external trust relationship on thegraphicdesigninstitute.com domain. Specify that the trust relationship is between the dev.litwareinc.comdomain and the graphicdesigninstitute.com domain.



QUESTION 5

You have a single Active Directory directory service domain. There is a branch office that connects to the mainoffice through a low-bandwidth WAN link. The first domain controller is named DC1 and is located in the mainoffice. The branch office has a single server named Server1. Server1 runs Windows Server 2003. You arepreparing to install Active Directory on Server1. You back up the system state of DC1, and you send the backupto the administrator at the branch office. You need to make Server1 anadditional domain controller in your domain, while minimizing the bandwidth usage between the two offices.What should you do?

A. Restore the system state data from DC1 to an alternate location on Server1. Run the dcpromo commandwith the /adv parameter, and select the From these restored backup files option.

B. Restore the system state data from DC1 to the original location on Server1. Run the dcpromo commandwith the /adv parameter, and select the From these restored backup files option.

C. Create a new Active Directory site. Create an unattended installation file with the CriticalReplicationOnlyparameter. Run the dcpromo command with the /answer parameter.

D. Create a new Active Directory site. Create an unattended installation file with the SiteName parameter toplace Server1 into the new site. Run the dcpromo command with the /answer parameter.



QUESTION 6You have a single Active Directory directory service domain. You are preparing to create a child domain. Youruser account is in a global security group named Server Administrators. The Server Administrators group is inthe local Administrators group on all servers. You need to install Active Directory on a server named Server1 tocreate the new child domain. What should you do?

A. Have your user account added to the Domain Admins group.B. Have your user account added to the Schema Admins group.C. Have your user account added to the Enterprise Admins group.D. Have your user account added to the Incoming Forest Trust Builders group.



QUESTION 7You are the network administrator for Alpine Ski House. The network consists of a single Active Directoryforest that contains five domains. The functional level of the forest is Windows 2000. You have not configuredany universal groups in the forest. One domain is a child domain named child1.alpineskihouse.com thatcontains two domain controllers and 50 client computers. The functional level of the domain is Windows Server2003. The network includes an Active Directory site named Site1 that contains two domain controllers. Site1represents a remote clinic, and the location changes every few months. All of the computers inchild1.alpineskihouse.com are located in the remote clinic. The single WAN connection that connects theremote clinic to the main network is often saturated or unavailable. Site1 does not include any global catalogservers. You create several new user accounts on the domain controllers located in Site1. You need to ensurethat users in the remote clinic can always quickly and successfully log on to the domain. What should you do?

A. Enable universal group membership caching in Site1.B. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the

registry on both domain controllers in Site1.

C. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to theregistry on all global catalog servers in the forest.

D. Raise the functional level of the forest to Windows Server 2003.



QUESTION 8You have a single Active Directory directory service domain. Your domain controllers are configured as shownin the following table. File and print services are on servers in Site1. Microsoft Exchange Server is installed onservers in Site2. The HR and user provisioning applications will be placed on servers in Site3. You are planningplacement of the RID Master FSMO role. You need to ensure proper functionality of these applications withintheir sites during an extended WAN outage. On which domain controller should you place the RID Master role?

A. DC1B. DC2C. DC3D. DC4




QUESTION 9Your company has a main office and 30 branch offices. You are planning the implementation of Active Directorydirectory service. You need to implement a solution that allows local administrators in the branch offices toadminister user accounts in their own locations while preventing the administrators from administering anyother resources in their location. You must ensure that administrators in the main office have the ability toadminister all user accounts, in all locations. Main office administrators must not have the ability to edit thecontents of the default Users container. What should you do?

A. Create a forest root domain for the main office, and create a child domain for each branch office. Add the

main office administrators to the Enterprise Admins group in the root domain, and add the branch officeadministrators to the Domain Admins group in the appropriate child domain.

B. Create a forest root domain for the main office, and create a child domain for each branch office. Add themain office administrators to the Domain Admins group in the root domain, and add the branch officeadministrators to the Account Operators group in the appropriate child domain

C. Create a single domain. Create a separate organizational unit (OU) for the main office and for each branchoffice. At the domain level, grant the main-office administrators the ability to create, delete, and manageuser accounts. On the branch OUs, grant the location-specific administrators the ability to create, delete,and manage user accounts.

D. Create a single domain. Create an organizational unit (OU) for the main office users and child OUs for eachof the branch offices. At the main office OU, grant main-office administrators the ability to create, delete,and manage user accounts. On each child OU, grant the location-specific admin the ability to create, delete,and manage user accounts.



QUESTION 10You have a Windows Server 2003 Active Directory directory service environment. Group Policy objects (GPOs)are linked to parent organizational units (OUs), and user and computer objects are located in child OUs. Whenusers log on to their client computers, Folder Redirection policies are applied as expected. However, whenusers log on to a kiosk computer, a different Folder Redirection setting is applied. You need to ensure thatusers receive the same Folder Redirection policy regardless of which computer they log on to. What should you do?

A. Disable loopback processing in the GPOs.B. Enable loopback processing by selecting the Merge Mode option in the GPOs.C. Enable loopback processing by selecting the Replace Mode option in the GPOs.D. Select the Block Inheritance option on the OU where the kiosk computer is located.



QUESTION 11You have a Windows Server 2003 Active Directory directory service environment with an organizational unit(OU) named Corp. An OU named HR exists under the Corp OU. several Group Policy objects (GPOs) arecurrently linked to the HR OU. You need to link a new GPO to the Corp OU, and you must ensure that the newGPO is not applied to users in the HR OU. What should you do?

A. Change the link order so that the new GPO has the lowest precedence.B. Enable loopback processing in Replace mode in the new GPO.C. Link the GPO to only the Corp OU, and select the Enforced option.D. Configure the HR OU to block Group Policy inheritance.



QUESTION 12You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers that arenot domain controllers have computer accounts in an organizational unit (OU) named ApplicationServers. Clientcomputers have computer accounts in 15 OUs organized by department. All users have user accounts in anOU named CompanyUsers. Your company wants all users to have Microsoft Word available on their clientcomputers. Your company does not want to install Word on domain controllers or other servers. You need toconfigure the network to install the application as required, without affecting any existing policies or settings.What should you do?

A. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installationsection of the computer settings. Link this GPO to the domain. Configure the Domain Controllers OU andthe ApplicationServers OU to block policy inheritance.

B. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installationsection of the computer settings. Link this GPO to the domain. Configure permissions on the GPO so thatall server and domain controller accounts are denied the permissions to read and apply the GPO.

C. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installationsection of the user settings. Link this GPO to the domain. Configure the Domain Controllers OU and theApplicationServers OU to block policy inheritance.

D. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installationsection of the user settings. Link this GPO to the domain. Configure permissions on the GPO so that allserver and domain controller accounts are denied the permissions to read and apply the GPO.



QUESTION 13You have a single Active Directory directory service domain named corp.contoso.com. You are merging withanother company that has a single domain named corp. fabrikam.com. You establish a forest trust betweencorp.contoso.com and corp.fabrikam.com. Both domains have a NetBIOS name of CORP. You need to ensurethat users can use the CORP NetBIOS name to access resources in the corp.contoso.com forest. What shouldyou do?

A. Create a new UPN suffix named CORP.B. Create a new UPN suffix named Fabrikam.C. In the corp.fabrikam.com domain, add a new DNS alias (CNAME) record that points CORP to

corp.contoso.com.D. Disable the CORP NetBIOS name suffix in the corp.fabrikam.com forest, and enable the CORP NetBIOS

name suffix in the corp.contoso.com forest.



QUESTION 14You are a network administrator for your company. The company consists of two subsidiaries named Litware,Inc., and Contoso, Ltd. The network consists of a single Active Directory forest. The functional level of the

forest is Windows Server 2003. The forest contains a forest root domain named litwareinc.com and anadditional domain tree named contoso.com, which contains two child domains. All domain controllers runWindows Server 2003. The Directory Services object is configured with the default property settings. Theforest contains 250,000 objects that are changed frequently. You need to be able to restore objects in one ofthe child domains in the contoso.com domain tree from a three-month-old backup. You need to make a changeto a Directory Services property on a domain controller in one of the domains in order to achieve this goal.What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choosetwo.)

A. Run the netdom command on a domain controller in contoso.com.B. Use the Ntdsutil utility on a domain controller in litwareinc.com.C. Use the ADSIEdit utility on a domain controller in contoso.com.D. Run the ldp command on a domain controller in litwareinc.com.



QUESTION 15You have a single Active Directory directory service domain. You plan to use a server named Server1 to deliverMicrosoft updates to all your companys workstations. The workstations are located in an organizational unit(OU) named Workstations. Server1 is located in an OU named Servers. You need to ensure that allworkstations receive Microsoft updates from Server1 and that the updates are installed at 3:00 AM each day.What should you do?

A. Create a GPO and enable the Configure Automatic Updates and Enable recommended updates viaAutomatic Updates options. Link the GPO to the Workstations OU.

B. Create a GPO and enable the Configure Automatic Updates and Automatic Updates detection frequencyoptions. Link the GPO to the Workstations OU.

C. Create a GPO and enable the Configure Automatic Updates and Specify intranet Microsoft update servicelocation options. Link the GPO to the domain.

D. Create a GPO enable the Configure Automatic Updates and Specify intranet Microsoft update servicelocation options. Link the GPO to the Servers OU.



QUESTION 16You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest, asshown in the exhibit. (Click the Exhibit button.) A domain controller named dc1.corp.contoso.com runsWindows 2000 Server. All other domain controllers run Windows Server 2003. Contoso, Ltd., is engaged in ajoint venture with Litware, Inc. The network at Litware, Inc., consists of a single Active Directory forest namedlitwareinc.com that contains one domain. The functional level of the litwareinc. com forest is Windows Server2003. You need to ensure that the users at Contoso, Ltd., can log on to the litwareinc.com forest. You upgradedc1.corp.contoso.com to Windows Server 2003. Which two additional courses of action should you take? (Eachcorrect answer presents part of the solution. Choose two.)

