From CertCities.com
Pop Quiz

Microsoft Exam 70-217: Implementing and Admin. a Windows 2000 Directory Services Infrastructure
6 questions. Answers and explanations can be found at the end of the quiz.

courtesy of Transcender LLC

Questions:

1. You are the systems administrator of a small publishing company. You have been examining your company's new Windows 2000 configuration. While studying Active Directory, you create a test OU in order to investigate Active Directory properties. When you attempt to delete the test OU, you accidentally delete the Marketing OU instead. You view the Active Directory Replication Monitor, and you see that replication has not yet occurred.

How should you recover the Marketing OU with the least administrative effort?

a. Create and configure a new Marketing OU.

b. Copy the Marketing OU from another domain controller.

c. Force replication from another site.

d. Retrieve the Marketing OU from the LostAndFound folder.

e. Perform an authoritative restore of Active Directory.

f. Perform a nonauthoritative restore of Active Directory.


2. Eva, a user in your Windows 2000 native-mode domain, complains that she cannot log on to the network from some of the computers that she normally uses to log on to the domain. You suspect that another administrator may have changed some of the properties of Eva's user account. An account management audit policy is enabled on all of the domain controllers in the domain. You want to determine who changed Eva's account and when those changes took place. The logs in Event Viewer contain numerous entries.

Which four of the following actions should you take?

a. View the system log.

b. View the security log.

c. View the application log.

d. Use the Filter command from the View menu.

e. Use the Find command from the View menu.

f. Specify Eva's user name in the User text box.

g. Specify Eva's user name in the Description text box.

h. Perform the search on one specific domain controller in the domain.

i. Perform the search on each domain controller in the domain.

j. Perform the search on each member server in the domain.

k. Perform the search on each computer in the domain.


3. You are planning to implement a DNS namespace for a company named TeleSoft Corporation. TeleSoft requires a network that is Windows 2000-based. The company has a registered name, telesoft.com, and will maintain a public domain on the Internet and a secured corporate intranet.

Your plan must meet the following requirements:

  • The DNS namespace should be simplified to implement Active Directory domains and to avoid possible user confusion.
  • The DNS namespace should be maintained with minimal administrative overhead.
  • Only authorized security principals should be able to create, delete and modify DNS resource records.
  • Fault tolerance of the DNS name resolution infrastructure should be provided in a manner that prevents a single point of failure.
  • A sufficient number of additional DNS servers should be implemented to offload authoritative DNS servers without increasing zone transfer traffic.
  • Zone transfers to unauthorized DNS servers should be prevented.

You take the following actions:

  • Create a single Active Directory domain, telesoft.com, that spans both the external network and the intranet.
  • Create a single standard DNS zone, telesoft.com, that spans both the external network and the intranet.
  • Allow dynamic updates for the DNS zone.
  • Implement additional caching-only DNS servers.
  • Allow zone transfers to only the servers that are listed on the Zone Transfers tab in the Properties page for the zone.

Which of the following objectives have been achieved?

a. The DNS namespace has been simplified to implement Active Directory domains and to avoid possible user confusion.

b. Minimal administrative overhead is required to maintain the DNS namespace.

c. Only authorized security principals can create, delete and modify DNS resource records.

d. Fault tolerance of the DNS name resolution infrastructure has been provided in a manner that prevents a single point of failure.

e. Additional DNS servers have been implemented to offload authoritative DNS servers without increasing zone transfer traffic.

f. Zone transfers are allowed to only authorized DNS servers.


4. You are responsible for implementing a site and replication topology for a Windows 2000 domain named northern.com. The network consists of four offices in four cities that are connected by T1 frame relay links, as shown in the exhibit.

[Exhibit: network configuration diagram]

Using the Active Directory Sites and Services tool, you have created site and subnet objects for each office, placed domain controller objects in each site, and installed a Global Catalog server in each site. Because high priority data is transferred between all offices and the geography of the network spans time zones, it is paramount that you design a site link topology that will maximize the efficiency of your available network bandwidth, optimize Active Directory replication and provide logon fault tolerance between all four sites.

Which of the following methods should you use to connect your sites in order to maximize the efficiency of your network?

a. Create an IP site link between every site in a mesh topology.

b. Create an SMTP site link between every site in a mesh topology.

c. Connect the four sites with a single IP site link.

d. Connect the four sites with a single SMTP site link.

e. Create an IP site link bridge between every site in a mesh topology.


5. You are the administrator of the Windows 2000 domain that is shown in the exhibit.

[Exhibit: network configuration diagram]

You must implement security policies that affect the objects that belong to the Office organizational unit (OU).