A. Raise the functional level of the corp.contoso.com domain and the east.corp.contoso.com domain toWindows 2000 native. Raise the functional level of the contoso.com forest to Windows Server 2003.

B. Raise the functional level of the corp.contoso.com domain to Windows 2000 native. Raise the functionallevel of the east.corp.contoso.com domain to Windows Server 2003. Raise the functional level of thewest.contoso.com domain to Windows Server 2003.

C. Create a one-way forest trust relationship in which the contoso.com forest trusts the litwareinc.com forest.D. Create a one-way forest trust relationship in which the litwareinc.com forest trusts the contoso.com forest.



QUESTION 17You have a single Active Directory directory service domain with three sites named Site1, Site2, and Site3.There are site links between all three sites, and replication between sites occurs every 30 minutes. You need toensure that all replication traffic is routed through Site2. What should you do?

A. Define a preferred bridgehead server for Site2.B. Reduce the interval between replications between Site1 and Site2 and between Site2 and Site3.C. Decrease the cost of the site link between Site1 and Site3.D. Increase the cost of the site link between Site1 and Site3.



QUESTION 18You are the network administrator for your company. Your network consists of a single Active Directory domain.All servers run Windows Server 2003. All client computers run Windows XP Professional. Employees use clientcomputers and also use Remote Desktop to connect to a terminal server named TS1. All users in yourcompany have user accounts in an organizational unit (OU) named Company Users. All users receiveapplications that are assigned to their user accounts by Group Policy objects (GPOs) linked to the CompanyUsers OU. The GPOs use security filtering to control which security groups receive which applications. Usersreport that when using TS1, their assigned applications are not available. You need to configure your networkso that the applications are available to users when they connect to TS1. You need to ensure that users cannotrun any application that is not currently assigned to them. What should you do?

A. Reconfigure the GPOs containing software installation packages so that the software installation packagesare published to users.

B. Reconfigure the GPOs containing software installation packages so that assigned software installationpackages are automatically installed at logon.

C. Install all required software on TS1. Use NTFS permissions to control which security groups can accesswhich applications.

D. Link the GPOs containing software installation packages to the domain, not to an OU.



QUESTION 19You are the network administrator for your company. The network consists of a single Active Directory domainthat contains two domain controllers. Both domain controllers run Windows Server 2003. All client computersrun Windows XP Professional. The only account in the Domain Admins security group is the Administratoraccount in the domain. Each night, a full backup is made of the hard disks in each domain controller. Youdisable the local Administrator account in the Default Domain Policy Group Policy object (GPO). You discoverthat you are no longer able to log on to either domain controller as the Administrator from the domain. You needto ensure that you can log on to both domain controllers as the Administrator from the domain. What shouldyou do?

A. Restart one domain controller in Safe Mode. Log on as Administrator. Create an account for a secondadministrator. Restart the domain controller and use the new account to remove the restrictions on the localAdministrator accounts.

B. Restore the entire hard disk on one domain controller by using the last nightly backup before the changewas made. Restart the domain controller. Allow time for Active Directory replication to complete.

C. Restart one domain controller and use a Windows Server 2003 CD to run the Recovery Console. Stop theGPC service. Restart the domain controller.

D. Restart one domain controller in Directory Services Restore Mode. Perform an authoritative restoreoperation of the Domain Controllers OU in Active Directory from the last nightly backup before the changewas made. Restart the domain controller.



QUESTION 20Your network consists of Windows Vista computers joined to an Active Directory directory service domain. Allclient computers are located in an organizational unit (OU) named Clients. A Group Policy object (GPO) islinked to the Clients OU. This GPO assigns a new application to all computers in the Clients OU and uses theUninstall the application when it falls out of the scope of management Group Policy setting. You need toremove this application from only a specific group of computers. What should you do?

A. Move the group of computers to another OU.B. Unlink the GPO from the OU.C. Remove the assigned package from the GPO.D. Create a security group containing users who log on to the specific computers. Use security filtering to allow

the group the Read permission and deny the group the Apply Group Policy permission for the GPO.



QUESTION 21You have a single Active Directory directory service domain. Users each have a primary client computer butalso frequently use shared client computers. You use a Group Policy object (GPO) to publish an application tothe users in the marketing department. The users can remove the application when they no longer need it.Some users report that when they log on to a shared client computer on which the application has beenremoved, the application is no longer available to install. You need to ensure that the application is available forall users on each client computer, even if another user removes the application. What should you do?

A. Modify the Group Policy software installation package to be Assigned.B. Modify the permissions of the GPO to deny the Authenticated Users group the Delete all child objects

permission.C. Modify the GPO to include a software restriction policy with a Path rule to the application.D. Configure the link to the GPO with the Enforced option.



QUESTION 22Your company has offices in three locations. You have an Active Directory directory service domain with threeActive Directory sites named Site1, Site2, and Site3. Each site represents a physical location with multiplesubnets. There is one domain controller in each site. All sites are connected through site links. The domaincontroller in Site1 is not accessible. You need to ensure that clients in Site1 are authenticated by the domaincontroller in Site3. What should you do?

A. Create a preferred bridgehead server in Site3.B. Associate Site1 subnets with Site3.C. Increase the cost of the site link between Site1 and Site3.D. Lower the weight for DNS service locator (SRV) records on the domain controller in Site3.



QUESTION 23You have a single Active Directory directory service domain. You have 10 Active Directory sites. Each sitecontains multiple domain controllers. Active Directory replication is failing between all of the sites. You need toview the status of Active Directory intersite replication. What should you do?

A. Run the repadmin /showrepl command.B. Run the repadmin /queue command.C. Run the dcdiag /test:replications command.D. Run the dcdiag /test:topology command.



QUESTION 24You have a single Active Directory directory service domain. Your company has multiple kiosk computers. Thecomputer accounts for the kiosk computers are located in an organizational unit (OU) named Kiosks. Yourcompanys user accounts are located in an OU named CorpUsers. A Group Policy object (GPO) namedCorpUsers is linked to the CorpUsers OU. You create a GPO named Secure Kiosks and link it to the KiosksOU. You define several user and computer settings within the Secure Kiosks GPO. You need to ensure that theuser settings from the Secure Kiosks GPO are enforced when a user logs on to a kiosk computer. What shouldyou do?

A. Enforce the GPO link for the Secure Kiosks GPO.B. Block Group Policy inheritance on the Kiosks OU.C. Enable loopback processing in Replace mode on the CorpUsers GPO.D. Enable loopback processing in Replace mode on the Secure Kiosks GPO.



QUESTION 25You have a single Active Directory directory service domain. All domain controllers run Windows Server 2003.All client computers run Windows Vista. Computer accounts and user accounts are located in severalorganizational units (OUs). You plan to deploy a new software application to an OU named Sales. You need toensure that the application is available for installation by only users in the Sales OU. What should you do?

A. Publish the application to users in the domain.B. Publish the application to users in the Sales OU.C. Assign the application to users in the Sales OU.D. Assign the application to computers in the domain.



QUESTION 26You are the network administrator for your company. The network consists of a single Active Directory domainthat contains four domain controllers. All servers run Windows Server 2003. All user accounts are located in anorganizational unit (OU) named CompanyUsers. A written company policy requires all users to use strong passwords. User passwords must contain a mixture of letters, numbers, or special characters. Passwords mustbe at least 10 characters long. Passwords must be changed at least every 60 days, and the new passwordcannot be the same as the old one. To enforce this requirement, you create a Group Policy object (GPO)named Password Policies and link the GPO to the CompanyUsers OU. The settings in the Password Policysection of the Password Policies GPO are shown in the exhibit. (Click the Exhibit button.) You discover thatusers are creating simple passwords that do not meet the complexity requirements. You need to ensure thatthe company password requirements are enforced. What should you do?

A. Link the Password Policies GPO to the Domain Controllers OU. Make it the first GPO in the list.B. Configure the properties of the Password Policies GPO so that it cannot be overridden.C. Delete the Password Policies GPO. Edit the Default Domain Policy GPO to include the settings from the

Password Policy section of the Password Policies GPO.D. Delete the Password Policies GPO. Edit the Default Domain Controllers Policy GPO to include the settings

from the Password Policy section of the Password Policies GPO.



QUESTION 27You are a network administrator for your company. The network consists of a single Active Directorydomain. All client computers run Windows XP Professional. The company's main office is located in Dallas.You are a network administrator at the company's branch office in Mexico City. You create a Group Policyobject (GPO) that redirects the Start menu for users in the Mexico City branch office to a shared folder on afile server. Several users in Mexico City report that many of the programs that they normally use are missingfrom their Start menus. The programs were available on the Start menu the previous day, but did not appearwhen the users logged on today. You log on to one of the client computers. All of the required programsappear on the Start menu. You verify that users can access the shared folder on the server. You need tofind out why the Start menu changed for these users. What are two possible ways to achieve this goal?(Each correct answer presents a complete solution. Choose two.)

A. On one of the affected client computers, run the gpupdate command.B. In the Group Policy Management Console (GPMC), select the file server that hosts the shared folder

and a user account that is in the Domain Admins global group and run Resultant Set of Policy (RSoP) in

planning mode.C. On one of the affected client computers, run the gpresult command.D. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run

Resultant Set of Policy (RSoP) in logging mode.



QUESTION 28You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forestthat contains a single domain named contoso.com. The functional level of the forest is Windows Server2003. Your company purchases a company named Fabrikam, Inc. The Fabrikam, Inc., network consists ofone Windows NT 4.0 account domain and two Windows NT 4.0 resource domains, as shown in the exhibit.(Click the Exhibit button.) All file resources are stored on file servers in the contoso.com domain and in theFABRESOURCE1 domain. You need to accomplish the following goals: You need to minimize the numberof trust relationships that must be maintained in the network environment. Users in each company must beable to access the file resources on the file servers in the other company's domain.Which two actionsshould you take? (Each correct answer presents part of the solution. Choose two.)

A. Create a one-way external trust relationship in which the contoso.com domain trusts the FABACCOUNTdomain.

B. Create a one-way external trust relationship in which the contoso.com domain trusts theFABRESOURCE1 domain.

C. Create a one-way external trust relationship in which the FABACCOUNT domain trusts the contoso.comdomain.

D. Create a one-way external trust relationship in which the FABRESOURCE1 domain trusts the contoso.com domain.



Exam G

QUESTION 1You are a network administrator for a company that operates a call center. The network consists of a singleActive Directory domain. All servers run Windows Server 2003. All client computers are members of thedomain.

Computers in the call center are configured by a Group Policy object (GPO) to have a common, restricteddesktop. All computers in the call center have accounts in an organizational unit (OU) named Call CenterComputers.

Nonmanagement users have user accounts in an OU named CallCenterStaff. Managers have user accounts inan OU named ManagementUsers.You link a GPO to the Call Center Computers OU. The current settings of the GPO are shown in the work area.

Any user logging on to these computers receives the restricted desktop. Currently, a manager who logs on to acomputer in the call center is presented with the restricted desktop. The restricted desktops prevent managersfrom performing management tasks.

You need to ensure that any manager logging on to a computer in the call center receives a normal,unrestricted desktop.

Which GPO setting should you change?

To answer, select the appropriate setting in the work area.

Hot Area:

Correct Answer:

Section: Hot AreaExplanation

Explanation/Reference:Explanation:Select "User Group Policy loopback processing mode : Enabled"

QUESTION 2You are a network administrator for A. Datum Corporation. The network consists of a single Active Directoryforest that contains two domains. All servers run Windows Server 2003. The domains and organizational units(OUs) are structured as shown in the work area.

Users in the research department have user accounts in the research.adatum.com domain. All other useraccounts and resources are in the adatum.com domain. All domain controllers are in the Domain ControllersOU of their respective domain. No other computer or user accounts are in the Domain Controllers OUs.

A written company policy requires that all users working in the research department must use complexpasswords of at least nine characters in length. The written policy states that no other users are to havepassword restrictions. All affected users have user accounts in an OU named Research Users in theresearch.adatum.com domain.

You create a Group Policy object (GPO) that contains the required settings.

You need to ensure that these settings affect the users in the research department, and that the settings do notaffect any other domain users or local accounts.

Where should you link the GPO?

To answer, select the appropriate location or locations in the work area.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Select the research.adatum.com domain.Password restrictions for domain user accounts must always be set at domain level.Password policies applied at OU level will only apply to local user accounts. In this scenario,research.testking.com contains only research users so applying the policy at the domain level will not affect anyother others.

Reference:Jill Spealman, Kurt Hudson Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Microsoft Press,Redmond, Washington, 2004, pp. 10-31to 10-44

QUESTION 3HOTSPOTYou are the network administrator for TestKing.com. The network consists of a single Active Directory domainnamed testking.com. The domain contains an organizational unit named Accounting.

The Accounting OU contains both user accounts and computer accounts. You create a Group Policy object(GPO) named Custom ADM Template and link it to the Accounting OU.

You need to apply specific security-related registry entries to all of the computer accounts in the AccountingOU. You create an ADM template named Custom Security Settings that includes the security-related registryentries.

You need to import the Custom Security Settings template into the Custom ADM Template GPO so that youcan enable the new policy settings in the Custom Security Settings template.

Where should you import the Custom Security Settings template?

To answer, select the appropriate section of the GPO in the dialog box.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Select"Administrative templates"under Computer Configuration.You would import a security INF file into the SECURITY node.

But if you create an ADM file, you must add it into the ADMINISTRATIVE TEMPLATES node.

CODE http://support.microsoft.com/kb/323639

QUESTION 4You are the network administrator for A. Datum Corporation. The network consists of a single Active Directoryforest that contains three domains named adatum.com, child1.adatum.com, and child2.adatum.com. Thefunctional level of the forest is Windows Server 2003.

The help desk department is responsible for resetting passwords for all user accounts in the forest except foraccounts that have administrative privileges. There is an organizational unit (OU) named Corp_Users in eachdomain that contains the user accounts in that domain. All of the user accounts that have administrativeprivileges are in the default Users container in each domain.

There is a universal group named HD_Users in the adatum.com domain. All user accounts for the help deskdepartment users are members of the HD_Users group.You need to delegate the required authority for resetting passwords to the users in the help desk department.

For which Active Directory component or components should you delegate control?

To answer, select the appropriate component or components in the work area.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:We need to delegate the required authority for resetting passwords for the Corp_UsersOU to the HD_Usersuniversal group. The Corp_Users OU in each domain contains the users that the help desk staff need to resetpasswords for. The HD_Users universal groupcontains the help desk staff and is visible to all domains in theforest.

Reference:Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, andMaintaining a Windows Server 2003 Active Directory Infrastructure Study Guide DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 408-411Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Microsoft Press,Redmond, Washington, 2004, pp. 6-3 to6-9, 6-16 to 6-23

QUESTION 5HOTSPOTYou are the network administrator for TestKing.com. The company consists of two subsidiaries namedTestKing and TestKing.com. The network consists of two Active Directory domains with two sites. The sites arenamed Site1 and Site2. The domains are named testking.com and fabrikam.com.

The network includes one Active Directory application partition named AppPartition1. This application partitionis replicated to domain controllers in Site1and Site2.

The network contains six domain controllers. The domain controller locations and the roles of the domaincontrollers are identified in the work area below.

You need to configure preferred bridgehead servers in each site. You need to configure the minimum numberof domain controllers as preferred bridgehead servers such that no bridgehead servers will be automaticallyselected.

Which domain controller or domain controllers should you configure as preferred bridgehead servers?

To answer, select the appropriate domain controller or domain controllers in the work area.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Correct = Select DC2, DC3, DC5, DC6

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-8,5-31 to 5-32

QUESTION 6HOTSPOTYou are a network administrator for TestKing.com. The network consists of a single Active Directorydomain named testking.com. The domain consists of four sites asshown in the work area.

Pedro is another administrator for TestKing.com. Pedro is responsible for managing the frequency of ActiveDirectory replication among the four sites.

You need to allow Pedro to manage the frequency of intersite replication. You must ensure that Pedro cannotmodify any other objects.

Where should you grant Pedro the permission that he needs?

To answer, select the appropriate node in the dialog box.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Select "Inter-Site Transports".Pedro needs to manage intersitereplication. This is managed through the Inter-Site Transports node in Active

Directory Sites and Services.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-26to 5-30

QUESTION 7HOTSPOTYou are a network administrator for TestKing.com. The relevant portion of yournetwork configuration is shownin the work area.

TestKing has offices in Toronto and New York. The Toronto office has 500employees, and the New York officehas 150 employees. Employees in both officesuse an application that frequently reads configuration data in theglobal catalog.

You install Windows Server 2003 on all domain controllers. You create a singleWindows Server 2003 ActiveDirectory domain. The functional level of the forest isWindows Server 2003. You configure servers as shown inthe following table.

You need to plan the placement of global catalog servers for TestKing.com. Youneed to ensure that theapplication performs well during times of peak activity. Youneed to ensure that the application continues tofunction in the event of multipleglobal catalog failures.

Where should you place the global catalog server or servers?

To answer, select the appropriate computer or computers in the work area.

Leading the way in IT testing and certification tools, www.testking.com

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Select Testking1, Testking2 and Testking5.Only domain controllers can function as Global Catalog servers. In this case, onlyTestking1, Testking2 and Testking5 are domain controllers. We need to use all domaincontrollers to ensurethat the application continues to function in the event of multipleglobal catalog failures.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17to 1-18, 5-41 to 5-45, 5-48 to 5-50.Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn

Shinder Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a WindowsServer 2003 Active Directory Infrastructure Study Guide DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547,550-552.

QUESTION 8You are the network administrator for your company. The network consists of a single Active Directory domain.The functional level of the domain is Windows Server 2003. The domain contains three Active Directory sitesnamed Site1, Site2, and Site3. The sites are connected by site links as shown in the work area.

SiteLink1 and SiteLink2 include redundant, high-speed WAN connections.

Each site has one subnet associated with it. The number of computers in each site and the operating systemthat the computers are running are indicated in the following table.

Site1 contains a Windows Server 2003 domain controller named Server1 that is the relative ID (RID) master forthe domain. Site2 contains two Windows Server 2003 domain controllers named Server2 and Server3. Server2is the infrastructure master for the domain. Site3 contains a Windows Server 2003 domain controller namedServer4.

You need to decide where to place the PDC emulator role holder. You want to optimize the overall responsetime for users in all sites.

Where should you place the PDC emulator role?

To answer, select the appropriate domain controller or domain controllers in the work area.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Place the PDC emulator on Site3. This site has the most Windows 98 and NT 4.0 workstations which need aPDC emulator to contact to logon while XP and Windows 2000 can logon at any DC.

Leading the way in IT testing and certification tools, www.testking.com

Reference:Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice,Mastering Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 565-567.Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, andMaintaining a Windows Server 2003 Active Directory Infrastructure Study Guide DVD Training System, Syngress Publishing, Rockland, MA, 2003, p. 505.