You want to meet the following goals:

  • All users in the Office OU must be subject to the same password policy.
  • Different security options should be applied to the Accounting and Billing OUs.
  • An audit policy should only affect computers in the Accounting OU.
  • The security options and the audit policy should not affect resources in the Warehouse OU.

You take the following actions:

  • Specify a password policy in GPO1, and link it to the Office OU.
  • Specify the security options and an audit policy for Accounting in GPO2, and link it to the Accounting OU.
  • Specify the security options for Billing in GPO3, and link it to the Billing OU.

Which goals are met by the actions taken?

a. All users in the Office OU are subject to the same password policy.

b. Different security options are applied to the Accounting and Billing OUs.

c. The audit policy affects only computers in the Accounting OU.

d. The security options and the audit policy do not affect objects in the Warehouse OU.


6. Abigail is the network administrator for 4Soft Corporation and is a member of the Enterprise Admins group. The 4Soft Corporation is a Windows 2000 native-mode domain that consists of 5 Windows 2000 Server computers and 850 Windows 2000 Professional computers. One standard primary DNS zone, named 4soft.com, has been established for 4Soft; DNS has not been integrated into Active Directory. Recent expansion of the 4Soft enterprise has led Abigail to create a child Windows 2000 domain named sales.4soft.com. Abigail has also created a standard primary DNS zone named sales.4soft.com within that Windows 2000 domain and has configured the sales.4soft.com zone as a delegated subdomain of the 4soft.com zone. Due to the increased administrative overhead involved in 4Soft's expansion efforts, Abigail wants to delegate some of her responsibilities to her assistant, Vivian. Vivian is a member of the Domain Users global group in the 4soft.com domain.

Which of the following actions should Abigail take in order to give Vivian administrative control of the sales.4soft.com DNS namespace without giving her more authority than is necessary in the sales.4soft.com domain?

a. Abigail should take no further action.

b. Abigail should create a new secondary zone for sales.4soft.com.

c. Abigail should convert the 4soft.com standard primary zone into an Active Directory-integrated zone.

d. Abigail should convert the sales.4soft.com standard primary zone into an Active Directory-integrated zone.

e. Abigail should make Vivian a member of the DNS Admins group in the sales.4soft.com domain.

f. Abigail should make Vivian a member of the Domain Admins group in the sales.4soft.com domain.

Answers:

1) Choice f is correct. To recover the Marketing OU, you must take offline the domain controller on which you deleted the OU and perform a nonauthoritative restore of Active Directory from the most recent backup. Once the domain controller is brought online again, then Active Directory replication will replace the changed attributes from the restored objects with more recent versions located on another domain controller.

Neither creating and configuring a new Marketing OU nor copying the Marketing OU from another domain controller would recover the original Marketing OU object. Either of these options would cause a new, randomly generated identifier to be assigned to the OU; thus, you would be required to reconfigure permissions, group policies and other attributes. Replication should only be forced if you know that a domain controller was kept offline for a period of time or if your network connections do not always work properly. The LostAndFound folder of a domain container stores objects that are created in containers while those containers are being simultaneously deleted on other domain controllers. The LostAndFound folder also stores objects that have been created in, or moved to, a container that no longer exists after replication.

Reference: W2KSRK, Contents, "Distributed Systems Guide," "Active Directory," "Active Directory Data Storage," "Data Storage," "Directory Partitions." support.microsoft.com/support/kb/articles/Q216/2/43.ASP MSDN, Contents, "Knowledge Base," "Windows," "Windows NT," "Impact of Authoritative Restore on Trusts and Computer Accounts." W2KSRK, Contents, "Distributed Systems Guide," "Appendixes," "Active Directory Diagnostic Tool (Ntdsutil.exe)," "Performing an Authoritative Restore."

2) Choices b, e, g and i are correct. Events related to account management are recorded in the security log on the domain controller that was used to manage the corresponding user accounts. In this scenario, you should use Event Viewer to connect to each available domain controller in your domain and to view its security log. If the log contains many entries, then it may be difficult to manually locate the necessary record. You should use the Find command from the View menu to simplify your search. Most of the options for configuring a filter and a search are identical. For example, you can select the event type, event source, category, event ID, user name and computer name. In addition to the options that can be configured for both a filter and a search, in a filter, you can specify a range of entries by their ordinal numbers or by date and time of the events. In the Find dialog box, you can type any text that you expect to find in the sought record, and you can specify the direction of the search as either up or down. In this scenario, you should use the Find command to look for a success audit event of the Account Management category, and you should specify Eva's user name in the Description text box. The entry that you are looking for should contain Eva's user name in the event description under the caption Target Account Name.