QUESTION 9HOTSPOTYou are the network administrator for TestKing.com. The network consists of asingle Active Directory domainnamed testking.com. The functional level of thedomain is Windows Server 2003.

You configure two Active Directory sites named Testking1 and Testking2. Testking1contains all of theoperations masters and two global catalog servers. Testking2contains a domain controller named Server1. Youcreate a site link named SiteLink1that includes Testking1 and Testking2.

You need to provide global catalog services locally in Testking2.

Which Active Directory component should you configure?

To answer, select the appropriate component in the work area.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Select "NTDS Settings" under SERVER1.The global catalog service is added or removed in the NTDS Settings Properties dialogbox of the ActiveDirectory Sites and Services console.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-41to 5-45, 5-48 to 5-50Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, and Maintaining a WindowsServer 2003 Active Directory Infrastructure Study Guide DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547,550-552.

QUESTION 10MULTIPLE HOTSPOTYou are the network administrator for TestKing.com. The network consists of a singleActive Directory domain named testking.com. All client computers run Windows XP Professional.

A written TestKing policy requires all documents created by the legal department to be saved to a shared foldernamed MyDocs on a file server named FileS1. The written policy also states that each user in the legaldepartment must have a unique folder in which to store the user's documents.

The user accounts for all users in the legal department are in an organizational unit(OU) named Legal. The users belong to various Active Directory groups.

You create a new Group Policy object (GPO) and link it to the Legal OU. In the GPO, you open the properties ofthe Folder Redirection setting for My Documents folder. The dialog box is shown in the work area.

You need to configure folder redirection by using the minimum amount of administrative effort.

How should you configure the folder redirection settings?

To answer, configure the appropriate option or options in the dialog box.

Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Select"Basic - Redirect everyone's folder to the same location"Select "Create a folder for each user under the root path"


Exam H

QUESTION 1DRAG DROPYou are the network administrator for TestKing.com. The network consists of asingle Active Directory namedtestking.com. The functional level of the domain isWindows Server 2003.

TestKing has a main office and four branch offices. Each branch office is connected to the main office by aWAN connection. You configure an Active Directory site for each office. The sites and WAN connections areshown in the exhibit.

You need to create site links to minimize replication traffic over WAN connections.

Which site link or site links should you create?

To answer, drag the appropriate site link or site links to the correct location or locations in the work area.

Exhibit:

Select and Place:

Correct Answer:

Section: Drag & DropExplanation

Explanation/Reference:Explanation:Each branch office is only connected to the main office. Therefore, site links should be between the main officeand the branch offices, no between two branch offices.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to5-8

QUESTION 2You are the network administrator for Tailspin Toys. The network consists of a single Active Directory forest.The functional level of the forest is Windows 2000. The forest consists of a root domain named tailspintoys.comand two child domains named child1.tailspintoys.com and child2.tailspintoys.com.

The functional level of all domains is Windows 2000 native. All domain controllers in the tailspintoys.comdomain run Windows Server 2003. All domain controllers in the child1.tailspintoys.com andchild2.tailspintoys.com domains run Windows 2000 Server.

You need to be able to rename all domain controllers in tailspintoys.com. You want to minimize impact to thenetwork.

What should you do?

To answer, drag the appropriate action or actions to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:To rename domain controllers, the domain has to be in Windows 2003 functional level.

Reference:Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, andMaintaining a Windows Server 2003 Active Directory Infrastructure Study Guide DVD Training System, Syngress Publishing, Rockland, MA, 2003, Chapter 4, p. 320MS white paper: Step-by-Step Guide to Implementing Domain RenameMS Knowledge base article: Q814589 HOW TO: Rename a Windows 2003 DomainController

QUESTION 3

DRAG DROPYou are the network administrator for TestKing.com. Your network consists of a single Active Directory domainnamed testking.com.

You are responsible for configuring Active Directory security for the domain. All groups for the domain are in anorganizational unit (OU) named Groups. Resource groups will be used to provide permissions to users inaccounts groups.

The human resources department needs to be able to manage the membership of only the accounts groups.The server support department needs to be able to manage the membership of only the resource groups. TheDomain Admins group needs to be able to manage all groups.

You need to configure the OU structure to allow the appropriate permissions to be granted. You want to achievethis goal by using the minimum amount of administrative effort.

What should you do?

To answer, drag the appropriate OU or OUs to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:We need to create two top level OUs to delegate control of the appropriate departments to the appropriategroups. By having the OUs at the same level means that neither department will have control over the otherOU.

The human resources department needs to be able to manage the membership of only the accounts groups.An OU for the accounts groups will enable us to delegate the necessary permissions to the Human Resourcesdepartment.

The server support department needs to be able to manage the membership of only there source groups.AnOU for the resource groups will enable us to delegate the necessary permissions to the Server Supportdepartment.

The Domain Admins group needs to be able to manage all groups. The domain admins group has permissionto manage all groups in the domain.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6-3 to6-9, 6-16 to 6-23

QUESTION 4You are the network administrator for your company. The network consists of a single Active Directory domain.The functional level of the domain is Windows Server 2003.

The company's written security policy requires the following account policies:

· User accounts must be automatically locked out in the event of three consecutive failed logon attempts withina 30-minute period.· Manual administrative action must be required to unlock a user account.

You need to configure the account policies for the domain to comply with the security requirements.

What should you do?

To answer, drag the appropriate account policy setting or settings to the correct location or locations in the workarea.

Select and Place:

Correct Answer:



Explanation:The Account lockout duration security setting determines the number of minutes a locked-out account remainslocked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999minutes. If you set the account lockout duration to 0, the account will be locked out until an administratorexplicitly unlocks it.

The Account lockout threshold security setting determines the number of failed logon attempts that causes auser account to be locked out. A locked-out account cannot be used until it is reset by an administrator or untilthe lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts.If you set the valueto 0, the account will never be locked out.

The Reset account lock out counter after security setting determines the number of minutes that must elapseafter a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. Theavailable range is 1 minute to 99,999 minutes.

Reference:Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290):Managing and Maintaining a Microsoft Windows Server 2003 Environment, MicrosoftPress, Redmond, Washington, 2004, p. 3-40Microsoft Official Curriculum 1558, Advanced Administration of Microsoft Windows 2000 - Module 7: AdvancedAdministration of User Accounts and Groups, pp. 6-10.

QUESTION 5You are the network administrator for your company. The network consists of a single Active Directory domain.The company contains several departments. One of these departments is sales. A group named Sales Adminsis responsible for administering the sales department. In addition, the sales department has two teams that areresponsible for daily support. One of these teams supports the sales department's user accounts. The otherteam supports the sales department's computers.

Each department in the company has a specific set of Group Policy objects (GPOs). The sales department hastwo additional sets of GPOs. One set of GPOs is for user accounts. The other set of GPOs is for computers.

You need to configure the organizational unit (OU) structure to support the implementation of GPOs anddelegation of security for the sales department. You want to accomplish this task by using the minimum amountof administrative effort.

How should you configure the OU structure?

To answer, drag the appropriate OU or OUs to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The Sales OU has two additional GPOs: one for User accounts and one for computer. Therefore we need a twolevel OU structure with the Sales OU as the parent OU and the Accounts OU and Computers OU being childOUs.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam70-294: Planning,Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Microsoft Press,Redmond, Washington, 2004, pp. 6-3 to6-9, 6-16 to 6-23

QUESTION 6You are the network administrator for a company that has two locations, New York and Singapore. Thecompany is installing an Active Directory forest that consists of a single domain.

The company's departments are divided into two main divisions named Operations and Support. The local ITstaff at each location is responsible for user support at their location, regardless of the user's division. Theresearch and development (R&D) department has its own IT support staff. The R&D department maintains itsown IT support staff regardless of location.

You need to plan a top-level organizational unit (OU) structure that facilitates delegation of administrativecontrol.

Which top-level OU or OUs should you create?

To answer, drag the appropriate top-level OU or OUs to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The local IT staff at each location is responsible for user support at their location,regardless of the user'sdivision. An OU for each location will enable the local IT staff tomanage resources in that location (except forR&D resources).

The research and development (R&D) department has its own IT support staff. The R&D department maintainsits own IT support staff regardless of location. An OU for R&D resources will enable the R&D support staff tomanage the R&D resources.


QUESTION 7You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domainnamed contoso.com. All servers run Windows Server 2003. You are planning the implementation of new GroupPolicy objects (GPOs).

The accounting department and the research department each has its own organizational unit (OU). Theaccounting department includes the accounts payable (AP) department and the accounts receivable (AR)department. The Accounting OU contains an AP OU and an AR OU. User accounts are in the Accounting, AP,AR, and Research OUs.

The accounting department has an accounting application that must be installed on the computers that areused by users in the accounting department. You want to avoid installing the accounting application on thecomputers of any other users. You plan to create a GPO named Software to install the accounting application.

The research department's user accounts must have passwords that are at least eight characters in length andmust be changed every 30 days.There are no specific password requirements for any other users in the contoso.com domain. You plan tocreate a GPO named Password to configure the minimum password length and password age.

You need to decide the correct locations for placing the Password GPO and the Software GPO, whileminimizing the time it takes for any user to log on to the domain.

Where should you link the Password GPO and the Software GPO?

To answer, drag the appropriate GPO or GPOs to the correct location or locations in the work area. If bothpolicies need to be linked to the same location, use the source labeled Both GPOs.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The accounting department has an accounting application that must be installed on the computers that areused by users in the accounting department. You want to avoid installing the accounting application on thecomputers of any other users. You plan to create a GPO named Software to install the accounting application.The software GPO can be applied to the Accounting OU. This GPO will also apply to the AP and AR OUs(which also contain accounts users).

The research department user accounts must have passwords that are at least eight characters in length andmost be changed every 30 days. There are no specific password requirements for any other users in thetestking.com domain. You plan to create a GPO named Password to configure the minimum password lengthand password age. Password policies for domain user accounts must be applied at the domain level. Thepolicies will have no effect on domain user accounts if they are applied at any other level.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12-3to 12-10, 12-13 to 12-28, 12-34 to 12-39

QUESTION 8

You are the network administrator for Northwind Traders. The network consists of a single Active Directorydomain named northwindtraders.com.Windows Server 2003 domain controllers are located in two sites named Site1 and Site2. The domain containsan organizational unit (OU) named Accounting. The user accounts for users in the accounting department arelocated in the Accounting OU. Users in the accounting department can log on to any client computer.

You need to deploy an antivirus application to all computers on the network without user intervention. You alsoneed to deploy a special accounting application to user accounts in the Accounting OU without userintervention. The accounting application must be available to users in the accounting department regardless ofwhich computer they are using. You need to minimize the number of GPO links.

You create the Group Policy objects (GPOs) listed in the following table.

Where should you link the GPOs ?

To answer, drag the appropriate GPO or GPOs to the correct domain component or components in the workarea.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:We need to apply the antivirus application to all computers on the network. This means we should configureComputer Configuration section of the GPO to assign the antivirus application and link the GPO at the Domainlevel. Applications can only be assigned to computers they cannot be published to computers. The only GPOthat meets this is GPO1.

We also need to apply an accounting application to user accounts in the Accounting OU without userintervention. The accounting application must be available to users in the accounting department regardless ofwhich computer they are using. This means theapplications must become part of the users desktop or startmenu. So we should configure User Configuration section of the GPO to assign the accounting application andlink the GPO at the OU level. The only GPO that meets this is GPO4


QUESTION 9

You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003.

The user accounts for support staff users are located in an organizational unit (OU) named Support. All otheruser accounts are located in an OU named UserAccounts. As the company expands, user accounts for usersother than support staff might be created in OUs other than the UserAccounts OU.

A written company policy states that all users, including support staff, must comply with the following rules:

· Users are not allowed to use offline files.· Only support staff employees are allowed to edit the registry.

The written policy also states that any changes to these rules must be applied to the entire company as quicklyas possible.

You need to enforce the written company policy by using the minimum amount of administrative effort.

Which action or actions should you take, and where should you take the action or actions?


Select and Place:

Correct Answer:


Explanation/Reference:Explanation:All users, including support staff, are not allowed to use offline files and only supportstaff employees areallowed to edit the registry.This means we need an OU at the domain level that disables the registry editingtools, andone that prevents the use of offline tools. These GPOs will ensure that all users, including supportstaff, are not allowed to use offline files. It will also disable the use of registry editing tools for all users.Therefore, we need another GPO that allows the use of the registry editing tools for the Support OU. GPOs areapplied at the domain level before theOU level so the GPO applied at the OU level will override the GPO applied at the domain level.


QUESTION 10You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. Each department in the company has an organizational unit (OU) for allits resources and accounts.

The company has a desktop support team that provides support to all departments. A separate team createsGroup Policy objects (GPOs) for the desktop support staff to use. The GPO creation team is not allowed to linkthe GPO to any departmental OUs. The desktop support staff is allowed to use the GPOs created by the GPOcreation team with departmental OUs. If members of the desktop support staff need a GPO that does not exist,they can request it, but they are not allowed to create any GPOs.

You need to ensure that the appropriate teams are granted the appropriate permissions.

What should you do?


Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The GPO creation team must not link the GPO to any departmental OU. The desktop support staff must beable use the GPO but are not allowed to create any GPOs themselves. Thus, the GPO creation team must bemembers of the Group Policy Creator Owners group, and the desktop support staff must have Allow - Readand Allow - Write permissions to the gPLink and gPOptions attributes of the departmental OUs.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Microsoft Press,Redmond, Washington, 2004, pp. 10-40to 10-41

QUESTION 11You are the network administrator for your company. Your network consists of a single Active Directory domain.All servers run Windows Server 2003. All user accounts in your domain are located in an organizational unit(OU) named User Accounts.

User accounts are separated into two types: accounts for users who use portable computers and accounts forusers who use desktop computers.The accounts for the users who use portable computers are in an OU named Portable, and the accounts for theusers who use desktop computers are in an OU named Desktop. The OU structure is shown in the work area.

Users who use portable computers often travel with them, but they do not connect to the network when they areout of the office.

You need to install an application on all client computers. Users must be able to run the application even if theclient computer is not connected to the network. You need to perform the installation in a way that reducesnetwork load on the installation source. All software installed by using a Group Policy object (GPO) mustrequire as little support as possible.

You need to configure Group Policy to install the application. You also need to link any GPO to the appropriateOU.

What should you do?

To answer, drag the appropriate action or actions for a GPO to perform to the correct OU or OUs in the workarea.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The application must be installed on all client computers. However, some computers are portable computers.We therefore should not apply the GPO at the domain level but at the OU level because we can only have the

application installed on the portable computers when users log on to the network from the portable computers.Once installed, this application must be available even when users aren't connected to the network,thereforewe need to assign and not publish the application.

Because we apply the GPO at the OU level, desktop users can be treated differently. To reduce network loadon the installation source we can configure the GPO for the Desktop OU to install the application on demandrather than at log on.


QUESTION 12You are the network administrator for Wingtip Toys. The network consists of a single Active Directory domainnamed wingtiptoys.com. The network also consists of two sites named Site1 and Site2. Each site containsdomain controllers. An organizational unit (OU) named Accounting contains two child OUs named AccountsPayable and Accounts Receivable. All user accounts for users in the accounting department are located inthese three OUs.

User accounts in the Accounting OU need to have password lengths of at least eight characters. You need toensure that users in the Accounting OU, the Accounts Receivable OU, and the Accounts Payable OU cannotmodify their screen savers. In addition, you need to ensure that users in the Accounts Payable OU cannotchange their desktop wallpaper.

Another administrator creates the four Group Policy objects (GPOs) listed in the following table.

You need to decide where to link the appropriate GPOs to each OU.


To answer, drag each appropriate GPO to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:We need to ensure that user accounts in the Accounting OU have password lengths of at least eightcharacters. We can accomplish this by applying GPO2 at the domain level.

Next we need to ensure that users in the Accounting OU, the Accounts Receivable OU,and the AccountsPayable OU cannot modify their screen savers. We can accomplish this by applying GPO3 at the AccountingOU because the Accounts Receivable OU and the Accounts Payable OU is child OUs of the Accounting OU.

Finally, we must ensure that users in the Accounts Payable OU cannot change their desktop wallpaper. We canaccomplish this by applying GPO4 at the Accounts Payable OU. We would use GPO4 rather than GPO1

because the setting is Prevent changing wallpaper. This must be enabled.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16to 10-20, 10-41

QUESTION 13DRAG DROPYou are the network administrator for TestKing.com. The network consists of a single Active Directory forestthat contains two domains with three sites. Domain1 isused as an empty root domain for security purposes.Domain1 has a domain controller only in Testking1. Domain2 has domain controllers in all three sites. The domain controllers in Testking1 and Testking2 are global catalog servers. Each client computer on thenetwork runs Windows NT Workstation 4.0, Windows 2000Professional, or Windows XP Professional.

You and your administration staff are located at Testking1, where you performadministrative tasks. You want tominimize network traffic as much as possible. The number of user accounts per site for each domain is shownin the following table.

You are planning the placement of the operations master role holders. You need to place your operationsmaster roles in the appropriate sites.

How many operations master roles should you place in each site?

To answer, drag the appropriate number of roles to the correct locations in thework area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:Domain1 had one domain controller only in the Testking1 site. Therefore, the domain controller in Domain1 willneed all five FSMO roles: the Schema role, the DomainNaming Master role, the Primary Domain Controller (PDC) Emulator Role, the Relative Identifier (RID) MasterRole, and the Infrastructure Master Role.

Domain2 has domain controllers in all three sites but most users are in site Testking3.The two forest-wide roles - the Schema role and the Domain Naming Master role - cannot be assigned again.This leaves us with three roles. The Primary Domain Controller (PDC) Emulator Role and the Relative Identifier(RID) Master Role should be in the site with the most users, and the Infrastructure Master Role can be placedin the remaining site.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-29to 4-30.

Designing a Microsoft Windows Server 2003 Active Directory and NetworkInfrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-13 to 5-14.

Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, andMaintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 300-312, 505-508.

QUESTION 14DRAG DROPYou are the network administrator for TestKing.com. The network consists of asingle Active Directory forestthat contains multiple domains. The functional level ofthe forest is Windows Server 2003.

The forest includes two Active Directory sites named TestKingSite1 andTestKingSite2. TestKingSite1 containstwo domain controllers that are globalcatalog servers named TestKingA and TestKingB. TestKingSite2 containstwodomain controllers that are not global catalog servers named TestKingC andTestKingD. The two sites areconnected by a WAN connection. Users inTestKingSite2 report that logon times are unacceptably long.

You need to improve logon times for the users in TestKingSite2 while minimizingreplication traffic on the WANconnection.

How should you configure the network?

To answer, drag the appropriate configuration option or options to the correctlocation or locations in the work

area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:

We need to improve logon times for the users in TestKingSite2 while minimizingreplication traffic on the WANconnection. Logon times in TestKingSite2 are slowbecause the domain controllers need to contact a globalcatalog server in TestKingSite1for universal group information. We can prevent this by enabling Universalgroupmembership caching in TestKingSite2. Enabling Universal group membership caching atthe site level willensure that all the domain controllers in TestKingSite2 will be able tocache the information. We could improvelogon times by placing a global catalog server enabling Universal group membership caching is a bettersolution.