Reference: W2KSRK, Contents, "Deployment Planning Guide," "Active Directory Infrastructure," "Planning Distributed Security," "Managing Administration," "Auditing." W2KSRK, Contents, "Server Operations Guide," "Troubleshooting," "Troubleshooting Strategies," "Troubleshooting Options," "Event Viewer." W2KSOH, Contents, "Monitoring and Diagnostic Tools," "Event Viewer," "How To...," "Use the Security Log," "Turn on security logging for a domain controller."

3) Only choices e and f are correct. To offload primary and secondary DNS servers that are authoritative for the telesoft.com zone, you can add caching-only servers. Caching-only servers are not authoritative for any DNS zones; they obtain name resolution information by querying other servers and by caching their responses. Using caching-only servers offloads authoritative servers without increasing zone transfer traffic because caching-only servers do not host any zones. To ensure that zone information is provided to only authorized DNS servers, you can explicitly list the IP addresses of those servers on the Zone Transfers tab in the Properties page for the zone. Alternatively, you can specify authoritative servers for the zone on the Name Servers tab and select the option to allow zone transfers to only those servers that are listed on the Name Servers tab.

To facilitate the implementation of Active Directory, DNS domains should be created for each Active Directory domain. In this scenario, you have created a single DNS domain and a single Active Directory domain for a network that consists of two distinct parts: a public subnet that is exposed to the Internet and a private intranet. It is possible to use a single DNS domain that spans both the external network and the intranet; however, doing so is likely to cause confusion among internal users and require additional administrative effort. A single DNS domain requires you to maintain one namespace that spans two separate parts: one that is exposed to the Internet community and the other that should be kept private and protected from unauthorized access. To avoid confusion and simplify administration, you should have created separate Active Directory domains and DNS zones: one domain and zone pair on the external network and another pair on the intranet. Therefore, you have not met the requirement to minimize the administrative overhead for zone maintenance, although you have enabled dynamic updates.

Dynamic updates simplify administration by enabling resource records to be automatically created, updated and deleted either by hosts that support dynamic updates or by DHCP servers on behalf of hosts that do not support dynamic DNS updates. By creating a standard DNS zone, you have not met the requirement to avoid a single point of failure because only one server can be a master for a standard zone. All other authoritative servers for the zone can only host a secondary copy of the zone database and must periodically receive updates from the master. If the master server fails, then no more records can be modified, added to or deleted from the zone. Additionally, standard zones do not support secure dynamic updates. If dynamic updates are enabled, then any host or DHCP server acting on behalf of a host can create, delete or modify resource records.

Reference: W2KSOH, Contents, "Networking," "DNS," "Best practices." W2KSOH, Contents, "Networking," "DNS," "Concepts," "Using DNS," "Planning Issues," "Namespace planning for DNS." W2KSRK, Contents, "TCP/IP Core Networking Guide," "Address Allocation and Name Resolution," "Introduction to DNS," "Introduction to the Domain Name System," "Domain Namespace." W2KSRK, Contents, "TCP/IP Core Networking Guide," "Address Allocation and Name Resolution," "Introduction to DNS," "DNS Servers," "Caching-Only Servers." W2KSRK, Contents, "TCP/IP Core Networking Guide," "Address Allocation and Name Resolution," "Windows 2000 DNS," "Active Directory Integration and Multimaster Replication (entire section)." W2KSRK, Contents, "TCP/IP Core Networking Guide," "Address Allocation and Name Resolution," "Windows 2000 DNS," "Dynamic Update and Secure Dynamic Update (entire section)." W2KSRK, Contents, "TCP/IP Core Networking Guide," "Address Allocation and Name Resolution," "Windows 2000 DNS," "Internet Access Considerations." W2KSRK, Contents, "TCP/IP Core Networking Guide," "Address Allocation and Name Resolution," "Windows 2000 DNS," "Internet Access Considerations," "Planning Your Namespace."

4) Choice a is correct. Creating an IP site link between every site in a mesh topology provides the most reliable, customizable and fault-tolerant replication topology for your network. Although a single IP site link is sufficient to connect the four sites, adding additional site links between the four sites will maximize the efficiency of your network. Windows 2000 provides a single site link object named DEFAULTIPSITELINK in the Active Directory Sites and Services tool. As you add new sites to the network, they are associated by default with this single site link object. The Knowledge Consistency Checker (KCC) process works in the background to optimize the replication paths between domain controllers in all sites. Because site links are also bridged by default, replication paths are transitive; if site A is linked to site B and site B is linked to site C, then an implicit replication path exists between sites A and C.