Universal group membership caching allows the domain controller to cache universalgroup membershipinformation for users. You can enable domain controllers that arerunning Windows Server2003 to cacheuniversal group memberships by using the ActiveDirectory Sites and Services snap-in.Enabling universal group membership caching eliminates the need for a global catalogserver at every site in adomain, which minimizes network bandwidth usage because adomain controller does not need to replicate allof the objects located in the forest. It alsoreduces logon times because the authenticating domain controllers donot always need toaccess a global catalog to obtain universal group membership information.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17to 1-18, 5-41 to 5-46.

Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, andMaintaining a Windows Server 2003 Active Directory Infrastructure Study Guide DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 31, 543, 547,550-552.

QUESTION 15DRAG DROPYou are the network administrator for TestKing.com. The network consists of asingle ActiveDirectory domain with four sites. The sites are connected by site links,as shown in the work area.

You need to ensure that the Knowledge Consistency Checker (KCC) uses the faster connection links whenpossible.

What should you do?

To answer, drag the appropriate site link cost or costs to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:Site link costs determine which links are first used for replication. The link with thelowest cost is used first. Ifthat link is down, the link with the next lowest cost is used.We must therefore assign the lowest cost to the site links with the highest available bandwidth, i.e., Site TK1 -Site TK4 and Site TK2 - Site TK3. We must then assign the site link with the next highest available bandwidth(Site TK3 - Site TK4) the next lowest cost. The site link with the lowest available bandwidth (Site TK1 - SiteTK2) must have the highest cost.

Reference:Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, andMaintaining a Windows Server 2003 Active Directory Infrastructure Study Guide DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 449-452, 458,458-459

QUESTION 16You are the network administrator for your company. The network consists of a single Active Directory domain.The functional level of the domain is Windows Server 2003. The domain is shown in the exhibit. (Click the Exhibit button.)

Replication is scheduled to take place once per day. Each server is fully backed up daily.

You connect to Server1 and create seven logon scripts in the Default Domain Policy Group Policy object(GPO).

Three days later, an administrator in Tel Aviv inadvertently corrupts the scripts on Server3. Ten minutes later,you successfully make changes to one of the logon scripts on Server1.

You need to make the latest version of the logon scripts available to users in Tel Aviv as soon as possible.

What should you do?

To answer, drag the action that you should perform first to the First Action box. Continue dragging actions tothe corresponding numbered boxes until you list all required actions in the correct order. You might not need to

use all numbered boxes.

Exhibit:

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:You want to get TestKing3 back up to the most current script versions that are stored in active Directory.Restoring the SySVol restores the scripts to the good versions that were backed up in the previous backup.After rebooting, changes in Active Directory since the last backup will be replicated to this server's ActiveDirectory.


QUESTION 17You are the network administrator for Tailspin Toys. The network consists of a single Active Directory forest.The functional level of the forest is Windows 2000. The forest consists of a root domain named tailspintoys.com and two child domains named child1.tailspintoys.com and child2.tailspintoys.com.The functional level of all domains is Windows 2000 native. All domain controllers in the tailspintoys.comdomain run Windows Server 2003. All domain controllers in the child1.tailspintoys.com and child2.tailspintoys.com domains run Windows 2000 Server.You need to be able to rename all domain controllers in tailspintoys.com. You want to minimize impact tothe network.What should you do?To answer, drag the appropriate action or actions to the correct location or locations in the work area

Select and Place:

Correct Answer:

Exam I

QUESTION 1You are the network administrator for your company. The network consists of a single Active Directory domainnamed treyresearch.com.A domain controller named Server1 runs Windows Server 2003. All other domain controllers run Windows NT4.0. You upgrade one Windows NT 4.0 BDC to Windows Server 2003, and remove all other Windows NT 4.0 BDCsfrom the domain. There is one member server running Windows NT 4.0 and one Windows 2000 Server member server.You need to offer the most functionality for the treyresearch.com domain. You must accomplish this task by using the Active Directory Users and Computers console with the leastamount of administrative effort.

A. Simulation

Correct Answer: ASection: SimulatinosExplanation

Explanation/Reference:Answer:5. Open Active Directory Users and Computers. 6. Right-click on treyresearch.com.7. Raise Domain Functional Level to Windows Server 2003.

*** On the exam the Active Directory Users and Computers will be open on screen.

QUESTION 2You Are the network administrator for your company. The company has offices in London and in Cario. Thenetworks are connected using 128 Kbps leased line connection. The network consist of a single ActiveDirectory domain named treyresearch.com. The London office network contains one domain controller wich isassigned the roles of the global catalog. The Cario office network only contains one domain controller. Youdiscover that users from the Cario office usually take a much longer time to log on the network. You need toimprove logon performance for users in the Cario office without increasing WAN traffic that is due toreplication. You must accomplish this task by using the Active Directory Sites and Services console with the least amountof administrative effort. Your operation must not affect other settings.

A. Simulation


Explanation/Reference:Answer:1. Open Active Directory Sites and Services2. On Cairo site right-click on NTDS Site Settings.3. On Prperties select the Enable Universal Group Membership Caching check box.

*** On the exam the Active Directory Sites and Services will be open on screen.

QUESTION 3You are the network administrator for your company. The network consists of a single Active Directorydomain. A server named Server1 functions as a domain controller server.

All computer and user accounts of the human resources (HR) department are located in an organizational unit(OU) named HR. your company uses a Group Policy object (GPO) named HRGPO to centrally apply securitysettings to thr HR OU. For security reasons, you deploy smart cards to the HR department’s computers.You need to ensure the user who uses the interactive logons to logon to the HR computer must use a smartcard. You must configure Server1 by using the least amount of administrative effort. Your operation must notaffect other settings.

A. Simulation


Explanation/Reference:Answer:1. Open Group Policy Object Editor.Then follow this path:2. Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive

logon: Require smart card.

*** On the exam the Group Policy Object Editor will be open on screen.

QUESTION 4You are the network administrator for your company. The network consists of a single Active Directory forestand includes two domains named contoso.com and treysearch.com. A two way domain trust exists between thetwo domains. The domain controllers in the contoso.com domain have remote desktop enabled. The membersof Remote Desktop domains group in contoso.com are enabled to access the domain controllers throughremote desktop.You need to create a group named Group1 to meet the following requirements:

You can add members from both the contoso.com and treysearch.com domains.The users in Group1 should have permissions to access all remote desktop enabled domain controllers inthe contoso.com domain through remote desktop.

You must accomplish this task by using the Active Directory Users and Computers console on Server1 withthe least amount of administrative effort. Your operation must not affect other settings.

A. Simulation


Explanation/Reference:Answer:1. Open Active Directory Users and Computers.2. Right-click on domain contoso.com and create a new group and name it Group1 and select Domain local

and Security options.3. Right-click on domain contoso.com and create a new group and name it AdminGroup and select Global and

Security options.4. Right-click on Group1 and on Properties tab select Members and add it to AdminGroup.


QUESTION 5You are the network administrator for your company. Your network consists of a single Active Directory domain

named contoso.com. All servers run Windows Server 2003. You use Group Policy objects (GPOs) to distribute software. Your company uses two different applicationsnamed Application1and Application2 to view videos. Users are allowed to choose which program they will usebased on the features and formats they require. Only the users are allowed to decide which of these twoapplications will be installed. You need to configure the GPO to install either video application based on the user's choice. You must accomplish this task by using the Group Policy Object Editor console. Your operation must notaffect other settings.

A. Simulation



Answer: 1. Open Group Policy Object Editor.2. Under User Configuration click on Software Installation. 3. Then Right-click on Software Package and select Publish and clear the Auto-install this application by file

extension activation check box.


QUESTION 6You are the network administrator for your company. The network consists of a single Active Directory domain.You have two OUs one for user accounts and one for Servers and two GPO’s one for users OU and one forServers OU.Users GPO install desktop utilities for all user accounts. Servers GPO secure the servers. You must ensure that desktop utilities are not installed on servers when users log on to the servers. You must accomplish this task by using the Group Policy Object Editor console. Your operation must notaffect other settings.

A. Simulation


Explanation/Reference:Answer: 1. Open Group Policy Object Editor. 2. Follow this path: Computer Configuration / Administrative Templates / System / Group Policy / User Group

Policy loopback processing mode select Enable and select Replace Mode


QUESTION 7You are the administrator for Litware, Inc. The network consists of a single Active Directory domain namedlitwareinc.com. All servers run Windows 2003. All client computers run Windows XP Professional. Eachdesktop support team member is configured as a local Administrator so that the team members can installsoftware and support the end users.You create a software restriction policy that only prevents users from running registry editing tools by file hashrule. You apply the policy to all user accounts in the domain.The desktop support team reports that they are unable to run registry editing tools.

You need to ensure that only the desktop support team can run registry editing tools. You must accomplish the task by using the Default Domain Security Settings console. Your operation mustnot affect other settings

A. Simulation


Explanation/Reference:Answer:1. Open the Default Domain Security Settings.2. Edit the permissions of the reg tools GPO by assigning the desktop support team the Deny-Apply group

policy permission.

***On the exam the Default Domain Security Settings will be open on the screen.

QUESTION 8You are the network administrator for your company. The network consists of a single Active Directory domainthat contains four domain controllers. All servers run Windows Server 2003. All userccounts are located in an organizational unit (OU) named CompanyUsers. A written company policy requires all users to use strong passwords.

User passwords must contain a mixture of letters, numbers, or special characters. Passwords must be at least 10 characters long. Passwords must be changed at least every 60 days, and the new password cannot be the same as the oldone.

To enforce this requirement, you create a Group Policy object (GPO) named Password Policies and link theGPO to the CompanyUsers OU. You discover that users are creating simple passwords that do not meet the complexity requirements. You need to ensure that the company password requirements are enforced. What should you do?

A. Simulation


Explanation/Reference:Answer:1. Open Group Policy Management and Right-click on Default Domain Policy and select Edit.2. On the Edit window follow ths path: Computer Configuration / Windows Settings / Security Settings /

Account Policies / Password Policy / select Password must meet complexity requirements Enable checkbox.

*** On the exam the Group Policy Management will be open on screen.

QUESTION 9You are the network administrator for your company. The network consists of a single Active Directory domainnamed contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.You create a Group Policy object (GPO) named GPO1. You configure GPO1 to list an application named App1 in the software installation section of the computersettings. You link GPO1 to the domain.You need to ensure that all users have App1 available on their client computers except domain controllersaccounts on Server1.

You must accomplish this task by using the Active Directory Users and Computers console. Your operationmust not affect other settings.

A. Simulation


Explanation/Reference:Answer:3. Open Active Directory Users and Computers and right-click on the domain and select Propertis.4. On the Policies tab select Edit (GPO1).5. Delete App1 from the computers section.


QUESTION 10You are the network administrator for your company. Your network consists of a single Active Directory domainnamed contoso.com. All servers run Windows 2003.Your company is deploying a new application named App1. The installation must meet the followingrequirements:

The application must be available to all users on their client computers.The application must be fully installed rather than advertised by using a shortcut.The application must be installed by using Default Domain Policy.

You need to configure Group Policy to install the application. You must accomplish this task by using the GroupPolicy Object Editor console. Your operation must not affect other settings.

A. Simulation


Explanation/Reference:Answer: 1. Open Group Policy Object Editor.2. Under User Configuration click on Software Installation. 3. Then Right-click on Software Package and select Publish and clear the Auto-install this application by file

extension activation check box.


QUESTION 11A company has a single Active Directory. It’s Sales Dept has two Web servers and two Database servers.There is two GPO’s created in place for the servers. First GPO must apply to Web and Database servers.Second GPO must apply to Database server only. You must create an OU structure base on the needs of the 2GPO’s mentioned above. What should you do?

A. Simulation

Correct Answer: ASection: Simulatinos

Explanation

Explanation/Reference:Answer:1. Open Active Directory Users and Computers2. Right-click on domain.local and create a new Organizational Unit and name it Sales. 3. Create 2 child Organizational Units - Database Servers and Web Servers - under Sales.


QUESTION 12Link a GPO to an OU and ensure that they cannot be overwritten and link the Default Domain Policy to theDomain and the Default Domain Controller Policy to the Domain Controller OU. What should you do?

A. Simulation


Explanation/Reference:Answer: 1. Open Group Policy Management and right-click on the OU. 2. Select Link an Existing GPO and select the mentioned GPO.3. Right-click on the OU and on Properties select Group Policy tab then select the mentioned GPO / Options /

select the No Override check box. 4. Right-click on the domain.local and select Link an Existing GPO and select Default Domain Policy.5. Right-click on Domain Controllers OU and select Link an Existing GPO then select Default Domain

Controller Policy.

*** On the exam the Group Policy Management will be open on screen.

QUESTION 13You are the network administrator for your company. The network consists of a single Active Directory domain.All the file servers of the finance department are located in an organizational unit (OU) namedFinanceServer.The finance department hires a new employee named Frank Lee. During the probationary period, Frank Lee must be able to read the public files which are shared in the financedepartment’s file servers.You need to ensure that Frank Lee has only the permissions necessary for performing his required tasks. You must accomplish this task by using the Delegation of Control Wizard dialog box. Your operation must notaffect other settings.

A. Simulation


Explanation/Reference: Answer: 1. Open Active Directory Users and Computers2. Right-click on Marketing OU and Delegate Control to Frank Lee.


QUESTION 14You are the network administrator for your company. The network consists of a single Active Directory domainwith three sites. Site1,site2 and site3. Site 1and Site3 are connected by 56kbps line and Site1 to Site2 andSite2 to Site3 are connected by T1 lines. You need to ensure that traffic is routed through higher bandwidth first for domain replication traffic.You must accomplish this task by using the Active Directory Sites and Services console with the leastamount of administrative effort. Your operation must not affect other settings.

A. Simulation


Explanation/Reference:Answer: 1. Open Active Directory Sites and Services.2. Then follow this path: Expand Sites / Expand Inter-Site Transports / Expand IP.3. Right-click on Site1 to Site2 and under Properties select Change the Cost value to 56 kps.


QUESTION 15You have computers that are used for guest access. You must ensure the following:

1. Internet Explorer (iexplorer.exe) must run only on these computers.2. The home page of internet explore must be http://www.contoso.com

You must accomplish this task by using the Group Policy Object Editor console. Your operation must notaffect other settings.

A. Simulation


Explanation/Reference:Answer:1. Open Group Policy Object Editor.2. Follow this path: User Configuration / Administrative Templates / System. Enable Run only allowed windows

applications and add iexplorer.exe to the list. 3. Follow this path: : User Configuration / Administrative Templates / Windows Components / Internet

Explorer. Enable Disable change of home page and specify http://www.contoso.com as home page.


QUESTION 16You are the network administrator for your company. The company has offices in Toronto and Chicago. Thenetwork consists of a single Active Directory domain that contains four domain controllers. The Toronto andChicago offices are connected by an IP site link. You notice that the print servers increase to 100 percent and become unresponsive to user requests during

Active Directory replication. You need to ensure that the print servers are responsive to user requests during Active Directory replication. You must accomplish this task by using the Active Directory Sites and Services console with the leastamount of administrative effort. Your operation must not affect other settings.

A. Simulation


Explanation/Reference:Answer: 1. Open Active Directory Sites and Services.2. Right-click On the first site and uncheck the Global Catalog role from the print servers and make another

server in the same site the global catalog (Web Server).

*** On the exam the Active Directory Sites and Services will be open on screen

QUESTION 17In a Site with 2 Servers, you must transfer the RID, PDC and Infrastructure Role from DC1 to DC2. You must accomplish this task by using the Active Directory Users and Computers console with the leastamount of administrative effort.

A. Simulation


Explanation/Reference:Answer: 1. Open Active Directory Users and Computers Right-click on domain.local.2. Follow this path: All Tasks / Operations Masters / Change RID to DC2 / Change PDC to DC2 / Change

Infrastructure to DC2.


QUESTION 18A question about passwords history, minimum, and maximum ages.

A. Simulation


Explanation/Reference:Answer:On the the Local Security Settings for the Password Policy Panel:3. Right-click on Minimum Password Age and change the number accordingly.4. Right-click on Maximum Password Age and change the number accordingly.5. Right-click on Password History and change the number accordingly.

***On the exam the Local Security Settings panel will be open on the screen.

QUESTION 19You are the network administrator for your company. The network consists of a single forest with two sites. Thefunctional of the forest is Windows Server 2003. The forest consists of two domains named treysearch.comand Litwareinc.com. Some users are relocated from Site 1 to Site2. Their user accounts remain in theLitwareinc.com domain, and they use their user principal names (UPNs) to log on from the Treyresearch.comdomain. The relocated users report that they cannot log on to the domain when the network connection is unavailablebetween Site1 and Site2.You need to ensure that the relocated users can log on to the domain when the network connection isunavailable even if they have never logged on before. You must accomplish this task by using the Active Directory Sites and Services console with the leastamount of administrative effort. Your operation must not affect other settings.

A. Simulation


Explanation/Reference:Answer:1. Open Active Directory Sites and Services.2. Add SMTP bridgehead server in both sites.


QUESTION 20You are the network administrator for a company that has two locations, New York and Singapore. Thecompany is installing an Active Directory forest that consists of a single domain.

The company's departments are divided into two main divisions named Operations and Support. The local ITstaff at each location is responsible for user support at their location, regardless of the user's division. Theresearch and development (R&D) department has its own IT support staff. The R&D department maintains itsown IT support staff regardless of location.

You need to plan a top-level organizational unit (OU) structure that facilitates delegation of administrativecontrol.

Which top-level OU or OUs should you create?

To answer, drag the appropriate top-level OU or OUs to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The local IT staff at each location is responsible for user support at their location,regardless of the user'sdivision. An OU for each location will enable the local IT staff tomanage resources in that location (except forR&D resources).

The research and development (R&D) department has its own IT support staff. The R&D department maintainsits own IT support staff regardless of location. An OU for R&D resources will enable the R&D support staff tomanage the R&D resources.


QUESTION 21You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domainnamed contoso.com. All servers run Windows Server 2003. You are planning the implementation of new GroupPolicy objects (GPOs).

The accounting department and the research department each has its own organizational unit (OU). Theaccounting department includes the accounts payable (AP) department and the accounts receivable (AR)department. The Accounting OU contains an AP OU and an AR OU. User accounts are in the Accounting, AP,AR, and Research OUs.

The accounting department has an accounting application that must be installed on the computers that areused by users in the accounting department. You want to avoid installing the accounting application on thecomputers of any other users. You plan to create a GPO named Software to install the accounting application.

The research department's user accounts must have passwords that are at least eight characters in length andmust be changed every 30 days.There are no specific password requirements for any other users in the contoso.com domain. You plan tocreate a GPO named Password to configure the minimum password length and password age.

You need to decide the correct locations for placing the Password GPO and the Software GPO, whileminimizing the time it takes for any user to log on to the domain.

Where should you link the Password GPO and the Software GPO?

To answer, drag the appropriate GPO or GPOs to the correct location or locations in the work area. If bothpolicies need to be linked to the same location, use the source labeled Both GPOs.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The accounting department has an accounting application that must be installed on the computers that areused by users in the accounting department. You want to avoid installing the accounting application on thecomputers of any other users. You plan to create a GPO named Software to install the accounting application.The software GPO can be applied to the Accounting OU. This GPO will also apply to the AP and AR OUs(which also contain accounts users).