The KCC makes it possible for inter-site replication to occur with only one site link object. However, it is advisable to create additional site links to provide fault tolerance and replication customization. Site links can be customized both by cost and by schedule. Consequently, higher availability transports can be given precedence between two sites, and replication can be scheduled to occur during periods of low network activity. The Simple Mail Transport Protocol (SMTP) transport is useful when sites are connected by slow and unreliable links. Site link bridging is enabled by default; the option can be toggled by opening Active Directory Sites and Services, expanding the Sites container, expanding the Inter-Site Transports container, right-clicking the appropriate transport, clicking Properties, and clearing or selecting the Bridge all site links check box.

Reference: W2KSRK, Contents, "Distributed Systems Guide," "Active Directory," "Active Directory Replication," "Replication Topology," "Managing Replication Between Sites." W2KSRK, Contents, "Distributed Systems Guide," "Active Directory," "Active Directory Replication," "Replication Topology," "Topology Concepts and Components." W2KSRK, Contents, "Deployment Planning Guide," "Active Directory Infrastructure," "Designing the Active Directory Structure," "Creating a Site Topology Plan," "Defining Sites and Site Links."

5) Only choices b, c and d are correct. Generally, a GPO applies to all users and computers in the parent container to which the GPO is linked and in subcontainers of that parent container. However, certain policies, such as user account policies, can only be set for an entire domain. User account policies are ignored if they are specified in GPOs that are linked to containers other than the domain. Therefore, the password policy specified in GPO1 will not be applied to users because GPO1 is linked to the Office OU rather than to the domain. You have met the requirement to apply different security options to the Accounting and Billing OUs by specifying those options in two separate GPOs named GPO2 and GPO3. Because GPO2 is linked to the Accounting OU, the audit policy specified in GPO2 applies only to computers in that OU. Similarly, the security policy that is specified in GPO3 is applied only to the Billing OU. Because no GPOs have been applied directly to the Warehouse OU or indirectly to a parent container of the Warehouse OU, none of these GPOs have any effect on the Warehouse OU.

Ideally, you should use only two GPOs in this scenario. GPO1 should be linked to the domain; this GPO should include the password policy and the policies that should apply to the Accounting OU. GPO2 should be linked to the Billing OU; this GPO should include the security options for that OU. You should enable the Block Policy inheritance option in the Properties page for the Billing and Warehouse OUs to prevent objects in those OUs from inheriting settings specified in GPO1. The Block Policy inheritance option does not apply to user account policies, and password policies would still apply to all user accounts in the domain.

Reference: W2KSRK, Contents, "Deployment Planning Guide," "Active Directory Infrastructure," "Planning Distributed Security," "Setting Uniform Security Policies (entire section)." W2KSRK, Contents, "Distributed Systems Guide," "Desktop Configuration Management," "Group Policy," "Using Security Groups to Filter and Delegate Group Policy," "Filtering the Scope of a Group Policy Object." W2KSOH, Contents, "Users and Computers," "Group Policy," "Concepts," "Understanding Group Policy," "Group Policy Precedence."

6) Choice e is correct. The domain is the fundamental security boundary in Windows 2000. Therefore, Vivian's membership in the sales.4soft.com DNS Admins domain local group grants her full administrative control over DNS in the sales.4soft.com domain, and nothing more: it does not grant her any other administrative control in that domain. Vivian's membership in the DNS Admins group in the sales.4soft.com domain also does not grant her any additional permissions in the 4soft.com domain; she will retain only the permissions in the 4soft.com domain that are granted to her through her membership in the Domain Users global group.

A secondary zone is a read-only copy of the primary zone file. A secondary server is a host for a secondary zone. Creating a secondary zone for the sales.4soft.com domain would reduce DNS query traffic on the primary DNS server, but this approach would not alter any administrative responsibilities. Configuring primary DNS zones as Active Directory-integrated zones provides fault tolerance for the DNS zone information, but it does not affect the administrative permissions of any user in the associated domains. If Abigail made Vivian a member of the Domain Admins group in sales.4soft.com, then Vivian would be allowed to manage the zone. However, it would give Vivian more authority than is necessary or desirable.

Reference: W2KSOH, Contents, "Networking," "DNS," "Concepts," "Using DNS," "Managing zones," "Delegating zones." W2KSOH, Contents, "Networking," "DNS," "How To...," "Install and Configure Servers," "Add a secondary server for an existing zone."

These questions and answers are provided by Transcender LLC. Order the full version of this exam simulation online at www.transcender.com, phone 615-726-8779, 8 a.m. - 6 p.m., (CST), M - F, fax 615-726-8884, or mail to Transcender LLC, 565 Marriott Drive, Suite 300, Nashville, TN 37214.



Copyright 2000-2009, 101communications LLC.