The research department user accounts must have passwords that are at least eight characters in length andmost be changed every 30 days. There are no specific password requirements for any other users in thetestking.com domain. You plan to create a GPO named Password to configure the minimum password lengthand password age. Password policies for domain user accounts must be applied at the domain level. Thepolicies will have no effect on domain user accounts if they are applied at any other level.


QUESTION 22

You are the network administrator for Northwind Traders. The network consists of a single Active Directorydomain named northwindtraders.com.Windows Server 2003 domain controllers are located in two sites named Site1 and Site2. The domain containsan organizational unit (OU) named Accounting. The user accounts for users in the accounting department arelocated in the Accounting OU. Users in the accounting department can log on to any client computer.





Select and Place:

Correct Answer:





QUESTION 23

You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003.

The user accounts for support staff users are located in an organizational unit (OU) named Support. All otheruser accounts are located in an OU named UserAccounts. As the company expands, user accounts for usersother than support staff might be created in OUs other than the UserAccounts OU.

A written company policy states that all users, including support staff, must comply with the following rules:

· Users are not allowed to use offline files.· Only support staff employees are allowed to edit the registry.

The written policy also states that any changes to these rules must be applied to the entire company as quicklyas possible.

You need to enforce the written company policy by using the minimum amount of administrative effort.

Which action or actions should you take, and where should you take the action or actions?


Select and Place:

Correct Answer:


Explanation/Reference:Explanation:All users, including support staff, are not allowed to use offline files and only supportstaff employees areallowed to edit the registry.This means we need an OU at the domain level that disables the registry editingtools, andone that prevents the use of offline tools. These GPOs will ensure that all users, including supportstaff, are not allowed to use offline files. It will also disable the use of registry editing tools for all users.Therefore, we need another GPO that allows the use of the registry editing tools for the Support OU. GPOs areapplied at the domain level before theOU level so the GPO applied at the OU level will override the GPO applied at the domain level.


QUESTION 24You are the network administrator for your company. The network consists of a single Active Directory domain.All servers run Windows Server 2003. Each department in the company has an organizational unit (OU) for allits resources and accounts.

The company has a desktop support team that provides support to all departments. A separate team createsGroup Policy objects (GPOs) for the desktop support staff to use. The GPO creation team is not allowed to linkthe GPO to any departmental OUs. The desktop support staff is allowed to use the GPOs created by the GPOcreation team with departmental OUs. If members of the desktop support staff need a GPO that does not exist,they can request it, but they are not allowed to create any GPOs.

You need to ensure that the appropriate teams are granted the appropriate permissions.

What should you do?


Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The GPO creation team must not link the GPO to any departmental OU. The desktop support staff must beable use the GPO but are not allowed to create any GPOs themselves. Thus, the GPO creation team must bemembers of the Group Policy Creator Owners group, and the desktop support staff must have Allow - Readand Allow - Write permissions to the gPLink and gPOptions attributes of the departmental OUs.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Microsoft Press,Redmond, Washington, 2004, pp. 10-40to 10-41

QUESTION 25You are the network administrator for your company. Your network consists of a single Active Directory domain.All servers run Windows Server 2003. All user accounts in your domain are located in an organizational unit(OU) named User Accounts.

User accounts are separated into two types: accounts for users who use portable computers and accounts forusers who use desktop computers.The accounts for the users who use portable computers are in an OU named Portable, and the accounts for theusers who use desktop computers are in an OU named Desktop. The OU structure is shown in the work area.

Users who use portable computers often travel with them, but they do not connect to the network when they areout of the office.

You need to install an application on all client computers. Users must be able to run the application even if theclient computer is not connected to the network. You need to perform the installation in a way that reducesnetwork load on the installation source. All software installed by using a Group Policy object (GPO) mustrequire as little support as possible.

You need to configure Group Policy to install the application. You also need to link any GPO to the appropriateOU.

What should you do?

To answer, drag the appropriate action or actions for a GPO to perform to the correct OU or OUs in the workarea.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:The application must be installed on all client computers. However, some computers are portable computers.We therefore should not apply the GPO at the domain level but at the OU level because we can only have the

application installed on the portable computers when users log on to the network from the portable computers.Once installed, this application must be available even when users aren't connected to the network,thereforewe need to assign and not publish the application.

Because we apply the GPO at the OU level, desktop users can be treated differently. To reduce network loadon the installation source we can configure the GPO for the Desktop OU to install the application on demandrather than at log on.


QUESTION 26You are the network administrator for Wingtip Toys. The network consists of a single Active Directory domainnamed wingtiptoys.com. The network also consists of two sites named Site1 and Site2. Each site containsdomain controllers. An organizational unit (OU) named Accounting contains two child OUs named AccountsPayable and Accounts Receivable. All user accounts for users in the accounting department are located inthese three OUs.

User accounts in the Accounting OU need to have password lengths of at least eight characters. You need toensure that users in the Accounting OU, the Accounts Receivable OU, and the Accounts Payable OU cannotmodify their screen savers. In addition, you need to ensure that users in the Accounts Payable OU cannotchange their desktop wallpaper.

Another administrator creates the four Group Policy objects (GPOs) listed in the following table.

You need to decide where to link the appropriate GPOs to each OU.


To answer, drag each appropriate GPO to the correct location or locations in the work area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:We need to ensure that user accounts in the Accounting OU have password lengths of at least eightcharacters. We can accomplish this by applying GPO2 at the domain level.

Next we need to ensure that users in the Accounting OU, the Accounts Receivable OU,and the AccountsPayable OU cannot modify their screen savers. We can accomplish this by applying GPO3 at the AccountingOU because the Accounts Receivable OU and the Accounts Payable OU is child OUs of the Accounting OU.

Finally, we must ensure that users in the Accounts Payable OU cannot change their desktop wallpaper. We canaccomplish this by applying GPO4 at the Accounts Payable OU. We would use GPO4 rather than GPO1

because the setting is Prevent changing wallpaper. This must be enabled.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16to 10-20, 10-41

QUESTION 27DRAG DROPYou are the network administrator for TestKing.com. The network consists of a single Active Directory forestthat contains two domains with three sites. Domain1 isused as an empty root domain for security purposes.Domain1 has a domain controller only in Testking1. Domain2 has domain controllers in all three sites. The domain controllers in Testking1 and Testking2 are global catalog servers. Each client computer on thenetwork runs Windows NT Workstation 4.0, Windows 2000Professional, or Windows XP Professional.

You and your administration staff are located at Testking1, where you performadministrative tasks. You want tominimize network traffic as much as possible. The number of user accounts per site for each domain is shownin the following table.

You are planning the placement of the operations master role holders. You need to place your operationsmaster roles in the appropriate sites.

How many operations master roles should you place in each site?

To answer, drag the appropriate number of roles to the correct locations in thework area.

Select and Place:

Correct Answer:


Explanation/Reference:Explanation:Domain1 had one domain controller only in the Testking1 site. Therefore, the domain controller in Domain1 willneed all five FSMO roles: the Schema role, the DomainNaming Master role, the Primary Domain Controller (PDC) Emulator Role, the Relative Identifier (RID) MasterRole, and the Infrastructure Master Role.

Domain2 has domain controllers in all three sites but most users are in site Testking3.The two forest-wide roles - the Schema role and the Domain Naming Master role - cannot be assigned again.This leaves us with three roles. The Primary Domain Controller (PDC) Emulator Role and the Relative Identifier(RID) Master Role should be in the site with the most users, and the Infrastructure Master Role can be placedin the remaining site.

Reference:Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294: Planning,Implementing, and Maintaining a Windows Server 2003Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-29to 4-30.

Designing a Microsoft Windows Server 2003 Active Directory and NetworkInfrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-13 to 5-14.

Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra LittlejohnShinder & Dr. Thomas W. Shinder, MCSE: Exam 70-294: Planning, Implementing, andMaintaining a Windows Server 2003 Active Directory Infrastructure Study Guide &DVD Training System, Syngress Publishing, Rockland, MA, 2003, pp. 300-312, 505-508.

QUESTION 28You are the network administrator for Northwind Traders. The network consists of a single Active Directorydomain named northwindtraders.com.Windows Server 2003 domain controllers are located in two sites named Site1 and Site2. The domain containsan organizational unit (OU) named Accounting. The user accounts for users in the accounting department arelocated in the Accounting OU. Users in the accounting department can log on to any client computer.





Select and Place:

Correct Answer:





QUESTION 29

You are the network administrator for your company. The network consists of a single Active Directory domain.All the file servers of the finance department are located in an organizational unit (OU) namedFinanceServer.The finance department hires a new employee named Frank Lee. During the probationary period, Frank Lee must be able to read the public files which are shared in the financedepartment’s file servers.You need to ensure that Frank Lee has only the permissions necessary for performing his required tasks. You must accomplish this task by using the Delegation of Control Wizard dialog box. Your operation must notaffect other settings.

A. Simulation


Explanation/Reference: Answer: 1. Open Active Directory Users and Computers2. Right-click on Marketing OU and Delegate Control to Frank Lee.


QUESTION 30You are the network administrator for Northwind Traders. The network consists of a single Active Directorydomain named northwindtraders.com.Windows Server 2003 domain controllers are located in two sites named Site1 and Site2. The domain containsan organizational unit (OU) named Accounting. The user accounts for users in the accounting department arelocated in the Accounting OU. Users in the accounting department can log on to any client computer.





Select and Place:

Correct Answer:

PrepKing PrepKing-70-294 - GRATIS EXAM

Documents

Transcript of PrepKing PrepKing-70-294 - GRATIS EXAM