Title: Managing and Maintaining a Microsoft Windows Server 2003 Environment
# QUESTION 1:
You are the network administrator for CertKing .com. The CertKing network contains seven application
servers. Each application server runs a database application named CertKing App.
Requirements for CertKing App state that when you add a new user, you must add the user to the server
that has the most available disk space.
You need to ensure that you meet the requirements when you add new users to CertKing App.
What should you do?
A. Use Event Viewer to review the application logs on each of the seven servers.
B. Use Performance Logs and Alerts to record the PhysicalDisk object on all seven servers.
C. Use Task Manager to view the performance data on each of the seven servers.
D. Use System Monitor to generate a histogram view of the LogicalDisk object on all seven servers.
Answer: D
Explanation: System Monitor shows real-time performance data based on Object counters, and can
display the log data recorded by Performance Logs And Alerts either in the form of Counter (interval
polling) logs, or Trace (event-driven) logs. Logs written by Performance Logs And Alerts can be loaded
into System Monitor for analysis. The System Monitor is designed for real-time reporting of data to a
console interface, and can be reported in graph, histogram, or numeric form. This should aid you in
ensuring that you meet the stated requirements.
Incorrect answers:
A: The Application log contains data written to it by software programs; it records events that are
generated by application programs and network application services. Using Event Viewer to review
application logs would thus not ensure that you add a new user to the server with the most available space.
B: The Performance Logs And Alerts snap-in can do no configuration; it only reports data through
Counter Logs as reported by providers (object counters) on a configured interval, or through Trace Logs
as reported by event-driven providers. Thus this option will not work.
C: Viewing performance data through the Task Manager is not what you need.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 6
# QUESTION 2:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
The network includes a file server named CertKing 1. CertKing 1 contains a single disk for system files
and two SCSI hard disks that comprise a 72-GB mirrored volume with 65 GB of read-only data. Users
connect to this data by using shortcuts on their desktops.
CertKing 1 is scheduled for replacement. You have a scheduled maintenance window to complete this task.
Before the maintenance window, you build a new server.
You need to bring the new server online with current data and re-establish redundancy as quickly as
possible. You must also ensure that the desktop shortcuts will continue to function.
What should you do?
A. Name the new server CertKing 1.
Create a new mirrored volume by using two 72-GB disks.
Connect CertKing 2 to the network and copy the data from CertKing 1.
When copying is complete, shut down the old CertKing 1.
B. Name the new server CertKing 1.
Move both disks from the old CertKing 1 to the new CertKing 1.
Scan the disks for changes.
Import the disks.
Connect the new CertKing 1 to the network.
C. Name the new server CertKing 1.
Break the mirror on the old CertKing 1.
Move one of the disks from the old CertKing 1 to the new CertKing 1.
Scan the disk for changes.
Initialize the disk.
Select the spare disk and create the mirror.
Connect the new CertKing 1 to the network.
D. Name the new server CertKing 1.
Remove one of the disks in the mirror from the old CertKing 1.
Move the disk on the new CertKing 1.
Scan the disk for changes.
Import the disk.
Shut down the old CertKing 1 and connect the new CertKing 1 to the network.
Answer: B
Explanation: You have to make use of the existing old CertKing 1 disks to make sure that the current data
will be brought online. When moving disks from one computer to another keep in mind that before
disconnecting the disks from the old CertKing 1 you must make sure the status of all volumes on each of
the disks is healthy. For any volumes that are not healthy, repair the volumes before you move the disks.
After you physically connect the disks to the new CertKing 1, in Disk Management, open the Action
menu and choose Rescan Disks. The scanning will detect changes. The new disk will show up as
Dynamic/Foreign. By default, Dynamic/Foreign disks should be brought online automatically, but if
not, bring the disk online by right-clicking it and selecting Online. Furthermore, to make
Dynamic/Foreign disks usable, you must import them. The disk group remains as is and the database does
not change. When connecting the new CertKing 1 to the network you will enable users to use their existing
shortcuts.
Incorrect answers:
A: Since CertKing 1 is scheduled for replacement, you need no mirroring to be done, for the question
states pertinently that you have to re-establish redundancy, which means that redundancy used to be in
place before. A mirrored volume (also known as RAID Level 1 or RAID-1) consists of two identical
copies of a simple volume, each on a separate hard disk. Mirrored volumes provide fault tolerance in the
event that one physical disk fails. Besides, CertKing 2 is irrelevant in this scenario.
C: Moving only one disk from the old CertKing 1 to the new CertKing 1 will affect not only the
current amount of data available, but will also result in a lack of possible redundancy.
D: Removing one old CertKing 1 disk from the mirror will not enable you to accomplish your task
successfully.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows
Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 3
# QUESTION 3:
You are the administrator of a Windows Server 2003 computer named CertKing 1. Two hard disks are
The data volume, which resides on Disk 1, is low on space. You need to provide additional space for the
data volume. What should you do?
A. Use Disk Management to extend the data volume.
B. Run the fsutil volume command on the data volume.
C. Using Diskpart.exe, run the extend command on the data volume.
D. In Device Manager, select Disk 1.
On the Volumes tab, click the Populate button.
Answer: A
Explanation:
To increase a volume's capacity is to extend the volume. You can extend a simple or spanned volume on
a dynamic disk so long as that volume is formatted as NTFS and so long as the volume is not the system
or boot volume. And this is done through Disk Management.
Incorrect Answers:
B: With fsutil, Windows Server 2003 administrators can perform tasks such as managing disk quotas,
managing mount points, and several other advanced disk-related tasks. Thus this command does not
provide additional space.
C: The Diskpart.exe command is used in converting disks and also to extend simple volumes, and not to
extend disk volumes as is needed in this case, which will have to be a spanned volume.
D: Populating Disk1 does not mean providing additional space.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 11, 15
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 3
# QUESTION 4:
You are the network administrator for CertKing .com. Your network includes a computer named
Server1, which runs Windows Server 2003. All file and print services, all user home folders and all user
profiles reside on Server1.
CertKing merges with Acme. Users from both companies will store their files and folders on Server1.
Now you need to increase storage space on Server1. You will not create any additional volumes. What
should you do to accomplish this task?
A. Make use of Diskpart.exe, run the Extend command on volume G:\ Then convert volume G:\ to FAT.
B. Make use of Diskpart.exe, run the Extend command on volume C:\ Then convert volume C:\ to NTFS.
C. Make use of Diskpart.exe, run the Extend command on volume I:\ Then convert volume I:\ to NTFS.
D. Make use of Diskpart.exe, run the Extend command on volume E:\ Then convert volume E:\ to
FAT32.
Answer: C
Explanation: You can use the Diskpart.exe utility to manage disks, partitions, and volumes from a
command-line interface. You can use Diskpart.exe on both Basic disks and Dynamic disks. If an NTFS
volume resides on a hardware RAID 5 container that has the capability of adding space to the container,
you can extend the NTFS Volume with Diskpart.exe while the disk remains a Basic disk.
Note: When you use Diskpart.exe to extend an NTFS partition, Microsoft recommends that you perform
this task in Safe mode or Active Directory Restore mode. By doing so, you prevent open handles to the
drive that cause the process to fail.
Use the extend command to incorporate unallocated space into an existing volume while preserving the data.
Incorrect answers:
A: Volume G is a striped volume which will not lend itself to being extended safely and without risks. A
striped volume (RAID-0) combines areas of free space from multiple hard disks into one logical volume.
Unlike a spanned volume, however, data is written to all physical disks in the volume at the same rate.
Because multiple spindles are in use, read and write performance is increased almost geometrically as
additional physical disks are added to the stripe. But like extended simple volumes and spanned volumes,
if a disk in a striped volume fails, the data in the entire volume is lost.
B: Volume C contains the system information and it is thus not recommended to use that specific volume
to create space for data storage. NTFS can be extended.
D: FAT32 volumes cannot be extended. Also you cannot extend boot volumes.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 3
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 423
# QUESTION 5:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
A server named Server1 hosts several applications. This server contains two hard disks, Disk0 and Disk1.
Each disk is connected to a different EIDE channel. Each disk is configured as a basic disk and formatted
as NTFS. System files are installed on Disk1.
You install a third hard disk on Server1. You configure it as a basic disk and format it as NTFS.
When you restart Server1, you receive the following message:
"Windows could not start because of a computer disk hardware configuration problem. Could not read
the selected boot disk. Check boot path and disk hardware. Please check Windows documentation about
hardware disk configuration and your hardware reference manuals for additional information."
You press a key. Server1 restarts, but it displays the same message.
You need to ensure that Server1 will start correctly. Your solution must not require reinstalling any
applications on Server1.
What should you do?
A. Start Server1 from the Windows Server 2003 installation CD-ROM. Use the Recovery Console to
repair the system.
B. Start Server1 in Safe Mode with Command prompt.
C. Start Server1 from the Windows Server 2003 installation CD-ROM. Press F6 to replace the Mass
Storage driver.
D. Reconfigure the new disk drive so it is enumerated after the existing drives. Restart Server1.
Answer: A
Explanation: Adding the extra hard disk has probably caused the problem. The boot.ini file needs to be
corrected to reflect the new disk configuration. We can use the Bootcfg utility in the Recovery Console to
correct this problem.
Use the Bootcfg utility in the Recovery Console to correct the Boot.ini file:
1. Use the Windows XP CD-ROM to start your computer.
2. When you receive the message to press R to repair Windows by using the Recovery Console,
press the R key.
3. Select the Windows installation that you want, and then type the administrator password when
prompted.
4. Type bootcfg /rebuild, and then press ENTER.
5. When the Windows installation is located, the following instructions are displayed:
Add installation to boot list? (Yes/No/All)
[Type Y in response to this message.]
Incorrect Answers:
B: If the boot.ini file is wrong, you won't be able to boot into safe mode.
C: This is not a driver problem. The mass storage driver worked before we added the new disk.
D: The disk drives are on different EIDE controllers, so this won't be possible (without moving the disk
to the other EIDE controller).
Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 15
# QUESTION 6:
You are the network administrator for CertKing .com. Your network includes a computer named
CertKing Srv1, which runs Windows Server 2003 and Windows XP Professional in a dual boot
configuration. CertKing Srv1 has two basic disks, which are configured as shown in the following table.
[Table: disk and partition configuration of CertKing Srv1]
You need to create a 10 GB partition on Server 1 to store user data. CertKing Srv1 must retain its dual
boot functionality.
What should you do?
A. Convert both disks to dynamic disks.
Create a 10 GB extended volume by using the unused space on Disk 1 and Disk 2.
B. Back up Partition 2 on Disk2.
Remove Partition 2 from Disk 2 and restore it on Disk 1 by using the unused space on Disk 1.
Create a 10 GB partition on Disk 2.
C. Back up partition 2 on Disk 1.
Remove Partition 2 from Disk 1 and restore it on Disk 2 by using the unused space on Disk 2. Create a 10
GB partition on Disk 1.
D. Convert both disks to dynamic disks.
Back up Volume 2 on Disk 2.
Remove Volume 2 from Disk 2 and restore it on Disk 1 by using the unused space on Disk 1.
Create a 10 GB volume on Disk 2.
Answer: B
Explanation:
You are presented with two choices: one, you could move the application files from disk 2 to disk 1 or,
two, you could move the boot files from disk 1 to disk 2. Neither of these options is desirable;
however, moving the application files is the better option. It is not advisable to move the boot files.
Converting the disks is ruled out because you cannot convert basic disks to dynamic disks if they contain
multiple installations of Windows 2000, Windows XP Professional, or the Windows Server 2003 family of
operating systems. Moreover, after the conversion, it is unlikely that you will be able to start the
computer using that operating system. After the disk is converted to dynamic, you can start the operating
system that you used to convert the disk, but you will not be able to start the other operating systems
on the disk.
Here are some considerations to keep in mind:
1. You can convert a basic disk containing the system or boot partitions to a dynamic disk.
2. After the disk is converted, these partitions become simple system or boot volumes (after
restarting the computer).
3. You cannot mark an existing dynamic volume as active.
4. You can convert a basic disk containing the boot partition (which contains the operating system)
to a dynamic disk.
5. After the disk is converted, the boot partition becomes a simple boot volume (after restarting the
computer).
Incorrect Answers:
A: Because you cannot convert basic disks to dynamic disks if they contain multiple installations of
Windows 2000, Windows XP Professional, or the Windows Server 2003 family of operating systems.
Moreover, after the conversion, it is unlikely that you will be able to start the computer using that
operating system. After the disk is converted, the boot partition becomes a simple boot volume (after
restarting the computer).
C: It is not advisable to move the boot files even if it is possible.
D: Do not convert basic disks to dynamic disks if they contain multiple installations of Windows
operating systems. After the conversion, it is unlikely that you will be able to start the computer using
that operating system.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit
(Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 433
Server Help
# QUESTION 7:
You are the network administrator for CertKing .com. You administer a Windows Server 2003
computer named CertKing 12. CertKing 12 has a single disk. The disk is configured so that it has four
primary partitions, which are formatted as FAT32. The disk also has unallocated space available. You
need to use the unallocated disk space to store user data.
What should you use?
A. Convert all existing partitions to NTFS.
B. Using Diskpart.exe, run the create command.
C. Convert the disk to a dynamic disk, and create a new volume.
D. Using Diskpart.exe, run the extend command.
Answer: C
Explanation: Converting the disk to a dynamic disk and then creating a new volume will enable you to
use the unallocated disk space to store data.
Incorrect answers:
A: Merely converting all existing partitions to NTFS is not the answer. This is only part of the solution.
B: The Diskpart.exe command is used in converting disks and also to extend simple volumes, and not to
extend disk volumes as is needed in this case, which will have to be a spanned volume.
D: You can use the Diskpart.exe utility to manage disks, partitions, and volumes from a command-line
interface. You can use Diskpart.exe on both Basic disks and Dynamic disks. Use the extend command to
incorporate unallocated space into an existing volume while preserving the data. However, FAT32
volumes cannot be extended.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 3
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 423
# QUESTION 8:
You are the network administrator for CertKing .com. You manage a Windows 2003 computer named
CertKing 3 that functions as a file server.
The data volume on CertKing 3 is mirrored. Each physical disk is on a separate controller. One of the
hard disks that contains the data volume fails. You discover that the failure was caused by a faulty SCSI
controller. You replace the SCSI controller.
You need to restore the data volume to its previous state. You want to achieve this goal by using the
minimum amount of administrative effort.
What should you do?
A. Run the diskpart active command on the failed volume.
B. Convert both disks to basic disks, and then restore the data.
C. Break the mirror, and then re-create the mirror.
D. Select a disk in the mirror, and then reactivate the volume.
Answer: D
Explanation: To restore the volume, replace the failed disk, rescan the disks, and reactivate the disk. If
this doesn't make the volume healthy again, then right-click the volume and choose Reactivate Volume.
The computer will chug away for a couple of minutes, rebuilding the missing data with the parity
information on the remaining disks, and the stripe set will be back in one piece. Thus if you select a
disk in the mirror and then reactivate the volume you will solve the problem in this case.
Incorrect answers:
A: Replaces the FDISK tool with which you're probably familiar. Creates or deletes disk partitions. Only
use this command on basic disks; it can damage dynamic disks. This is not what is needed here.
B: This is unnecessary.
C: There is no need to break the mirror since the problem only arose due to a failed SCSI controller.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C. A. Callahan & Lisa Justice, Mastering Windows
Server 2003, Sybex Inc., Alameda, 2003, pp. 867, 891
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, pp. 230-231
Part 2: Monitor and Repair server hardware. Tools might include Device Manager, the Hardware
Troubleshooting Wizard, and appropriate Control Panel items. (10 Questions)
# QUESTION 9:
Exhibit
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All domain controllers run Windows Server 2003, and all client computers
run Windows XP Professional.
Dr. Bill, one of the users in the domain, reports that she cannot access a server named CertKing 2.
What action should you take to enable Dr. Bill to access the server?
Answer:
Explanation: Re-enable the NIC.
In the exhibit the 3Com 3C920 Integrated Fast Ethernet Controller is marked with a red cross. This means
that Dr. Bill will first have to enable this card to re-establish a connection to the server CertKing 2.
If you disable a listener connection, no one will be able to connect to Terminal Services on the NIC for
which it is configured until you re-enable it.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 547
# QUESTION 10:
You are the network administrator for CertKing .com. Your network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. You use Microsoft
Operations Manager (MOM) to monitor all servers.
An e-mail server named Mail CK1 is located at a remote data center. Mail CK1 runs Microsoft Exchange
Server 2003.
Mail CK1 restarts unexpectedly during business hours. The event log indicates a problem with the SCSI
CD-ROM.
You need to ensure that Mail CK1 remains continuously available during business hours.
What should you do?
A. Use Device Manager to disable the SCSI CD-ROM.
B. Create and implement a new hardware profile to exclude the SCSI CD-ROM.
C. Use Device Manager to update the driver for the SCSI CD-ROM.
D. Use Device Manager to update the driver for the SCSI controller.
Answer: A
Explanation: The problem lies with the SCSI CD-ROM as indicated by the Event Log. This means that if
you circumvent the problem you will avoid the problem of Mail CK1 restarting at unexpected times.
Thus you only need to disable the SCSI CD-ROM and not remove it. You can enable and disable devices
for a specific hardware profile through their properties dialog boxes in Device Manager.
Incorrect answers:
B: It is not necessary to create a new hardware profile.
C: Updating the driver may solve the problem. However, disabling the device will make sure of it.
D: Updating the driver for the SCSI controller by making use of Device Manager will not solve the
problem of the server starting unexpectedly.
Reference: Dan Balter, MCSA/MCSE Managing and
Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 2
# QUESTION 11:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
Your network includes one branch office in addition to the main office. A server named Server CK1
connects the main office to the branch office by using an external dial-up modem.
One morning, users report that the connection to the branch office is not functioning.
On investigation, you discover that the modem is turned off. You restart the modem. Then you open
Device Manager and see the information shown in the exhibit:
You need to ensure that the connection between the main office and the branch office functions correctly.
Your solution must involve the minimum amount of change to Server CK1 and the minimum amount of
interruption in network service.
What should you do?
A. Restart Server CK1 .
B. Create a new dial-up connection to the branch office.
C. Open Device Manager to scan Server CK1 for changes in hardware.
D. Use the Add Hardware Wizard to detect and install the modem.
Answer: C
Explanation: According to the exhibit, there is no modem found. This is evident from the lack of a modem
subsection. You should thus open Device Manager to scan Server CK1 for changes in hardware in an
effort to find the modem. This will ensure that you do not add any changes to the existing network and
that you incur the minimum amount of server downtime.
Incorrect answers:
A: Restarting the server as suggested here does not mean restoring the settings and establishing the
connection from the branch office to the headquarters because the modem has been unplugged.
B: Creating a new dial-up connection to the branch office will involve unnecessary changes.
D: You do not need to add any hardware as the modem was installed and was operational before. You use
the Add Hardware Wizard when you want to add new hardware to the computer, and the modem is not
new; it was just turned off.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft
Windows Server 2003 Environment Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 12:
You are the file server administrator for CertKing . The company network consists of a single Active
Directory domain named CertKing .com. The domain contains 12 Windows Server 2003 computers and
1,500 Windows XP Professional computers. You manage three servers named CertKing 1, CertKing 2,
and CertKing 3. You need to update the driver for the network adapter that is installed in Serve1. You log
on to CertKing 1 by using a nonadministrative domain user account named Bill. You open the Computer
Management console. When you select Device Manager, you receive the following error message: "You
do not have sufficient security privileges to uninstall devices or to change device properties or device
drivers". You need to be able to run the Computer Management console by using the local administrator
account. The local administrator account on CertKing 1, CertKing 2, and CertKing 3 has been renamed
Jack. Jack's password is kY74X. In Control Panel, you open Administrative Tools. You right-click the
Computer Management shortcut and click Run as on the shortcut menu. What should you do next?
Answer:
Explanation:
You need to make use of "The following User" setting because you want to run the program under a
different account to the one you're logged in with, by entering "CertKing 1\Jack" in the User Name
field and entering "kY74X" in the password field. CertKing 1\Jack indicates a user account named Jack
on a computer named CertKing 1; in this scenario, this is the local administrator account.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 2
# QUESTION 13:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003,
and all client computers run Windows XP Professional.
A user reports that she cannot access a server named CertKing B.
First, you verify that the network adapter on CertKing B has the correct driver installed. Then, you open
Now you need to use Device Manager to restore network connectivity on CertKing B. What should you
do?
A. Enable the network adapter.
B. Change the IRQ setting of the network adapter.
C. Change the IP address of the network adapter.
D. Adjust the link speed of the network adapter to match the link speed of the network.
E. Resolve all possible hardware conflicts between the network adapter and the unknown device.
Answer: A
Explanation: The exhibit shows that the network card is disabled. The question also mentions that the
correct driver is installed. Therefore, enabling the network adapter will render it operational.
Incorrect Answers:
B: Interrupt request (IRQ) - One of a set of possible hardware interrupts, identified by a number. The
number of the IRQ determines which interrupt handler will be used. If the IRQ was wrong, the network
adapter would have an exclamation mark in a yellow circle over it.
C: If the IP address was wrong, the network adapter would seem to be operational in Device Manager.
D: If the link speed was wrong, the network adapter status will appear as operational in Device Manager.
E: If there was a hardware conflict, the network adapter status will be marked with an exclamation mark
in a yellow circle over it.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training
Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 763
# QUESTION 14:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. All network servers run Windows Server 2003.
CertKing operates 10 branch offices in addition to the main office. Each branch office has one file server
with two logical disks, P:\ and U:\. Each disk has a capacity of 20 GB. For each department in the branch
office, P:\ hosts one folder in which departmental users save shared documents. For all users in the
branch office, U:\ hosts home folders.
The main office includes a network operations center that monitors servers and network status.
However, branch office users frequently report that their servers have no more disk space. In such cases,
local support technicians log on to the servers and delete unnecessary files.
You need to create a proactive monitoring strategy for the network operations center. Monitoring must
alert the network operations center before the branch office servers run out of disk space. Monitoring
must also report which disks on the servers are approaching capacity. The monitoring strategy must
require the minimum amount of administrative effort.
What should you do?
A. Configure a server in the main office to report performance alerts on the branch office servers.
Use the logicaldisk(_total)\ %Free Space counter to indicate when free space is less than 5 percent.
Use the logicaldisk(_total)\Free megabytes counter to indicate when free space is less than 100 MB.
B. On each branch office server, create a performance alert.
Use the logicaldisk(_total)\ %Free Space counter to indicate when free space is less than 5 percent.
Use the logicaldisk(_total)\Free megabytes counter to indicate when free space is less than 1000 MB.
C. Configure a server in the main office to report performance alerts on the branch office servers.
Use the logicaldisk(P)\ %Free Space counter and the logicaldisk(U)\ %Free Space counter to indicate
when free space is less than 5 percent.
D. On each branch office server, create a performance alert.
Use the logicaldisk(P)\ %Free Space counter and the logicaldisk(U)\ %Free Space counter to indicate
when free space is less than 5 percent.
Answer: C
Explanation: The monitoring must alert the network operations centre before the branch office servers
run out of disk space and monitoring must also report which disks on the servers are approaching
capacity. LogicalDisk: % Free Space is a counter that indicates the amount of free space available on the
disk as a percentage of the total disk capacity. Paging problems can occur if you have little disk space to
which the system can swap data out of memory, and operating system errors can occur if the partition on
which the OS is installed becomes too full.
Incorrect Answers:
A: It is necessary to know which disks are near capacity, so we cannot monitor the total disk space - we
must monitor the individual logical disks.
B: We need to know which disks are near capacity, so we cannot monitor the total disk space - we must
monitor the individual logical disks.
D: The monitoring must alert the network operations centre before the branch office servers run out of
disk space; therefore, the monitoring should be done from the main office.
Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 748
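The reason answers A and B fail, that the _Total instance hides which logical disk is filling up, shown as an added Python example that is not part of the original study guide. It evaluates a constructed sample in the CSV layout that typeperf writes; the server name BRANCH01 and all sample values are assumptions.

```python
import csv
import io
import re

# Constructed sample (not real data) in the PDH-CSV layout produced by typeperf.
# BRANCH01 is a hypothetical branch office server with the 20 GB disks P: and U:.
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\BRANCH01\LogicalDisk(P:)\% Free Space","\\BRANCH01\LogicalDisk(U:)\% Free Space","\\BRANCH01\LogicalDisk(_Total)\% Free Space"
"03/01/2004 09:00:00.000","48.000000","6.200000","27.100000"
"03/01/2004 09:15:00.000","48.000000","3.500000","25.750000"
'''

# Counter path: \\<host>\LogicalDisk(<instance>)\% Free Space
COUNTER_RE = re.compile(
    r'^\\\\(?P<host>[^\\]+)\\LogicalDisk\((?P<instance>[^)]+)\)\\% Free Space$',
    re.IGNORECASE,
)


def latest_samples(csv_text):
    """Return {(host, instance): percent_free} taken from the last data row."""
    rows = [row for row in csv.reader(io.StringIO(csv_text)) if row]
    if len(rows) < 2:
        return {}
    header, last = rows[0], rows[-1]
    samples = {}
    # Column 0 is the timestamp; the remaining columns are counter paths.
    for name, value in zip(header[1:], last[1:]):
        match = COUNTER_RE.match(name)
        if not match:
            continue  # not a LogicalDisk % Free Space column
        try:
            samples[(match.group("host"), match.group("instance"))] = float(value)
        except ValueError:
            continue  # blank or non-numeric cell: no usable sample in this row
    return samples


def alerts(csv_text, threshold=5.0, per_disk=True):
    """List (host, instance, percent_free) entries below the threshold.

    per_disk=True checks each drive instance, as in answer C.
    per_disk=False checks only _Total, as in answers A and B.
    """
    hits = []
    for (host, instance), pct in sorted(latest_samples(csv_text).items()):
        is_total = instance.lower() == "_total"
        if is_total == per_disk:
            continue
        if pct < threshold:
            hits.append((host, instance, pct))
    return hits


if __name__ == "__main__":
    print("per-disk alerts:", alerts(SAMPLE_CSV))
    print("_Total alerts:  ", alerts(SAMPLE_CSV, per_disk=False))
```

With U: at 3.5 percent free and P: at 48 percent, the _Total instance still reads 25.75 percent, so a 5 percent alert on _Total never fires and would not name the disk even if it did.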
# QUESTION 15:
You are the network administrator for CertKing .com. You administer a Windows Server 2003 computer
named CertKing 5. The hardware vendor for CertKing 5 notifies you that a critical hotfix is available.
This hotfix is required for all models of this computer that have a certain network interface card.
You need to find out if the network interface card that requires the hotfix is installed in CertKing 5.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Open Network Connections, and then examine the properties of each connection that is listed.
B. Open the Component Services snap-in, expand Computers, expand My Computer, and then examine
the list.
C. Run the netsh interface command, and then examine the list.
D. Open Device Manager, expand Network adapters, and then examine the list.
Answer: A, D
Explanation:
A: The Network Connections tab contains settings for network connections and a Wizard to create new
connections. From there you will be able to examine the properties of each connection that is listed. This
will reveal if the network interface card that requires the hotfix is installed on CertKing 5.
D: The Device Manager utility is a graphically-based utility that provides information about all of the
devices that your computer currently recognizes. Through Device Manager, you can see a summary of all
of the currently installed hardware; view and change hardware settings; view, uninstall, update or roll
back a device driver; disable and enable devices; and print a summary of all of the hardware devices that
have been installed on your computer. You can also run the Hardware Troubleshooting Wizards from
Device Manager. If you make use of Device Manager and then expand the Network Adapters tab, you
will be able to find out if the appropriate network interface card is installed on CertKing 5.
Incorrect answers:
B: This option will not display the relevant information needed.
C: You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including
addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical
information.
Reference:
Microsoft Knowledge Base: 306794: How to Install the Support Tools from the Windows XP CD-ROM
Network Monitor is provided with Windows Server products and Microsoft Systems Management
Server (SMS). Microsoft Corporation, 2004
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, MCSA/MCSE: Exam
70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, pp. 686, 854-856, 926
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows(r) Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 2, pp. 84 & 116
# QUESTION 16:
You are the network administrator for CertKing .com. You are the administrator of a Windows Server
2003 computer named CertKing 3.
Newly hired employees recently started storing files on CertKing 3. Now users report that CertKing 3 is
responding much slower than it did before the additional users were added. You suspect the disk
subsystem needs to be upgraded to accommodate the additional user load.
You need to confirm whether the disk subsystem on CertKing 3 needs to be upgraded.
What should you do?
A. Configure a Performance Logs and Alerts on the %Free space counter.
B. Use Device Manager to populate volume settings and examine the properties of the disk drives on
CertKing 3.
C. Use Event Viewer to examine the system logs and search them for events generated by the disk
event source.
D. Use System Monitor to monitor counters based on the PhysicalDisk object.
Answer: D
Explanation: One adds key counters to track for the processes subsystem and how to tune and upgrade the
processes subsystem to the System Monitor. The PhysicalDisk object is the sum of all logical drives on a
single physical drive. Adding this object counter to the System Monitor should give you the relevant
information necessary to confirm whether an upgrade of the disk subsystem is needed.
Incorrect answers:
A: The %Free space counter tracks how much free space is available on the hard drive. It is a way to
track disk space usage proactively so users do not experience "out of disk space" errors. This is not the
information needed to confirm whether an upgrade of the disk subsystem is needed.
B: Device Manager is a Windows Server 2003 utility used to view information about the computer's
hardware configuration and set configuration options. This is not what is required.
C: Event Viewer is a Windows Server 2003 utility that tracks status information about the computer's
hardware and software, as well as security events. This information is stored in multiple log files
dependent upon the configuration of the server. The minimum number of logs is three: the Application
log, the Security log, and the System log. However, you should rather make use of System Monitor to
monitor counters based on the PhysicalDisk object in this case.
Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows(r) Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 9, p. 460
# QUESTION 17:
Exhibit
You are the network administrator for CertKing .com. All network servers run Windows Server 2003. A
Windows Server 2003 computer named CertKing 2 functions as a mail server.
CertKing 2 has a single disk that is configured as a basic disk. You add a second disk. In Disk
Management, you right-click the unallocated file system. You discover that the "New Partition" menu
command is unavailable, as shown in the exhibit.
You need to create a new partition.
What should you do?
A. Restart the server, and then select the New partition menu command.
B. Right-click the disk, select Initialize, and then select the New partition menu command.
C. Replace the disk that you added, and then select the New partition menu command.
D. Ask the appropriate administrator to assign you Administrator rights on CertKing 2, and then select
the New partition menu command.
Answer: B
Explanation: When you attach a new disk to your computer, you must first initialize the disk before you
can create partitions. When you first start Disk Management after installing a new disk, a wizard appears
that provides a list of the new disks that are detected by the operating system. When you complete the
wizard, the operating system initializes the disk by writing a disk signature, the end of sector marker (also
called a signature word), and a master boot record (MBR). The question states that a second disk has
been added thus you will need to initialize the disk and then select the new Partition menu command to
create a new partition.
Incorrect answers:
A: Restarting the server is not the way to go when you first need to initialize the disk, as the
question states that a second disk has been added.
C: This does not make sense considering that a second disk has already been added. What is needed is to
initialize the disk and only then will the New Partition menu command be available.
D: This is not a matter of administration rights.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 11.38
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam
Cram 2 (Exam 70-290), Chapter 3
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows(r) Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 4, p. 216
# QUESTION 18:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
The network includes a file server named CertKing 17. CertKing 17 contains a single disk for system
files and two SCSI hard disks that comprise a 72-GB mirrored volume with 65 GB of read-only data. Users
connect to this data by using shortcuts on their desktops.
CertKing 17 is scheduled for replacement. You have a scheduled maintenance window to complete this
task. Before the maintenance window, you build a new server.
You need to bring the new server online with current data and re-establish redundancy as quickly as
possible. You must also ensure that the desktop shortcuts will continue to function.
What should you do?
A. Name the new server CertKing 20. Create a new mirrored volume by using two 72-GB disks. Connect
CertKing 20 to the network and copy the data from CertKing 17. When copying is complete, shut down
the old CertKing 17.
B. Name the new server CertKing 17. Move both disks from the old CertKing 17 to the new CertKing 17.
Scan the disks for changes. Connect the new CertKing 17 to the network.
C. Name the new server CertKing 17. Break the mirror on the old CertKing 17. Move one of the disks
from the old CertKing 17 to the new CertKing 17. Scan the disk for changes. Initialize the disk. Select the
spare disk and create the mirror. Connect the new CertKing 17 to the network.
D. Name the new server CertKing 17. Remove one of the disks in the mirror from the old CertKing 17.
Move the disk to the new CertKing 17. Scan the disk for changes. Import the disk. Shut down the old
CertKing 17 and connect the new CertKing 17 to the network.
Answer: B
Explanation: The "Scan For Hardware Changes" option allows you to force a manual scan to see if any
new hardware changes have been detected. To be able to bring the server online with the current data and
re-establishing redundancy as soon as possible whilst ensuring that desktop shortcuts stay functional, you
will need to give the same name to the new server, namely CertKing 17 and use the two disks from the
old CertKing 17. You should then scan it for any changes and then connect the new CertKing 17 to the
network.
Incorrect answers:
A: There is no need to create a new mirrored volume in this case. Besides, where will you get the two
new disks from to copy the existing data of CertKing 17 onto? What is needed is to use the old
CertKing 17 disks to provide continuity for users insofar as desktop shortcuts are concerned.
C & D: This is not necessary. All that has to be done is to use the existing CertKing 17 disks and put
them on the newly created and named CertKing 17 server, scan the disks for changes, and then connect
the new CertKing 17 to the network.
Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows(r) Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 2, p. 91
# QUESTION 19:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
A server named CK1 contains a simple volume that stores mission critical data files. CK1 experiences
hardware failure and stops functioning. Replacement parts will be available within 72 hours.
A second file server named CK2 is available. However, CK2 has insufficient disk space to hold the data
on CK1.
You need to provide immediate access to the data on CK1.
First, you install the disks from CK1 on CK2 and restart CK2. However, the disks do not appear in Disk
Management.
Which action or actions should you perform? (Choose all that apply)
A. Install the disks from CK1 on CK2. In Disk Management, initialize the disks.
B. Install the disks from CK1 on CK2. In Disk Management, rescan the disks.
C. In Disk Management, select each disk from CK1. Then, select the option to import foreign disks.
D. In Disk Management, select each disk from CK1. Then, select the option to repair the volume.
E. On CK2, run the mountvol /p command from a command prompt.
F. On CK2, convert the dynamic disks to basic disks.
Answer: B, C
Explanation: It is imperative that you rescan disks after you move hard disks between computers.
Following is the reason: When Disk Management rescans disk properties, it scans all attached disks for
changes to the disk configuration. It also updates information about removable media, CD-ROM drives,
basic volumes, file systems, and drive letters. When you move a dynamic disk from one computer to
another, Windows Server 2003 considers the disk as a foreign disk by default. When Disk Manager
indicates the status of a new disk as foreign, you have to import the disk before you can access volumes
on the disk.
Incorrect Answers:
A: When you attach a new disk to your computer, you must first initialize the disk before you can create
partitions. When you first start Disk Management after installing a new disk, a wizard appears that
provides a list of the new disks that are detected by the operating system. When you complete the wizard,
the operating system initializes the disk by writing a disk signature, the end of sector marker (also called
a signature word), and a master boot record (MBR). If you cancel the wizard before the disk signature is
written, the disk status remains Not Initialized.
D: Since replacement parts are underway, you need not repair the disk as this will not make the CK1 data
available immediately.
E: The Mountvol command creates, deletes, or lists a volume mount point. Mountvol is a way to link
volumes without requiring a drive letter.
F: If you convert the dynamic disks to basic disks you will lose the data and the question pertinently asks
for the CK1 data to be made available.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 11.38
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam
Cram 2 (Exam 70-290), Chapter 3
# QUESTION 20:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
CertKing A hosts highly confidential files. The Disk Management console for CertKing A is shown in the
exhibit.
You need to ensure the security of all files on CertKing A. In the event of disk failure, you need to
minimize the time required to make these files available again. You also need to improve file system
performance.
How will you go about accomplishing these objectives?
A. Configure the unallocated disks in a RAID-0 configuration and then convert the disks to basic disks.
B. Configure one of the unallocated disks in a RAID-1 configuration and then convert the disks to
dynamic disks.
C. Store a shadow copy of disk C on one of the unallocated disks and then convert the disks to basic
disks.
D. Configure the unallocated disks as an extended volume and then convert the disks to dynamic disks.
Answer: B
Explanation: Part of the objectives state that you must minimize the time needed to make these files
available again in case of disk failure. This can be accomplished through mirroring Disk0 to another disk.
A disk mirror is also known as RAID-1. You have to convert the disks to dynamic disks to accomplish
this. A mirrored volume is a fault-tolerant set of two physical disks that contain an exact replica of each
other's data within the mirrored portion of each disk. Mirrored volumes are supported only on Windows
Server computer versions. If you convert the disk containing the boot and system partitions to a dynamic
disk, you can mirror the boot and system volumes onto another dynamic disk. Then, if the disk containing
the boot and system volumes fails, you can start the computer from the disk containing the mirrors of
these volumes.
Incorrect Answers:
A: A RAID-0 is fast but it offers no redundancy. Redundancy is necessary if you need to consider using
the minimum time needed to make these files available after possible disk failure. The disks are already
basic disks; there is no need for any conversion. Furthermore, the objectives will only be met through
converting the disks to dynamic volumes.
C: A shadow copy will keep copies of previous versions of the files. You won't be able to access these
though if Disk0 fails. The disks are already basic disks; there is no need for any conversion. Furthermore,
the objectives will only be met through converting the disks to dynamic volumes.
D: An extended volume offers no redundancy, which is needed to minimize the time needed to make these
files available in case of disk failure. Though dynamic disks will allow mirroring, the extended volume
configuration will negate that possibility.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam
Cram 2 (Exam 70-290), Chapter 3
# QUESTION 21:
You are the network administrator for CertKing .com. You administer a Windows Server 2003 computer
named CertKing 4. CertKing 4 has a single physical disk that is configured as a simple volume.
You plan to store the files for a large database on CertKing 4. You plan to install additional physical
disks on CertKing 4.
You need to reconfigure the disks on CertKing 4. Your solution must provide fault tolerance for the
operating system and the database files.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Install three additional physical disks. Create a new RAID-5 volume. Place the database files on the
new volume.
B. Install three additional physical disks. Create a new striped volume. Place the database files on the
new volume.
C. Install one additional physical disk. Configure the simple volume as a mirrored volume.
D. Install one additional physical disk. Configure the simple volume as a spanned volume.
Answer: A, C
Explanation: RAID (Redundant Array of Independent Disks)-5 volume or striped set with parity volume
is a fault-tolerant collection of equal-sized partitions on at least three physical disks, in which the data is
striped and includes parity data. The parity data helps recover a member of the striped set if the member
fails. If a single disk fails in a RAID-5 volume, data can continue to be accessed as is the case here.
During read operations, any missing data is regenerated on the fly through a calculation involving
remaining data and parity information thus taking care of redundancy in the sense that work will continue
and no information will be lost. RAID-5 can only sustain a single drive failure. Thus RAID-5 is a volume
configuration that stripes data over multiple disk channels and places a parity stripe across the volume for
fault tolerance. A mirrored volume set contains a primary volume and a secondary volume. The data
written to the primary volume is mirrored to the secondary volume. Mirrored volumes provide fault
tolerance, because if one volume in the mirrored volume fails, the other volume still works without any
interruption in service or loss of data. Mirrored volumes are copies of two simple volumes stored on two
separate physical drives. So, if you are to provide fault tolerance for the operating system and the
database files in your re-configuration of CertKing 4, you should install three additional physical disks,
create a new RAID-5 volume and place the database files on the new volume. You should also install
another physical disk and configure it as a mirrored volume.
Incorrect answers:
B: A striped volume is a dynamic disk volume that stores data in equal stripes between 2 to 32 dynamic
drives. Typically, administrators use striped volumes when they want to combine the space of several
physical drives into a single logical volume and increase disk performance. You should not create a new
striped volume; RAID-5 will provide fault tolerance since CertKing 4 is configured as a simple volume.
D: A spanned volume is a dynamic disk volume that consists of disk space on 2 to 32 dynamic drives.
Spanned volume sets are used to dynamically increase the size of a dynamic volume. With spanned
volumes, the data is written sequentially, filling space on one physical drive before writing to space on
the next physical drive in the spanned volume set. CertKing 4 is a simple volume.
Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows(r) Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 4, p. 208
# QUESTION 22:
You are the network administrator for CertKing .com. You manage a Windows Server 2003 computer
that functions as a file server. The data volume on the server is configured as a software RAID-5 array.
One of the disks that contain the data volume fails. You replace the failed disk. You start the Disk
Management utility and view the status listed in the following table.
[Table: Disk Management status of each disk; most cells were lost in extraction. Surviving row: Missing | Offline | Dynamic]
You need to restore fault tolerance.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a striped set that includes Disk1 and Disk2.
B. Initialize Disk3 and convert it to a dynamic disk.
C. Reactivate the RAID-5 array volume.
D. Repair the RAID-5 array volume to include Disk3.
E. Initialize Disk3 and configure it as a basic disk.
F. Reactivate the missing disk.
Answer: B, D
Explanation: The question states that Disk3 is not initiated. Thus, to restore fault tolerance, you should
make sure that the disks are all of the same type, hence the need to initialize Disk3 and convert it to dynamic.
A RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate, and is interlaced
with parity to provide fault tolerance for a single disk failure. Since the question mentions that the data
volume that is configured as a software RAID-5 array has one failed disk, you should also repair the array
to restore fault tolerance.
Incorrect answers:
A: A mere striped set that includes only Disk1 and Disk2 will not restore the lost fault tolerance since
those two disks are still operational and available and not Disk3.
C: You need to repair the RAID-5 array and not reactivate it.
E: Configuring Disk3 as a basic disk will not restore fault tolerance. Disk3 needs to be converted to
dynamic disk so as to make it the same type as the other two disks.
F: Reactivating the missing disk is not going to restore fault tolerance.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 11.38
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam
Cram 2 (Exam 70-290), Chapter 3
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows(r) Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 4, p. 203
# QUESTION 23:
Exhibit
You are the network administrator for CertKing .com. All network servers run Windows Server 2003. A
server named CertKing 2 functions as a file server. The hard disks in CertKing 2 are configured as shown
in the table displayed in the exhibit. Users in the finance department store documents in the shared folder
on CertKing 2. Users report that they experience poor performance when they save files in the shared
folder.
You need to use System Monitor to find out if the storage subsystem has a performance problem when
users save files in the shared folder on CertKing 2.
What should you do?
A. Add the LogicalDisk performance object. Monitor the Free Megabytes counter on drive F.
B. Add the LogicalDisk performance object. Monitor the Avg. Disk Queue Length counter on physical
disk 1.
C. Add the Paging File performance object. Monitor the % Usage counter.
D. Add the Server performance object. Monitor the Bytes Total/sec counter.
Answer: B
Explanation: Disk Queue Length indicates the number of outstanding disk requests that are waiting to be
processed. The Avg. Disk Queue Length counter forms part of the most useful performance data and will
yield the necessary information regarding the storage subsystem.
Incorrect answers:
A: You will not get the necessary information for the purposes of this question.
C: The Paging File > %Usage counter indicates how much of the allocated page file is currently in use. If
this number is consistently over 70 percent, you may need to add more memory or increase the size of the
paging file. You should use the Paging File > %Usage counter value in conjunction with the Memory >
Available Bytes and Memory > Pages/Sec counters to determine how much paging is occurring on your
computer.
D: This will not yield the proper information needed in this case.
Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows(r) Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, Chapter 9, pp. 454, 460
# QUESTION 24:
Exhibit
You are the network administrator for CertKing .com. All network servers run Windows Server
2003. A server named CertKing 6 functions as a print server. Users in the sales department print large
reports and sales documents on several printers that are attached to CertKing 6. Users report that during
periods of peak activity, CertKing 6 becomes unresponsive and it is slow to print documents. You use
System Monitor to view the performance of CertKing 6 during a period of peak activity. The results are
shown in the exhibit.
You need to improve the performance of CertKing 6 when documents are printed during periods of peak
activity.
What should you do?
A. Configure a printer pool on CertKing 6 by using an additional print device.
B. Install an additional hard disk in CertKing 6. Move the spool directory to the new hard disk.
C. Increase the amount of physical RAM that is installed in CertKing 6.
D. Upgrade the processor in CertKing 6.
Answer: B
Explanation: A common problem with printing in larger networks is that the spool folder gets so large
that it fills up all available space on the disk drive. To get around this, move the spool folder to a different
disk partition that has plenty of free space. Since the problem only occurs during periods of peak activity
there is an indication that you need additional hard drive space so as to be able to print the large
documents and reports. With network printing you need to spool the documents before printing as many a
time there would be a print queue. Thus to improve CertKing 6 performance, you need to install an
additional hard disk and move the spooler to the new hard disk.
Incorrect answers:
A: Making use of an additional print device will not solve the problem that the print server, CertKing 6, is
experiencing.
C: This is not a matter of insufficient RAM that causes the problem but rather a problem caused by
insufficient space to spool the documents.
D: There is no need to upgrade the processor since it is not a processor that is causing the problem.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied,
MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study
Guide & DVD Training System, Syngress Publishing, Rockland, 2003, Chapter 7, p. 611
# QUESTION 25:
You are the network administrator for CertKing .com. You administer a Windows Server 2003 computer
named CertKing 7. Users report that they experience poor performance when they access resources
located on CertKing 7. You suspect a disk bottleneck. You need to set up performance counters to
monitor CertKing 7.
You need to decide which performance objects to monitor.
Which two counters should you choose? (Each correct answer presents part of the solution. Select two.)
A. LogicalDisk\% Idle Time
B. PhysicalDisk\% Disk Time
C. PhysicalDisk\Avg. Disk Queue Length
D. Memory\Write Copies/sec
E. Memory\Commit Limit
Answer: B, D
Explanation: The Memory: Pages/sec counter is used to measure memory usage. And with the
PhysicalDisk\%Disk Time counter you will get an indication of whether the disk is being read quickly
enough or not. These two counters would be essential if you suspect a disk bottleneck.
Incorrect answers:
A: This counter will not be as crucial to the requirements of this question.
C: The Physical Disk: Avg. Disk Queue Length counter is used to measure hard disk performance.
E: The Commit Charge group box is related to the Kernel Memory group box. The virtual memory details
can be found here. (Remember, virtual memory is the maximum size of the page file.) The Peak item in
this Commit Charge group box can exceed the physical memory value in the Physical Memory group box
since the page file can be utilized. The Limit item displays the maximum memory available.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE:
Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide & DVD
Training System, Syngress Publishing, Rockland, 2003, Chapter 9, p. 725
# QUESTION 26:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
A server named CertKing 6 functions as a file server. The disk subsystem on CertKing 6 is configured as
You need to ensure that you are notified if there is less than 1 GB of available disk space for company
data.
What should you do?
A. Create a performance alert. Configure the alert to monitor LogicalDisk performance objects for
volume F.
B. Create a trace log. Configure the log to record disk input/output for volume F.
C. Create a performance alert. Configure the alert to monitor the PhysicalDisk performance objects for
physical disks 3, 4, 5, and 6.
D. Create a trace log. Configure the log to record the LogicalDisk performance objects for volume F.
Answer: A
Explanation: The purpose of an alert is to notify the system administrator that the system is not
functioning according to standard operating environment. You can configure alerts to send a network
message, start a program, run a script, or log an event in the event log if a performance threshold is
reached. Thresholds are limits that you specify (for example, when a disk is 90 percent full). In this
case, you monitor the LogicalDisk performance object for volume F, because volume F: holds the company
data, which is bound to grow larger in volume.
Incorrect answers:
B: You should be creating a performance alert, not a trace log. Furthermore, recording disk input and
output will not yield the proper alert.
C: This option is halfway correct, except that you need to monitor the LogicalDisk performance object
for volume F: and not the PhysicalDisk performance objects for disks 3, 4, 5 and 6.
D: You should be creating a performance alert and not a trace log.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE:
Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide & DVD
Training System, Syngress Publishing, Rockland, 2003, Chapter 9, p. 788
# QUESTION 27:
You are the network administrator for CertKing. All network servers run Windows Server 2003. You
administer a server named CertKing 76. You need to configure CertKing 76 to function as a streaming
media server for CertKing .com's content team. The content team wants CertKing 76 to provide the
fastest performance and the most available space possible. Redundancy is not important. CertKing 76
currently has three identical, unpartitioned hard disks available. You need to configure the disks to meet
the content team's requirements.
What should you do?
A. Create a simple volume on disk and then expand it to the other two disks.
B. Create a mirrored volume that uses two of the disks.
C. Create a RAID-5 volume that uses all three disks.
D. Create a striped volume that uses all three disks.
Answer: D
Explanation: A striped volume is where data is written to 2 to 32 physical disks at the same rate. It offers
maximum performance and capacity but no fault tolerance. Striped volumes use RAID-0, which stripes
data across multiple disks. Striped volumes cannot be extended or mirrored, and do not offer fault
tolerance. If one of the disks containing a striped volume fails, the entire volume fails. When creating
striped volumes, it is best to use disks that are the same size, model, and manufacturer. With a striped
volume, data is divided into blocks and spread in a fixed order among all the disks in the array, similar to
spanned volumes. Striping writes files across all disks so that data is added to all disks at the same rate.
Despite their lack of fault tolerance, striped volumes offer the best performance of all the Windows disk
management strategies and provide increased I/O performance by distributing I/O requests across disks.
For example, striped volumes offer improved performance when:
1 Reading from or writing to large databases.
2 Collecting data from external sources at very high transfer rates.
3 Loading program images, dynamic-link libraries (DLLs), or run-time libraries.
Thus the answer to the problem would be to create a striped volume that uses all three disks.
Incorrect answers:
A: This option will not meet the requirements.
B: Mirrored volumes are used for redundancy purposes.
C: A RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate, and is interlaced
with parity to provide fault tolerance for a single disk failure. However, since the problem mentions that
redundancy is not important, it would be better to make use of a striped volume that uses all three disks.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, pp. 281, 11.49
# QUESTION 28:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. A server named CertKing
9 functions as an application server. The disks in CertKing 9 are configured as shown in the following
table.
[Table: disk configuration of CertKing 9; contents not recoverable]
You purchase four additional 20-GB hard disks for CertKing 9. You plan to install an inventory database
on CertKing 9. You estimate that you need a total of 60 GB of disk space to hold all the inventory data.
You need to protect the data against the failure of any disk that contains either operating system data or
inventory database data.
You need to create a new disk configuration on CertKing 9.
Which two actions should you perform? (Each correct answer presents part of the solution. Select two.)
A. Use one additional disk to create a mirror for drive C.
B. Use two additional disks to create a striped set for drive C.
C. Use three additional disks to create a RAID-5 volume for drive D.
D. Use two additional disks to create a RAID-5 volume for drive C.
E. Use one additional disk to create a mirror for drive D.
F. Use three additional disks to create a striped set for drive D.
Answer: A, C
Explanation: A RAID-5 volume is where data is written to 3 to 32 physical disks at the same rate, and is
interlaced with parity to provide fault tolerance for a single disk failure. Good read performance; good
utilization of disk capacity; expensive in terms of processor utilization and write performance as parity
must be calculated during write operations. Since Drive C holds the operating system, you should make
use of an additional disk to create a mirror for drive C.
Incorrect answers:
B & F: Striped volumes are made up of two to 32 disks. Each disk should be the same size to efficiently
use all space. It is possible to use different-sized disks, but the stripe size on every disk will be limited
to the amount of free space on the smallest disk, so there will be space wasted on the larger disk(s). A
striped set, whether making use of two or three additional disks, will not suffice in this case.
D: Two additional disks will not support RAID-5; you need three for Drive D and not Drive C.
E: You should create the mirror for Drive C and not drive D.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, pp. 281, 11.49
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam
70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide & DVD Training
System, Syngress Publishing, Rockland, 2003, Chapter 2, p. 81
# QUESTION 29:
Exhibit
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. CertKing .com's written security policy states that all computers are
permitted to use only hardware that is listed on the Windows Server Catalog.
You need to change the policy settings for the Windows Server 2003 computer so that it complies with
the written security policy.
Which policy setting should you modify? To answer, select the appropriate policy in the exhibit.
Answer:
Explanation: Devices: Unsigned Driver installation behavior
Driver signing is a method for marking or identifying driver files that meet certain specifications or
standards. Windows Server 2003 uses a driver-signing process to make sure drivers are certified to work
correctly with the Windows Driver Model (WDM) in Windows Server 2003. By modifying the Unsigned
Driver installation behavior, you will be able to comply with company regulations regarding security
policy.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 2
# QUESTION 30:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run
Windows XP Professional.
A change in business rules requires you to configure hardware drivers on all network computers. You
open the Group Policy Object Editor, as shown in the work area.
You need to configure Driver Signing in the treeview pane.
Which node should you configure?
Answer:
Explanation: Select "Local Policies". Every device that is attached to a computer requires software,
known as a device driver, to be installed on the computer to enable it to function properly. Every
device requires a device driver to communicate with the operating system. Device drivers that are used
with the Microsoft Windows operating systems are typically provided by Microsoft and the device
manufacturer. Each device driver and operating system file that is included with Windows has a digital
signature. This setting can be located in the LOCAL POLICIES section.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003
Environment Exam Cram 2 (Exam 70-290), Chapter 2
# QUESTION 31:
You are the administrator of a Windows Server 2003 computer named CertKing 1. There is a driver
conflict on CertKing 1. You suspect that an unsigned driver has been installed for one of the hardware
devices.
You need to locate any unsigned drivers.
What should you do?
A. Use the advanced options of the File Signature Verification tool to scan the contents of the
Systemroot\System32 folder and all subfolders.
B. Run the driverquery /si command, and examine the output.
C. Use the advanced options of the File Signature Verification tool to scan the contents of the
Systemroot\System folder and all subfolders.
D. Run the ver command.
Answer: A
Explanation: The File Signature Verification tool generates the report of unsigned drivers with the least
administrative effort. You can use the File Signature Verification tool (Sigverif.exe) to identify unsigned
drivers on a Windows-based computer by running a scan for unsigned drivers. Sigverif.exe is a
wizard-driven tool, which scans the system for the presence of unsigned drivers and critical system
files. It also creates a report that lists all the files scanned along with relevant version and digital
signature information. The report is stored in your Windows directory and is called sigverif.txt. This
information can be helpful when you are troubleshooting system instability in Windows.
Incorrect answers:
B: The driverquery command with the si parameter specifies to display the properties of signed drivers
only and not the location of unsigned drivers.
C: The Systemroot\System32 folder is a protected directory in the Windows Server 2003 environment and
the Systemroot\System folder is not; besides, that folder will not indicate whether the driver is signed
or not.
D: You need to specify exactly what you want to verify.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 10.6
# QUESTION 32:
You are the network administrator for CertKing .com. You attempt to install a new network adapter in a
Windows Server 2003 computer. You receive an error message that states that the software for the
hardware that you are attempting to install has not passed Windows Logo testing to verify its
compatibility with this version of Windows. The error message also states that the hardware has not been
installed. You need to change the policies to ensure that you can install the network adapter on the
Windows Server 2003 computer. Which policy setting should you modify? To answer select the
appropriate policy in the work area.
Answer:
Explanation: Change the "Unsigned driver installation behaviour" setting to "Allow installation". The
exhibit shows that the unsigned driver installation behaviour setting is set to "Do not allow". This has
to be changed in order for the network adapter to be installed successfully. Each device driver and
operating system file that is included with Windows has a digital signature. The digital signature
indicates that the driver or file meets a certain level of testing and that it was not altered or
overwritten by another program's installation process. Using signed device drivers helps to ensure the
performance and stability of your system. Also, it is recommended that you use only signed device drivers
for new and updated device drivers.
Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing
and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 203-205
# QUESTION 33:
You are the network administrator for CertKing .com. You are the administrator of a Windows Server
2003 computer named CertKing 8. You log on to CertKing 8 and attempt to access the network. You
discover that the server is not communicating on the network. You discover that a service pack and an
updated network adapter driver were installed on CertKing 8 the previous night. A complete backup,
including the System State data, was performed before the service pack and the driver were installed.
You need to restore network communications.
What should you do first?
A. Use Roll Back Driver to reinstall the previous driver for the network adapter.
B. Use the Backup or Restore Wizard to restore the backup from the previous night.
C. Restart CertKing 8 by using Last Known Good Configuration option.
D. Use the Registry Editor to delete the registry settings for the network adapter driver.
Answer: A
Explanation: When drivers cause problems within a system, you might experience two levels of severity.
The first is the device simply not being enabled on system startup or installation. A more severe level will
result in the system not starting up due to a bug check (also known as a blue screen or STOP error).
If the problem is caused during a driver upgrade, you can leverage the capability to roll back a driver.
To roll back a driver to a previous version, open the device Properties dialog box in Device Manager and
select the Driver tab. In that tab is a button called Rollback that you can select to roll back the driver to
the previous version.
Incorrect answers:
B: This option would not be advisable in this case, as the complete backup was performed before the
service pack and the driver were installed. What is needed is just to roll back to the previous driver.
C: When Last Known Good Configuration is used, Windows starts using the Registry information and
driver settings saved at the last successful logon. However, all you need to do is to make use of Roll Back
Driver to reinstall the previous driver.
D: This would not be necessary.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied,
MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide &
DVD Training System, Syngress Publishing, Rockland, 2003, Chapter 3, p. 235
# QUESTION 34:
You are the network administrator for CertKing .com. In particular you administer a Windows 2003
server named CertKing 4. CertKing 4 stops responding several times. Each time, the following error
You suspect that a hardware component is causing the problem, and you contact the vendor. The vendor
requires debugging information.
You need to configure CertKing 4 to generate a file that contains relevant information for the vendor.
What should you do?
A. Configure CertKing 4 to perform a memory dump.
B. Add the /debug option to the Boot.ini file on CertKing 4.
C. Enable Physical Addressing Extensions on CertKing 4.
D. Install the Recovery Console on CertKing 4.
Answer: A
Explanation:
It is important that you record the information associated with the bug check and driver information
sections. Many of the bug check messages have relevant information that you should read and understand
if they apply to your situation. Your device vendor and/or Microsoft make use of the memory dumps to
help understand the state of the system at the time that the bug check occurred. You can change the
memory dump settings through the Startup and Recovery button in the System Properties' Advanced tab.
Incorrect Answers:
B: Adding the /debug option to the Boot.ini file will not address your problem.
C: Enabling Physical Addressing Extensions will not generate a file with the necessary information to
address your problem.
D: Installing the Recovery Console will not yield the necessary information for the vendor.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 236
# QUESTION 35:
You are the network administrator for CertKing .com. In particular you administer a Windows 2003
server named CertKing 13. You need to use Disk Management to configure a partition on CertKing 13.
When you attempt to access Disk Management, you receive the following error message:
"Unable to connect Logical Disk Manager service."
You verify that the Logical Disk Manager service is started.
What is the most likely cause of the problem?
A. There is not enough available space on the boot partition.
B. The disk performance counters are disabled.
C. The Logical Disk Manager Administrative service is disabled.
D. The Windows 2003 Administration Tools Pack is not installed.
Answer: C
Explanation: A disabled Logical Disk Manager Administrative service manifests as an inability to
connect to Logical Disk Manager.
Incorrect answers:
A: It is not a matter of enough available space but rather an inability to connect to the Logical Disk
Manager service.
B: Disk performance counters are irrelevant in this scenario.
D: This is not the problem; it is the service that needs to be enabled.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003
Environment Exam Cram 2 (Exam 70-290), Chapter 3
# QUESTION 36:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
Terminal Services is installed on your network. You currently use a terminal server farm. CertKing 1, the
first server in the farm, acts as the session directory server.
All terminal servers are operating at maximum capacity. An increasing number of users report slow
response times when they use these servers.
You need to improve the performance of the terminal server farm. You plan to use a server named
CertKing 4, which has hardware identical to that of the other terminal servers in the farm.
First, you add CertKing 4 to the Session Directory Computers group on CertKing 1.
What should you do next?
A. Add CertKing 4 to the Session Directory Computers group on the PDC emulator.
B. On CertKing 4, select the Terminal Services configuration option to join the existing session directory.
C. On CertKing 4, install the Session Directory service.
D. On CertKing 4, create a new session directory server.
Answer: B
Explanation: The session directory is a database that can reside on a server that is separate from the
terminal servers in the farm, although it is possible to have it on a member of the farm. The session
directory database maintains a list of the user names associated with the session IDs connected to the
servers in a load balanced Terminal Server farm. There are two Session Directory components to keep in
mind when installing and configuring Session Directory: (1) Session Directory server and (2) Client
servers.
1 The Session Directory server is the server that is running the Session Directory service. It is not
required to be a Terminal Server, or even to have Remote Desktop enabled.
2 The client servers are the Terminal Servers which will request data from the Session Directory
server. Client servers need to be configured to point towards the Session Directory server for Session
Directory requests.
Architecturally, one Session Directory server may service multiple load balanced farms, although this
may cause confusion if the administrator configures all farms to have the same logical cluster name value.
After adding CK4 to the Session Directory Computers group on CK1, CK4 must be joined to the existing
session directory.
Incorrect answers:
A: The PDC emulator can be used in a situation where you have Windows NT4 servers in your domain.
This is however not applicable in this scenario.
C: On all editions of the Windows Server 2003 family, the Session Directory service is installed by
default. There is thus no need to install it on CK4.
D: It would be superfluous to add another session directory server; a farm only requires one session
directory server.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 750
Microsoft Knowledge Base Article - 301926, Overview of the Session Directory Technology in Terminal
Services
# QUESTION 37:
Exhibit
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. The domain contains two domain controllers named CertKing 1 and
CertKing 2.
During routine monitoring of the domain controllers, you observe numerous errors in the system log.
The errors are similar to the one shown in the exhibit.
You need to resolve these errors on your domain controllers as quickly as possible.
What are two possible ways to achieve this goal? (Each answer is a complete solution. Select two.)
A. Install the appropriate printer drivers on CertKing 1 and CertKing 2.
B. Modify the Default domain controller GPO. Enable the Do not allow client printer redirection policy.
C. Add the Domain Admins group to the built-in Print Operators group.
D. Add the Domain Users group to the built-in Print Operators group.
Answer: A, B
Explanation: The System log records events generated by the operating system and its subsystems, such
as its device drivers and services. It could be that the incorrect drivers were installed on the domain
controllers. Thus if you install the appropriate driver on CertKing 1 and CertKing 2 you will solve the
problem. If the Default To Main Client Printer setting is disabled, the Terminal Server session will use
the default printer of the Terminal Server computer. Printer redirection settings can be specified by a
GPO. This option should also solve your problem.
Incorrect answers:
C, D: The built-in Print Operators group has the right to log on locally. Whether you add the Domain
Admins group or the Domain Users group to the built-in Print Operators group, it will not solve your
problem as the problem is registered as a different type of error.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003
Environment Exam Cram 2 (Exam 70-290), Chapter 6
# QUESTION 38:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All servers run Windows Server 2003. All client computers run Windows
XP Professional.
The network contains a domain controller named CertKing 3. You create a preconfigured user profile on
a client computer named CKClient 1.
You need to ensure that all users receive the preconfigured user profile when they log on to the network
for the first time. All users must still be able to personalize their desktop environments.
What should you do?
A. From CKClient 1, copy the user profile to \\CertKing 3\netlogon\Default User.
B. From CKClient 1, copy the user profile to \\CertKing 3\netlogon\Default User. Change the User
Profile path for all users in the Active Directory to \\CertKing 3\netlogon\Default User.
C. From CKClient 1, copy the user profile to the C:\Documents and Settings\Default User folder. Share
the Default User profile on the network.
D. Create a Folder Redirection policy in Active Directory.
Answer: A
Explanation: The Net Logon service uses the netlogon share for processing logon scripts. To assign a
preconfigured user profile for all first-time users on the network, you need to copy CKClient 1's user
profile to \\CertKing 3\netlogon\Default User. This option will still allow users to personalize their
desktop environments.
Incorrect answers:
B: You do not need to change the User Profile path for all users; it is only the first-time users to whom
you need to assign the preconfigured user profile.
C: Sharing the Default User profile is not going to ensure that all first-time users will be assigned the
profile.
D: Folder redirection is not what is required in this scenario.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003
Environment Exam Cram 2 (Exam 70-290), Chapters 4 & 5
# QUESTION 39:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. Some client computers
run Windows 2000 Professional, and the rest run Windows XP Professional.
All user accounts in the Sales department are located in the Sales organizational unit (OU).
To store roaming user profiles, you create a shared folder named Profiles on a member server named
CK1. You assign the Allow - Full Control permission on the Profiles folder to the Everyone group.
Now you need to create roaming user profiles for the user accounts in the Sales OU.
What should you do?
A. Select all user accounts in the Sales OU.
Modify the account properties to specify \\CK1\Profiles\%username% as the profile path.
B. Select all user accounts in the Sales OU.
Modify the account properties to specify \\CK1\Profiles as the profile path.
C. Create a Group Policy object (GPO) and link it to the Sales OU.
In the User Configuration section of the GPO, configure Folder Redirection to use \\CK1\Profiles.
D. Create a Group Policy object (GPO) and link it to the Domain Controllers OU.
In the User Configuration section of the GPO, configure Folder Redirection to use \\CK1\Profiles.
Answer: A
Explanation: The users will log on to the client computers and will be authenticated on domain
controllers. The roaming profiles are stored on a member server, so we must enter the UNC path to the
shared profiles folder in the profile path. In this case, the UNC path is \\CK1\Profiles. To create
profiles based on the user names, we can use the %username% variable. The %username% variable will be
changed to the user's logon name when the user logs in. For example, if a user named Jack logs in,
\\CK1\Profiles\%username% will become \\CK1\Profiles\Jack.
Incorrect answers:
B: The account properties should specify the profile path by making use of the %username% variable if
you want to create roaming user profiles for the user accounts in the Sales OU.
C: Linking a GPO to the Sales OU as described in this case will not work; you should still make use of
the %username% variable to create roaming user profiles for the accounts in the Sales OU.
D: Even if you create a GPO linked to the Domain Controllers OU, the Folder Redirection setting should
be more specific and point to the %username% variable as well.
Reference: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing
and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 285
# QUESTION 40:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. All network servers run Windows Server 2003.
User profiles are stored in a folder named CertKing Profiles, which is located on a member server named
CertKing 12. CertKing Profiles is shared as Profiles.
A change in business rules requires you to create a template account for users in the engineering
department. All user accounts that are created from the template will use roaming profiles. Each profile
name will be based on user name. All profiles must be stored in a central location.
You create the template and name it T-Engineer.
Now you need to add information about profile location to T-Engineer.
What should you do?
Answer:
Explanation: The users will log on to the client computers and will be authenticated on domain
controllers. The roaming profiles are stored on a member server, so we must enter the UNC path to the
shared profiles folder in the profile path. In this case, the UNC path is \\CertKing 12\profiles. To create
profiles based on the user names, we can use the %username% variable. The %username% variable will be
changed to the user's logon name when the user logs in. For example, if a user named Jack logs in,
\\CertKing 12\profiles\%username% will become \\CertKing 12\profiles\Jack.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing
and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 285
# QUESTION 41:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. All network servers run Windows Server 2003, and all client computers run
Windows 2000 Professional.
You need to standardize the desktop environment for all client computers. Your solution must prevent
domain users from permanently modifying their regional settings or the desktop background.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Specify the profile's network path in the user properties in Active Directory Users and Computers.
B. Specify the profile's local path in the user properties in Computer Management.
C. Specify the profile's network path in the user properties in Computer Management.
D. In the network share where profiles reside, rename Ntuser.dat to Ntuser.man.
E. In the local profile directory, rename Ntuser.dat to Ntuser.man.
F. In the network share where profiles reside, rename the Ntuser.ini to Ntuser.man.
Answer: A, D
Explanation: Your solution must prevent domain users from permanently modifying their regional
settings or the desktop background. The trick here is the word permanently; the user with a mandatory
profile can modify his profile, but the mandatory profile will change the settings again next time the user
logs on. A mandatory user profile is a user profile that is not updated when the user logs off. It is
downloaded to the user's desktop each time the user logs on, and it is created by an administrator and
assigned to one or more users to create consistent or job-specific user profiles. Only members of the
Administrators group can change settings in a preconfigured user profile. The user can still modify the
desktop, but the changes are not saved when the user logs off. The next time the user logs on, the
mandatory user profile is downloaded again. User profiles become mandatory when you rename the
NTuser.dat file on the server to NTuser.man. By renaming this file, you have effectively made the user
profile read-only, meaning that the operating system does not save any changes made to the profile when
the user logs off. Microsoft recommends this method for creating mandatory user profiles.
Incorrect answers:
B: The profile's network path and not the local path should be specified.
C: The profile's network path is specified in the user properties in Active Directory Users and Computers
and not in the user properties in Computer Management.
E: Renaming the Ntuser.dat to Ntuser.man in the local profile directory, thus making it a mandatory user
profile, will only be applicable to the local profile directory and not to the network share. If the server
where user profiles are stored is not available when a user logs on, the operating system defaults to using
an existing local profile for the user. If the user has no local profile on that computer, it creates a local
profile for the user from the local default profile. If you want to strictly enforce a policy that states that no
user can log on without a roaming profile, you can append the extension of .man to the roaming user
profile folder's name.
F: This will not work even if you have the correct location in the network share where the profiles reside.
Reference:
HOW TO: Create a Roaming User Profile in Windows Server 2003, KB article 324749
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam
Cram 2 (Exam 70-290), Chapter 4
# QUESTION 42:
Exhibit
You are the network administrator for CertKing .com. All network servers run Windows Server 2003. All
users log on to the company's domain.
A user named Jack logs on to multiple computers on the network. Jack reports that her desktop
settings are not retained when she switches between computers. You decide to configure a roaming
profile for Jack. From Jack's primary desktop computer, you attempt to copy his profile to the network
by using Jack's credentials. You receive the dialog box shown in the exhibit.
You need to copy Jack's profile to the network.
What should you do?
A. Log on to Jack's computer by using a local Administrator account.
B. Add Jack's account to the local Administrators group.
C. Add the "Add the Administrators security group to roaming user profiles" policy setting to the Default
Domain Policy GPO.
D. Remove the Prevent Roaming Profile changes from propagating to the server policy setting from the
Default Domain Policy GPO.
Answer: A
Explanation: A roaming user profile is a server-based user profile that is downloaded to the local
computer when a user logs on and is updated both locally and on the server when the user logs off. But in
this case you need to log on to Jack's computer by using the local Administrator account in order to copy
Jack's profile to the network using her credentials.
Incorrect answers:
B: Just adding Jack's account to the local Administrators group will not enable you to copy her profile to
the network.
C: It is just a matter of changing profile type and not changing settings to the GPO, as only Jack's account
is problematic.
D: This is not the solution.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied,
MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment: Study Guide &
DVD Training System, Syngress Publishing, Rockland, 2003, Chapter 3, p. 210
# QUESTION 43:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. All client computers run
Windows XP Professional. Multiple users share the same client computer. A server named CertKing 2
functions as a file and print server. You set the profile path for all user accounts to
\\CertKing 2\Profiles\username. Some domain users were added to the local Administrators group on the Windows
XP Professional computers. A user reports that other users can log on to client computers that he has
previously used and gain access to files stored in his My Documents folder on the local hard disk. You
need to permanently prevent users from being able to access the My Documents folder of other domain
users on the client computers. What should you do?
A. In Active Directory, modify the Default Domain Policy. Disable the Do not check for user ownership
of Roaming Profile Folders setting.
B. In Active Directory, modify the Default Domain Policy. Enable the Delete cached copies of roaming
profiles setting.
C. Log on to all client computers and delete all user profiles from the local hard disks.
D. Log on to all client computers and configure the Number of previous logons to cache setting to 0.
Answer: B
Explanation: When users on your network regularly move from one profile-creating workstation to
another, every machine they use will store a copy of their local profile. You may use System Policy
Editor or Group Policies to compel the workstations to delete cached copies of roaming profiles when the
user logs out. This is a machine-specific setting that is implemented in the Registry in
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON.
What this setting also does is to prevent users from being able to access the My Documents folder of
other domain users on the client computers as is the case in this question.
Incorrect answers:
A: Disabling the Do not check for user ownership of Roaming Profile Folders will not prevent users from
being able to access folders of other domain users on the client computers.
C: Deleting all user profiles from the local hard disks is not the solution.
D: Configuring the number of previous logons to cache setting to 0 is not the solution.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C. A. Callahan & Lisa Justice, Mastering
Windows® Server 2003, Sybex Inc., Alameda, 2003, p. 815
# QUESTION 44:
You are the network administrator for CertKing . All network servers run Windows Server 2003. A
server named CertKing 6 functions as a file server. All client computers run Windows XP Professional
and are members of the domain. CertKing .com periodically hires temporary employees. You need to
prepare a custom user profile for all temporary employees. You log on to a client computer as an
administrator, and you configure the desktop settings. You copy the profile to a folder named \\ CertKing
6\Profiles\Temp_profile. You rename the Ntuser.dat file in the \\ CertKing 6\Profiles\Temp_profile folder
to Ntuser.man. You create three new user accounts for the temporary employees. The user accounts are
named temp_user1, temp_user2, and temp_user3. You need to configure the temporary user accounts to
receive the new desktop settings that you created on CertKing 6. The temporary employees must not be
allowed to retain customized desktop settings. What should you do?
A. Specify a user profile path of \\ CertKing 6\Profiles\username for each of the three user accounts.
B. Specify a user profile path of \\ CertKing 6\Profiles\username.man for each of the three user accounts.
C. Specify a home folder path of \\ CertKing 6\Profiles\username for each of the three user accounts.
D. Specify a user profile path of \\ CertKing 6\Profiles\Temp_profile for each of the three user accounts.
E. Specify a user profile path of \\ CertKing 6\Profiles\Temp_profile.man for each of the three user
accounts.
Answer: D
Explanation: Force the user to load a particular profile - If you specify the directory path on the domain
controller or server as DIRECTORYNAME.MAN but you do not rename the hive file to
NTUSER.MAN, the operating system will not see it as a mandatory profile. If the hive file is not named
NTUSER.MAN, the workstation will classify it merely as a roaming profile. In this scenario, users can
make changes to their Desktops. At logon, however, the user will not be able to log in if the profile
directory does not exist in the specified path. Renaming the NTUSER.DAT file to NTUSER.MAN so
that the user cannot save changes to the profile has been done in this case. What is necessary further is to
specify an appropriate user profile path to the \\ CertKing 6\Profiles\Temp_profile folder for each of the
three user accounts, and then you will prevent temporary employees from retaining customised desktop
settings.
Incorrect answers:
A: This will not work.
B: This is inappropriate in this scenario.
C: You should not be specifying a home folder path, but rather a user profile path to the appropriate
folder.
E: This is not the solution.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C. A. Callahan & Lisa Justice, Mastering Windows
Server 2003, Sybex Inc., Alameda, 2003, pp. 816-817
# QUESTION 45:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. The sales department is hiring employees. An OU named CertKing Sales
is created to hold objects for the new sales department users. Each sales department user has a portable
computer. Each portable computer runs Windows XP Professional. The sales department users are
responsible for joining their portable computers to the domain. You need to ensure that the computer
accounts for the Sales department users' portable computers are created in the CertKing Sales OU. You
need to achieve this goal without granting any unnecessary permissions. What should you do?
A. Assign the sales department users the Allow - Read permissions for the Computer container.
B. Configure the sales department users' user accounts to be trusted for delegation.
C. Prestage the computer accounts in the CertKing Sales OU for the sales department users' portable
computers.
D. Assign the sales department users the Allow - Create all Child Objects permission for the CertKing
Sales OU.
Answer: C
Explanation: Pre-staging prevents RIS from deploying an operating system to unknown client
computers. And with pre-staging you can add the user accounts with the appropriate permissions in the
OU. This option is best suited in this scenario.
Incorrect options:
A: Assigning the Allow - Read permission for the Computer Container to the Sales department users will
not work.
B: The Account Is Trusted For Delegation option enables a service account to impersonate a user to
access network resources on behalf of a user. This is not recommended in this scenario.
D: Assigning the Allow - Create all child objects permission for the CertKing Sales OU will be granting
unnecessary permissions.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, 3: 9
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 46:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional. You install a new server named Server22 with default settings. During
installation, you set the IP configuration shown in the exhibit.
You make Server22 a member of a workgroup. Then you restart Server22 and use the local
Administrator account to log on locally. You join Server22 to the domain.
You restart Server22 and use the Domain Administrator account to log on. However, you are
unsuccessful.
You need to ensure that Server22 is a member of the domain.
What should you do?
A. Open the Active Directory Users and Computers and reset Server22.
B. From a command prompt on another member server or domain controller, type:
dsmod computer Server22. CertKing .com -reset
C. Log on locally.
In the TCP/IP properties, change the DNS server of Server22.
D. Log on locally.
In the TCP/IP properties, change the subnet mask of Server22.
E. From a command prompt on another member server or domain controller, type:
nltest /server:Server22. CertKing .com /trusted_domains
Answer: E
Explanation: The command "nltest /server:Server22. CertKing .com /trusted_domains" will display a list
of domains trusted by the server Server22. CertKing .com. A trusted domain means the domain that the
computer is a member of or other domains trusted by the computer's domain.
Incorrect Answers:
A: The client workstation hasn't been offline. Therefore, it is unlikely that the account needs resetting.
B: This command also resets the account.
C: The question states, "You join Server22 to the domain". You would have got an error if you had a
DNS problem.
D: The question states, "You join Server22 to the domain". You would have got an error if you had an
IP configuration problem.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 284
# QUESTION 47:
You are the network administrator for CertKing .com. The network contains two Windows Server 2003
computers named CertKing 7 and CertKing 8.
You install a new modem on CertKing 7 to allow an application to dial out to your pager. You install the
driver. When you test the modem, it does not dial out successfully. You install an identical hardware and
driver configuration on CertKing 2, and the modem dials out successfully.
You need to find out if the modem card in CertKing 7 is defective.
What should you do on CertKing 7?
A. In Device Manager, right-click the modem, and then click Scan for hardware changes.
B. In Modem Properties, click the Modem tab, and then set the maximum port speed to the same value as
the value for the maximum port speed on CertKing 8.
C. In Modem Properties, click the Diagnostics tab, and then click the Query Modem button.
D. In Device Manager, right-click Ports, and then click Scan for hardware changes.
Answer: C
Explanation: You can manage the modem properties by clicking on and selecting the modem you want to
manage on the Modems tab, then clicking the Properties button. This brings up the Modem Properties
dialog box, which allows you to configure general properties and modem properties, run diagnostics, set
advanced parameters, view and manage the driver, and view the resources the modem is using. Using the
Query Modem button will enable you to verify whether the modem card in CertKing 7 is defective or not.
Incorrect answers:
A: This will not aid you in checking whether the modem card is defective or not.
B: The Modem tab and the setting of the maximum port speed are not causing the problem since an
identical situation on CertKing 2 has the modem dialling out successfully.
D: This is not the place to check whether the modem card is defective or not.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 124
# QUESTION 48:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
You place computer accounts for servers in OUs that are organized by server roles. You apply GPOs to
these servers at the OU level.
You need to add a new server to the domain. You need to ensure that the appropriate GPOs are applied
to this server.
What should you do?
A. Prestage a domain computer account for the new server in the appropriate OU. Join the server to the
domain by using the prestaged computer account.
B. On the server, add the domain name for the Active Directory domain to the DNS suffix setting. Join
the server to the domain.
C. Assign a user account the Allow - Create permission for the appropriate OU. Join the new server to the
domain by using the user account.
D. Join the new server to the Active Directory domain. On the new server, run the gpupdate /force
command.
Answer: A
Explanation: With pre-staging you can add the user accounts with the appropriate permissions in the OU.
This option is best suited in this scenario since GPOs are applied at OU level.
Incorrect answers:
B: Joining the server to the domain will not ensure that the GPO will be applied to the server.
C: Assigning the Allow-Create permission albeit to the appropriate OU and joining the new server to the
domain will not ensure that the appropriate GPOs are applied to the server.
D: This option is not suitable since GPOs are applied at OU level.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, 3: 9
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 49:
Exhibit
You are the network administrator for CertKing .com. The network consists of a single Active Directory
forest that contains two domains. The functional level of the forest is Windows 2000. The functional level
for both domains is Windows 2000 native. All servers run Windows 2003.
You create a group named CertKing Staff. The CertKing Staff group includes users from both domains.
The group properties are shown in the exhibit.
You need to use the CertKing Staff group to assign permissions to resources in both domains. However,
when you attempt to assign permissions to a shared folder by using the CertKing Staff group, you receive
an error message that states that an object named " CertKing data" cannot be found.
You need to ensure that the CertKing Staff group can be used to assign permissions to shared resources in
both domains.
What should you do?
A. Upgrade the forest functional level to Windows Server 2003.
B. Upgrade the domain functional level for both domains to Windows Server 2003.
C. Modify the group properties to make the group a global distribution group.
D. Modify the group properties to make the group a universal security group.
E. Modify the group properties to make the group a domain local security group.
Answer: D
Explanation: Use security groups for the distribution of e-mail as described for distribution groups, but
also use them to assign permissions to Windows resources. You can also use security groups to assign
user rights to group members. User rights include actions such as Backup files and directories or Restore
files and directories, both of which are assigned to the Backup Operators group by default. You can
delegate rights to groups to enable the members of the group to perform a specific administrative function
that is not normally allowed by their standard user rights. You can also assign permissions to security
groups to enable them to access network resources, such as printers and file shares. Universal groups can
include other groups and user/computer accounts from any domain in the domain tree or forest.
Permissions for any domain in the domain tree or forest can be assigned to universal groups. Universal
groups are only available if your domain functional level is set to Windows 2000 native mode.
Incorrect answers:
A, B: Upgrading the forest functional level or even the domain functional level for both
domains to Windows Server 2003 will not work because once you have raised the domain functional
level, domain controllers running earlier operating systems cannot be used in that domain. As an
example, should you decide to raise domain functional level to Windows Server 2003, Windows 2000
Server domain controllers cannot be added to that domain.
C: Distribution groups are used for distributing messages to group members. And global groups can
include other groups and user/computer accounts from only the domain in which the group is defined.
Modifying the group to be a global distribution group will not work.
E: Making the group a domain local security group will not ensure permissions to shared resources on
both domains.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 319-320
# QUESTION 50:
Your network consists of a single Active Directory forest containing two domains, hq. CertKing .com
and manu. CertKing .com. The functional level of both domains is Windows 2000 mixed. hq. CertKing .com
contains two domain controllers running Windows Server 2003 and three domain controllers running
Windows 2000 Server.
You are the network administrator for hq. CertKing .com. The domain controllers in your domain host
applications and shared folders to which users in manu. CertKing .com require access.
You need to create a group that will grant the required access to users in manu. CertKing .com.
What should you do?
Answer:
Explanation: Domain local - Security. Distribution groups can be used only with e-mail applications
(such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled,
which means that they cannot be listed in discretionary access control lists (DACLs). A DACL is the
part of an object's security descriptor that grants or denies specific users and groups permission to
access the object. Only the owner of an object can change permissions granted or denied in a DACL;
thus, access to the object is at the owner's discretion. If you need a group for controlling access to
shared resources, create a security group. Used with care, security groups provide an efficient way to
assign access to resources on your network. Using security groups, you can:
1. Assign user rights to security groups in Active Directory.
2. Assign permissions to security groups on resources.
A group can be converted from a security group to a distribution group, and vice versa, at any time,
but only if the domain functional level is set to Windows 2000 native or higher. No groups can be
converted while the domain functional level is set to Windows 2000 mixed. Domain local groups can
contain other domain local groups in the same domain, global groups from any domain, universal groups
from any domain, user accounts from any domain, and computer accounts from any domain.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE:
Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD
Training System, pp. 320, 329
# QUESTION 51:
You are an employee at CertKing . The network consists of a single Active Directory forest containing two
domains helsinki. CertKing .com and mumbai. CertKing .com. The functional level of both domains is
Windows 2000 mixed. helsinki. CertKing contains two domain controllers running Windows Server 2003
and three domain controllers running Windows 2000 Server. You are the network administrator for helsinki.
CertKing .com. Users in your domain require access to applications and shared folders that reside on
member servers in mumbai. CertKing .com. What action should you take? (Configure options in the
dialog box)
Answer:
Explanation: Select "Global" and "Security". Global groups can include other groups and user/computer
accounts from only the domain in which the group is defined. Permissions for any domain in the forest
can be assigned to global groups. The group's Security tab is used to add and remove permissions to this
group for other accounts (users and groups). Use the Add button to add the accounts, and then use the
check boxes at the bottom to select the permissions for the newly added accounts. Read is the default
permission assigned when you add an account to the security tab of a group. The Advanced button
enables you to manage permissions to the group on a more granular level. This is also where you manage
auditing, ownership, as well as view effective permissions. Using security groups, you can:
1. Assign user rights to security groups in Active Directory.
2. Assign permissions to security groups on resources.
A group can be converted from a security group to a distribution group, and vice versa, at any time, but
only if the domain functional level is set to Windows 2000 native or higher. No groups can be converted
while the domain functional level is set to Windows 2000 mixed.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE:
Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD
Training System, pp. 320, 329
# QUESTION 52:
Your company network consists of a single Active Directory domain named CertKing .com. The
functional level of the domain is Windows 2000 Native. The network contains 20 member servers
running Windows
2000 and 5 domain controllers running Windows Server 2003.
The user accounts for employees in the Finance department are members of a global distribution group
named Finance_Users. You create a shared folder named Finance_Docs on a Windows 2000 member
server.
You need to enable the Finance users to access the Finance_Docs folder.
What should you do?
A. Change Finance_Users to a security group.
B. Change the scope of Finance_Users to Universal.
C. Change the scope of Finance_Users to Domain Local.
D. Raise the domain functional level to Windows Server 2003.
Answer: A.
Explanation: Groups are special objects that contain users, and security groups are used to simplify
management of multiple user accounts by enabling you to apply permissions, user rights, and so forth to
an entire group of users in a single operation instead of having to apply them to individual user accounts.
You cannot assign permissions to file shares to a distribution group. The group must be converted to a
security group. Note: you must be in at least Windows 2000 Native Functional Level in order to be able
to convert a distribution group to a security group.
Incorrect Answers:
B: You cannot assign permissions to file shares to a universal distribution group.
C: You cannot assign permissions to file shares to a distribution group, regardless of what functional
level the forest is in. Finance_Users is a distribution group.
D: You cannot assign permissions to file shares to a distribution group, whatever functional level the
domain is in. Finance_Users is a distribution group.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE:
Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD
Training System, p. 256
# QUESTION 53:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
forest containing two domains, hq.hmopslab.com and mm.hmopslab.com. The functional level of both
domains is Windows 2000 mixed. hq.hmopslab.com contains 2 domain controllers running Windows
Server 2003 and 3 domain controllers running Windows 2000 Server.
You are the network admin for hq.hmopslab.com. Users in your domain require access to applications
and shared folders that reside on member servers in mm.hmopslab.com.
You need to create a group in hq.hmopslab.com that will provide the required access.
Answer:
Explanation: Global, Security. We should use Global Security groups because the users in the domain
require access to the applications and shared folders that are on the member servers. Global groups can
include other groups and user/computer accounts from only the domain in which the group is defined.
Permissions for any domain in the forest can be assigned to global groups. The group's Security tab is
used to add and remove permissions to this group for other accounts (users and groups). Use the Add
button to add the accounts, and then use the check boxes at the bottom to select the permissions for the
newly added accounts. Read is the default permission assigned when you add an account to the security
tab of a group. The Advanced button enables you to manage permissions to the group on a more granular
level. This is also where you manage auditing, ownership, as well as view effective permissions.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE:
Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD
Training System, pp. 320, 329
# QUESTION 54:
You are a network administrator for CertKing . The network consists of a single Active Directory domain
named CertKing .com.
A user named Mrs. Bill works in the information technology (IT) security department. Mrs. Bill is a
member of the ITSecurity global group. Mrs. Bill reports that no one in the ITSecurity global group
can access the security log from the console of a computer named CertKing 1.
You need to grant the ITSecurity global group the minimum rights necessary to view the security log on
CertKing 1.
How should you modify the local security policy?
A. Assign the Generate security audits user right to the ITSecurity global group.
B. Assign the Manage auditing and security logs user right to the ITSecurity global group.
C. Assign the Allow logon through Terminal Services user right to the ITSecurity global group.
D. Assign the Act as part of the operating system user right to the ITSecurity global group.
Answer: B
Explanation: Security events are logged in the security log, accessible by administrators via the Event
Viewer. An audit entry can be either a Success or a Failure event in the security log. A list of audit entries
that describes the life span of an object, file, or folder is referred to as an audit trail. Security auditing
enables you to track access to and modifications of objects, files, or folders, and to determine who has
logged on (or attempted to do so) and when. The right to manage the security event log is a powerful user
privilege that should be closely guarded. Anyone with this user right can clear the security log, possibly
erasing important evidence of unauthorized activity. The default security groups for this user right are
sufficient for the Legacy Client and Enterprise Client environments. However, this user right is
configured to enforce the default Administrators in the High Security environment.
Incorrect answers:
A: Being able to generate security audits does not mean that that specific group can view the security
logs. Security logs can only be viewed with administrator rights via the Event Viewer.
C: Having the Allow logon through Terminal Services user right will not grant the ability to view security
logs.
D: The Act as part of the operating system user right will not do, you need to be an administrator.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 749.
# QUESTION 55:
You are the network administrator for CertKing . The network consists of several domains in a single
Active Directory forest CertKing .com. The functional level for all child domains is Windows 2000
mixed. A server named CertKing A.litwareinc.com runs Windows Server 2003. You share a folder
named SalesDocs on this server. In the properties for SalesDocs, you assign the Allow - Full Control
permissions to a universal group named U_Sales in CertKing .com. Effective permissions for U_Sales are
shown in the U_Sales exhibit.
In each domain in the forest, you create a global group named G_Sales, whose membership consists of
users in that domain's department. You add every G_Sales group to the U_Sales group.
Ben Smith is a member of G_Sales in child1. CertKing .com. He reports that he cannot access SalesDocs.
You need to ensure that Ben Smith can access SalesDocs.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two)
A. Add Ben Smith's user account to U_Sales in litwareinc.com
B. Change the group scope of U_Sales to domain local.
C. Change the group type of U_Sales to distribution.
D. Assign the Allow - Full Control permissions to G_Sales in child1. CertKing .com.
E. Instruct Ben Smith to log on by using his user principal name.
Answer: B, D
Explanation: Ben Smith is unable to access SalesDocs because the child domains are in mixed mode and
thus cannot use the Universal group.
Only CertKing .com is in native mode because Universal group U_Sales was created there.
We need to change the scope of U_Sales from universal to domain local. This will give Ben the required
permissions because the Global Group G_Sales is a member of U_Sales.
Alternatively, we could assign the permission directly to the G_Sales group in child1. CertKing .com.
Incorrect answers:
A: U_Sales was created in CertKing .com, but adding Ben Smith's account to U_Sales will not work as
U_Sales' group scope will have to be changed from global to domain local.
C: Windows Server 2003 has two group types: security and distribution. Security groups are used to
assign permissions for access to network resources. Distribution groups are used to combine users for
e-mail distribution lists. Security groups can be used as a distribution group, but distribution groups
cannot be used as security groups.
E: Logging on by making use of a UPN is irrelevant in this scenario as one needs to change the group
scopes first and then assign the appropriate permissions that will allow Ben Smith access to SalesDocs.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 56:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. The functional level of the domain is Windows 2000 native. Some network
servers run Windows 2000 Server, and others run Windows Server 2003.
All users in your accounting department are members of an existing global distribution group named
Global-1. You create a new network share for the accounting users.
You need to enable the members of Global-1 to access the file share.
What should you do?
A. Raise the functional level of the domain to Windows Server 2003.
B. Change the group type of Global-1 to security.
C. Change the group scope of Global-1 to universal.
D. Raise the functional level of the forest to Windows Server 2003.
Answer: B.
Explanation: You cannot assign permissions to file shares to a distribution group. The group has to be
converted to a security group. Note: you must be in at least Windows 2000 Native Functional Level in
order to be able to convert a distribution group to a security group.
Incorrect Answers:
A: You will not be able to assign permissions to file shares to a distribution group, whatever functional
level the domain is in.
C: You will not be able to assign permissions to file shares to a universal distribution group.
D: You will not be able to assign permissions to file shares to a distribution group, whatever functional
level the forest is in.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 321-323
# QUESTION 57:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain in its own forest. All network servers run Windows Server 2003.
CertKing .com merges with Foo.com, which also has a single Active Directory domain in its own forest.
A cross-forest trust from CertKing .com to Foo.com is created.
You need to ensure that all users have access to personal payroll tools located in the CertKing .com
domain. The built-in users group for CertKing .com has the appropriate permissions on the payroll tools.
What should you do?
A. Create a new universal group in the Foo.com domain. Add all Foo.com users to the group. Place the
new group in the built-in Users group for Foo.com.
B. Create a new universal group in the CertKing .com domain. Add all CertKing .com users to the group.
Place the new group in the built-in Users group for CertKing .com.
C. Create a new universal group in the Foo.com domain. Add all Foo.com users to the group. Place the
new group in the built-in Users group for CertKing .com.
D. Create a new universal group in the CertKing .com domain. Add all CertKing .com users to the group.
Place the new group in the built-in Users group for Foo.com.
Answer: C
Explanation: Universal groups are used to logically organize global groups and appear in the Global
Catalog. Universal groups can contain users from anywhere in the domain tree or forest, other universal
groups, and global groups.
For all users to have access to the personal payroll tools in the CertKing .com domain you need to create
a new universal group for the Foo.com domain and then place it in the built-in users group for
CertKing .com since the CertKing .com domain contains the tools.
Incorrect answers:
A: This option is suggesting the wrong group of users to be added to the new universal group and the
wrong built-in Users group to add it to.
B: The CertKing .com domain does not need to be given access to the personal payroll tools.
D: You should add the Foo.com users to the group and not the CertKing .com users. Furthermore, you
should place the new group in the built-in users for CertKing .com and not Foo.com.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 167
# QUESTION 58:
Exhibit
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All servers run Windows Server 2003.
Files and folders for the network users are stored on a member server named CertKing 8. Folders are
shared on the network by assigning the Allow - Full Control permission to the Authenticated Users
group.
A folder named Budget contains financial information. Permissions for Budget are shown in the exhibit.
A new employee named CertKing is hired to manage CertKing 's financial information. You create a user
account for her. However, Jack reports that she cannot create new files in Budget.
You need to ensure that Jack can perform these actions.
To which group should you add her user account?
A. Group1
B. Group2
C. Group3
D. Administrators
E. Users
Answer: B
Explanation: The Group2 account has the Allow - Modify permission applied to the Budget folder only.
The Allow - Modify permission involves: View and list folders and files; view the contents of files; write
data to files; add folders and files; delete folders, files, and file contents; view and set attributes and
extended attributes. This should enable Jack to perform her duties since the Budget folder contains the
financial information.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 5
# QUESTION 59:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All servers run Windows Server 2003.
An administrator named CertKing attempts to perform troubleshooting tasks on a file server. However,
when she attempts to open the security event log, she receives the error message shown in the exhibit.
You need to ensure that Jack can complete her troubleshooting tasks. What should you do?
A. Add Jack's user account to the Server Operators domain group.
B. Add Jack's user account to the local Administrators group on the file server.
C. Configure Jack's client computer to enable the IPSec Server (Request Security) policy.
D. Assign Jack's user account the Allow logon through Terminal Services user right for the file server.
Answer: B
Explanation: You can configure the security logs to record information about Active Directory and server
events. These events are recorded in the Windows security log. The security log can record security
events, such as valid and invalid logon attempts, as well as events that are related to resource use, such as
creating, opening, or deleting files. You must log on as an administrator to control what events are
audited and displayed in the security log. Security log files are also stored in the
systemroot/system32/config directory. Security logs can be exported and archived in the following file
formats:
1 Event log files (.evt) (Default).
2 Comma delimited (.csv).
3 Text file (.txt).
Jack needs to troubleshoot tasks on the file server; therefore we need to add her to the local
Administrators group. Making Jack part of the Administrators group will allow her access to the security
log, which will enable her to perform troubleshooting.
Incorrect answers:
A: To be able to access the security log one has to be part of the Administrators group on that specific
server, thus making Jack part of the Server Operators will not grant her enough permissions to view the
security log.
C: Enabling the IPSec Server (Request Security) policy permission for Jack's client computer will not
suffice in allowing her to view the security log. She still needs to be an administrator on the server.
D: The Allow logon through Terminal Services user right for the file server will not grant the same rights
as an administrator account. Thus this option will not grant Jack the ability to view the security log.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, pp. 230-233
# QUESTION 60:
You are the network administrator for CertKing . The network consists of a single Active Directory
domain named CertKing .com. All domain controllers run Windows Server 2003.
The sales department recently hired 10 new employees. User accounts for these employees were created
in Active Directory. The manager of the sales department sent you a list of the new users and asked you to
add the user accounts to an existing global group named SalesDept.
You need to add the users to the SalesDept global group.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
Choose two.
A. Use the dsadd user command to add the user accounts to the SalesDept global group.
B. Use the dsadd group command to add the user accounts to the SalesDept global group.
C. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users,
and then select the Properties menu command.
D. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users,
and then select the Add to a Group menu command.
Answer: B, D
Explanation: You can automate the process of creating users, groups, and computers through the Dsadd
command-line utility. Each Dsadd command offers a series of switches (which can be viewed from a
command prompt window by typing Dsadd /?) that can be used to configure the object that is being
created. Active Directory Users and Computers, on Windows Server 2003 domain controllers, is the main
tool used for managing the Active Directory users, groups, and computers. To set up and manage domain
user accounts, you use the Active Directory Users And Computers utility. The Add to a Group menu
command will enable you to add the users to the SalesDept global group.
Incorrect answers:
A: The Dsadd user command includes parameters for almost all of the options that can be configured for
a user through the Active Directory Users And Computers utility. This is not the appropriate parameter
in this case.
C: The Properties menu command would be the inappropriate choice in this matter.
Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network
Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003,
p. 227
# QUESTION 61:
You are the network administrator for CertKing . The network consists of a single Active Directory
domain named CertKing .com. All domain controllers run Windows Server 2003. CertKing .com
employs three database administrators who administer seven database servers that run Windows Server
2003. The database administrators occasionally restore a database server after a disaster. To restore a
server, database administrators need the rights required to perform the following tasks:
1 Back up files and folders
2 Restore files and folders.
3 Restore the System State data.
You need to assign the database administrators the rights that they require to perform the specified
tasks. For security reasons, you must not assign the administrators more rights than they require to
perform the tasks.
What should you do?
A. Add the database administrators' user accounts to the Administrators group on each of the database
servers.
B. Add the database administrators' user accounts to the Power Users group on each of the database
servers.
C. Add the database administrators' user accounts to the Backup Operators group on each of the database
servers.
D. Add the database administrators' user accounts to the Backup Operators group on one of the domain
controllers.
E. Add the database administrators' user accounts to the Server Operators group on one of the domain
controllers.
Answer: C
Explanation: The members of the Backup Operators group have rights to back up and restore the file
system, even if the file system is NTFS and they have not been assigned permissions to the file system.
However, the members of Backup Operators can access the file system only through the Backup utility.
To be able to directly access the file system, they must have explicit permissions assigned. Thus by
adding the database administrators' user accounts to this group on each of the database servers, you will
be granting them the appropriate rights to perform their tasks.
Incorrect answers:
A: The Administrators group has full rights and privileges on all domain controllers within the domain.
Its members can grant themselves any permissions they do not have by default to manage all of the
objects on the computer. (Objects include the file system, printers, and account management.) By default,
the Administrator user account and the Domain Admins and Enterprise Admins groups are members of
the Administrators group. Because of the permissions associated with this group, you should add users to
this group with caution. This should work, but it would be granting the database administrators too many
permissions.
B: This option would also give them too many permissions.
D: This is the correct group to make them members of, but it should be done on all the database servers.
E: The Server Operators group members can administer domain servers. Administration tasks include
creating, managing, and deleting shared resources, starting and stopping services, formatting hard disks,
backing up and restoring the file system, and shutting down domain controllers. The Server Operators
group would be the wrong choice to add the database administrators to.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 168-173
# QUESTION 62:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
You create an organizational unit (OU) named Engineering, which will hold all objects associated with
the users and computers in the engineering department. You also create a global group named
Engineering Admins, whose members will administer these objects.
Now you need to assign the appropriate permissions to the Engineering Admins group so its members
can administer the objects in the Engineering OU.
First, you use Active Directory Users and Computers to view the properties of the Engineering OU.
However, the Security tab is not available.
What should you do next?
A. Convert the system partition to NTFS.
B. Enable the Advanced Features option in the View menu of Active Directory Users and Computers.
C. Enable the Users, Groups, and Computers as Containers option in the View menu of Active Directory
Users and Computers.
D. Log on by using a user account that has Administrator permissions for the Engineering OU.
Answer: B
Explanation: The Security tab is available for modification in the Advanced Features option of the View
menu. If you select that entry and click View/Edit, you will see the specific permissions assigned to. By
default we cannot see the Security tab. Therefore we must enable the Advanced Features option in the
View menu of Active Directory Users and Computers.
Incorrect answers:
A: Converting the system partition to NTFS does not facilitate the viewing of the Security tab as this tab
is available in the View menu of Active Directory Users and Computers and converting any system
partition will not make it available as it has to be enabled in that View menu.
C: A Container is an object in a directory that contains other objects. By enabling the Users, Groups and
Computers as Containers option, you grant yourself the ability to organize the objects. You still have to
enable the Advanced Features option, though, to make the Security tab available.
D: Administrator permissions - Members of the Administrators group have complete and unrestricted
access to the domain and to servers and other resources within the domain. Administrators have the
power to grant themselves any rights or permissions that they do not already have. Because the security
context for members of the Administrators group is so high, the server and the network are vulnerable to
attacks from Internet-related sources and email-related virus-infected attachments if accounts in the
Administrators group are compromised. For these reasons, members of the Administrators group should
log on using an administrative account only when necessary. The Runas command enables administrators
to log on to the machine with their ordinary user accounts yet launch support tools under an
administrative security context. However, to make the Security tab available, they still have to enable the
Advanced Features option.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 166
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 7
# QUESTION 63:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
forest that contains three domains. The functional level of the forest is Windows Server 2003. The
domain names are CertKing .com, europe. CertKing .com, and asia. CertKing .com. Each domain
contains 500 user accounts.
CertKing .com is in the process of acquiring several other companies whose networks will be added to
the CertKing .com Windows Server 2003 domain. These acquisitions will entail the addition of several
new offices, which will be connected to CertKing 's network by means of dedicated 56-Kbps WAN
connections.
You create a new shared folder named NewProjects on a file server in CertKing .com. Several users in
each existing domain need access to the NewProjects folder. These users are not in the same group in any
domain. All users who need access to the NewProjects folder must be able to add, delete, and modify
files and folders in the NewProjects folder. Users in the acquired companies also will require access to
this folder.
You need to create the required Active Directory groups and configure the required permissions for the
NewProjects folder. Your solution must minimize ongoing administrative effort as you add new
companies to the network. You must also minimize unnecessary traffic across the WAN connections.
What should you do?
A. Create a single universal security group. Add all users that require access to the folder to the group.
Create a domain local group in the CertKing .com domain. Add the universal group to the domain local
group. Assign permissions to the shared folder by using the domain local group.
B. Create a global security group in each domain. Add all users that require access to the folder to the
global group in their domain. Create a domain local group in CertKing .com domain. Add the global
groups to the domain local group. Assign permissions to the shared folder by using the domain local
group.
C. Create a universal security group in each domain. Add all users that require access to the folder to the
group in their domain. Assign permissions to the shared folder by using the universal groups.
D. Create a global security group in each domain. Add all users that require access to the folder to the
group in their domain. Assign permissions to the shared folder by using the global groups.
Answer: B
Explanation: Applying security permissions to groups of users instead of to individual users greatly eases
the administrative burden of managing control over data and other resources. You can change the type of
a group from security to distribution or from distribution to security at any time, provided that the domain
is set at the Windows 2000 native or the Windows Server 2003 domain functional level. Domain local
group scope - a group assigned as domain local can only specify permissions on resources within a single
domain. Global group scope - a global group can contain users, groups, and computers from its own
domain as members. Global groups are available under any domain functional level. Following this, it
would make sense to create a global security group in each domain and add all users that need access to
the global group in their domain. Then create a domain local group and add the global groups to this
domain local group, after which you can assign permissions to the shared folder.
Incorrect answers:
A: Creating a universal security group will result in too much overhead in terms of bandwidth usage. The
question pertinently states that you should minimize traffic over the WAN connections.
C: A universal group can contain users, groups, and computers from any domain in its forest. The
membership list of universal groups is maintained by global catalog (GC) servers, unlike global groups
and domain local groups. Certain DCs must be assigned as GCs so that applications and computers can
locate resources within the Active Directory database. When a member is added to or removed from a
universal group, global catalog servers must track the change, and each change must be replicated to all
the global catalog servers in the forest. This results in increased overhead and network replication traffic
for universal groups and thus will not serve the purpose.
D: Assigning permissions to the shared folder by using the global groups will not work in this scenario.
You need to assign permissions to the shared folder by making use of the domain local group.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 64:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. The functional level of the domain is Windows 2000 native.
A global group named Travelling contains 7,000 users. All of these users are assigned portable
computers, which they will use to run a new POSIX-compliant application.
You create a global group named POSIX. For all 7,000 users in Travelling, you change the primary
group to POSIX.
Members of Travelling now report that they cannot access necessary domain resources.
How should you solve this problem?
A. Ensure that each site on your network is connected to at least one other site by a replication link that
uses the SMTP protocol.
B. Create two new global groups, Travelling1 and Travelling2.
Place one half of the members of Travelling in each new group.
Then place both new groups in Travelling.
C. Remove all domain users from the Users group, and then add all domain users to the group again.
D. Remove all users from Travelling.
Change Travelling to a universal group.
Add the same users to the new Travelling group.
Answer: B
Explanation: Per Microsoft: Updates to the Active Directory store must be made in a single transaction.
One consequence of this is that you should not create groups with more than 5,000 members. Because
group memberships are stored in a single multi-valued attribute, a change to the membership requires that
the whole attribute, that is, the whole membership list, be updated in a single transaction. Microsoft has
tested and supports group memberships of up to 5,000 members. Global groups are used primarily to
provide categorized membership in domain local groups for individual security principals or for direct
permission assignment (particularly in the case of a mixed or interim domain functional level domain).
Often, global groups are used to collect users or computers in the same domain and share the same job,
role, or function. Global groups:
1 Exist in all mixed, interim, and native functional level domains and forests
2 Can only include members from within their domain
3 Can be made a member of machine local or domain local group
4 Can be granted permission in any domain (including trusted domains in other forests and
pre-Windows 2003 domains)
5 Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional
level only)
A global group is a group that can be used in its own domain and in trusting domains. However, it can
contain user accounts and other global groups only from its own domain.
A domain local group can contain users and global groups from any domain in the forest, universal
groups, and other domain local groups in its own domain. A local group is used on ACLs only in its own
domain. Global group (scope) is a group that is available domain-wide in any domain functional level.
Incorrect answers:
A: Replication on network computers enables the contents of a directory, designated as an export
directory, to be copied to other directories, called import directories. Active Directory changes are
replicated to all domain controllers on a regular schedule. Thus the contents of a directory do not mean
access to domain resources.
C: Removing all domain users from the group and then re-adding them to the group will not help as the
Microsoft recommended amount of members per group will still be exceeded.
D: This option converts Travelling to a new universal group and in the process gets rid of the existing
Travelling group. However, universal groups are used primarily to grant access to resources in all trusted
domains, and universal groups can only be used as a security principal (security group type) in a
Windows 2000 native or Windows Server 2003 domain functional level domain. Thus this option is not
viable.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, pp. 4: 5-21, 770
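The group-scope rules and the 5,000-member figure from the explanations of Questions 63 and 64 can be checked mechanically; the Python below is an added example, not part of the original study guide. It validates a proposed nesting plan and counts the memberships that global catalog servers would have to track. The group names, user counts and the `Group` model are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_TESTED_MEMBERS = 5000  # supported group size quoted in the Question 64 explanation

# Group scopes that each parent scope may contain (native functional level).
ALLOWED_CHILD_SCOPES = {
    "global": {"global"},
    "universal": {"global", "universal"},
    "domain_local": {"global", "universal", "domain_local"},
}
# (parent scope, child scope) pairs that are valid only inside one domain.
SAME_DOMAIN_ONLY = {("global", "global"), ("domain_local", "domain_local")}


@dataclass
class Group:
    name: str
    scope: str                                  # a key of ALLOWED_CHILD_SCOPES
    domain: str
    users: dict = field(default_factory=dict)   # {user's domain: number of direct users}
    groups: list = field(default_factory=list)  # directly nested Group objects

    def direct_members(self):
        return sum(self.users.values()) + len(self.groups)


def nesting_problems(group):
    """Return every scope or size violation in a group and the groups nested in it."""
    problems = []
    if group.scope == "global":
        for dom in group.users:
            if dom != group.domain:
                problems.append(f"{group.name}: global group cannot hold users from {dom}")
    for child in group.groups:
        if child.scope not in ALLOWED_CHILD_SCOPES[group.scope]:
            problems.append(
                f"{group.name}: {group.scope} group cannot contain {child.scope} group {child.name}")
        elif (group.scope, child.scope) in SAME_DOMAIN_ONLY and child.domain != group.domain:
            problems.append(f"{group.name}: {child.name} must be in domain {group.domain}")
        problems.extend(nesting_problems(child))
    if group.direct_members() > MAX_TESTED_MEMBERS:
        problems.append(
            f"{group.name}: {group.direct_members()} direct members exceeds {MAX_TESTED_MEMBERS}")
    return problems


def acl_problems(group, resource_domain):
    """A domain local group can be placed on ACLs only in its own domain."""
    if group.scope == "domain_local" and group.domain != resource_domain:
        return [f"{group.name}: domain local group is not usable on ACLs in {resource_domain}"]
    return []


def gc_tracked_members(group):
    """Count direct members of universal groups in the tree (replicated between GC servers)."""
    own = group.direct_members() if group.scope == "universal" else 0
    return own + sum(gc_tracked_members(child) for child in group.groups)


DOMAINS = ["certking.com", "europe.certking.com", "asia.certking.com"]


def plan_b(users_per_domain=20):
    """Question 63, option B: one global group per domain inside one domain local group."""
    per_domain = [Group(f"G_NewProjects_{i}", "global", d, users={d: users_per_domain})
                  for i, d in enumerate(DOMAINS, start=1)]
    return Group("DL_NewProjects", "domain_local", "certking.com", groups=per_domain)


def plan_a(users_per_domain=20):
    """Question 63, option A: every user placed directly in a single universal group."""
    uni = Group("U_NewProjects", "universal", "certking.com",
                users={d: users_per_domain for d in DOMAINS})
    return Group("DL_NewProjects", "domain_local", "certking.com", groups=[uni])


def travelling(split):
    """Question 64: Travelling with 7,000 direct users, or split as in option B."""
    if not split:
        return Group("Travelling", "global", "certking.com", users={"certking.com": 7000})
    halves = [Group(f"Travelling{i}", "global", "certking.com", users={"certking.com": 3500})
              for i in (1, 2)]
    return Group("Travelling", "global", "certking.com", groups=halves)


if __name__ == "__main__":
    for label, plan in (("A", plan_a()), ("B", plan_b())):
        print(label, nesting_problems(plan), "GC-tracked members:", gc_tracked_members(plan))
    print(nesting_problems(travelling(split=False)))
    print(nesting_problems(travelling(split=True)))
```

Both Question 63 plans pass the scope rules; they differ only in how many memberships the global catalog has to replicate.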
# QUESTION 65:
You are the network administrator for CertKing Oil. The network consists of three Active Directory
domains in a single forest. All domain controllers run Windows Server 2003.
CertKing Oil enters into a business partnership with Oil Importers. The Oil Importers network consists
of four Active Directory domains in a single forest. To enable the two companies to share resources, a
two-way forest trust relationship with selective authentication is created.
Now you need to ensure that the research data of CertKing Oil will remain inaccessible to all users in Oil
Importers.
First, you create a local group named No Oil. Then, you assign the Deny - Full Control permission to No
Oil.
What should you do next?
A. Add the Domain Guests group from each of the four domains of Oil Importers to No Oil.
B. Add the Other Organization group to No Oil.
C. Add the Users group from each of the four domains of Oil Importers to No Oil.
D. Add the Proxy group to No Oil.
Answer: C
Explanation: Using Active Directory Domains and Trusts, you can determine the scope of authentication
between two forests that are joined by a forest trust. You can set selective authentication differently for
outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide
access control decisions. If you use forest-wide authentication on an incoming forest trust, users from the
outside forest have the same level of access to resources in the local forest as users who belong to the
local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide
authentication is used, users from ForestB would be able to access any resource in ForestA (assuming
they have the required permissions). If you decide to set selective authentication on an incoming forest
trust, you need to manually assign permissions on each domain and resource to which you want users in
the second forest to have access. To do this, set a control access right Allowed to authenticate on an
object for that particular user or group from the second forest. Therefore we need to add the Users group
from each of the four domains of Oil Importers to No Oil. With the Deny - Full Control permission
activated to the No Oil local group, and by adding the users of all the four domains to No Oil, you will
ensure the integrity of the research data by keeping it inaccessible.
Incorrect answers:
A: For the data to remain inaccessible to all users you need to add all the users from all the groups to the
No Oil local group. If you add the Domain Guests group from each of the four domains of Oil Importers
to the No Oil local group then you are not including all the users.
B: Adding the Other Organization group to No Oil will not have the desired effect.
D: Adding only the Proxy group to No Oil will not work, as Proxy servers only provide security by
shielding the IP addresses of internal clients from the Internet.
Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 829
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 769
# QUESTION 66:
You are the network administrator for CertKing .com Active Directory domain. The domain includes
Windows Server 2003 domain controllers and Windows XP Professional client computers.
A new administrator named Sandra is hired to assist you in deploying Windows XP Professional to 100
new computers. Sandra installs the operating system on a new computer named CertKing 11.
However, when Sandra tries to log on to the domain from CertKing 11, she is unsuccessful. The logon
box does not allow her to view and select the domain name.
You need to ensure that Sandra can log on to the domain from CertKing 11.
What should you do?
A. Enable the computer account for CertKing 11.
B. Configure CertKing 11 as a member of the domain.
C. Add Sandra's user account to the Enterprise Admins group.
D. Add Sandra's user account to the Server Operators group.
Answer: B
# QUESTION 67:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
The network consists of 10 offices located across Europe. The OU structure consists of one top-level OU
for each branch office. Each top-level OU contains eight or more child OUs, one for each department.
User accounts are located in the appropriate departmental OU within the appropriate office OU.
For security purposes, you routinely disable user accounts for terminated employees. As part of an
internal audit, you need to create a list of all disabled user accounts.
You need to generate the list of disabled user accounts as quickly as possible.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. In Active Directory Users and Computers, create a new saved query.
B. Run the dsget user command.
C. Run the dsquery user command.
D. Run the netsh command.
Answer: A, C
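As an added example (not part of the original study guide), the Python below shows what a disabled-account query tests for: the ACCOUNTDISABLE bit (0x2) of userAccountControl. It runs over a constructed LDIF-style export and groups the disabled accounts by top-level office OU, matching the OU layout in the question; every account, OU and domain name in the sample is made up.

```python
from collections import defaultdict

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks an account as disabled

# LDAP filter a saved query can use: bitwise-AND match on ACCOUNTDISABLE.
DISABLED_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=2))"
)

# Constructed sample in LDIF form (office OU above department OU, as in the question).
SAMPLE_LDIF = """\
dn: CN=Anna Berg,OU=Sales,OU=Oslo,DC=example,DC=com
sAMAccountName: aberg
userAccountControl: 514

dn: CN=Luc Petit,OU=Finance,OU=Paris,DC=example,DC=com
sAMAccountName: lpetit
userAccountControl: 512

dn: CN=Marta Ruiz,OU=IT,OU=Madrid,DC=example,DC=com
sAMAccountName: mruiz
userAccountControl: 66050

dn: CN=Ole Dahl,OU=IT,OU=Oslo,DC=example,DC=com
sAMAccountName: odahl
userAccountControl: 546
"""


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records separated by blank lines.

    Folded lines (leading space) are joined; base64 values are not decoded.
    """
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last_attr:
            current[last_attr] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last_attr = attr.strip().lower()
            current[last_attr] = value.strip()
    if current:
        records.append(current)
    return records


def is_disabled(record):
    """True when the ACCOUNTDISABLE bit is set; other flag bits are ignored."""
    try:
        uac = int(record.get("useraccountcontrol", ""))
    except ValueError:
        return False  # attribute missing or not numeric
    return bool(uac & ACCOUNTDISABLE)


def office_ou(dn):
    """Return the top-level OU of a DN (naive split: assumes no escaped commas)."""
    ous = [rdn.split("=", 1)[1] for rdn in dn.split(",")
           if rdn.strip().upper().startswith("OU=")]
    return ous[-1] if ous else "(no OU)"


def disabled_by_office(records):
    """Map each office OU to the sorted logon names of its disabled accounts."""
    report = defaultdict(list)
    for rec in records:
        if is_disabled(rec):
            report[office_ou(rec.get("dn", ""))].append(rec.get("samaccountname", "?"))
    return {office: sorted(names) for office, names in report.items()}


if __name__ == "__main__":
    for office, names in sorted(disabled_by_office(parse_ldif(SAMPLE_LDIF)).items()):
        print(f"{office}: {', '.join(names)}")
```

Values such as 514, 546 and 66050 all count as disabled because only bit 0x2 is tested, which is why an equality check against 514 alone would miss accounts.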
# QUESTION 68:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
Some client computers run Windows NT 4.0 Workstation, others run Windows 2000 Professional, and
the rest run Windows XP Professional.
You need to create a new global group by modifying an existing script written in Microsoft Visual Basic,
Scripting Edition (VBscript). Client computers will access the new global group by using the name
Accounting.
How should you modify the script? (Drag suitable lines of code to the corrections to the work area. Use only
Answer:
Explanation: Since all client computers will access the new global group by making use of the name
Accounting, the group setting should be set accordingly. Global groups can include other groups and
user/computer accounts from only the domain in which the group is defined. Permissions for any domain
in the forest can be assigned to global groups. A global group can contain users, groups, and computers
from its own domain as members. Global groups are available under any domain functional level.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied,
MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study
Guide & DVD Training System, p. 320
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 69:
You are the network administrator for CertKing .com. The network consists of two Active Directory
domains in a single forest. The functional level of each domain is Windows 2000 mixed.
Your engineering department has 3,000 users. The engineering users are members of various global
groups.
CertKing plans to open a new office where engineering users will test products. Engineering users will
need to dial in to the company network when they work at the new office.
You need to ensure that all new user accounts in the engineering department will have the appropriate
group memberships. These accounts must be allowed to connect to the network by using remote access
permissions. You must achieve your goal by using the minimum amount of administrative effort.
First, you create a template account for engineering users.
Which two additional actions should you perform? (Each correct answer presents part of the solution.
Choose two)
A. Modify the schema for the office and street attributes by selecting the Index this attribute in the Active
Directory check box.
B. Modify the schema for the group attribute by selecting the Index this attribute in the Active Directory
check box.
C. Manually add the Allow Access remote access permission to each new user account that you create.
D. Manually add the group membership information to each new user account that you create.
E. Add the group membership information to the template account.
F. Add the Allow Access remote access permission to the template account.
Answer: C, E
Explanation: You can add the template account to the appropriate groups. When you copy the template
account, the copy will have the same group membership as the template account. This does not apply,
however, to remote access permission. When you copy the template account, the copy will have the
default remote access permission. Therefore, we need to manually assign the appropriate remote access
permission to the new user accounts.
Incorrect Answers:
A: Modifying the schema would be obsolete as it would result in additional administrative efforts.
B: If you want to avoid adding to the administrative effort that has to be made, then you do not have to
modify the schema.
D: When you copy the template account, the copy will have the same group membership as the template
account.
F: The copy will have the default remote access permission when one copies the template account.
Therefore, we need to manually assign the appropriate remote access permission to the new user accounts.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 283
# QUESTION 70:
You are the network administrator for CertKing.com. All user accounts and groups in the domain are in
the container named Users.
Company naming conventions require that names of global groups begin with G_ and names of domain
local groups begin with DL_. A domain local group named HRServices does not meet the requirements.
The HRServices group has one global group member named G_HRUsers. The HRServices group is
assigned the Allow - Full Control permission for a shared folder named HRFiles. The shared folder is
located on a file server.
You need to rename the HRServices group to meet the naming convention requirements. In addition, you
need to ensure that user access to the HRFiles shared folder is not disrupted while you perform the
procedure.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Open Active Directory Users and Computers, and then delete the existing HRServices domain local
group. Create a new domain local group named DL_HRServices. Add the G_HRUsers group to the
DL_HRServices group. Assign the DL_HRServices group the Allow - Full Control permission for the
HRFiles shared folder.
B. Open Active Directory Users and Computers, and then change the name of the HRServices group
to DL_HRServices.
C. Run the following command: dsadd group CN=DL_HRServices,CN=Users,DC=CertKing.com,DC=com
-member CN=G_HRUsers,CN=Users,DC=CertKing,DC=com
D. Run the following command: dsmove CN=HRServices,CN=Users,DC=CertKing,DC=com
-newname DL_HRServices
Answer: B, D
Explanation: The Dsmove command-line utility is used to rename or move a single object within
Active Directory. When you use the Dsmove command-line utility, you specify the object's distinguished
name, then the new name of the object (if you are changing the object's name) and the new location of the
object. Active Directory Users and Computers, on Windows Server 2003 domain controllers, is the main
tool used for managing Active Directory users, groups, and computers. To set up and manage domain
user accounts, you use the Active Directory Users And Computers utility. Either change the name of the
HRServices group to DL_HRServices in Active Directory Users and Computers, or run the appropriate
dsmove command. Renaming a group does not change its security identifier (SID), so the existing
permission on the HRFiles shared folder continues to apply.
Incorrect answers:
A: You only need to change the name; you do not need to assign the DL_HRServices group the Full
Control permission.
C: You can automate the process of creating users, groups, and computers through the Dsadd command-line
utility. However, in this case you should rather run the dsmove command with the appropriate
parameters.
Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network
Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003,
p. 227
# QUESTION 71:
You are the network administrator for CertKing. The network consists of a single Active Directory forest
that contains three domains. The functional level of the forest is Windows 2000. The NetBIOS names of
the domains are CertKing 1, CertKing 2, and CertKing 3. The functional level of all three domains is
Windows 2000 mixed. You manage resources in CertKing 1.
A new file server is added to CertKing 1. Users in all three domains need access to resources on the file
server.
You need to create a group that will be used to grant access to the file server in CertKing 1.
Which two actions should you perform? Each correct answer presents part of the solution. Select two.
A. Create a security group.
B. Create a distribution group.
C. Configure the group to be a global group.
D. Configure the group to be a universal group.
E. Configure the group to be a domain local group.
Answer: A, E
Explanation: The group type security group is a logical group of users who need to access specific
resources. Security groups are listed in Discretionary Access Control Lists (DACLs) to assign
permissions to resources.
A domain local group is a type of group used to assign permissions to resources. It can contain user
accounts, universal groups, and global groups from any domain in the tree or forest. It can also contain
other domain local groups from its own local domain.
These two options should allow you to create a group that will be used to grant access to the file server in
CertKing 1 under the given circumstances.
Incorrect answers:
B: A distribution group type is a logical group of users who have common characteristics. Applications
and e-mail programs (for example, Microsoft Exchange) can use distribution groups. Distribution groups
can't be listed in DACLs and therefore have no permissions. This is not what is required.
C: Global groups are used to organize users who have similar network access requirements. A global
group is simply a container of users. This will not do in these circumstances.
D: Universal groups are used to logically organize global groups and appear in the Global Catalog (a
search engine that contains limited information about every object in the Active Directory). Universal
groups can contain users (not recommended) from anywhere in the domain tree or forest, other universal
groups, and global groups. But this is not what is required.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 167-170
# QUESTION 72:
Exhibit
You are the network administrator for CertKing.com. The network contains a third-party application
that runs as a service. The application service is secured with a domain-level service account. The
properties of the service account are displayed in the exhibit.
Users report that the application is no longer available. The application service is stopped.
An administrator reports that the password of the service account had expired and was changed. You
reset the password on the service to match the new password of the service account. You unsuccessfully
attempt to restart the service.
You need to ensure that the service will start. You need to prevent this problem from happening again
while retaining administrative control over the service account password.
What should you do?
Answer:
Explanation: Enable Password never expires.
The question states that the password of the service account had expired and was changed. You have
already reset the password on the service to match the new password of the service account and are still
unable to restart the service, so you need to enable the Password never expires option. This option will
enable you to start the service and also prevent this situation from occurring again, while allowing you
to retain administrative control over the password.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, pp. 7:12-13
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.
# QUESTION 73:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain named CertKing.com. The domain contains Windows Server 2003 computers and Windows XP
Professional computers.
You use a non-administrative user account named Joseph to log on to a client computer. You need to
change the password for a domain user account named Sophia.
You open the Active Directory Users and Computers console. When you attempt to change Sophia's
password, you receive the following error message: "Access is denied".
You need to remain logged on to the client computer as Joseph, and you need to be able to change
Sophia's password.
What should you do?
A. Add the non-administrative domain user account to the local Administrators group.
B. Use the runas command to run Active Directory Users and Computers with domain administrative
credentials.
C. From a command prompt, run the net user Sophia /add /passwordreq:yes command.
D. From a command prompt, run the net accounts /uniquepw: /domain command.
Answer: B
Explanation: The runas command can be used to perform administrative tasks. Run as, also called
secondary logon, allows a user to run a specified program with permissions that are different from
those belonging to the account with which the user is currently logged on (here, the user account
named Joseph). You can use this command to run executable files and Control Panel items, among other
tasks. Therefore, you can use the runas command to run Active Directory Users and Computers with
domain administrative credentials to change Sophia's password.
Incorrect Answers:
A: Adding a non-administrative account to the local administrators group will allow you to complete this
task. But the question states that you need to remain logged on the client computer as Joseph. This results
in you needing a secondary logon rather than being added to the local administrators group.
C: This command allows you to add or modify user accounts or display user account info. And as this
command is used in this scenario, it also specifies that the user must have a password. This will not allow
you to change Sophia's password because you need to have either administrator status or use the run as
command especially since the question states that you need to remain logged on to the client computer as
Joseph who is a non-administrative account.
D: This command updates the user accounts database and modifies password and logon requirements
for all accounts. It also requires that users not reuse the same password for the specified number of
password changes, and it performs the operation on the primary domain controller of the current domain;
otherwise the modification is performed on the local computer. However, this assumes that you are
working from an administrator's account rather than a non-administrative user account named Joseph.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Chapter 1, p. 36
# QUESTION 74:
You are the network administrator for CertKing. Your network consists of three Active Directory
domains in a single forest. You do not have administrative rights to the forest.
All domain controllers run Windows Server 2003. Universal group membership caching is enabled.
CertKing has a main office in Madras and five branch offices located worldwide. Each office is
configured as an Active Directory site, as shown in the exhibit.
Each office contains three domain controllers, one for each domain.
A new employee named Dr Bill is hired in the Berlin office. You create a new user account for Dr Bill
from a domain controller in Berlin. However, Dr Bill reports that he cannot log on to his domain. Other
users from Berlin report no difficulties.
You need to ensure that Dr Bill can log on successfully.
What should you do?
A. Delete the user account in Berlin. Recreate the user account in Madras.
B. Force directory replication between all domain controllers in Berlin.
C. Restore network connectivity between the domain controllers in Berlin and Madras.
D. Instruct Dr Bill to use his user principal name when he logs on for the first time.
Answer: C
Explanation: When a new user logs on to a native mode domain, the authenticating domain controller
needs to be able to contact a Global Catalog server to obtain universal group information. The Global
Catalog servers are in the Madras office, so a lack of network connectivity between Berlin and Madras
would prevent the new user from being able to log on. The reason no one else has a problem logging on
is that Universal Group caching is enabled. However, the information in the cache on the Berlin domain
controller is out of date in the sense that it doesn't contain information about the new user.
Incorrect Answers:
A: The account does not need to be created in Madras. It can be created on any domain controller in the
domain.
B: The domain controllers in Berlin are in separate domains. They do not need to replicate to each other.
D: You don't have to log on using your UPN name. The question states that the user couldn't log on to
"his" domain. This implies that he either attempted to log on using his UPN or he entered his downlevel
username and selected the correct domain in the drop down box.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, p. 426
# QUESTION 75:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain named CertKing.com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional.
A new management directive states that users can log on to the domain only during business hours. Users
who remain logged on after business hours must be automatically disconnected from network resources.
You need to enforce this directive by using the minimum amount of administrative effort.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure the Default Domain Policy Group Policy object (GPO) to increase scheduling priority for
all users.
B. Configure the Default Domain Policy Group Policy object (GPO) to force users to log off when their
logon hours expire.
C. Select all user accounts.
Modify the account properties to restrict logon hours to business hours.
D. Create a domain user account named Temp.
Configure the account properties to restrict logon hours to business hours.
E. Modify the DACL on the Default Domain Policy Group Policy object (GPO) to assign the Allow -
Read permission to the Users group.
Answer: B, C
Explanation: When you restrict logon hours, you might also want to force users to log off after a certain
point. If you only restrict logon hours, users cannot log on to a new computer, but they can stay logged
on even during restricted logon hours. To force users to log off when logon hours expire for their
account, apply the Network security: Force logoff when logon hours expire policy. You can assign logon
hours as a means to ensure that employees are using computers only during specified hours. This setting
applies both to interactive logon, in which a user unlocks a computer and has access to the local
computer, and network logon, in which a user obtains credentials that allow him or her to access
resources on the network.
Incorrect answers:
A: Increasing the scheduling priority will not affect logon hours.
D: Restricting logon hours to business hours by configuring the account properties will work, but this
option does not mention measures to cut down on administrative effort.
E: A DACL is a list of ACEs that lets administrators set permissions for users and groups at the object
and attribute levels. This list represents part of an object's security descriptor that allows or denies
permissions to specific users and groups. Modifying the DACL by assigning the Allow - Read permission
will not work as you first need to force all users to log off when their logon hours expire.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 582
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 58, 442.
# QUESTION 76:
You are responsible for administering the Production OU. You are assigned the Allow - Full Control
permission for the OU. All computer objects in the Production OU are administered by another
administrator named Tom. The Production OU contains the computer account for a Windows Server
2003 computer named CertKing 1. Tom submits a list of configuration settings that he wants to apply to
CertKing 1 by means of a Group Policy object (GPO). A GPO that contains Tom's required settings is
created in another OU by the domain administrator. You only want to allow Tom to link existing GPOs to
the Production OU. He must not have any more rights than he needs to perform the required tasks. What
should you do?
A. Add Tom's user account to the Group Policy Creator Owners group in the domain.
B. Run the Delegation of Control Wizard and assign Tom's user account the Allow - Manage group
policy links permission for the Production OU.
C. Run the Delegation of Control wizard and assign Tom's user account the Allow - Change permission
for the Production OU.
D. Run the Delegation of Control wizard and assign Tom's user account the Allow - Apply group policy
permission for all GPOs that are linked to the Production OU.
Answer: B
Explanation: You can delegate permissions to manage Group Policies of the Production OU. This is done
through delegation of control. Right-click the designated container in Active Directory Users and
Computers. Select Delegate Control. Once the Delegate Control Wizard runs, select the user (Tom)
who should be granted control in the container. Then, add Manage Group Policy Links from the
Permissions list, and complete the Delegate Control Wizard. Tom will only be able to create GPO links in
containers where he has been allowed the particular permission, which restricts him to only what he
needs to be able to do his job.
Incorrect Answers:
A: This type of group permissions should be applied at the root of the volume. The Creator Owner group,
for example, is a special group that determines the access that a user has to files and folders he or she
has created. By default, the Full Control special permissions assigned to this group automatically apply
to every folder created on the volume. Thus the default permissions of being Creator Owner would grant
Tom more permissions than is necessary.
C, D: Active Directory enables you to efficiently manage objects by delegating administrative control of
the objects. You can use the Delegation of Control Wizard and customized consoles in Microsoft
Management Console (MMC) to grant specific users the permissions to perform various administrative
and management tasks. You use the Delegation of Control Wizard to select the user or group to which you
want to delegate control. You also use the wizard to grant users permissions to control organizational
units and objects and to access and modify objects. However, these options, whether Allow - Change or
Allow - Apply group policy permission, will grant Tom more than the necessary permissions to perform
his tasks.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning,
Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure,
Chapter 10, p. 601
# QUESTION 77:
You are the network administrator for CertKing. The network consists of two Active Directory domains:
CertKing.com and Domain 2. All client computers run Windows XP Professional. The relevant portion of
A support technician named Jack needs to create user accounts in both domains. You delegate the
appropriate permissions to her. Then you run Adminpak.msi from the Windows Server 2003 CD-ROM
on Jack's computer.
Later, Jack reports that she cannot connect to CertKing SrvA or CertKing SrvB by using her
administrative tools. However, she can access all other resources in both domains.
How should you solve this problem?
A. On Jack's computer use Registry Editor to disable signing and encryption of LDAP traffic.
B. On CertKing SrvA and CertKing SrvB, use Registry Editor to change the LDAP port value to 380.
C. On CertKing SrvA and CertKing SrvB, run Adminpak.msi from the Windows Server 2003 CD-ROM.
D. On Jack's computer, change the domain membership from Domain 2 to CertKing .com.
Answer: A
Explanation:
To use the Windows Server 2003 Active Directory administrative tools to manage Windows 2000-based
domain controllers with Windows 2000 Service Pack 2 (SP2) or earlier installed when NTLM
authentication is negotiated, you can configure the administrative tools to communicate by using
non-secured LDAP traffic.
To turn off the signature and encryption of LDAP traffic for the Windows Server 2003 Active Directory
tools, set the ADsOpenObjectFlags value to 0x03.
Incorrect Answers:
B: It is not necessary to change the LDAP port value.
C: You cannot install the Windows 2003 adminpak.msi on a Windows 2000 computer.
D: It is not necessary to change the domain membership of the computer.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325465
# QUESTION 78:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain named CertKing.com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional.
All user accounts in the Sales department are located in the Sales organizational unit (OU). You suspect
that one or more user accounts in the OU have compromised passwords.
You need to force all users in the Sales department to reset their passwords.
What should you do?
A. Select all user accounts in the Sales OU.
Disable the accounts and re-enable them.
B. Select all user accounts in the Sales OU.
Modify the account properties to force all passwords to be changed on next logon.
C. Create a Group Policy object (GPO) and link it to the Sales OU.
Modify the password policy to set the maximum password age to 0.
D. Create a Group Policy object (GPO) and link it to the domain.
Modify the password policy to set the maximum password age to 0.
Answer: B
Explanation: To force all the users in the Sales OU to reset their passwords, we must select all user
accounts in the Sales OU and modify the account properties to force all passwords to be changed on next
logon. User rights can be assigned in a domain environment by editing a GPO assigned to the domain. To
access the default domain policy and set user rights on its GPO, open Active Directory Users and
Computers console from the Administrative Tools menu, right-click the domain name in the left console
pane, select Properties. Click the Group Policy tab, select the GPO, and then click Edit. This opens the
Group Policy Object Editor. Under Computer Configuration in the left pane, expand Windows Settings,
expand Security Settings, expand Local Policies, and select User Rights Assignment.
Incorrect answers:
A: Disabled accounts have as a consequence the inability to log on with the account. It does not alter or
modify password settings.
C: Maximum password age determines the period of time (in days) that a password can be used before
the system requires the user to change it. You can set passwords to expire after a number of days between
1 and 999, or you can specify that passwords never expire by setting the number of days to 0. Linking the
GPO to the OU will not compel users to reset their passwords.
D: Linking a GPO where the maximum password age is set to 0 to the domain will not force users to reset
their passwords.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 297, 442.
# QUESTION 79:
Exhibit
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain named CertKing.com. The functional level of the domain is Windows 2000.
Your sales department employs 100 users. All user accounts for sales employees are located in an OU
named Sales.
To reduce the size of the sales department, the company terminates 10 sales users.
You need to disable these 10 user accounts by using the minimum amount of administrative effort.
You use Active Directory Users and Computers in an attempt to disable all 10 user accounts
simultaneously. You see the dialog box in the exhibit.
What should you do?
A. Disable each of the 10 affected user accounts, one by one.
B. Log on by using an account that has administrative access to the domain. Disable all user accounts in
the Sales OU simultaneously.
C. Select all user accounts in the Sales OU. Disable all user accounts simultaneously.
D. Select only the 10 affected user accounts in the Sales OU. Disable all 10 user accounts simultaneously.
Answer: D
Explanation: Active Directory Users and Computers is used to manage Active Directory objects such as
users, groups, and machines within the domain. To make space available and thus reduce the size of the
Sales OU in an efficient manner with the least amount of administrative effort, you can make use of
Active Directory Users and Computers to disable several user accounts simultaneously.
Incorrect answers:
A: Disabling each of the 10 affected user accounts one by one will work, but it is not the answer because
it results in too much administrative effort and does not disable the accounts simultaneously.
B, C: Disabling all the user accounts is not advisable in this scenario, as you will then have to re-enable
all the user accounts other than the 10 affected user accounts afterward. Option B also involves even
more administrative effort than option C.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 259-267, 337
# QUESTION 80:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain named CertKing.com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional.
A user named Bill will leave CertKing in one week. A replacement will be hired in one month.
The replacement will need the same access to network resources that Bill currently has. The
replacement will also need ownership of all files that currently reside in Bill's home folder.
You need to minimize the administrative effort that will be required when the replacement is hired. You
also need to ensure that no one can use Bill's user account to log on to the domain until the replacement
is hired.
What should you do?
A. Move Bill's user account to the LostAndFound organizational unit (OU).
B. Disable Bill's user account.
C. Configure Bill's user account to require a change in password at next logon.
D. Delete Bill's user account.
Answer: B.
Explanation: The quickest way is to disable Bill's user account. When the replacement starts, we can
enable and rename the account.
To ensure no unauthorized use of Bill's account, it should only be disabled, because the question also
requires that Bill's user account, with all its work, documents, and so on, be used for the new
replacement. Disabling the account will not destroy the information and the documents residing in that
account. It leaves the option open for the administrators to use it for the new replacement.
Incorrect answers:
A: Placing files in whatever OU will not render it safe from other users who might still be able to access
it.
C: A change in password at the next logon configuration will not preclude tampering with the account
until the replacement arrives.
D: Deleting Bill's user account would be folly as his replacement will need that account and the data that
it holds. Deleting the account will destroy the information and the documents residing in that account.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, pp. 173-178
# QUESTION 81:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain CertKing.com. All domain controllers run Windows Server 2003.
Users who enter an invalid password more than twice in one day must be locked out.
You need to configure domain account policy settings to enforce this rule.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Set the minimum password age to one day.
B. Set the maximum password age to one day.
C. Change the Enforce password history setting to three passwords remembered.
D. Change the Account lockout duration setting to 1440 minutes.
E. Change the Account lockout threshold setting to three invalid logon attempts.
F. Change the Reset account lockout counter after setting to 1440 minutes.
Answer: E, F
Explanation: An Account lockout policy disables a user account if an incorrect password is entered a
specified number of times over a specified period. These policy settings help you to prevent attackers
from guessing users' passwords, and they decrease the likelihood of successful attacks on your network.
Account lockout threshold is a security setting that determines the number of failed logon attempts that
causes a user account to be locked out. A locked-out account cannot be used until it is reset by an
administrator or until the lockout duration for the account has expired. You can set a value between 0 and
999 failed logon attempts. If you set the value to 0, the account will never be locked out.
Reset account lockout counter after is a security setting that determines the number of minutes that must
elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon
attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined,
this reset time must be less than or equal to the Account lockout duration. Thus, when you set Account
lockout threshold to 3, Windows Server 2003 by default sets both Reset account lockout counter after and
Account lockout duration to 30 minutes. If you then change Reset account lockout counter after to 1440,
Windows Server 2003 changes the value of Account lockout duration to match it.
Incorrect answers:
A: Setting the minimum password age to one day will not work, because what has to be prevented is the
entry of an invalid password, whether once, twice, or many times, in a single day.
B: Setting the maximum password age to one day is irrelevant as this scenario calls for preventing the
entering of invalid passwords more than twice in a single day.
C: Changing the Enforce password history setting to three passwords remembered results in Active
Directory maintaining a list of recently used passwords and not allowing a user to create a password that
matches a password in that history. The result is that a user, when prompted to change his or her
password, cannot use the same password again, and therefore cannot circumvent the password lifetime.
The policy is enabled by default, with the maximum value of 24. Setting it to three passwords
remembered would still allow users to enter invalid passwords more than twice.
D: This policy defines how long locked-out accounts remain locked out. The default setting is none (or
undefined) because you must enable the Account Lockout Threshold policy for this policy to be in effect.
The available range is from 0 minutes through 99,999 minutes. This does not include a setting for the
number of invalid password entries.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 282, 317-318
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 82:
You are the network administrator for CertKing. The network consists of a single Active Directory
domain named CertKing.com.
You add a Windows Server 2003 computer to the domain. This server is used to store critical business
applications and confidential data. You create several local accounts on the server to manage the
applications.
Some users report that they are having difficulty accessing an application that is stored on the server.
The application uses local accounts.
You need to enable auditing to track all attempts to access the server through a local account in order to
gather more information. You must not track more data than is necessary.
What should you do?
To answer, drag the appropriate setting or settings to the correct policy or policies in the work area.
Answer:
Explanation:
Success Audit - Indicates the occurrence of an event that has been audited for success.
For example, a Success Audit event is a successful logon when system logons are being audited.
Failure Audit - Indicates the occurrence of an event that has been audited for failure. For example, a
Failure Audit event is a failed logon due to an invalid username and/or password when system logons are
being audited.
This is the only information necessary in this case.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 490
# QUESTION 83:
You are the network administrator for CertKing. The network consists of a single Active Directory
domain named CertKing.com. All network servers run Windows Server 2003.
CertKing.com purchases a new server to test applications in a stand-alone environment. CertKing.com's
written security policy includes the following requirements:
1. User passwords on stand-alone computers must be changed every 45 days.
2. Users can change their passwords immediately after they change their passwords once.
3. Users must not be able to use the same password again until at least 10 different passwords are
used.
You need to configure the password settings so that the new server conforms to the written security
policy.
Answer:
Explanation:
Minimum Password Age defines the minimum number of days a user must keep a password before they
can change the password.
Maximum Password Age defines how many days a user can keep the same password before having to
create a new password.
Enforce Password History specifies how many passwords are remembered and is used to prevent users
from re-using the same password when they configure new passwords.
Setting the minimum password age to 0, setting the maximum password age to 45, and setting the
enforce password history to 10 will comply with the written requirements.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 141-142
# QUESTION 84:
You are the network administrator for CertKing. The network consists of a single Active Directory
domain named CertKing.com. All network servers run Windows Server 2003. All client computers run
Windows XP Professional and are members of the domain.
The domain has security settings that are applied in the Default Domain Policy GPO. The
current password policy is shown in the Policy exhibit.
A new user named CertKing logs on to the domain for the first time and is prompted to reset her
password. Jack successfully sets a new password. Later the same day, she attempts to change her
password. You view the properties of her account in Active Directory Users and Computers. The
properties for CertKing's account are shown in the Account Properties exhibit.
You need to ensure that Jack can change her password.
What should you do?
A. In the properties of CertKing's user account, select the Store password using reversible encryption
check box.
B. In the properties of CertKing's user account, on the Account tab, select the User must change password
at next logon check box.
C. In the properties of CertKing's user account, on the Account tab, select the Password never expires
check box.
D. In the properties of CertKing's user account, on the Account tab, configure the account to expire today.
Answer: B
Explanation: User Must Change Password At Next Logon - if selected, forces the user to change the
password the first time they log on. This is done to increase security, and it moves password
responsibility to the user and away from the administrator. In this case it will ensure that Jack can
change her password.
Incorrect answers:
A: This will not ensure that Jack will be able to change her password.
C: Password Never Expires - if selected, specifies that the password will never expire, even if a password
policy has been specified. For example, you might select this option if this is a service account and you
do not want the administrative overhead of managing and changing passwords. This is not what is required.
D: This will not ensure that Jack will be able to change her password.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 145
# QUESTION 85:
You are the network administrator for CertKing.com. The network consists of two Active Directory
domains. All client computers run Windows XP Professional. The relevant portion of your network
configuration is shown in the exhibit.
A support technician named Sandra needs to create user accounts in both domains. You delegate the
appropriate permissions to her. Then you run Adminpak.msi from the Windows Server 2003 CD-ROM
on Sandra's computer.
Later, Sandra reports that she cannot connect to DC1 or DC2 by using her administrative tools.
However, she can access all other resources in both domains.
How should you solve this problem?
A. On Sandra's computer, use Registry Editor to disable signing and encryption of LDAP traffic.
B. On DC1 and DC2, use Registry Editor to change the LDAP port value to 380.
C. On DC1 and DC2, run Adminpak.msi from the Windows Server 2003 CD-ROM.
D. On Sandra's computer, change the domain membership from Domain 2 to Domain 1.
Answer: A
Explanation: Because Active Directory is based on the Lightweight Directory Access Protocol (LDAP),
you can reference each object within Active Directory using different types of LDAP naming
conventions. Distinguished names (DNs) and relative distinguished names (RDNs) are two of the naming
conventions that Active Directory uses for its objects. DNs and RDNs use specific naming components to
define the location of the objects that they are identifying. There is a need to import and export data into
and out of Active Directory and other Lightweight Directory Access Protocol (LDAP) directory services.
In the above scenario Sandra is unable to connect to DC1 or DC2, and to solve her problem you need to
use the Registry Editor on her computer to disable signing and encryption of LDAP traffic, since she can
access all other resources in both domains.
Incorrect answers:
B: The problem that is being described stems from Sandra's computer and not the domain controllers,
thus changing the LDAP port value on the domain controllers will not address the problem. Sandra can
access the other resources in both domains; she just is unable to connect by means of her
administrative tools.
C: Running Adminpak.msi from the Windows Server 2003 CD-ROM will not work; the problem is
with Sandra's computer and not the domain controllers.
D: You do not need to change domain membership on Sandra's computer.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 315
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 86:
You are the network administrator for CertKing. The network originally consists of a single Windows
NT 4.0 domain.
You upgrade the domain to a single Active Directory domain. All network servers now run Windows
Server 2003, and all client computers run Windows XP Professional.
Your staff provides technical support to the network. They frequently establish Remote Desktop
connections with a domain controller named DC1.
You hire 25 new support specialists for your staff. You use Csvde.exe to create Active Directory user
accounts for all 25.
A new support specialist named Bill reports that he cannot establish a Remote Desktop connection with
DC1. He receives the message shown in the Logon Message exhibit:
You need to ensure that Bill can establish Remote Desktop connections with DC1. What should you do?
A. Direct Bill to establish a VPN connection with DC1 before he starts Remote Desktop Connection.
B. Direct Bill to set a password for his user account before he starts Remote Desktop Connection.
C. In the local security policy of DC1, disable the Require strong (Windows 2000 or later) session key
setting.
D. In the local security policy of DC1, enable the Disable machine account password changes setting.
Answer: B
Explanation: The exhibit shows us that logons by accounts with blank passwords are limited to console
logons only (this is also the default setting). The error message indicates that this is the reason that Bill is
unable to connect with a Remote Desktop connection. We can solve this problem by instructing Bill to
set a password for his user account before he starts a Remote Desktop Connection.
Incorrect Answers:
A: It is not necessary to create a VPN connection before starting a Remote Desktop Connection.
C: This will not help. The client computer is running Windows XP Professional, which can use a strong
session key.
D: This is unrelated to Remote Desktop connections.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, p. 574
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 545-546
# QUESTION 87:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain named CertKing.com. All network servers run Windows Server 2003.
You use a script written in Microsoft Visual Basic, Scripting Edition (VBScript) to create new user
accounts.
You need to modify the script and enable all new user accounts created from the script.
What should you do?
To answer, drag the appropriate line or lines of code to the correct location or locations in the work area.
Answer:
Explanation: The key here is that we need to enable all new user accounts. This script creates two
different sets of user accounts: one section creates the Empadminuser account, and one counter creates
salesuser accounts from 1 to 5. To enable all new accounts, we had to drag and drop as follows:
oUser.AccountDisabled = False, which enables the user Empadminuser, to the oUser set info part;
oLeaf.AccountDisabled = False, which enables the users SalesUser1, SalesUser2, SalesUser3, SalesUser4,
and SalesUser5, to the oLeaf set info part.
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserve
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290:
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
p. 692
# QUESTION 88:
Exhibit:
You are the network administrator for CertKing. All network servers run Windows Server 2003. A
server named CertKing 5 is joined to the domain. CertKing 5 functions as a print server.
Your user account is a member of only the Domain Admins group and the Domain Users group.
You attempt to establish a Remote Desktop connection to CertKing 5. You receive the error message
displayed in the exhibit.
What should you do?
A. Enable the Digitally sign secure channel data security setting on CertKing 5.
B. Add your user account to the Remote Desktop Users group in the CertKing.com domain.
C. Add your user account to the Remote Desktop Users group on CertKing 5.
D. Enable Remote Assistance on CertKing 5.
E. Configure the appropriate remote settings on CertKing 5 by using System Properties in Control panel.
Answer: D
Explanation: Remote Desktop allows you to remotely take control of a Windows Server 2003 server from
another location. For example, you could access a server located in a remote office from your company's
corporate headquarters. Remote Assistance is used to request assistance from another user or an expert
user. Common examples of when you would use Remote Assistance include:
1. When you are diagnosing problems that are difficult to explain or reproduce. By using Remote
Assistance, you can remotely view the computer and the remote user can show you what the error is or
step you through the processes that caused the error to occur.
2. When an inexperienced user needs to perform a complex set of instructions. Instead of asking the
inexperienced user to complete the task, you can use Remote Assistance to take control of the computer
and complete the tasks yourself.
Incorrect answers:
A: You need to enable Remote Assistance to establish a Remote Desktop connection, not the
Digitally sign secure channel data setting.
B & C: Adding your user account to the Remote Desktop Users group in the CertKing.com domain or on
CertKing 5 is not going to work in this case. You should enable Remote Assistance on CertKing 5.
E: This is not the solution.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 545, 553
# QUESTION 89:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain CertKing.com. All domain controllers run Windows Server 2003, and all client computers run
Windows XP Professional.
CertKing acquires a subsidiary. You receive a comma delimited file that contains the names of all user
accounts at the subsidiary.
You need to import these accounts into your domain.
Which command should you use?
A. ldifde
B. csvde
C. ntdsutil with the authoritative restore option
D. dsadd user
Answer: B
Explanation: The csvde (CSV Directory Exchange) command can be used to import and export Active
Directory information using files formatted in the Microsoft comma-separated value (CSV), or comma
delimited, format. The csvde command can also support batch operations. The csvde command only
allows you to add new objects. It does not allow you to modify existing objects.
Incorrect Options:
A: The ldifde (LDIF Directory Exchange) command can be used to create, modify, and delete directory
objects on Windows Server 2000, Windows Server 2003 and Windows XP Professional. You can also
use ldifde to extend the schema, export Active Directory user and group information to other LDAP
(Lightweight Directory Access Protocol) applications or services, and populate Active Directory with
data from other directory services. The ldifde command, however, uses the LDAP Data Interchange
Format (LDIF) file format, which is a draft Internet standard for a file format that may be used to perform
batch operations against directories that conform to the LDAP standards.
C: The ntdsutil command is used to perform an authoritative restore of Active Directory. The ntdsutil
command is used to mark the restored Active Directory database as authoritative. However, in this
scenario we are not restoring the Active Directory database, but importing user accounts into it from a
CSV file.
D: The dsadd user command allows you to add a single user to Active Directory. The dsadd
user command has a number of parameters that allow you to specify various attributes of the user
account, such as first name, last name, password, etc. The dsadd user command, however, does not allow
you to import objects into Active Directory from a CSV file.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 300-303, 315.
# QUESTION 90:
You are the network administrator for CertKing.com. All network servers run Windows Server
2003, and all client computers run Windows XP Professional.
A user named Bill manages an application server named Server25. One morning, Bill tries to log on to
the network from Server 25. He receives the message shown in the Logon message exhibit.
Bill notifies you of the problem. You open Active Directory Users and Computers and see the display
You need to enable Bill to log on to Server 25. Your solution must require the minimum amount of
administrative effort.
What should you do?
A. Enable the computer account for Server 25
B. Reset the computer account for Server 25.
C. Remove Server 25 from the domain, and then rejoin Server25 to the domain.
D. Delete the computer account for Server25, and then create a new account with the same name.
Answer: A
Explanation: You need a valid user account as well as a valid computer account to be able to log on to a
domain. In this case the red balloon means that the Server25 account has been disabled.
Incorrect Answers:
B: The exhibit shows that the account is disabled, and thus resetting the account is not needed.
C: This would be unnecessary.
D: This will not work due to the new account having a different Security Identifier (SID) from the
original computer account. A Security Identifier (SID) is a unique identifier associated with a specific
resource, such as a user account object or a computer.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 411
# QUESTION 91:
You are the network administrator for CertKing.com. Your network consists of a single Active Directory
domain CertKing.com. All network servers run Windows Server 2003.
CertKing has offices in Chicago, New York and Los Angeles. Each office has one domain controller.
Each office also has its own organizational unit (OU), which contains all user accounts and computer
accounts in that office.
The Chicago OU is accidentally deleted from Active Directory. You perform an authoritative restoration
of that OU.
Some users in Chicago now report that they receive the following error message when they try to log on
to the domain.
"The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the
account referenced is the security database in DOMAINMEMBER$. The following error occurred:
Access is denied".
How should you solve this problem?
A. Reset the computer accounts of the computers that receive the error message. Instruct the affected
users to restart their computers.
B. Perform a nonauthoritative restoration of Active Directory. Force directory replication on all domain
controllers.
C. Restart the Kerberos Key Distribution Center service on each domain controller.
D. Run Nltest.exe on the computers that receive the error message. Restart the Net Logon service on the
domain controller on Chicago.
Answer: A
Explanation:
You have restored the computer accounts. The result is that the restored computer accounts have an
older password than the password that the computers are currently using. The password is used for the
secure channel between the client computer and the domain controller. You must reset the computer
accounts to synchronize the passwords.
Incorrect Answers:
B: A nonauthoritative restoration of Active Directory will be overwritten by the existing copy of Active
Directory. We need an authoritative restore of the OU.
C: The Kerberos Key Distribution Center service is irrelevant to this scenario.
D: The security channel is used by the Net Logon service on the client and on the domain controller to
communicate. However, the problem doesn't lie with the Net Logon service. Furthermore, Nltest.exe
can be used only to test the trust relationship between the client and the domain controller on which its
machine account resides. It doesn't resolve the problem.
# QUESTION 92:
You are the network administrator for CertKing.com. Your network consists of a single Active Directory
domain named CertKing.com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional.
You install a new file and print server named File1. You configure standard company policies and other
local options. You use third-party software to create and save an image of the server. Then you join File1
to the domain.
Six weeks later, you reapply the saved image to File1 and restart the server. You try to log on to the
domain by using domain credentials. However, you are unsuccessful.
You need to log on to File1 and re-establish its domain membership. Your solution must require the
minimum amount of administrative effort.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Reset the computer account for File1 in Active Directory Users and Computers.
B. Reset the password for Administrator account by logging on locally to File1 as a member of the local
Power Users group.
C. Reinstall and reconfigure File1.
D. Join File1 to the domain.
E. Remove File1 from the domain.
Answer: A, D
Explanation: Resetting the password for domain controllers using this method is not allowed. Thus
resetting a computer account breaks that computer's connection to the domain and requires it to rejoin
the domain. This is also the quickest way.
Since the print server named File1 was joined to the domain after the image of the server was saved, it
resulted in File1 not being present when the saved image was reapplied. In order to successfully log on
to the domain, File1 must be added to the domain.
Incorrect answers:
B: You should be resetting the computer account for File1 and not the password for the administrator
account. Although this can also be done to achieve this goal, it involves more administrative effort.
C: Reinstalling and reconfiguring File1 will result in unnecessary administrative effort.
E: Removing File1 from the domain will not make it available to all users and will inevitably amount to
more administrative effort.
Reference:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training
Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 86-88
# QUESTION 93:
You are the domain administrator for CertKing.com's Active Directory domain. All client computers run
Windows XP Professional. A user reports that she attempted to log on six times unsuccessfully. She
reports that she logged on successfully yesterday. You discover that the user reset her password three
days ago to comply with a new security policy that requires strong passwords. The account policies that
are applied in the Domain Security Group Policy object (GPO) are shown in the following table.
mumPasswordAge
mumPasswordAge
mumPasswordLength
ordComplexity
ordHistorySize
utBadCount
LockoutCount
utDuration
You need to ensure that the user can log on to the domain. What should you do?
A. Reset the password for the computer account.
B. Unlock the user account.
C. In the user account properties, select the Password never expires check box for the user account.
D. In the user account properties, select the User must change password on next logon check box for the
user account.
Answer: B
Explanation: As you can see in the exhibit, the user account will be locked out if someone tries to log in 5
times (LockOutBadCount). The most common problems with user accounts are due to group
membership, password problems, or account lockouts. Group membership problems manifest themselves
by users not being able to access resources that are assigned through group membership. This can easily
be verified and corrected via Active Directory Users and Computers or from the command line using the
dsget.exe and dsmod.exe commands. Password problems are usually due to users forgetting their
password and needing it reset. This can be accomplished via Active Directory Users and Computers or
via the dsmod.exe command. Lastly, users often lock out their accounts by entering their
password incorrectly. This is usually due to them forgetting their password because they just changed it
recently, in which case you would need to unlock their account and reset their password. Sometimes they
just cannot type or CAPS LOCK is on and they enter their password incorrectly too many times and
lock their account. User accounts can be unlocked by using Active Directory Users and Computers or by
using the dsmod.exe command. The user said she attempted to log on six times, but failed. As a result the
account is locked out. Therefore we can simply unlock the user account, and she can log on again.
Incorrect answers:
A: Resetting the password for the user account does not necessarily grant log on rights to the domain.
You need to unlock the account first.
C: Modifying the properties of the account to password never expires will not affect the situation. The
account must first be unlocked. Whether the password expires or not, she will still need to use a strong
password once the account has been unlocked. She obviously went over the account lockout count
threshold.
D: The user's problem stems from going over the account lockout threshold too many times. Her account
has to be unlocked first for her to be able to log on to the domain. The User must change password on
next logon check box in her user account properties will not help in this case as her account has been
locked out.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.
# QUESTION 94:
You are the network administrator for CertKing.com. The network consists of a single Active Directory
domain CertKing.com. The domain contains a Windows Server 2003 domain controller named CertKing
3. The securews.inf security policy has been applied to the domain. A network application requires a
service account. The network application runs constantly. You create and configure a service account
named SrvAcct for the network application. The software functions properly using the new account and
service. You discover an ongoing brute force attack against the SrvAcct account. The intruder appears to
be attempting a distributed attack from several Windows XP Professional domain member computers on
the LAN. The account has not been compromised and you are able to stop the attack. You restart Server6
and attempt to run the network application, but the application does not respond.
A. Reset the SrvAcct password.
B. Configure the default Domain Controllers policy to assign the SrvAcct account the right to log on
locally.
C. Unlock the SrvAcct account.
D. Restart the NetAppService service.
Answer: C
Explanation: Disabling the Interactive logon: Require Domain Controller authentication to unlock
workstation setting will weaken the security configuration, but it will allow the application to run
smoothly.
Incorrect Answers:
A: Resetting the password for that specific account will not work in this scenario. You want to be able to
run the network application after the attack has been stopped and has thus locked the account, which
first has to be unlocked to enable the application to run smoothly.
B: Assigning the log on locally permission to the SrvAcct account is not sufficient; you still need to
unlock the account.
D: Restarting the backup application is not sufficient as the account has to be unlocked for the application
to respond.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, p. 401
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.
# QUESTION 95:
You are the network administrator for CertKing.com. Your network consists of a single Active Directory
domain named CertKing.com. The Default Domain Group Policy object (GPO) uses all default settings.
The network contains five servers running Windows Server 2003 and 800 client computers. Half of the
client computers are portable computers. The other half are desktop computers. Users of portable
computers often work offline, but users of desktop computers do not.
You install Windows XP Professional on all client computers with default settings. Then you configure
user profiles and store them on the network.
Some users of portable computers now report that they cannot log on to their computers. Other users of
portable computers do not experience this problem.
You need to ensure that all users of portable computers can log on successfully, whether they are
working online or offline.
What should you do?
A. Configure all portable computers to cache user credentials locally.
B. Ensure that all users of portable computers log on to the network at least once before working offline.
C. In all portable computers, rename Ntuser.dat to Ntuser.man.
D. For all portable computers, configure the Loopback policy setting.
Answer: B
Explanation: If a user is logging on to the domain for the first time, then a profile will be created on his
workstation. So the workstation has to be connected to the network for this to work. If the workstation is
not connected to the network, then the user login cannot be validated and a profile will not be created.
After the user has logged on to the domain and logged out again, the workstation can be disconnected
from the network. The user can now log in using cached credentials. Compelling the portable users to
log on to the network at least once is a logical way of finding out which of the portable users can log on
successfully.
Incorrect answers:
A: This setting is default: ENABLED.
C: You can protect both local and roaming profiles from being permanently changed by users if you
simply rename the ntuser.dat file to ntuser.man. By renaming this file, you have effectively made the user
profile read-only, meaning that the operating system does not save any changes made to the profile when
the user logs off. If you enable user profiles on Windows 9x computers, the file that stores the user
settings is named user.dat instead of ntuser.dat. You can rename user.dat to user.man to make the user
profile mandatory (read-only). Thus this action will create mandatory profiles, meaning the profile
settings cannot be changed.
D: The User Group Policy loopback processing mode policy setting is an advanced option that is
intended to keep the configuration of the computer the same regardless of who logs on. This option is
appropriate in certain closely managed environments, such as servers, terminal servers, classrooms,
public kiosks, and reception areas. Setting the loopback processing mode policy setting applies the same
user settings for any user who logs onto the computer, based on the computer.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 96:
You are the administrator of an Active Directory domain named CertKing.com. A user reports that he
forgot his password and cannot log on to the domain. You discover that yesterday morning the user reset
his password and successfully logged on to the domain.
You need to enable the user to log on to the domain.
What should you do? (Choose two)
A. Use Active Directory Users and Computers to move the account to the default organizational unit (OU)
named Users.
Instruct the user to restart his computer.
B. Use Active Directory Users and Computers to open the account properties for the user's user account.
Clear the Account is locked out check box, and select the User must change password at next logon check
box.
C. Use Active Directory Users and Computers to reset the user's password.
Give the user the new password.
D. Use Computer Management to reset the password for the local Administrator account.
Give the user the new password.
Answer: B, C
Explanation: It is possible that he typed in his password several times; as a result his account is locked.
Therefore we must unlock his account and reset his password since he has forgotten it.
Password problems are usually due to users forgetting their password and needing it reset. This can be
accomplished via Active Directory Users and Computers or via the dsmod.exe command.
Users often lock out their accounts. This is usually due to them forgetting their password because they
just changed it recently, in which case you would need to unlock their account and reset their password.
Sometimes they mistype or CAPS LOCK is on, and they enter their password incorrectly too many times
and lock their account. User accounts can be unlocked by using Active Directory Users and Computers or
by using the dsmod.exe command.
Incorrect answers:
A: You would need to open the account properties to get access to the Account is locked out check box.
That is the check box that has to be accessed to get to the User must change password at next logon
option. Moving the account to the default organizational unit (OU) named Users will not solve the problem.
D: Resetting the password for the local Administrator account will not grant a user account the right to
log on to the domain.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.
# QUESTION 97:
You are the network administrator for CertKing .com. Your network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional. Robert's user account is located in the standard Users folder of the
domain. One day, Robert tries to log on to his computer. When he enters the password he receives an
error message indicating that his account is locked out. Robert cannot remember the correct password.
You examine the domain's Account Lockout Policy, which is shown in the exhibit.
You need to ensure that Robert can log on as soon as possible.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Unlock Robert's account.
B. Increase the value for the Reset account lockout after option.
C. Decrease the value for the Reset account lockout after option.
D. Reset Robert's password.
E. Increase the value for the Account lockout threshold option.
F. Decrease the value for the Account lockout threshold option.
Answer: A, D
Explanation: Account lockout policy disables a user's account if an incorrect password is entered a
specified number of times over a specified period. These policy settings help you to prevent attackers
from guessing users' passwords, and they decrease the likelihood of successful attacks on your network.
Account lockout is based on the lockout security policy: a user will be denied access, or locked out, after
a predefined number of failed logon attempts. The duration of the lockout is also set in the lockout
security policy. You need to enable Robert to access his account by unlocking it, and then you need to
reset Robert's password so that he can log on quickly. Robert's account is locked out because he entered
a wrong password at least five times. Therefore we need to unlock Robert's account. We can do this
manually or we can wait for 30 minutes. The question states that you need to ensure that Robert can log
on as soon as possible, so we'll unlock the account manually. Robert can't remember his password, so we
can set a new password. Users often lock out their accounts by entering incorrect passwords after
forgetting a password they changed recently, in which case you would need to unlock their account and
reset their password. Sometimes they mistype or CAPS LOCK is on, and they enter their password
incorrectly too many times and lock their account. User accounts can be unlocked by using Active
Directory Users and Computers or by using the dsmod.exe command.
Incorrect answers:
B: Reset account lockout counter after is a security setting that determines the number of minutes that
must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon
attempts. The available range is 1 minute to 99,999 minutes. Thus increasing this value setting is not
going to allow Robert to be able to log on as soon as possible. Manual unlocking of the account would be
best suited.
C: For the same reason as option B, decreasing the value setting will not ensure Robert the ability to log
on as soon as possible.
E: Account lockout threshold is a security setting that determines the number of failed logon attempts that
causes a user account to be locked out. A locked-out account cannot be used until it is reset by an
administrator or until the lockout duration for the account has expired. You can set a value between 0 and
999 failed logon attempts. If you set the value to 0, the account will never be locked out. Thus increasing
the threshold will not aid Robert as his account is already locked out.
F: A locked-out account cannot be used until it is reset by an administrator or until the lockout duration
for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the
value to 0, the account will never be locked out. Unlocking and resetting the user account manually will
grant Robert the ability to log on as soon as possible.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318
# QUESTION 98:
You are the network administrator for CertKing .com. Your network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional.
CertKing has 16 different office locations. Each office is a separate Active Directory site. You work in
the main office.
A user named Anne works in a branch office. Every morning for one week, Anne reports that her user
account is locked out. Each time, you are obliged to unlock her account. You suspect that Anne's account
is being misused or attacked outside of regular business hours.
You need to investigate the cause of the account lockout.
Where should you search for security events?
A. Only in the event log of a domain controller in your site.
B. Only in the event logs of the domain controllers in Anne's site.
C. In the event logs of all domain controllers in all sites.
D. Only in the event log of Anne's computer.
Answer: C
Explanation: The Event Viewer displays event log data. There are at least three different event log files:
the application, security, and system logs. Security log - Events that affect system security are included in
this event log.
These events include failed or successful logon attempts, creating, opening or deleting files, changing
properties or permissions on user accounts and groups, etc. Domain logons give users access to resources
throughout the domain. Domain user accounts are stored in an Active Directory domain. Active Directory
is deployed on each domain controller and domain user accounts are replicated throughout a domain.
Before a user can log on to a computer using a domain account, the computer must be joined to a domain.
If the computer has access to a network connection, the user can log on to a domain provided that the user
has an account in the domain's Active Directory. The computer must transparently authenticate to the
domain's Active Directory. This form of logon is called a computer logon. Both users and computers are
considered equal security principals in Active Directory; to be granted access to network resources, both
must be able to verify their identities. Therefore, to investigate the cause of the account lockout we must
look at the event logs of all the domain controllers in all sites.
Incorrect answers:
A: Checking the event log of the domain controllers in your site will not yield the information that you
need.
B: If Anne's account is being misused or even attacked outside of regular business hours, then you need
to check the event logs of all the domain controllers in all the sites, because the attack could be
launched from outside of the office where Anne's account resides.
D: If you check only the event log on Anne's computer, then you will not be able to see who launched an
attack on her account or from where. Both users and computers are considered equal
security principals in Active Directory; to be granted access to network resources, both must be able to
verify their identities. Thus you need to check the event log of all the domain controllers in all the sites.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290:
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
pp. 760, 762.
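Added example, not part of the original study material: the Python sketch below merges Security log records collected from every domain controller and lists, for each lockout of one account, the client addresses whose failed logons preceded it. The pipe-delimited export layout, the DC and site names, the addresses and the 30-minute window are constructed for illustration; 675 and 644 are the Windows Server 2003 Security log event IDs for a failed Kerberos pre-authentication and a locked-out user account.

```python
from collections import Counter
from datetime import datetime, timedelta

PREAUTH_FAILED = 675   # Kerberos pre-authentication failed (bad password)
ACCOUNT_LOCKED = 644   # user account locked out

# Constructed sample data: dc|site|timestamp|event id|user|client address.
# This layout is hypothetical, not a real export format.
SAMPLE_EXPORT = """\
DC-BR12-01|Branch12|2004-03-01 02:14:07|675|anne|10.12.0.50
DC-BR12-01|Branch12|2004-03-01 02:14:09|675|anne|10.12.0.50
DC-BR12-02|Branch12|2004-03-01 02:14:12|675|anne|10.12.0.50
DC-MAIN-01|Main|2004-03-01 02:14:12|644|anne|
DC-BR07-01|Branch07|2004-03-01 08:02:40|675|anne|10.7.0.31
DC-BR12-01|Branch12|2004-03-02 01:47:30|675|anne|10.12.0.50
DC-BR12-01|Branch12|2004-03-02 01:47:33|675|anne|10.12.0.50
DC-BR12-01|Branch12|2004-03-02 01:47:35|675|anne|10.12.0.50
DC-MAIN-01|Main|2004-03-02 01:47:36|644|anne|
DC-MAIN-01|Main|2004-03-02 09:15:00|675|bob|10.1.0.9
"""


def parse_export(text):
    """Turn the export into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dc, site, stamp, event_id, user, client = line.split("|")
        events.append({
            "dc": dc,
            "site": site,
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user.lower(),
            "client": client or None,
        })
    return sorted(events, key=lambda e: e["time"])


def only_sites(events, sites):
    """Simulate searching the logs of DCs in the given sites only."""
    return [e for e in events if e["site"] in sites]


def explain_lockouts(events, user, window=timedelta(minutes=30)):
    """For each lockout of `user`, collect the failed logons that led to it."""
    user = user.lower()
    mine = [e for e in events if e["user"] == user]
    report = []
    for lock in (e for e in mine if e["event_id"] == ACCOUNT_LOCKED):
        start = lock["time"] - window
        failures = [e for e in mine
                    if e["event_id"] == PREAUTH_FAILED
                    and start <= e["time"] <= lock["time"]]
        report.append({
            "locked_at": lock["time"],
            "reported_by": lock["dc"],
            "clients": Counter(e["client"] for e in failures),
            "recording_dcs": sorted({e["dc"] for e in failures}),
        })
    return report


if __name__ == "__main__":
    all_events = parse_export(SAMPLE_EXPORT)
    for scope, evs in (("all sites", all_events),
                       ("Anne's site only", only_sites(all_events, {"Branch07"})),
                       ("main office only", only_sites(all_events, {"Main"}))):
        print(scope)
        for row in explain_lockouts(evs, "anne"):
            print("  locked", row["locked_at"], "seen on", row["reported_by"],
                  "failures from", dict(row["clients"]),
                  "recorded by", row["recording_dcs"])
```

In the constructed data, the failures and the lockout are recorded on different domain controllers in different sites, so neither Anne's site nor the main office alone shows both the lockout and its source.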
# QUESTION 99:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows 2000 Professional.
CertKing is organized in three departments. Each department corresponds to a separate organizational
unit (OU). Computer accounts for each department reside in the corresponding OU.
Domain users report that their accounts are locked out after three unsuccessful attempts to log on.
You need to increase your account lockout setting to five unsuccessful attempts to log on. You also need
to ensure that you can review all unsuccessful attempts to log on to the domain or to log on locally to
client computers. The new settings must be applied to a limited number of objects.
What should you do?
To answer, drag the appropriate security policy settings to the correct locations in the work area.
Answer:
Explanation:
Account Lockout Settings must always be applied at domain level. If they are applied at any other level,
such as an OU for example, they will not apply to domain user accounts.
Audit Account Logon Events: This is for auditing logon events for domain accounts; therefore, this policy
must be applied to the domain controllers.
Audit Logon Events: This is for auditing local logon events. The Marketing, Finance and Research OUs all
contain computer accounts, so we must apply this policy to all three OUs.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 317
# QUESTION 100:
You are the administrator of a Windows 2003 domain CertKing .com. The domain contains 20 Windows
2000 Professional computers and two Windows 2003 Server computers. For the domain, you want to set
an account policy that locks any user's account after three consecutive failed logon attempts. You also
want to ensure that only administrators will be able to unlock the account. Which two actions should you
take? (Each correct answer presents part of the solution. Choose two)
A. Set the Account lockout duration value to 0.
B. Set the Account lockout duration value to 3.
C. Set the Account lockout threshold value to 0.
D. Set the Account lockout threshold value to 3.
E. Set the Reset account lockout counter after value to 0.
F. Set the Reset account lockout counter after value to 3.
Answer: A, D
Explanation: The Account lockout duration security setting determines the number of minutes a locked-out
account remains locked out before automatically becoming unlocked. The available range is from 0
minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked
out until an administrator explicitly unlocks it. The Account lockout threshold determines the number of
failed logon attempts that will cause a user account to be locked out. A locked out account cannot be used
until it is reset by an administrator or the account lockout duration has expired.
Incorrect Answers:
B: Setting the Account lockout duration value to 3 would cause a locked account to become unlocked
after 3 minutes.
C: Setting the Account lockout threshold value to 0 would cause the accounts to never be locked out.
E: Setting the Reset account lockout counter after value to 0 determines the number of minutes that must
elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
A setting of 0 is not possible.
F: Setting the Reset account lockout counter after value to 3 determines the number of minutes that must
elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290:
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
p. 317
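Added example, not part of the original study material: a simplified Python model of how the three Account Lockout Policy settings discussed in Questions 97, 99 and 100 interact. Time is counted in whole minutes, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # failed attempts that lock the account; 0 = never lock
    duration_min: int     # minutes locked; 0 = until an administrator unlocks
    reset_after_min: int  # minutes after a failure before the counter resets


@dataclass
class Account:
    bad_count: int = 0
    last_bad: Optional[int] = None
    locked_at: Optional[int] = None


def admin_unlock(acct):
    """Manual unlock: clears the lock and the failed-attempt counter."""
    acct.bad_count, acct.last_bad, acct.locked_at = 0, None, None


def is_locked(policy, acct, now):
    if acct.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True                      # only admin_unlock() can clear this
    if now - acct.locked_at >= policy.duration_min:
        admin_unlock(acct)               # lockout duration expired
        return False
    return True


def logon(policy, acct, now, password_ok):
    """Return 'locked', 'ok' or 'bad' for one logon attempt at minute `now`."""
    if is_locked(policy, acct, now):
        return "locked"
    if password_ok:
        acct.bad_count, acct.last_bad = 0, None
        return "ok"
    # The counter is reset once enough time has passed since the last failure.
    if acct.last_bad is not None and now - acct.last_bad >= policy.reset_after_min:
        acct.bad_count = 0
    acct.bad_count += 1
    acct.last_bad = now
    if policy.threshold > 0 and acct.bad_count >= policy.threshold:
        acct.locked_at = now
    return "bad"


def replay(policy, steps):
    """steps: (minute, 'good' | 'bad' | 'unlock') tuples, in time order."""
    acct = Account()
    results = []
    for now, action in steps:
        if action == "unlock":
            admin_unlock(acct)
            results.append("unlocked")
        else:
            results.append(logon(policy, acct, now, action == "good"))
    return results


if __name__ == "__main__":
    three_bad = [(0, "bad"), (1, "bad"), (2, "bad")]
    # Answers A and D of Question 100: threshold 3, duration 0.
    print(replay(LockoutPolicy(3, 0, 30),
                 three_bad + [(500, "good"), (501, "unlock"), (502, "good")]))
    # Option B: duration 3 lets the account unlock itself after 3 minutes.
    print(replay(LockoutPolicy(3, 3, 3), three_bad + [(4, "good"), (5, "good")]))
    # Option C: threshold 0 never locks the account.
    print(replay(LockoutPolicy(0, 0, 30),
                 [(m, "bad") for m in range(10)] + [(10, "good")]))
```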
# QUESTION 101:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. For security reasons, management decides that a particular user must not
be able to log on to the domain after 5:00 P.M. If the user is logged on to the domain at 5:00 P.M., he
must be logged off automatically. You configure the Logon Hours setting for the appropriate user
account. That night, you verify that the user cannot log on to the domain after 5:00 P.M. The next day,
you notice that the user is still accessing domain resources at 6:00 P.M. You verify that the time on the
user's computer and on the domain controller are correct. You need to ensure that the user is logged off
automatically if he is still working on the domain after 5:00 P.M.
What should you do?
A. In Active Directory Users and Computers, on the Sessions tab, configure the End Session setting for the
user account. Instruct the user to log off from the domain and log on again.
B. Modify the Default Domain Policy GPO to enforce logoff when logon hours expire.
Ensure that the user's computer has the latest Group Policy settings applied.
C. Remove the user's domain account from the local Administrators group on the user's client computer.
Instruct the user to log off from the domain and log on again.
D. Use Computer Management on the domain controller. Restart the Net Logon service.
Answer: B
Explanation: When you restrict logon hours, you might also want to force users to log off after a certain
point. If you apply this policy, users cannot log on to a new computer, but they can stay logged on even
during restricted logon hours. To force users to log off when logon hours expire for their account, apply
the Network security: Force logoff when logon hours expire policy. You can assign logon hours as a
means to ensure that employees are using computers only during specified hours. This setting applies
both to interactive logon, in which a user unlocks a computer and has access to the local computer, and
network logon, in which a user obtains credentials that allow him or her to access resources on the
network.
Incorrect answers:
A: Option A suggests instructing the user to log off and then on again. This is not what is required.
C: Option C suggests instructing the user to log off and then on again. However, when removing the user's
domain account from the local Administrators group on the user's client computer, you will only be
fulfilling half of what is required. You need to ensure that the user is logged off automatically if he is
still working on the domain after 5:00 P.M.
D: Restarting the Net Logon service is not what is required in this scenario.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 582
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 58, 442.
# QUESTION 102:
Exhibit
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All seven servers are configured as domain controllers and run Windows
Server 2003, and all client computers run Windows XP Professional.
CertKing .com frequently hires temporary employees. You specify account expiration dates when you
configure user accounts for temporary employees.
A former temporary employee named CertKing is hired full-time. When Jack tries to log on, she receives
the logon message shown in the exhibit.
You need to modify the properties of Jack's user account to correct this problem.
What action should you take?
A. Select the Account is locked out option
B. Select the Password never expires option.
C. Set the Account expires option to never.
D. Clear the Account is disabled option.
Answer: C
Explanation: Setting an account expires option is a good feature if you have contract or temporary
employees working for you. If you know they are on a six-month contract, go ahead and set their
accounts to expire in six months. Some companies set all temporary employee user accounts to expire
monthly as a security precaution. If the temporary user leaves the company without notifying the IT
department, the account can only be used (or abused) for 30 days. However, in this scenario Jack is made
one of the permanent staff and thus you have to set the Account expires option to never.
Incorrect Answers:
A: Selecting the Account is locked out option will not allow Jack to log on.
B: With this option the user's password will not expire. This option overrides the account policy
configured for the domain (in the default domain policy GPO). This is not desired as it poses a security
risk.
D: Disabling an account does not change any permissions assigned to or settings configured for the user
account. It just disables logging on with the account.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 282-283
# QUESTION 103:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named ad. CertKing .com. CertKing also uses a DNS namespace named CertKing .com for its
external Internet communications. Users in the sales department log on by using their e-mail addresses. A
user named Ben Smith works for the sales department. He reports that when he attempts to log on by using
bsmith@ CertKing .com, he receives the error message shown in the Error Message exhibit.
The details of Ben's user account are shown in the User Account exhibit.
You need to ensure that Ben can log on by using a user ID that matches his e-mail address. What should
you do?
A. Configure Ben's user account to be trusted for delegation.
B. Configure Ben's user account to require a smart card for interactive logon.
C. In User logon name options, change the user principal name (UPN) for Ben's account.
D. Change the Log On To options for Ben's account.
Answer: C
Explanation: As you can see in the User Account exhibit, his UPN is bsmith@ad. CertKing .com. We must
change this to bsmith@ CertKing .com. After that he can log on to the domain.
Typing the User logon name automatically fills in the User logon name (pre-Windows 2000) field as well.
When you have filled in all necessary information, click Next to continue.
1 [/USER:[domainname\]username]
2 [/USER:[dotted domain name\]username]
3 [/USER:[username@dotted domain name]
The first one, [/USER:[domainname\]username], tells you to specify the username in the format of domain
name followed by the username. This format uses the one-word NetBIOS-compatible domain name. The
second one tells you to specify the username in the format of fully qualified domain name followed by the
username. This is the hierarchical Active Directory domain name. The third one tells you to specify the
username by using the user principal name (UPN). This format uses the @ sign between the user account
name and the domain name, like an Internet e-mail address. The Account tab is where most of the action
takes place. This is where you change a user's logon name, the user principal name (UPN), or a user's
UPN suffix.
-u domain\username, or user principal name (UPN).
Incorrect answers:
A: Delegation trust will not solve the problem that Ben is experiencing. This option should be left
unchecked most of the time. Selecting it could weaken your network security. Setting an account to be
trusted for delegation enables a service running as this account to impersonate a client to get access to
resources on another machine running the same service.
B: A smart card for interactive logon will not solve Ben's problem. This configuration disables logging on
without a smart card. The user's password is randomly changed and set to never expire. Active Directory
manages the password for the account. This is good for security, but it can be a problem if a user forgets
his or her smart card or needs to log on to a machine that does not have a smart card reader.
D: Changing the Log On To options for Ben's account will not solve the problem. Ben needs the UPN to be
changed to enable him to log on.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 264, 282-284, 334
# QUESTION 104:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. The functional level of the domain is Windows Server 2003.
Some user accounts have expiring passwords and some do not.
You need to identify all user accounts that do not have expiring passwords. You need to modify the
password property to allow the passwords on these accounts to expire. You must complete this task by
using the minimum amount of administrative effort.
First, you create a saved query to obtain a list of all user accounts that do not have expiring passwords.
What should you do next?
A. Export the query results to a comma-delimited file.
Use a CSVDE script to modify the password property of each user account.
B. From the Results pane of the query, select all user accounts and modify their password properties
simultaneously.
C. Export the query results to a comma-delimited file.
Use an LDIFDE script to modify the password property of each user account.
D. From the Results pane of the query, select each user account and modify the password property, one
by one.
Answer: B
Explanation: You have created a saved query to obtain a list of all user accounts that do not have expiring
passwords. A new feature of Windows 2003 is that you can make changes to the properties of multiple
user accounts simultaneously. You can do this by displaying the resultant set of user accounts from the
query, selecting them all and accessing the properties of the accounts. Here you can make a change that
will apply to all user accounts. To get the desired effect you need to select all users and modify their
passwords simultaneously after the query has been run.
Incorrect Answers:
A: A script is not necessary because it is not the quickest way to make the same change to multiple
accounts. The csvde (CSV Directory Exchange) command can be used to import and export Active Directory
information using files formatted in the Microsoft comma-separated value (CSV), or comma delimited,
format. The csvde command can also support batch operations. The csvde command only allows you to add
new objects. It does not allow you to modify existing objects.
C: A script is not necessary because it is not the quickest way to make the same change to multiple
accounts. The ldifde (LDIF Directory Exchange) command can be used to create, modify, and delete
directory objects on Windows Server 2000, Windows Server 2003 and Windows XP Professional. You can also
use ldifde to extend the schema, export Active Directory user and group information to other LDAP
(Lightweight Directory Access Protocol) applications or services, and populate Active Directory with data
from other directory services. The ldifde command, however, uses the LDAP Data Interchange Format (LDIF)
file format, which is a draft Internet standard for a file format that may be used to perform batch
operations against directories that conform to the LDAP standards.
D: A new feature of Windows 2003 is that you can make changes to the properties of multiple user accounts
simultaneously. You don't need to do it one at a time. This option will take much longer than option B,
though it will achieve the same result after much more administrative effort.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, pp. 3: 16, 20, 4: 13, 13: 6.
# QUESTION 105:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. Half of the client
computers run Windows XP Professional and the other half run Windows NT 4.0 Workstation. You
install Terminal Server on five member servers named CertKing SrvC through CertKing SrvG. You place
all five servers in an organizational unit (OU) named Terminal Server. You link a Group Policy
object (GPO) to the Terminal Server OU.
Two days later, users notify you that the performance of CertKing SrvF is unacceptably slow. You
discover that CertKing SrvF has 75 disconnected Terminal Server sessions.
You need to configure all five terminal servers to end disconnected sessions after 15 minutes of
inactivity. You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Log on the console of each terminal server. In the RDP-Tcp connection properties, set the End a
disconnected session option to 15 minutes.
B. Edit the GPO to set the time limit for disconnected sessions to 15 minutes.
C. On CertKing SrvC, run the tsdiscon command to disconnect all 75 users from CertKing SrvF.
D. In Active Directory Users and Computers, set the End a disconnected session option for all domain
user accounts to 15 minutes.
Answer: B
Explanation: We can configure a group policy to configure the Terminal Servers to set the time limit for
disconnected sessions to 15 minutes. Note: We are applying this policy to the Terminal Servers, not the
users or the client computers. The Sessions tab enables you to control how long a user may remain
actively connected to a session and how long a disconnected session should be allowed to remain on the
Terminal Services computer. Even though they are not active, disconnected sessions can use substantial
resources on the Terminal Services computer because applications are still running on them. Depending
on your environment, it may be advisable to terminate them after a specific period of time. By default,
most of the settings on this page are configured to use the user account property settings and several
settings are grayed out. This can be overridden by selecting the check box next to Override user settings.
Incorrect Answers:
A: Using a group policy requires less administrative effort.
C: Ending the current disconnected sessions won't help. We also need to end future disconnected sessions
after 15 minutes to prevent the problem reoccurring.
D: This would work for current users, but not future users.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 442, 551.
# QUESTION 106:
Your company network consists of a single Windows 2003 Active Directory domain. You are a member
of the Domain Admins group. The network includes 10 member servers running Windows Server 2003
and 4 domain controllers running Windows Server 2003. The 200 client computers all run Windows XP
Professional. The user accounts for employees in the Finance department are located in an Organisational
Unit (OU) named Finance. The Finance OU also contains a Global Security group named FinanceUsers.
All Finance employees are members of FinanceUsers. An employee named Alice works in the Finance
department. Alice reports that she cannot log in to the domain. She receives the error message shown in the
exhibit.
You need to enable Alice to log in to the domain. What should you do?
A. Use the dsmod user command line tool to enable Alice's user account.
B. Use Active Directory Users and Computers to add Alice's user account to the Domain Users group.
C. Use Active Directory Users and Computers to add Alice's user account to the Guests group.
D. Use the net accounts command line tool to enable Alice's user account.
E. Perform an authoritative restore of Alice's user account.
Answer: A
Explanation:
dsmod user UserDN -disabled {yes|no}
UserDN Specifies the distinguished name of the user object to be disabled or enabled.
{yes|no} Specifies whether the user account is disabled for log on (yes) or not (no).
Incorrect answers:
B: Domain users cannot make changes to their computer systems nor can they install application or utility
programs. But the question states that Alice gets the account disabled message, which means that her
account should be enabled first.
C: Guest account members can log on, run applications, and even shut down the system on computers
that are not DCs. However, in this scenario Alice needs to be able to log into a domain.
D: Making use of the net accounts tool will not enable Alice to log in to the domain.
E: Performing an authoritative restore of Alice's user account will not enable her to log into the domain.
The account has to be enabled first.
Reference:
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290):
Managing and Maintaining a Microsoft Windows Server 2003 Environment, pp. 85, 106, 194
# QUESTION 107:
You are the network administrator for your company. The network consists of a single Active Directory
domain named CertKing .com. All domain controllers run Windows Server 2003, and all client computers
run Windows XP Professional.
All client computer accounts are stored in the Computer container.
A user named Peter reports that he cannot log on to the domain from his computer. Peter receives the
logon message shown in the exhibit.
Exhibit:
Logon Message
Your account is configured to prevent you from using this computer. Please try another computer.
You need to enable Peter to log on.
What should you do?
A. Create an account for Peter's computer in the Computers container.
B. Grant the Log on locally user right to Peter's user account.
C. Enable Peter's user account.
D. Change the properties of Peter's user account so he can log on to any computer.
Answer: D
Explanation:
This issue occurs if the user account is configured to log on from specific workstations. Change the
setting in the Log On To option in the User Properties dialog box.
Incorrect answers:
A: Although the Computers container is the default container for computer objects, it is not the ideal
container for computer objects. Unlike OUs, containers such as Computers, Users and Builtin cannot be
linked to policies, limiting the possible scope of computer-focused group policy. Thus placing Peter's
computer in the Computers container is not the answer.
B: The Deny logon locally user right will override your capability as an administrator to log on to the
console. You need to remove this group assignment to be able to log on to the console again. Thus the
same will happen when you grant this right to the Users group. Thus this option will not ensure that all
users be authenticated when they log on to the domain controller.
C: Peter's account is already enabled; he only needs to be able to log on, meaning that all you need to do is
to change the properties of his user account.
Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 146, 174, 209, 915
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 7
# QUESTION 108:
You are the network administrator for CertKing GmbH. The network consists of a single Active
Directory domain named CertKing .com. All network servers run Windows Server 2003, and all client
computers run Windows XP Professional. CertKing 's main office is located in Berlin, which is also the
location of all domain controllers. The Berlin office contains 200 client computers. A branch office is
located in Helsinki. This office contains 60 client computers. All user accounts for permanent employees
in Helsinki are contained in an organizational unit (OU) named HelUsers. All user accounts for
temporary employees in Helsinki are contained in an OU named TempUsers. A temporary employee
named Bill is hired in the Helsinki office. The business hours in his office are
9:00 A.M. to 5:00 P.M. At 9:05 A.M. on his first Monday at work, Bill tries to log on to the domain from
his client computer. However, he receives the message shown in the exhibit.
You need to ensure that Bill can log on to the domain. What should you do?
A. Move Bill's account to HelUsers.
Create a Group Policy object (GPO) and link it to HelUsers.
In the GPO, decrease the account lockout duration.
B. Make TempUsers a child of HelUsers.
Create a Group Policy object (GPO) and link it to HelUsers.
In the GPO, decrease the account lockout threshold.
C. Modify the properties of Bill's user account so the Logon Hours setting is the same as the business
hours for the Helsinki office.
D. Modify the properties for Bill's user account to extend the dates during which his account can be used.
Answer: D
Explanation: The user account has expired. This means that the user account was created with an expiry
date set. We need to modify the user account to extend the dates during which his account can be used. In
other words, we need to set the account to expire at a later date.
Incorrect Answers:
A: The accounts in HelUsers are for permanent users and have no expiry date. Bill is a temporary user so
we should set an expiry date on his account. The account lockout duration is the time an account is
locked out after failed log on attempts due to incorrect username or passwords. It is not related to this
question.
B: We don't need to rearrange the OU structure. The account lockout threshold is related to logon failures
due to incorrect username or passwords. It is not related to this question.
C: The logon hours setting is not the cause of the problem. The account has expired. If you tried to log on
'out of hours', you would get a different error message.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 282, 318
# QUESTION 109:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. All domain controllers run Windows Server 2003.
A user named Bill is responsible for managing groups in the domain. In Active Directory, you delegate
the permissions to create, delete, and manage groups to him.
When Bill tries to log on to a domain controller, he receives the error message shown in the exhibit.
You need to ensure that Bill can immediately manage groups.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Modify the default security policy for the domain. Refresh the policy by using Secedit.exe.
B. Modify the default security policy for the domain. Refresh the policy by using Gpupdate.exe.
C. Modify the default security policy for the Domain Controllers organizational unit (OU). Refresh the
policy by using Secedit.exe.
D. Modify the default security policy for the Domain Controllers organizational unit (OU). Refresh the
policy by using Gpupdate.exe.
E. Install the Windows Server 2003 administrative tools on Bill's computer. Instruct him to run Dsa.msc
from his computer.
F. Share Dsa.msc from a computer running Windows Server 2003. Instruct Bill to run Dsa.msc from his
computer.
Answer: D, E
Explanation: Normal users are not able to log on to a domain by default. Thus, to enable Bill to manage
accounts from his computer, his user account has to be granted these permissions. To apply the new
policy immediately, we need to refresh the policy. The secedit tool used to refresh policies has changed
from 2000 server to 2003 servers; the new tool is gpupdate.
Incorrect Answers:
A: Using a group policy is a quicker way of applying a setting to all the domain controllers.
B: Bill needs to log on to the domain controllers only, so we should apply the policy to the domain
controllers OU.
C: Secedit.exe is no longer used in Windows 2003. It has been replaced by gpupdate.exe.
F: You cannot share a single file. You can only share folders containing files.
References:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapters 4 & 5
# QUESTION 110:
Exhibit
You are the network administrator for CertKing .com. You manage a Windows Server 2003 computer
named CertKing 2. CertKing 2 is a stand-alone server in your workgroup, which also contains five client
computers.
All client computers on the network run Windows XP Professional. No time synchronization mechanism
is currently in place.
A user named Sandra is given management responsibilities on CertKing 2. However, when Sandra tries
to log on to CertKing 2, she receives the error message shown in the exhibit.
You need to ensure that Sandra can log on to CertKing 2 to perform her management responsibilities.
What should you do?
A. Synchronize the clocks on all computers in your workgroup.
B. Install Active Directory on CertKing 2.
C. Configure Sandra's account password so it never expires.
D. Modify the security policy on CertKing 2 to assign the appropriate rights to Sandra.
Answer: D
Explanation: User right assignment is done in the Security settings in the local Policies. The default
security settings do not allow regular users to log on interactively at a server. You can change this setting
through Start > Administrative Tools > Security Policy. Expand Local Policies, then User Rights Assignment.
Double-click Allow Log On Locally and click the Add User Or Group button. In the Add User Or Group
dialog box, type in Sandra and click the OK button. In the Security Policy Setting dialog box, click the
OK button. Close any open dialog boxes. The exhibit shows clearly that it is a local security policy
violation when Sandra attempts to log on. What is thus necessary is to modify the security policy and
assign Sandra the appropriate rights to carry out her tasks.
Incorrect answers:
A: It is not a matter of synchronizing clocks on the computers in the workgroup, as the problem is located
at the local security policy.
B: You do not need to install Active Directory. This will not solve the problem of logging on interactively.
C: Following the exhibit, you will see that it is not a matter of altering Sandra's password so it never
expires. Rather it is a matter of changing the local security policy to allow Sandra to log on interactively.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 142
# QUESTION 111:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. The Default Domain
Policy GPO is configured to prompt users to change their password 14 days before it expires.
A user who returns from a two-week vacation reports that she cannot log on to the domain. You
discover that when she last logged on, she was prompted to change her password. She reports that she
did not change her password before leaving on vacation.
You need to ensure that the user can log on to the domain.
What should you do?
A. Enable the user account.
B. Reset the password for the user account.
C. Use Active Directory Users and Computers to select the Password never expires option.
D. Configure the Prompt user to change password before expiration security policy option to 21 days.
Answer: B
Explanation:
In the question it is mentioned that the default domain GPO is set to have users change their passwords
14 days before expiry, which the user neglected to do. What is thus needed is to reset the password for the
user account to enable the user to log on.
Incorrect answers:
A: The user account has worked before and thus it is not a matter of enabling the user account.
C: This is contradictory to the default domain GPO.
D: Changing the policy option to 21 days will not ensure that the user can log on to the domain; the
account is already not able to log on.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, p. 149
# QUESTION 112:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. All 3,500 user accounts
are located in the default Users container.
All user accounts have their Department attribute values set to the appropriate employee department.
The network engineer creates an OU structure for the domain, based on CertKing 's departments.
You need to place all user accounts that have the Department attribute set to Sales in the Sales OU.
Because of time constraints, you need to automate this process.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the dsmod command with the appropriate parameters.
B. Run the dsget command with the appropriate parameters.
C. Run the dsquery command with the appropriate parameters.
D. Run the dsmove command with the appropriate parameters.
E. Run the dsrm command with the appropriate parameters.
F. Run the find command with the appropriate parameters.
Answer: C, D
Explanation: The Dsmove command-line utility is used to rename or move a single object within the
Active Directory. When you use the Dsmove command-line utility, you specify the object's distinguished
name, then the new name of the object (if you are changing the object's name) and the new location of the
object. You use the Dsquery command-line utility to query the Active Directory for objects that meet
specified criteria.
Incorrect answers:
A: You can modify existing Active Directory objects through the Dsmod command-line utility.
B: The Dsget command-line utility is used to display the selected properties of a specified object within
the Active Directory.
E: This is not what is needed in this case.
F: Find is usually used to find and locate. This is not what is required.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 190-194
# QUESTION 113:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All client computers run Windows XP Professional.
The finance department uses a specific naming process to audit users and their computers. The process
requires that each user's client computer has an account in Active Directory and that each client
computer name corresponds to a specific user account.
A user named Marie is a member of only the Domain Users security group. She reports that the hardware
on her computer fails. She receives a new computer.
You need to add Marie's new computer to the domain. You need to comply with the finance department
naming process.
What should you do?
A. Instruct Marie to run the ipconfig /flushdns command on her new computer and to add the new
computer to the domain by using the same computer name as her failed computer.
B. Assign Marie permissions for adding computer accounts to the default container named Computers.
Instruct Marie to add her new computer to the domain.
C. Reset the computer account for Marie's failed computer. Instruct Marie to add her new computer to the
domain by using the same name as her failed computer.
D. Configure the IP address of Marie's new computer to be the same as the failed computer. Instruct
Marie to add the new computer to the domain.
Answer: C
Explanation: Active Directory is a directory service that is available with the Windows 2000 Server and
Server 2003 platforms. It stores information in a central database that allows users to have a single user
account for access to resources across the enterprise network. The users and groups that are stored in
Active Directory's central database are called Active Directory users or domain users. Since Marie's
hardware failed and she will be receiving a new computer, it will be a matter of just substituting the old
computer account for the new one if you are to comply with the finance department's naming process.
She will then still be using her own name.
Incorrect answers:
A: The ipconfig /flushdns command flushes and resets the DNS resolver cache. This is not what is
required here.
B: It is not a matter of assigning permissions in this case.
D: This option will not solve the problem and comply with the finance department's requirements.
Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network
Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003,
pp. 99, 311
# QUESTION 114:
Exhibit:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. All client computers run
Windows XP Professional.
A user named CertKing regularly accesses a folder named CertKing Docs on a server named CertKing 1.
You instruct another administrator to audit and modify share permissions and NTFS permissions on
CertKing 1. Now, CertKing reports that she cannot access the shared folder from the network.
You verify that no changes were made to group memberships in the domain. On CertKing 1, you view
the effective permissions for the CertKing Docs folder, as shown in the exhibit.
You need to ensure that CertKing can access the data in the shared folder.
What should you do?
A. Add CertKing's user account to the ACL on the Sharing tab.
B. Instruct CertKing to log off and log on to the computer.
C. Delete CertKing's user account and re-create the user account.
D. Add CertKing's user account to the local Power Users group.
Answer: A
Explanation: Since Jack could previously access that particular folder, and the question states that group
memberships were not changed and that it is only a matter of share permissions and NTFS permissions
that were modified, it stands to reason that Jack's user account should be added to the Access Control List
on the Sharing tab of the CertKing Docs folder, because the shared folder has enough effective
permissions for Jack to be able to access it.
Incorrect answers:
B: Merely logging on and logging off to the computer will not ensure access to the folder, especially if
you do not have access to the folder.
C: Recreating the user account will not solve the problem.
D: Adding that particular user account to the local Power Users group will not address the problem. It has
been stated that the group memberships have not been altered and that there was previous access to this
folder.
Reference:
Lisa Donald, Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance Study Guide, Sybex Inc. Alameda, 2003, pp. 214, 291
# QUESTION 115:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
CertKing .com purchases a new server to test applications in a stand-alone environment. The company's
written security policy states that if a user attempts to log on by using an incorrect password three times
in 30 minutes, the account is locked out. An administrator must unlock the account.
You discover that users of the new server who have accounts that are locked out can log on again after 30
minutes.
You need to ensure that the new server meets the requirements of the written security policy.
What should you do?
A. Set the Reset account lockout counter after policy to 1.
B. Set the Reset account lockout counter after policy to 99999.
C. Set the Account lockout duration policy to 0.
D. Set the Account lockout duration policy to 99999.
Answer: C
Explanation: The account lockout policies are used to specify how many invalid logon attempts should be
permitted. You configure the account lockout policies so that after x number of unsuccessful logon
attempts within y number of minutes, the account will be locked for a specified amount of time or until
the administrator unlocks it. Account Lockout Duration specifies how long the account will remain locked if
the Account Lockout Threshold is exceeded. Thus setting the account lockout duration policy to 0 will have
the desired effect and comply with the written security policy.
Incorrect answers:
A & B: This counter specifies how long the counter will remember unsuccessful logon attempts. Clearly this
counter, whether set to 1 or 99999, will not have the desired effect.
D: Setting the account lockout duration to 99999 will result in the new server being unable to comply
with the written security policy.
Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network
Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, p. 112
# QUESTION 116:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All client computers run Windows XP Professional.
Jack, a user in the Sales staff, reports that she has attempted to log on six times unsuccessfully. Jack
reports that she logged on successfully yesterday. You discover that Jack reset her password three days
ago to comply with a new security policy that requires strong passwords.
The account policies that are applied in the Domain Security GPO are shown in the following table.
y setting
mumPasswordAge
mumPasswordAge
mumPasswordLength
ordComplexity
ordHistorySize
utBadCount
LockoutCount
utDuration
You need to ensure that the user can log on to the domain. What should you do?
A. Reset the password for the computer account.
B. Unlock the user account.
C. In the user account properties, select the Password never expires check box for the user account.
D. In the user account properties, select the User must change password on next login check box for the
user account.
Answer: B
Explanation: Jack's account got locked out since she made six unsuccessful attempts to log on to the
domain and the table in the question clearly shows that the LockoutBadCount is set to 5. The most
common problems with user accounts are due to group membership, password problems, or account
lockouts. Group membership problems manifest themselves by users not being able to access resources
that are assigned through group membership. This can easily be verified and corrected via Active
Directory Users and Computers or from the command line using the dsget.exe and dsmod.exe commands.
Password problems are usually due to users forgetting their password and needing it reset. This can be
accomplished via Active Directory Users and Computers or via the dsmod.exe command. Lastly, users
often lock out their accounts by entering their password incorrectly. This is usually due to them
forgetting their password because they just changed it recently, in which case you would need to unlock
their account and reset their password. Sometimes they just cannot type or CAPS LOCK is on and they
enter their password incorrectly too many times and lock their account. User accounts can be unlocked
by using Active Directory Users and Computers or by using the dsmod.exe command. The user said she
attempted to log on six times, but failed. As a result the account is locked out. Therefore we can simply
unlock the user account, and she can log on again.
Incorrect answers:
A: Resetting the password for the user account does not necessarily grant log on rights to the domain.
You need to unlock the account first.
C: Modifying the properties of the account to password never expires will not affect the situation. The
account must first be unlocked. Whether the password expires or not, she will still need to use a strong
password once the account has been unlocked. She obviously went over the account lockout count threshold.
D: The user's problem stems from going over the account lockout threshold too many times. Her account
has to be unlocked first to be able to log on to the domain. The User must change password on next logon
check box in her user account properties will not help in this case as her account has been locked out.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 317-318.
# QUESTION 117:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All servers run Windows Server 2003. You install a new server named
CertKing 6. You install an application on CertKing 6. The application fails to start because the NTFS
permissions on CertKing 6 are too restrictive. You use a security template from the manufacturer of the
application to modify the NTFS permissions on CertKing 6 to allow the application to work. A new update
to the application is released. The application no longer requires the modified NTFS permissions. You
need to restore the default permissions on CertKing 6 to restore the original level of system security.
Which security template should you import into the local security policy of CertKing 6?
A. The Syssetup.inf template.
B. The Profsec.inf template.
C. The Defltsv.inf template.
D. The Netserv.inf template.
Answer: C
Explanation: The default permissions are saved in the Defltsv.inf security template. This would thus be
the template to import into the local security policy of CertKing 6 if you need to restore default
permissions instead of the modified permissions. The other templates will not have the default
permissions.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 202, 655
Diana Huggins, Windows® Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291), Chapter 4
# QUESTION 118:
You are the network administrator for Proseware, Inc. All network servers run Windows Server 2003,
and all client computers run Windows XP Professional.
The network consists of two Active Directory forests: proseware.com and CertKing .com. External trust
relationships exist between the two forests.
You create an additional user principal name (UPN) suffix for proseware.com. The new UPN suffix is
mail.proseware.com.
David Campbell a user from proseware.com, reports that he cannot log on to proseware.com from
You need to ensure that David Campbell can log on to his domain from CertKing .com.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two)
A. Change David Campbell's user logon name to match his pre-Windows 2000 user logon name.
B. Clear the User cannot change password option in the David Campbell Properties dialog box.
C. Instruct David Campbell to log on by using his pre-Windows 2000 user logon name.
D. Change David Campbell's UPN suffix to proseware.com.
E. Create a computer account for David Campbell's computer in CertKing .com.
F. Delete David Campbell's user account and recreate it in CertKing .com.
Answer: A, C
Explanation: The user cannot log on because it is only possible to use an explicit UPN-Name to log on
when there is forest trust. As stated in the question there is an external trust relationship between the two
forests, not forest trust. In this case you can only use an implicit UPN-Name to log on. Alternatively, you
can use the pre-Windows 2000 user logon name to log on. A user principal name (UPN) is a variation of
a user account name that looks like an e-mail name but can be used to log on to a domain. The syntax is
@. UPNs allow you to use the same logon name across different domains in the same forest or in
different forests. The following two types of UPNs exist:
1 Implicit: Always takes the form userID@DNSDomainName. For example,
johns@corp.contoso.com is the UPN for the account of John Smith, whose user ID is johns and whose
account is a member of the corp.contoso.com forest. The implicit UPN is always associated with the
user's account, regardless of whether an explicit UPN is defined.
2 Explicit: Always takes the form string@Anystring, where both string and Anystring are explicitly
defined by the administrator. For example, John Smith might have the UPN ITJS@coneast. Explicit
UPNs are useful for situations when the organization does not want to publicize the name of domains or
the forest structure.
Incorrect Answers:
B: This is not a password problem. Thus clearing the option User cannot change password will not solve
the problem.
D: David Campbell's user account already has the correct UPN suffix; all he needs to be able to log on is
an implicit UPN name.
E: It is unnecessary to create a computer account for David Campbell's computer in CertKing .com; there
is an external trust relationship between the forests, not a forest trust. All that is needed to grant David
Campbell logon abilities is to use an implicit UPN-name.
F: Deleting David Campbell's user account and recreating it in CertKing .com is not the solution. There is
already an external trust relationship between the two forests.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 264, 282-284, 334
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/mtfstwp.asp
# QUESTION 119:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com.
You install Windows Server 2003 on a computer named CertKing 6. CertKing 6 is a member of a
workgroup. You configure CertKing 6 as the Web server for CertKing 's intranet Web site.
CertKing 's written security policy states the following requirements:
1 Smart cards are required to log on to all servers.
2 Membership to the Remote Desktop Users group should remain empty.
3 Users should not be able to log on through Terminal Server by using a blank password.
4 Third-party applications should not be installed on network servers.
When you attempt to log on to CertKing 6 by using your smart card, you receive an error message. You
verify that your user account is a member of the Domain Admins global group in your domain.
You need to be able to log on to CertKing 6 by using your smart card.
What should you do?
A. Join CertKing 6 to the domain.
B. In Computer Management, add your user account to the Administrators local group.
C. Restart CertKing 6 in safe mode.
From a command prompt, run the runas.exe /smartcard command.
D. In the local security policy, assign your user account the Allow log on locally user right.
Answer: A
Explanation: Smart cards are small credit-card-sized cards that usually store encryption keys, public key
certificates, and other types of account information. The card is inserted into a card reader attached to the
computer, which reads the information stored on the card. Typically, a password or Personal
Identification Number (PIN) is required to release the account information for authentication within a
network. This means that, in order to authenticate, a user must both have physical possession of the card
and have knowledge of the PIN. This is commonly used with EAP-TLS authentication. What should also
be kept in mind is that, for you to be able to log on to CertKing 6 using the smart card, CertKing 6
should also be joined to the domain.
Incorrect Answers:
B: Adding your user account to the Administrators local group will not work when you want to make use
of smart cards to log on to CertKing 6. Since your user account is already a member of the Domain Admins
global group, you need to join CertKing 6 to the domain.
C: Restarting CertKing 6 and running the runas.exe /smartcard command is not enough; CertKing 6 has to
be part of the domain as well.
D: Allow logging on locally will make the use of smart cards obsolete and the question states pertinently
that you want to log on by means of the smart card so as to comply with company policy.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System,
pp. 637-638
# QUESTION 120:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All domain controllers run Windows Server 2003. All client computers
run Windows XP Professional with default settings. Some users have portable computers, and the rest have
desktop computers.
You need to ensure that all users are authenticated by a domain controller when they log on.
How should you modify the local security policy?
A. Require authentication by a domain controller to unlock the client computer.
B. Cache zero interactive logons.
C. Cache 50 interactive logons.
D. Grant the Log on locally user right to the Users group.
Answer: B
Explanation: A cache is a local store of data commonly used. To ensure that all users are authenticated by
a domain controller when they log on, you need to set the cache to zero for interactive logons. System
cache holds data that was processed previously. It is faster to obtain data from cache, rather than
repeating the transaction. But this also reduces the need to authenticate users and for security purposes
you need to purge the cache and set it to not cache log on information so as to compel all users to be
authenticated each time they log on. GPO Setting -> Interactive logon: Number of previous logons to
cache (in case domain controller is not available). By default 10 logons. This setting would prevent logon
using cached credentials if the network was down or domain controllers otherwise unavailable. Certainly
a non-viable setting for mobile laptop users! If we use the zero setting, then every user MUST be
authenticated by a domain controller.
Incorrect answers:
A: Unlocking the client computer will not serve the purpose of authentication by the domain controller
upon log on.
C: If you cache 50 interactive logons then users will be able to bypass being authenticated by the domain
controller.
D: Users with this right will be able to log on to the console interactively as if they were sitting down at
the actual server itself, and the question states pertinently that you want all users to be domain controller
authenticated when they log on.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 439-441
# QUESTION 121:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional. All client computer accounts for the sales department are located in an
organizational unit (OU) named Sales. A user named Marie, in the sales department, uses a client
computer named CertKing 1. Her computer is a member of the domain. However, Marie reports that she
cannot log on to the domain. You verify that a computer account for CertKing 1 exists in the Sales OU.
Then you log on to CertKing 1 as a local Administrator and use Event Viewer to view the contents of the
event log, as shown in the exhibit.
You need to ensure that Marie can log on to the domain. What should you do?
A. Move the CertKing 1 account to the Computers OU.
B. Reset the password for Marie's user account.
C. Reset the CertKing 1 account.
D. Configure the properties for the CertKing 1 account so CertKing 1 is managed by Marie's user
account.
Answer: C
Explanation: The secure channel's password is stored along with the computer account on all domain
controllers. For Windows 2000 or Windows XP, the default computer account password change period is
every 30 days. If, for some reason, the computer account's password and the LSA secret are not
synchronized, the Netlogon service logs one or both of the following error messages:
The session setup from the computer DOMAINMEMBER failed to authenticate.
The name of the account referenced in the security database is DOMAINMEMBER$.
The following error occurred: Access is denied.
NETLOGON Event ID 3210
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.
The Netlogon service on the domain controller logs the following error message when the password is
not synchronized:
In the Active Directory Users and Computers MMC (DSA), you can right-click the computer object in
the Computers or appropriate container and then click Reset Account.
This resets the machine account. Resetting the password for domain controllers using this method is not
allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to
rejoin the domain, which will allow Marie to log on to the domain.
Incorrect answers:
A: Moving the CertKing 1 account to the Computers OU will not help because Marie is part of the Sales
OU, as is CertKing 1. For Marie to be able to log on to the domain, she needs to make use of
CertKing 1.
B: Resetting Marie's user account password will not ensure that she can log on to the domain. What needs
to be done is to reset the computer account that is used in the connection, in other words
resetting the machine, so as to allow Marie to log on to the domain.
D: Option D will not ensure that Marie will be able to log on to the domain. It is the CertKing 1 account
that is problematic.
Reference: Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit
(Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, p. 771
# QUESTION 122:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All servers run Windows Server 2003, and all client computers run
Windows XP Professional.
A user named Lilli receives a new computer named Client223. She successfully logs on to the domain.
The next day, she tries to log on again. The domain name appears in the domain dropdown list in the
dialog box. However, Lilli cannot log on.
You try to log on by using Client223, but you are also unsuccessful. Then you use a local Administrator
account to log on. You read the following error message in the system event log.
"NETLOGON Event ID 3210: Failed to authenticate with \\Server5, a Windows NT domain controller
for domain CertKing ".
You search the computer account for Client223 in Active Directory Users and Computers, but the
account does not appear.
You need to ensure that Lilli can log on to the domain successfully.
What should you do?
A. Recreate the user account for Lilli and add her to all appropriate security groups.
B. Run the netdom reset 'Client223' /domain:' CertKing ' command and then restart Client223.
C. Add Client223 to a workgroup. Then join Client223 to the domain.
D. Reset the computer account for Server5 in Active Directory Users and Computers.
Answer: C
Explanation: For a user to be able to log on successfully to a domain, it has to be part of a work group
that has the ability to log on to the domain.
Global groups can include other groups and user/computer accounts from only the domain in which the
group is defined. Permissions for any domain in the forest can be assigned to global groups.
It looks like the computer account for Client223 has been deleted. Therefore we need to recreate the
account. However, we cannot just create an account named Client223, as this account will have a different
SID (Security Identifier) from the original account. Therefore, we need to disjoin Client223 from the
domain by adding Client223 to a workgroup. Now we can rejoin Client223 to the domain and create a new
computer account in the process.
Incorrect Answers:
A: Lilli's user account itself is not problematic. The problem is that the computer account is missing.
B: This command is used to reset the secure channel between a workstation and the domain. If the
workstation and computer account passwords are out of sync, the secure channel will not work. However,
this is not the problem in this question. The problem is that the computer account is missing (probably
deleted).
D: With the computer account missing you will be unable to reset the computer account.
Reference:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, p. 771
# QUESTION 123:
You are the network administrator for Contoso, Ltd. Your network consists of a single Active Directory
domain CertKing .com. All network servers run Windows Server 2003.
You need to audit all logon attempts by domain users. You must ensure that the minimum amount of
necessary information is audited. To achieve this goal, you will edit the Default Domain Controller
Group Policy object (GPO).
What should you do?
Answer:
Explanation:
This setting will audit all logon events that use domain user accounts.
The Audit Logon Events policy is for auditing log on attempts using local user accounts.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 321
# QUESTION 124:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All domain controllers run Windows Server 2003, and all client
computers run Windows XP Professional. A user named Bill reports that he cannot log on to the domain
from his computer. Bill receives the
You need to enable Bill to log on. What should you do?
A. Run the net user command with the appropriate switches.
B. Run the net accounts command with the appropriate switches.
C. Run the dsmod user command with the appropriate switches.
D. Add Bill to the Users group.
E. Remove Bill from the Guests group.
Answer: C
Explanation: To enable Bill to log on to the domain you would need to run
dsmod user UserDN -disabled {yes|no}
where UserDN specifies the distinguished name of the user object to be disabled or enabled and
{yes|no} specifies whether the user account is disabled for log on (yes) or not (no).
Incorrect answers:
A: The net user command is used mainly to find out which domain groups a user is a member of, as
well as to view other pertinent information about a user.
B: This command will not enable Bill to log on to the domain.
D: The error message states that Bill's account has been disabled; this means that the account should first
be enabled for Bill to have the ability to log on.
E: Removing Bill from the Guests group is irrelevant in this scenario.
Reference:
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 4
# QUESTION 125:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. The company's main office is in Tokyo, and it has a branch office in
Osaka. Each office is configured as an Active Directory site. The two offices are connected by a
128-Kbps connection. All domain controllers run Windows Server 2003. All client computers run Windows
XP Professional. All network administrators are located in Tokyo. Universal group membership caching
is enabled. The server roles and IP addresses for each site are shown in the following table.
r role dress
global catalog, WINS,
P
10.200
domain controller, DHCP 20.200
The network connection between Tokyo and Osaka intermittently fails. Only the client computers in
Tokyo have NetBIOS enabled. All client computers are configured to use DHCP.
/NBNS Servers 20.200
Servers 10.200, 10.10.20.200
r 20.1
You create a user account for a new employee in Osaka. The user reports that she cannot log on to the
domain. You confirm that you can log on by using your account and then by using the user's account.
You also confirm that all other users in Osaka can log on.
You need to ensure that the user can authenticate to the domain.
What should you do?
A. Configure the user's user account to store passwords by using reversible encryption.
B. Configure the user's computer account to be trusted for delegation.
C. Force Active Directory replication to occur between Tokyo and Osaka.
D. Change the Router setting in the DHCP scope options to 10.10.10.1.
Answer: C
Explanation: Sites are primarily used for directory replication purposes. Consider what happens when
you have two physically separate locations that share a common directory. Without frequent replication,
the two directories would become horribly disjointed and practically useless. Thus if you force replication
between Tokyo and Osaka, then you will enable the user to be authenticated to the domain since the
user's account is in Osaka and only client computers in Tokyo have NetBIOS enabled.
Incorrect answers:
A: Storing passwords by means of reversible encryption is not going to solve the problem.
B: This is not a delegation matter.
D: There is no need to change the router settings, as only one user is experiencing the problem.
Reference:
James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE: Windows® Server 2003 Network
Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003,
p. 104
# QUESTION 126:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. All client computers run
Windows XP Professional. The NetBIOS name of your domain is CertKing .
CertKing, a user in the branch office in Los Angeles, reports that she cannot log on to the domain from
a client computer named CertKing 172. She receives the following error message:
"The system cannot log you on to this domain because the system's computer account in its primary
domain is missing or the password on that account is incorrect."
You verify that the user's computer is connected to the network. All other users can log on to the domain
successfully.
You need to ensure that the user can log on to the domain.
What should you do?
A. In the DHCP snap-in, ensure that the correct DNS server settings are provided to client computers.
B. In Active Directory Users and Computers, ensure that a computer account exists for CertKing 172.
C. In Active Directory Users and Computers, reset the user's user account password.
D. In the DNS snap-in, verify that the host (A) resource record exists for CertKing 172.
Answer: B
Explanation: Active Directory Users and Computers, on Windows Server 2003 domain controllers, is the
main tool used for managing the Active Directory users, groups, and computers. To set up and manage
domain user accounts, you use the Active Directory Users And Computers utility. This is the tool to
use so that the user can log on to the domain.
Incorrect answers:
A: This is not a problem that can be solved with the DHCP snap-in. Besides, the other users can log on to
the domain successfully.
C: Though you can use this tool to reset the user's account password, this will not solve the problem of
the user being unable to log on.
D: This is not a DNS problem, since the other users are all able to log on and the user's computer is
connected to the network.
Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE:
Windows® Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study
Guide, Sybex Inc., Alameda, 2003, p. 227
# QUESTION 127:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional.
You create a shared folder named Client Docs on a member server named CertKing 13. Client Docs will
store project documents. You configure shadow copies for the volume containing Client Docs.
You need to enable client computers to access previous versions of the documents in Client Docs.
What should you do?
A. Create a Group Policy object (GPO) to enable Offline Files on all client computers.
B. On each client computer, customize the view for Client Docs to use the Documents (for any file type)
folder template.
C. Create a Group Policy object (GPO) that installs the Previous Versions client software on all client
computers.
D. Assign the Allow - Full Control permission on Client Docs to all users.
E. On each client computer, install the Backup utility and schedule a daily backup.
Answer: C
Explanation: To enable users to access previous versions of the files, you must install the Previous
Versions client software on all client computers. The easiest way to do this is to deploy the software
using a Group Policy Object.
Incorrect Answers:
A: Offline Files are irrelevant to this scenario.
B: This is irrelevant to this scenario.
D: The users do not need Full Control access to the files. This will not enable users to access previous
versions of the files.
E: The files do not need to be backed up on each client computer. The Shadow Copy service creates
backups of previous versions of the files on the server.
Reference: Dan Holme and Thomas Orin,
MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows
Server 2003 Environment, Microsoft Press, pp. 285-288
# QUESTION 128:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All servers run Windows Server 2003. All client computers run Windows
XP Professional.
Each of the 14 departments at CertKing has an exclusive shared folder on a server named CertKing 5.
You need to ensure that the managers can reset file permissions for any file and folder on CertKing 5.
You want to achieve this goal by using the minimum amount of administrative effort.
What are two possible ways to achieve this goal? (Each correct answer is a complete solution. Select
two.)
A. Assign the managers the Allow - Full Control NTFS permission for each folder.
B. Assign the managers the Take ownership of files or other objects user right.
C. Assign the managers the Bypass traverse checking user right.
D. Assign the managers the Act as part of the operating system user right.
Answer: A, B
Explanation: The Allow Full Control permission's access level is as follows: View and list folders and
files; view the contents of files; write data to files; add folders and files; delete folders, files, and file
contents; view and set attributes and extended attributes; change permissions for folders and files; take
ownership of folders and files. The special permission Take Ownership can be granted to any user or
group. A user with Allow Take Ownership permission can take ownership of the resource. These two
options will ensure that managers will have the ability to reset file permissions for a file or folder on
CertKing 5 with the least amount of administrative effort.
Incorrect answers:
C: The Bypass traverse checking right will allow the users to navigate through the folder, but this is
not what is required. The managers need to be able to reset file permissions.
D: This option involves too much administrative effort.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 5
# QUESTION 129:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
forest containing two domains, ch. CertKing .com and de. CertKing .com. The functional level of both
domains is Windows 2000 mixed.
ch. CertKing .com contains two domain controllers running Windows 2003 and three domain controllers
running Windows 2000 server. A member server named CertKing 9 hosts applications and files that all
company users need to access.
You need to enable all users in de. CertKing .com to access the applications and files on CertKing 9.
Which three actions should you perform? (Each correct answer is a part of a complete solution. Select
three.)
A. Create a domain local group named DeutschUsers in ch. CertKing .com.
B. Create a domain local group named DeutschUsers in de. CertKing .com.
C. Add the Users group from ch. CertKing .com to DeutschUsers.
D. Add the Users group from de. CertKing .com to DeutschUsers.
E. On CertKing 9, grant the appropriate permissions to the Users group from ch. CertKing .com.
F. On CertKing 9, grant the appropriate permissions to DeutschUsers.
Answer: A, D, F.
Explanation: Domain local groups can contain user accounts, universal groups, and global groups from
any domain in the tree or forest. A domain local group can also contain other domain local groups from
its own local domain. To enable all users to connect to the applications and files on CertKing 9, a
member server that resides on ch. CertKing .com, you need to create a domain local group in ch.
CertKing .com. Then you should add the de. CertKing .com users to this group and then grant the
appropriate permissions to the "united" group. This should ensure that all users have access to
applications and files on CertKing 9.
Incorrect answers:
B: The domain local group should be created in ch. CertKing .com since this is where CertKing 9 resides.
C: It follows logically that the de. CertKing .com Users group should be added to the domain local group
that was created, and not the users of ch. CertKing .com.
E: Permissions should be granted to DeutschUsers, not to the ch. CertKing .com Users.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 319-320
# QUESTION 130:
You are a network administrator for CertKing . The network consists of a single Active Directory domain
named CertKing .com. All servers run Windows Server 2003. All client computers run Windows XP
Professional. A server named CertKing 32 contains a folder that is shared as ManagerData$. A global
group named AllManagers has permission to access the shared folder. A user reports that he needs access
to the ManagerData$ shared folder. You add his user account to the AllManagers global group. When the
user attempts to connect to the shared folder by typing \\ CertKing 32\ManagerData$\ , he receives the
following error message: "\\ CertKing 32\ManagerData$\ is not accessible. You might not have
permissions to use the network resource. Contact the administrator of this server to find out if you have
access permissions. Access is denied."
You need to ensure that the user can access the ManagerData$ shared folder on CertKing 32.
What should you do?
A. Instruct the user to type \\ CertKing 32\ManagerData\ when he attempts to access the folder.
B. Add the Anonymous Logon group to the ACL for the ManagerData$ shared folder.
C. Select the Replace permission entries on all child objects with entries shown here that apply to child
objects check box.
D. Instruct the user to log off and log on again before he accesses the folder.
Answer: D
Explanation: When a user logs on to the network, an access token is created that lists the user's group
memberships. This access token is used when the user tries to access a resource. If you change a user's
group membership, the change will not be reflected in the access token until the user logs off and logs on
again. Instructing the user to log off and then on again will ensure that all the connections will be made.
It could have been that the user tried to access the folder before he was granted access. For the change
of adding that particular user to the group to take effect, it needs to be enabled in this way. This action
should enable access to the shared folder.
Incorrect answers:
A: The user account has already been added to the AllManagers global group and there is thus no need to
type \\ CertKing 32\ManagerData\ when attempting to gain access.
B: It will be a huge security breach if Anonymous access is enabled.
C: By following option C, you will not be granting access to the user.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 5
# QUESTION 131:
You are a network administrator for CertKing . The network consists of a single Active Directory domain
named CertKing .com. All servers run Windows Server 2003. All client computers run Windows XP
Professional.
The user accounts for all managers are in a global group named Managers. A manager named Roger
creates a folder named ManagerData on a computer named CertKing 1. He shares the folder to enable
other managers to review employee documents. Other managers need to be able to browse and read the
documents in the ManagerData folder. Managers must not have other permissions to the shared folder.
You add the Managers group to the ACL on the Security tab for the folder.
You need to configure permissions for the shared folder. You need to ensure that you do not grant any
unnecessary permissions.
What should you do?
To answer, configure the appropriate option or options in the dialog box in the work area.
Answer:
Explanation:
For managers to be able to browse, read, and edit documents that are in the shared folder, you should
assign the Allow Read & Execute, List Folder Contents, Read and Write permissions.
NTFS Folder Permissions are as follows:
1 Read - Enables objects to read the contents of a folder, including file attributes and permissions.
2 Write - Enables objects to create new files and folders within a folder, write attributes and
extended attributes on files and folders, and read permissions and attributes on files and folders.
3 List Folder Contents - Gives objects the same rights as the Read permission, but also enables the
object to traverse the folder path beneath the folder where this permission is applied.
4 Read & Execute - Gives objects the same rights as the List Folder Contents permission, but also
enables the object to execute program files stored in the folder.
5 Modify - Gives the object the same permissions as the Read, Write, List Folder Contents, and
Read & Execute permissions, but also enables the object to delete files and folders within the designated
folder.
6 Full Control - Gives objects full access to the entire contents, including the capability to take
ownership of files and change permissions on files and folders.
Reference: Deborah Littlejohn Shinder,
Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, MCSA/MCSE: Exam 70-290: Managing
and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 414
# QUESTION 132:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All servers run Windows Server 2003. All CertKing data is stored in
shared folders on network file servers. The data for each department is stored in a departmental shared
folder. Users in each department are members of the departmental global group. Each departmental
global group is assigned the Allow - Full Control permission for the corresponding departmental shared
folder. CertKing requirements state that all access to shared folders must be configured by using global
groups. A user named Dr Bill works in the sales department. Dr Bill needs to be able to modify files in
the Marketing shared folder. You need to ensure that Dr Bill has the minimum permissions for the
Marketing shared folder that he needs to do his job. You need to achieve this goal while meeting
CertKing requirements and without granting unnecessary permissions. What should you do?
A. Add Dr Bill's user account to the Marketing global group.
B. Assign the Sales global group the Allow - Change permission for the Marketing shared folder.
C. Create a new global group. Add Dr Bill's user account to the group.
Assign the new global group the Allow - Change permission for the Marketing shared folder.
D. Assign Dr Bill's user account the Allow - Change permission for the Marketing shared folder.
Answer: C
Explanation:
The best way to accomplish this task is to create a new global group. You need to add Dr Bill's user
account to the group and assign the new global group the Allow - Change permission for the Marketing
shared folder. Global groups can include other groups and user/computer accounts from only the domain
in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.
Incorrect Answers:
A: This would mean that Dr Bill would have permissions on other folders as well. We need to ensure
that Dr Bill has the minimum permissions for the Marketing shared folder that he needs to do his job.
B: This would mean that the whole Sales group would have permissions on Marketing. We need to
ensure that Dr Bill has the minimum permissions for the Marketing shared folder that he needs to do his
job.
D: Microsoft does NOT want you to give user account permissions to files. We must do this by
making use of groups.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 320.
# QUESTION 133:
You are a network administrator for CertKing . The network consists of a single Active Directory domain
named CertKing .com. All servers run Windows Server 2003. All client computers run Windows XP
Professional. Another administrator shares a folder as CertKing Data. He wants users to be able to create
files in the folder. He does not want users to be able to open files in the folder. When users attempt to
connect to the CertKing Data folder, they receive an error message.
You need to configure the permission for the folder so that users can place their files in the shared folder.
You need to achieve this goal without granting unnecessary permissions.
What should you do?
Answer:
Explanation:
NTFS permissions: Allow List Folder Contents and Write
Share permissions: Change
Allowing the List Folder Contents and Write permissions will allow users to place their files in the shared
folder.
1 List Folder Contents - Gives objects the same rights as the Read permission, but also enables the
object to traverse the folder path beneath the folder where this permission is applied.
2 Write - Enables objects to create new files and folders within a folder, write attributes and
extended attributes on files and folders, and read permissions and attributes on files and folders.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied,
MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study
Guide & DVD Training System, p. 414
# QUESTION 134:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
A member server named CK1 hosts a folder named Public, which stores files for all users in CertKing .
Public is located on an NTFS partition. Existing permissions for Public are configured as shown in the
exhibit.
You need to share Public on the network. All network users, including members of the Administrators
group, should have read-only permissions on the contents of the folder.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Share Public with default share permissions.
B. Share Public by assigning the Allow - Full Control permission to the Everyone group.
C. Share Public by assigning the Allow - Full Control permission to the Authenticated Users group.
D. On the Security tab, add the Authenticated Users group and assign the Allow - Read permission to this
group.
E. On the Security tab, add the Interactive group and assign the Allow - Read permission to this group.
F. On the Security tab, assign the Deny - Full Control permission to the Administrators group.
Answer: A, D
Explanation: By default, the Everyone group has only Read and Execute permissions on the root of each
drive. these permissions are not inherited by subfolders; the Everyone group has no permissions by
default to a newly created folder or file. Similarly, when you create a shared drive or folder, the Everyone
group now has only Read permission by default, rather than full control. This is quite a change from
earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share
permissions. So every user that is trying to access the files by using the SHARE will have read
permissions. However if an admin is trying to access the files by NOT going through the SHARE, he/she
can still change the contents. Therefore we add the Authenticated Users group and assign the Allow -
Read permission to this group. The file that needs to be shared with everybody having read-only
permissions on the contents should have the default share permissions. That should ensure that only
administrators will have full-control permissions on it and not the other users as well. However, the
question states that all users including network administrators should have read-only permission, thus you
should add the Authenticated Users group to the Allow-Read permission group. Incorrect answers:
B: The Allow-Full Control will also allow more permissions than are required. The file that needs to be
shared with everybody having read-only permissions on the contents should have the default share
permissions.
C: The Allow-Full Control will also allow authenticated users more permissions than are required
because the file that needs to be shared with everybody having read-only permissions on the contents
should have the default share permissions.
E: The authenticated users and not the interactive group should be granted permissions.
F: Assigning the Deny - Full Control permission to the Administrators group on the Security tab will not
give everybody read-only permissions on the contents of the file that needs to be shared.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied,
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
pp. 414-428
# QUESTION 135:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional. You create and share a folder named Sales on a member server. You
apply the default share permission and NTFS permissions to Sales. Then you create a folder named
SalesForecast in Sales. You apply the default NTFS permissions to SalesForecast. Managers in the sales
department are members of a domain user group named SalesManagers. When members of
SalesManagers try to add files to SalesForecast, they receive the "Access is denied" error message. You
need to configure permissions on these folders to fulfil the following requirements:
1 Members of SalesManagers must be able to create, modify, and delete files in both folders.
2 All other domain users must only be able to read files in both folders.
What should you do?
A. Configure the share permissions on Sales to assign the Allow - Change permission to the Everyone
group.
Configure the NTFS permissions on SalesForecast to assign the Allow - Write permission to the
SalesManagers group.
B. Configure the share permissions on Sales to assign the Allow - Change permissions to the
SalesManagers group.
Configure the NTFS permissions on Sales to assign the Allow - Write permissions to the SalesManagers
group.
C. Configure the share permissions on Sales to assign the Allow - Change permissions to the Everyone
group.
Configure the NTFS permissions on Sales to assign the Allow - Modify permission to the SalesManagers
group.
D. Configure the share permissions on Sales to assign the Allow - Change permission to the
SalesManagers group.
Configure the NTFS permissions on Sales to assign the Allow - Modify permission to the SalesManagers
group.
Answer: D
Explanation: By default, the Everyone group has only Read and Execute permissions on the root of each
drive. These permissions are not inherited by subfolders; the Everyone group has no permissions by
default to a newly created folder or file.
Similarly, when you create a shared drive or folder, the Everyone group now has only Read permission
by default, rather than full control. This is quite a change from earlier versions of Windows, where every
new folder gave everyone full control via both NTFS and share permissions.
The following configurations should be carried out when configuring the correct permissions:
1 Share Permissions - Sales Folder - Everyone group - Allow Read Permissions.
2 Share Permissions - Sales Folder - SalesManagers group - Allow Change Permissions.
3 NTFS Permissions - Sales Folder - Everyone group - Allow Read Permissions.
4 NTFS Permissions - Sales Folder - SalesManagers group - Allow modify Permissions.
Incorrect Answers:
A: This would prevent the SalesManagers group being able to delete files in the SalesForecast folder.
B: This would prevent the SalesManagers group being able to delete files in the SalesForecast and Sales
folder.
C: This option would work, however answer D would be a better and more secure solution.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 423-425
# QUESTION 136:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional. All file and print services are hosted by a member server named CK1 .
You create a folder named Data on CK1 .
You need to configure the initial permissions settings for Data. You must ensure that only local access is
prevented. You must also ensure that users who are logged on to CK1 cannot modify any access
permissions for Data.
What should you do?
To answer, select the appropriate group and make the proper configuration in the dialog box.
Answer:
Explanation:
To prevent local access we must Deny the interactive group.
Setting User Rights and Privileges
1 User rights can override NTFS permissions in certain cases (a user with the Backup files and
directories right is able to read all files on the volume, regardless of the NTFS permissions assigned, but
only for the purpose of backing up and restoring data).
2 Assign user rights to groups whenever possible. Assigning user rights to individual user accounts
is difficult to manage.
3 User rights are set using Group Policy.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied,
MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study
Guide & DVD Training System, p. 475
# QUESTION 137:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. Some client computers run Windows NT 4.0 Workstation. Others run
Windows 2000 Professional, and the rest run Windows XP Professional. Users in the accounting
department require a shared folder for their own use only. The accounting users must be able to read, edit,
and delete files in the shared folder.
You create the shared folder and use default share permissions. You assign the Allow - Full Control
NTFS permission to members of the Administrators group. You assign the Allow - Modify NTFS
permission to the accounting users.
However, accounting users report that they cannot access the shared folder.
How should you solve this problem?
A. Change the type of setting on the folder to Documents (for any file types).
B. Change the NTFS permissions on the folder to assign the Allow - Delete Sub-Folders and Files
permission to the accounting users.
C. Add the accounting users as owners of the folder.
D. Change the share permissions to assign the Allow - Full Control permission to the accounting users.
Answer: D
Explanation: By default, the Everyone group has only Read and Execute permissions on the root of each
drive. These permissions are not inherited by subfolders; the Everyone group has no permissions by
default to a newly created folder or file. Similarly, when you create a shared drive or folder, the Everyone
group now has only Read permission by default, rather than full control. This is quite a change from
earlier versions of Windows, where every new folder gave everyone full control via both NTFS and share
permissions. To grant the accounting users access to the shared folder so that they can read, write, edit and
delete files, they need the Allow - Full Control permission.
Incorrect answers:
A: Changing the file type to whatever type will not solve the problem of access to the shared folder. It is
a permissions issue not a file type issue.
B: Assigning the Allow-Delete Subfolders and Files permission to the accounting users enables the object
to delete a file or subfolder, even if the Delete permission has not been granted to the object. Though, this
does not solve the access problem.
C: Taking Ownership enables the object to change the owner of a file or folder to the object's user
ownership. But what is needed in this scenario is to have Allow-Full Control permission. Changing
ownership of the file effectively removes the user that created the file from the CREATOR OWNER
group for that file, and that user's access to the file reverts to the default access he or she has based on the
folder permissions.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and
Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003
Environment Study Guide & DVD Training System, pp. 420 - 421, 423
# QUESTION 138:
You are the network administrator for CertKing .com. All network servers run Windows Server 2003.
A file server named CertKing SrvA has shadow copies enabled. One shared folder on CertKing SrvA has
While viewing a previous version of CertKing Docs, you open and edit Financials.xls. However, when
you try to save the edited file, you receive the following error message:
You need to save your changes to the previous version of Financials.xls. You must ensure that other users
can continue to access current data on CertKing SrvA without interruption.
What should you do?
A. Copy the previous version of CertKing Docs to a separate location.
B. Restore the previous version of CertKing Docs to the default location.
C. Save Financials.xls in a separate location by using Microsoft Excel.
D. In the security properties of Financials.xls, assign the Allow - Modify permissions to the Everyone
group.
Answer: C
Explanation: When you view a 'previous version' of a file, the file is opened as Read Only. You can make
changes to the file, but you cannot save the file in its current location. You need to save the file to an
alternate location or else you will interrupt the other users.
Incorrect Answers:
A: If you copy a shared folder to a new location, the original folder will continue to have the original
share pointing to it. You have made changes to the file. You cannot copy the file to another location
without losing your changes. This is why you must save the file to another location.
B: You have made changes to the file by editing it. You will be unable to restore the previous version of
the file to the default location without losing your changes.
D: You cannot modify the permissions of previous versions of files; you must save or copy the file to
another location first (or restore it to its default location). In this scenario, the file must be saved to an
alternate location because you don't want to lose your changes to the file.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied,
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
pp. 426-428
# QUESTION 139:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. All network servers run Windows Server 2003. Most client computers run
Windows XP Professional, and the rest run Windows 2000 Professional.
You create and share a folder named ProjectDocs on a member server. The current state of permissions
for the folder is shown in the dialog box.
Users report that they receive an 'Access is denied' error message when they try to add or create files and
folders in ProjectDocs.
You need to configure the permissions on ProjectDocs to fulfill the following requirements:
1 Domain users must be able to create or add files and folders.
2 Domain users must not be able to change NTFS permissions on the files or folders that they
create or add.
3 Domain users must receive the minimum level of required permissions.
What should you do?
Answer:
Explanation: The default share permission is Everyone - Read. To be able to write to the shared folder,
the users require "Change" permission. The Change permission allows users to Read, Write, Execute and
Delete files in the shared folder. Note: the exhibit shows the Everyone group. In the exam, if you have the
option to select the groups, then selecting Domain users - Change would be a better option. Share
permissions can be set only at the folder level, not at the file level. Also note that shared-folder
permissions apply only when accessing the resources across the network. These are the two most
important ways in which NTFS permissions differ from shared-folder permissions.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied,
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
p. 414
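The rule behind Questions 134 to 139 (share permissions apply only across the network, NTFS permissions always apply, and the more restrictive of the two wins) can be checked with a small model. This is an added example, not part of the original study material; it reduces each permission level to four operations, treats Deny as always overriding Allow, and the "Accounting" group name, the Question 136 Allow entries and the user tokens are constructed assumptions.

```python
# Added example: simplified model of how Windows combines share and NTFS
# permissions. Scenario data is constructed from Questions 135-137 above;
# "Accounting" is a hypothetical group name.

# Each permission level reduced to four operations (a simplification).
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}
FULL = NTFS_LEVELS["Full Control"]


def granted(acl, levels, token):
    """Union every Allow entry that matches the token, then subtract every Deny."""
    allow, deny = set(), set()
    for principal, kind, level in acl:
        if principal in token:
            (allow if kind == "Allow" else deny).update(levels[level])
    return allow - deny


def effective_access(token, ntfs_acl, share_acl=None):
    """share_acl=None models local access, where only NTFS is evaluated."""
    ntfs = granted(ntfs_acl, NTFS_LEVELS, token)
    if share_acl is None:
        return ntfs
    return ntfs & granted(share_acl, SHARE_LEVELS, token)


def stripped_by_share(token, ntfs_acl, share_acl):
    """Rights NTFS grants that the share layer removes for network access."""
    return granted(ntfs_acl, NTFS_LEVELS, token) - granted(share_acl, SHARE_LEVELS, token)


# Constructed user tokens: the groups each user's logon carries.
DOMAIN_USER = frozenset({"Everyone", "Authenticated Users"})
ACCT_USER = DOMAIN_USER | {"Accounting"}
ADMIN = DOMAIN_USER | {"Administrators"}
SALES_MANAGER = DOMAIN_USER | {"SalesManagers"}

SHARE_DEFAULT = [("Everyone", "Allow", "Read")]  # Windows Server 2003 default

# Question 137: default share, Modify for accounting users on NTFS.
Q137_NTFS = [("Administrators", "Allow", "Full Control"),
             ("Accounting", "Allow", "Modify")]
Q137_SHARE_FIXED = SHARE_DEFAULT + [("Accounting", "Allow", "Full Control")]

# Question 135: the four settings listed in its explanation.
Q135_SHARE = [("Everyone", "Allow", "Read"), ("SalesManagers", "Allow", "Change")]
Q135_NTFS = [("Everyone", "Allow", "Read"), ("SalesManagers", "Allow", "Modify")]

# Question 136: Deny for Interactive blocks local logons only. The Allow
# entries are constructed so that there is something for the Deny to override.
Q136_NTFS = [("Interactive", "Deny", "Full Control"),
             ("Authenticated Users", "Allow", "Modify")]
Q136_SHARE = [("Everyone", "Allow", "Change")]


def report():
    """Return (scenario, sorted rights) pairs for the cases discussed above."""
    cases = [
        ("Q137 accounting, default share",
         effective_access(ACCT_USER, Q137_NTFS, SHARE_DEFAULT)),
        ("Q137 accounting, share fixed",
         effective_access(ACCT_USER, Q137_NTFS, Q137_SHARE_FIXED)),
        ("Q137 admin over the network",
         effective_access(ADMIN, Q137_NTFS, SHARE_DEFAULT)),
        ("Q137 admin logged on locally",
         effective_access(ADMIN, Q137_NTFS)),
        ("Q135 sales manager",
         effective_access(SALES_MANAGER, Q135_NTFS, Q135_SHARE)),
        ("Q135 other domain user",
         effective_access(DOMAIN_USER, Q135_NTFS, Q135_SHARE)),
        ("Q136 local logon",
         effective_access(DOMAIN_USER | {"Interactive"}, Q136_NTFS)),
        ("Q136 network logon",
         effective_access(DOMAIN_USER | {"Network"}, Q136_NTFS, Q136_SHARE)),
    ]
    return [(name, sorted(rights)) for name, rights in cases]


if __name__ == "__main__":
    for name, rights in report():
        print(f"{name:32} {rights or 'no access'}")
```

When a user reports "Access is denied" on a share, `stripped_by_share` names the rights that NTFS grants but the share ACL removes, which shows which of the two layers needs to change.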
# QUESTION 140:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. The functional level of the domain is Windows 2000 native. All network servers
run Windows Server 2003, and all client computers run Windows XP Professional.
The network includes a shared folder named CertKing Info. Your boss Dr. Bill reports that he is often
unable to access this folder. You discover that the problem occurs whenever more than 10 users try to
connect to the folder.
You need to ensure that all appropriate users can access CertKing Info.
What should you do?
A. Decrease the default user quota limit.
B. Raise the functional level of the domain to Windows Server 2003.
C. Purchase additional client access licenses.
D. Move CertKing Info to one of the servers.
Answer: D
Explanation: It is likely that the share exists on a Windows XP client. That would lead to a situation
where the Windows XP client computer only allows up to 10 connections at the same time resulting in
users being unable to access CertKing Info when the 10 connections are full. Moving the shared folder to
a server computer will allow more concurrent connections.
Incorrect Answers:
A: The quota limit is irrelevant to network connections. It only comes into play when considering disk
space.
B: The functional level of the domain is not the cause of the problem. The problem stems from
connectivity difficulties when multiple users access the folder. Windows 2000 native: this level supports
Windows 2000 DCs and Windows Server 2003 DCs only. Windows 2000 DCs in native mode move to
Windows 2000 native functional level when upgraded to Windows Server 2003.
C: This is not a CAL problem.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 47-50, 141
# QUESTION 141:
You are the administrator of CertKing 's network. Your accounting department has a Windows Server
2003 computer named CertKing SrvA. This computer hosts a secured application that is shared among
several users in the accounting department. All users of the application must log on locally to
CertKing SrvA.
You decide to create desktop shortcuts that point to the application. These shortcuts must be available
only to new users of CertKing SrvA.
Which folder or folders should you modify on Server? (Choose all that apply)
To answer, select the appropriate folder or folders in the work area.
Answer:
Explanation: Default User. When a new user logs on to a machine for the first time, a new profile is
created for that user. The "Default User" profile is copied and given the same name as the username. Any
settings in the Default User profile will be applied to any new users.
Incorrect Answers:
All Users: Settings in this profile apply to all users of the machine, including current users. This is
contrary to the requirements set out in the question.
Administrator, MZimmerman, RHunter, User: These are all user profiles, i.e. profiles belonging to users
who have logged in to the computer.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290:
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
pp. 286-292
# QUESTION 142:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
Terminal services is installed on a server named CertKing 6. This server also stores user profiles.
CertKing 6 has limited processor resources, limited memory resources, and limited disk space.
Remote users connect to CertKing 6 to read e-mail, review documents, and access a front-end SQL query
tool. All remote users have sufficient permissions to edit their registries. All client computers are licensed
to use the query tool.
CertKing, another administrator at CertKing , accidentally changes the server settings on CertKing 6.
You are required to restore the server settings to comply with company standards. You also need to
ensure that no unnecessary files are stored on CertKing 6.
Answer:
Explanation:
Delete temporary folders on exit = Yes.
Use temporary folders per session = Yes.
Licensing = Per Device.
Active Desktop = Disable.
Permission Compatibility = Full Security.
Restrict Users to one session = Yes.
Delete temporary folders on exit - Deletes a session's temporary folder when the user logs off. This setting
is configured to Yes by default. Keeping Delete temporary folders on exit enabled is necessary, as
CertKing 6's disk space is limited.
Licensing - Allows the administrator to configure the server as a terminal server or Remote Desktop for
Administration computer. This setting is configured to Remote Desktop for Administration if the terminal
server role has not been installed. If it has, this setting reflects the licensing choice made when you
installed the terminal server role (Per Device or Per User) and can be changed here.
Active Desktop - Enables the use of Active Desktop technologies in Terminal Services sessions. These
desktops can use considerably more bandwidth than traditional desktops. This setting is configured to be
enabled by default.
Permission Compatibility - Full Security is the only choice available for Remote Desktop for
Administration. A second mode, Relaxed Security, is added when the terminal server role is installed on
the server, which loosens security to accommodate older Windows computers and legacy applications.
This is configured as Full Security by default.
Restrict each user to one session - Can be used to ensure that users do not establish more than one session
to a Terminal Services system. Savvy users may be able to work around this setting by specifying a
different program to start upon connection for each different session.
Reference:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 559
# QUESTION 143:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
forest that contains two domains. You have not modified the default Active Directory site configurations.
The functional level of both domains is Windows 2000 native. Servers run either Windows Server 2003
or Windows 2000 Server.
CertKing 's internal domain is named CertKing .local. CertKing 's external domain is named
extranet. CertKing .com. The external domain is accessed only by CertKing 's business partners.
You install a Windows Server 2003 computer named CertKing 7 in the extranet. CertKing .com domain.
You install and configure Terminal Services on CertKing 7. CertKing 7 is configured as a member server
in the domain. You install a secure database application on CertKing 7 that will be accessed by
CertKing 's business partners.
A few months later, users report that they can no longer establish Terminal Services sessions to
CertKing 7.
You verify that only the default ports for HTTP, HTTPS, and Terminal Services on your firewall are
open to the Internet.
You need to ensure that CertKing 's business partners can establish Terminal Services sessions to
CertKing 7.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two)
A. Install Terminal Services Licensing on a Windows 2000 Server computer in CertKing .local.
Configure the computer as an Enterprise License Server.
B. Install Terminal Services Licensing on a Windows 2000 Server computer in extranet. CertKing .com.
Configure the computer as an Enterprise License Server.
C. Install Terminal Services Licensing on a Windows Server 2003 computer in extranet. CertKing .com.
Configure the computer as an Enterprise License Server.
D. Install Terminal Services Licensing on a Windows Server 2003 computer in CertKing .local.
Configure the computer as an Enterprise License Server.
E. Instruct CertKing 's business partners to connect by using the Terminal Services Advanced Client
(TSAC) over HTTPS.
Answer: B, C
Explanation: Clients connecting to a Windows 2000 terminal server from a Windows 2000 Professional
computer are not required to purchase a license, as Windows 2000 Pro includes a Terminal Services
CAL. However, you still must set up a licensing server. In Windows Server 2003, Remote Administration
mode has been renamed to Remote Desktop for Administration and it is installed by default. This works
like the Remote Desktop feature in Windows XP. As in Windows 2000, you are still limited to two
simultaneous remote desktops at a time. However, there is one improvement: you can now take over the
local console session.
Incorrect answers:
A: Installing Terminal Services on CertKing .local will not
enable CertKing 's business partners to establish terminal service sessions on CertKing 7.
D: Installing Terminal Services on CertKing .local even if it is a Windows Server 2003 machine, will not
enable CertKing 's business partners to establish Terminal Service sessions.
E: With the release of the Terminal Services Advanced Client (TSAC) as a ValueAdd component on
Microsoft Windows 2000 Server, Service Pack 1, the Terminal Services solution is now extended to the
Web. For example, organizations needing to deploy line of business applications to remote offices can do
so by means of a Terminal server and a Web server running ASP pages, such as the sample pages
supplied with the TSAC. On the client side, all that is needed is Internet Explorer, a connection to the
World Wide Web, and appropriate access rights, however this is not applicable in this scenario.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290:
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
p. 39.
# QUESTION 144:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers
run Windows XP Professional.
You install Terminal Server on three member servers named CertKing 1, CertKing 2, and CertKing 3.
You add a domain group named HR to the Remote Desktop Users group on all three terminal servers.
One week later, you discover that files on CertKing 1 and CertKing 2 were deleted by a user named Jack,
who is a member of the HR group.
You need to prevent Jack from connecting to any of the terminal servers.
What should you do?
A. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Deny - Users
Access and the Deny - Guest Access permissions to the HR group.
B. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Allow - Guest
Access permission to Jack's user account.
C. In the properties of Jack's user account, disable the Allow logon to a terminal server option.
D. On all three terminal servers, modify the RDP-Tcp connection permissions to assign the Deny - User
Access and the Deny -Guest Access permissions to the Remote Desktop Users group.
E. In the properties of Jack's user account, enable the End session option.
Answer: C
Explanation: Jack is a member of the HR group which is a member of the Remote Desktop Users group
on the member servers. As such she has permission to log in to the member servers. We can deny that
permission by disabling the "Allow logon to a terminal server" option on the Terminal Services Profile
tab in the properties of her user account. This setting will override the permissions given to her by way of
group membership.
Incorrect Answers:
A: The Deny - Users access permission will deny all users access to the terminal servers.
B: We need to prevent Jack from connecting to the terminal servers. Assigning the Allow - Guest Access
permission will still enable her to connect.
D: This will prevent anyone from connecting to the terminal servers.
E: The End Session option will only limit the time for which Jack can connect to the servers; it will not
prevent her connecting to the servers.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E.
Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide
& DVD Training System, pp. 547-548
# QUESTION 145:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003.
Three member servers are configured as terminal servers. All three host confidential data. Currently, all
network users are full-time employees, and all network users are allowed to log on to the terminal
servers.
CertKing hires 25 temporary employees. You create a user account for each one.
You need to ensure that only full-time employees are allowed to log on to the terminal servers.
What should you do?
A. Modify the Default Domain Group Policy object (GPO).
Configure a computer-level policy to prevent the temporary employees from connecting to the terminal
servers.
B. Modify the Default Domain Group Policy object (GPO).
Enable the user-level Terminal Server setting Sets rules for remote control of Terminal Services user
sessions.
C. On the Terminal Services Profile tab of the user properties for each account, disable the option to log
on to terminal servers.
D. In the security policy for domain controllers, disable the computer-level Terminal Server setting
Allow users to connect remotely using the terminal server.
Answer: C
Explanation: Terminal Services is the underlying technology that enables Remote Desktop for
Administration, Remote Assistance, and Terminal Server. Disabling the logon option on the Terminal
Services Profile tab will effectively prevent workers other than full-time workers from logging on.
Currently all network users are full-time employees and, as such, the only users allowed in the network.
The Allow Logon to Terminal Server check box controls whether the person is permitted to log in to the
terminal server at all. By default, anyone with an account on the domain or server may do so. Therefore
we need to disable this for the temporary users.
Incorrect Answers:
A: This would affect all users; we only need to configure the temporary users. You should not affect the
network users.
B: This would affect all users; we only need to configure the temporary users.
D: Disabling the computer-level Terminal Server setting is bound to affect all users; we only need to
configure the temporary users without interfering with the full-time personnel.
Reference: Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003
Environment Exam Cram 2 (Exam 70-290), Chapter 7
# QUESTION 146:
You are the administrator for CertKing .com's Active Directory domain. All client computers run
Windows XP Professional. A Windows Server 2003 computer named CertKing 8 has Terminal Services
installed. Users in the finance department access a custom application that is installed on CertKing 8. A
finance department user reports that he cannot copy files from his Terminal Services session to his
Other finance department users are not experiencing this problem.
You need to ensure that the user can access his local drives through his Terminal Services session.
What should you do?
A. In the environment properties of the user account, enable the Start the following program at logon
option. Specify net use z: \\Localhost\C$ as the program file name.
B. Instruct the user to enable the Disk Drives option in the properties of his remote desktop connection.
C. Instruct the user to log off, and then to select Log on using dial-up connection from the Log On to
Windows dialog box.
D. Instruct the user to run the mstsc /console command.
E. Instruct the user to run the mstsc /edit command.
Answer: B
Explanation: When you initially launch the Remote Desktop Connection utility, most of its configuration
information is hidden. To display it before you use it to establish a connection, click the Options button.
This will reveal a series of tabs and many additional settings that can be configured. The Local Resources
tab enables you to control whether or not client resources are accessible in your remote session.
Instructing the user to enable the Disk Drives option will ensure his access to his local drives through his
terminal sessions.
Incorrect answers:
A: This option will not solve the user's problem. The user's disk drives should be enabled in the
properties of his remote desktop connection.
C: To solve this user's problem, a new connection must be added using the Remote Desktops snap-in,
accepting all default settings, rather than logging on using the dial-up connection.
D: The mstsc /console command can be used to connect to the console session of a Terminal Services
computer. However, an administrator actually sitting at the server and using the console session can
request help by using the Remote Assistance functionality in Terminal Services.
E: This command does allow editing; it displays Remote Desktop Connection so that a connection with a
terminal server can be established. But this is not going to help this user.
References: Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290:
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System,
pp. 525-526
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 7
# QUESTION 147:
You are a network administrator for CertKing . The network consists of a single Active Directory domain
named CertKing .com. The domain contains two Windows Server 2003 terminal servers that host
applications that are used by company employees. An organization unit (OU) named TerminalServers
contains only the computer accounts for these two Terminal servers. A Group Policy object (GPO)
named TSPolicy is linked to the TerminalServers OU, and you have been granted the right to modify the
GPO. Users should use the terminal servers to run only authorized applications. A custom financial
application suite is currently the only allowed application. The financial application suite is installed in
the folder C:\Program Files\MT Apps. The financial application suite contains many executable files.
Users must also be able to use Internet Explorer to access a browser-based application on the company
intranet. The browser-based application makes extensive use of unsigned ActiveX components. The
financial application suite and the browser-based application are frequently updated with patches or new
versions. You need to configure the terminal servers to prevent users from running unauthorized
applications. You plan to configure software restriction policies in the TSPolicy GPO. To reduce
administrative overhead, you want to create a solution that can be implemented once, without requiring
constant reconfiguration. Which three actions should you perform to configure software restriction
policies? (Each correct answer presents part of the solution. Choose three)
A. Set the default security level to Disallowed.
B. Set the default security level to Unrestricted.
C. Create a new certificate rule.
D. Create a new hash rule.
E. Create a new Internet zone rule.
F. Create a new path rule.
Answer: A, E, F
Explanation: We need to prevent unauthorized applications from running. We should set the default
security level to Disallowed. This will prevent the users running any applications; we can then create
exceptions to this rule. An Internet zone rule would allow the users to run the intranet application. A path
rule would allow the users to run the application in a certain path; in this case C:\Program Files\MT Apps.
The question states that the application is regularly updated with patches etc. Therefore, we cannot use a
hash rule or a certificate rule, because we would have to recreate the hash or the certificate every time the
application was updated. The purpose of a rule is to identify one or more software applications, and
specify whether or not they are allowed to run. Creating rules largely consists of identifying software that
is an exception to the default rule. Each rule can include descriptive text to help communicate why the
rule was created. A software restriction policy supports four ways to identify software. The following are
two of them:
1 Path Rule - Path is the local or universal naming convention (UNC) path of where the file is
stored. A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a
folder, it matches any program contained in that folder and any programs contained in subfolders. Both
local and UNC paths are supported.
2 Zone Rule - A rule can identify software from the Internet Explorer zone from which it is
downloaded.
Incorrect answers:
B: The Unrestricted security level will not restrict the users from running unauthorized applications.
C: Certificate Rule: A certificate rule specifies a code-signing, software publisher certificate. For
example, a company can require that all scripts and ActiveX controls be signed with a particular set of
publisher certificates. Certificates used in a certificate rule can be issued from a commercial certificate
authority (CA) such as VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed certificate. A
certificate rule is a strong way to identify software because it uses signed hashes contained in the
signature of the signed file to match files regardless of name or location. If you wish to make exceptions
to a certificate rule, you can use a hash rule to identify the exceptions.
D: Hash is a cryptographic fingerprint of the file.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 657-659
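The difference between a path rule and a hash rule under a Disallowed default, as described in the explanation for Question 147, can be seen in a small model. This is an added example and not part of the original study material: it is a simplified Python model rather than Windows code, and the file names, file contents and the use of SHA-256 as the fingerprint are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


def fingerprint(content: bytes) -> str:
    """Stand-in for the hash stored in a hash rule (SHA-256 is an assumption of this model)."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class PathRule:
    folder: str
    level: str

    def matches(self, path: str, content: bytes) -> bool:
        # A folder rule covers the folder and every subfolder. Whole path
        # components are compared (case-insensitively), so a sibling such as
        # "MT Apps Backup" is NOT covered by a rule for "MT Apps".
        folder = PureWindowsPath(self.folder)
        target = PureWindowsPath(path)
        return target == folder or folder in target.parents


@dataclass(frozen=True)
class HashRule:
    digest: str
    level: str

    def matches(self, path: str, content: bytes) -> bool:
        # A hash rule ignores name and location; only the file bytes count.
        return fingerprint(content) == self.digest


def evaluate(path: str, content: bytes, rules: list, default_level: str) -> str:
    """Return the security level that applies to one program launch."""
    # Hash rules take precedence over path rules; if no rule matches,
    # the default security level decides.
    for kind in (HashRule, PathRule):
        for rule in rules:
            if isinstance(rule, kind) and rule.matches(path, content):
                return rule.level
    return default_level


# Constructed sample data: the folder comes from the question, everything else is invented.
MT_APPS = r"C:\Program Files\MT Apps"
LEDGER = MT_APPS + r"\ledger.exe"
ORIGINAL = b"constructed bytes: ledger build 1.0"
PATCHED = b"constructed bytes: ledger build 1.0 + patch"


def compare_policies() -> dict:
    """Evaluate the same launches under a path-rule policy and a hash-rule policy."""
    path_policy = [PathRule(MT_APPS, UNRESTRICTED)]
    hash_policy = [HashRule(fingerprint(ORIGINAL), UNRESTRICTED)]
    cases = {
        "original": (LEDGER, ORIGINAL),
        "patched": (LEDGER, PATCHED),
        "subfolder": (MT_APPS + r"\reports\export.exe", b"constructed bytes: export tool"),
        "sibling_folder": (MT_APPS + r" Backup\ledger.exe", ORIGINAL),
        "elsewhere": (r"C:\Temp\game.exe", b"constructed bytes: unauthorized"),
    }
    return {
        name: {
            "path": evaluate(path, content, path_policy, DISALLOWED),
            "hash": evaluate(path, content, hash_policy, DISALLOWED),
        }
        for name, (path, content) in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:15} path rule: {result['path']:13} hash rule: {result['hash']}")
```

Because the path rule allows every file under the folder, the NTFS permissions on that folder should prevent ordinary users from writing to it.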
# QUESTION 148:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. The functional level of the domain is Windows Server 2003.
You install Terminal Services on all domain controllers. However, your technical support specialists
report that they cannot use Terminal Services to access any domain controllers.
Which action or actions should you perform to solve this problem? (Choose all that apply)
A. Install Remote Desktop for Administration.
B. Require the support specialists to use a console session to connect to the terminal servers.
C. Add the Remote Administrators group to the Account Operators group.
D. Add the support specialists to the Remote Desktop group.
E. Modify the Default Domain Controller Group Policy object (GPO) to grant the Log on locally user
right to the support specialists.
Answer: D, E
Explanation: The Remote Desktop group has the necessary permissions to connect to the servers using
Terminal Services. Terminal Services is a built-in service that enables you to use the Remote Desktop
Connection software to connect to a session that is running on a remote computer while you are sitting at
another computer in a different location. This process is extremely useful for employees who want to
work from home but need to access their computers at work. Terminal Server mode, deployed
traditionally, allows multiple remote clients to simultaneously access Windows-based applications that
run on the server. Remote Desktop for Administration is used to remotely manage Windows Server 2003
servers. We need to add the support specialists to the Remote Desktop group. As the servers are domain
controllers, we must grant the Log on locally user right to the support specialists.
Incorrect Answers:
A: Remote Desktop for Administration is installed by default in Windows Server 2003. For security reasons
it is disabled by default. It can be enabled through the System control panel. There is thus no need to
install it.
B: They do not require a console session.
C: The Account Operators do not have permission to connect using Terminal Services.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment Exam
Cram 2 (Exam 70-290), Chapters 5 & 7
# QUESTION 149:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. A Windows Server 2003 computer named CertKing 3 is configured as a
member server in your domain.
You install Terminal Services on CertKing 3. You also install several legacy applications on CertKing 3.
Users report that they cannot run many of the legacy applications on CertKing 3 through their Terminal
Services sessions. You establish a Terminal Services session by using the Administrator account, and you
verify that you can run the legacy applications.
You need to ensure that users can run the legacy applications on CertKing 3 while they are connected
through Terminal Services.
What should you do?
A. Add all Terminal Services users to the domain Server Operators group.
B. Share the C:\Program Files folders on CertKing 2. Assign the Domain Users group the Allow - Full
Control share permissions.
C. Install Terminal Server Licensing Server on CertKing 3.
D. Use Terminal Services Configuration to change the Permissions Compatibility setting.
Answer: D
Explanation: Permission Compatibility can be set to either Full Security or Relaxed Security. It specifies
whether you are using Full Security or Relaxed Security for clients accessing the Terminal Services
server. Some applications may not work properly with Full Security.
Thus in this case you need to change the Permissions Compatibility setting to ensure that users will be
able to run the legacy applications on CertKing 3 when connected through Terminal Services.
Incorrect answers:
A: This option will not ensure that all Terminal Services users will be able to run the legacy applications
on CertKing 3.
B: Even though CertKing 3 is a member server in the domain, assigning Domain Users the Allow - Full
Control share permission will not ensure that they can run the legacy application when connected through
Terminal Services.
C: It is not a licensing matter.
Reference:
Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003 Environment
Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, p. 410
# QUESTION 150:
You are the network administrator for CertKing . Your network consists of two Active Directory
domains. Each department has its own organizational unit (OU) for departmental user accounts. Each OU
has a separate Group Policy object (GPO). A single terminal server named CertKing Term1 is reserved
for remote users. In addition, several departments have their own terminal servers for departmental use.
Your help desk reports that user sessions on CertKing Term1 remain connected even if the sessions are
inactive for days. Users in the accounting department report slow response times on their terminal server.
You need to ensure that users of CertKing Term1 are automatically logged off when their sessions are
inactive for more than two hours. Your solution must not affect users of any other terminal servers. What
should you do?
A. For all accounting users, change the session limit settings.
B. On CertKing Term1, use the Terminal Services configuration tool to change the session limit settings.
C. Modify the GPO linked to the Accounting OU by changing the session limit settings in user-level
group policies.
D. Modify the GPO linked to the Accounting OU by changing the session limit settings in computer-level
group policies.
Answer: B
Explanation: The question states that you need to ensure that users of CertKing Term1 are automatically
logged off when their sessions are inactive for more than two hours. Therefore, you need to configure
CertKing Term1 by changing the session limit settings. You can limit the amount of time that active,
disconnected, and idle (without client activity) sessions remain on the server. This is useful because
sessions that remain running indefinitely on the server typically consume valuable system resources.
When a session limit is reached for active or idle sessions, you can select to either disconnect the user
from the session or end the session. A user who is disconnected from a session can reconnect to the same
session later. When a session ends, it is permanently deleted from the server, and any running
applications are forced to shut down. This can result in data loss at the client. When a session limit is
reached for a disconnected session, the session ends. This permanently deletes it from the server.
Sessions can also be allowed to continue indefinitely.
Incorrect Answers:
A: You need to change the session limit for all users of CertKing Term1, not only for the Finance users.
C: You need to configure CertKing Term1 to change the session limit settings.
D: You need to configure CertKing Term1 to change the session limit settings.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing, Managing,
and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, p. 665
# QUESTION 151:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All domain controllers run Windows Server 2003. Half of the client
computers run Windows XP Professional, and the other half run Windows NT 4.0 Workstation.
You install Terminal Server on three member servers named CertKing 1, CertKing 2, and CertKing 3.
Each server has a single Pentium III 600-MHz CPU with 512 MB of RAM and a single-channel EIDE
disk subsystem. You place all three terminal servers in an organizational unit (OU) named Terminal
Server. You link a Group Policy Object (GPO) to the Terminal Server OU.
Several days after the installation, users report that the performance of all three terminal servers is
unacceptably slow. You discover that each server has at least 50 active sessions at once.
You need to improve performance of all three terminal servers. You must achieve this goal by using the
minimum amount of administrative effort, without upgrading any hardware.
What should you do?
A. Log on to the console of each terminal server. In the RDP-Tcp connection properties, set the
Maximum connections option to 35.
B. Edit the GPO to set the Limit number of connections policy to 35.
C. Modify all domain user accounts to set the When a session limit is reached or broken user property to
End session.
D. Edit the GPO to enable the Remove Disconnect option from shutdown dialog policy.
Answer: B
Explanation: By setting the Limit number of connections policy in the Group Policy object to 35, you will
be able to prevent a situation where there are more simultaneous connections than necessary at any one
time. You will then not get a situation where there are more than 50 simultaneous connections, which
would probably be idle sessions and thus cause the performance of the servers to be poor. This option
will not require the upgrading of any hardware or unnecessary administrative effort.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 47-51, 682
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 6
# QUESTION 152:
You are the network administrator for CertKing .com. Your network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. A single server running
Terminal Server is available to remote users. Your help desk staff is responsible for monitoring user
activity on the terminal server. The staff is also responsible for sending messages to users about new
programs and about modifications to the terminal server. A company developer writes a script that will
log the relevant user information in a file and provide pop-up messages as needed. You need to ensure
that the script runs every time a user logs on to the terminal server. What should you do?
A. Deploy a client connection object for remote users. Configure the client connection object to run the
script.
B. On the terminal server, configure the RDP-Tcp properties with the name of the script. Override other
settings.
C. In the Default Domain Group Policy object (GPO), select the Start a program on startup option and
specify the name of the script.
D. On the terminal server, configure the RDP client properties with the name of the script.
Answer: B
Explanation: A listener connection (also called the RDP-Tcp connection) must be configured and exist on
the server for clients to successfully establish Terminal Services sessions to that server.
You should keep in mind that every property you set will affect all users who connect through the listener
connection. Thus configuring the RDP-Tcp properties with the name of the script on the terminal server
and overriding all the settings will ensure that the script runs every time a user logs on to the terminal
server.
Incorrect answers:
A: Configuring the client connection object to run the script will not run the script when a user logs on to
the terminal server.
C: Selecting the Start a program on startup option and specifying the name of the script in the Default
Domain Group Policy object will not make a script run every time a user logs on to the terminal server.
D: The most important thing to remember is that every property you set affects all users who connect
through the listener connection. But configuring the RDP client properties will not ensure that the script
runs every time a user logs on to the terminal server.
References:
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, MCSA/MCSE Exam 70-290: Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 547-549.
# QUESTION 153:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003. Some client computers run
Windows XP Professional, and the rest run Windows NT 4.0 Workstation.
CertKing includes departments for accounting, design, marketing, and sales. Each department has a
corresponding organizational unit (OU).
A member server named CertKing 1 can be accessed only by user accounts in the Accounting, Design,
Marketing, and Sales OUs. You install Terminal Server on CertKing 1. Then you install four new
applications on CertKing 1. Each application is intended for users in only one of the four departments.
You need to ensure that each application can be accessed only by users in the appropriate department.
You need to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. In the Default Policy Group Policy object (GPO), configure the Start program on connection policy to
be the program path and file name of the application to start when the user logs on.
B. In each OU, set the Environment property for each user to the program path and file name of the
application that corresponds to the OU.
C. On CertKing 1, select the RDP-Tcp connection properties. Set the program path and file name of the
application to start when the user logs on.
D. Create one Group Policy object (GPO) for each department. Link each GPO to the corresponding OU.
For each GPO, configure the Start program on connection policy to run the application that corresponds
to the appropriate department.
Answer: D
Explanation: Group policies cannot be applied to groups, only sites, domains, and organizational units.
An organizational unit (OU) is a container object in Active Directory used to separate computers, users,
and other resources into logical units. An organizational unit is the smallest entity to which Group Policy
can be linked. It is also the smallest scope to which administration authority can be delegated. At the
client level, a user can specify that a program be launched when they connect to a server instead of
receiving a desktop. Likewise, an administrator can specify this at the connection level for all users that
connect to a specific listener connection. Finally, this can also be set in Group Policy. However, the client
may receive a message stating, "This initial program cannot be started." This error may be caused by an
input error or incorrect path and executable file name. If you have entered the incorrect path and
executable file name, they will be pointing to a file that does not exist. Another possible cause is that the
correct permissions are not set on the executable file. If Windows Server 2003 cannot access the file, it
will not be able to launch the program. You should verify that the appropriate read and execute
permissions are applied to both the file and the working folder. If neither of these two possible solutions
resolves the issue, the application itself may have become corrupt. Try to launch the application at the
server. If it will not open, you may need to uninstall and reinstall the application.
Incorrect Answers:
A: All users would start the same application; this is not what we need.
B: All users would start the same application; this is not what we need.
C: The question states: minimum amount of administrative effort, therefore we need to use a GPO. This
would work though.
References:
Dan Holme and Thomas Orin, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, pp. 17: 20
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 7
# QUESTION 154:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain named CertKing .com. All network servers run Windows Server 2003, and all client computers run
Windows XP Professional.
Terminal Services is installed on a member server named Terminal1 with default settings.
Users in the editing department are members of a group named Editors. When these users try to make a
Terminal Services connection to Terminal1, they receive the following error message: "The local policy
of this system does not permit you to logon interactively".
You need to enable members of the Editors group to establish Terminal Services sessions on Terminal1.
What should you do?
A. Enable the Allow users to connect remotely to this computer option on Terminal1.
B. Add the Editors group to the Remote Desktop Users group on Terminal1.
C. Configure the RDP-Tcp connection properties on Terminal1 to assign the Allow - Full Control
permission to the Editors group.
D. Add the Editors group to the Remote Desktop Users group in Active Directory.
Answer: B
Explanation: The Remote Desktop Users group on Terminal1 has the necessary permission to connect
to Terminal1 using a remote desktop connection. By simply adding the Editors group to the Remote
Desktop Users group on Terminal1 we can give the Editors the required permission. The Remote
Desktop Services on Terminal1 is not configured to allow Editors access. This group should be added to
the Remote Desktop Users group on Terminal1 to enable them to establish Terminal Services sessions.
Incorrect Answers:
A: The Allow users to connect remotely to this computer option is for Remote Desktop for
Administration, not Terminal Services.
C: The Editors group does not need Full Control access to the server. The problem is that they don't have
the necessary permission to connect to Terminal1 using a remote desktop connection.
D: If you add the Editors group to the Remote Desktop Users group in Active Directory you would allow
the Editors group to connect to any Terminal server in the domain.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003 Environment
Exam Cram 2 (Exam 70-290), Chapter 7
# QUESTION 155:
You are the network administrator for CertKing .com. The network consists of a single Active Directory
domain CertKing .com. All servers run Windows Server 2003, and all client computers run Windows XP
Professional.
You install Terminal Server on a member server named CertKing 4. Several days later, users report that
server performance is unacceptably slow.
On Server1, you discover 75 disconnected sessions and 25 sessions that have been idle for at least three
hours.
You need to configure CertKing 4 to fulfill the following requirements:
1. Disconnected sessions remain on the server for a maximum of 1 minute.
2. Idle sessions remain on the server for a maximum of 30 minutes.
3. Sessions idle for more than 30 minutes are automatically reset.
4. Active sessions are not affected.
What should you do?
To answer, configure the appropriate option or options in the dialog box.
Answer:
Explanation: By default, most of the settings on the Sessions tab are configured to use the user account
property settings and several settings are grayed out. This can be overridden by selecting the check box
next to Override user settings. When user settings are overridden, several settings are no longer grayed
out; these include:
1. End a disconnected session: Used to specify the amount of time a disconnected session can
remain running on the Terminal Services computer.
2. Active session limit: Used to specify the amount of time an actively used session can remain
connected and in use.
3. Idle session limit: Used to specify the amount of time an idle session can remain connected to the
Terminal Services computer.
The first 'Override user settings' checkbox specifies that a session is ended when the session limit is
reached or the connection is broken. That will ensure that disconnected sessions remain on the server for
a maximum of one minute. You can specify the maximum time limit for a disconnected session to remain
on the server by configuring the 'End a disconnected session' option; the maximum time limit that a user
session can remain active on the server by configuring the 'Active session limit' option; and the maximum
time limit for a session to remain idle by configuring the 'Idle session limit' option. This should keep
idle sessions on the server for a maximum of 30 minutes and reset them automatically. The second
'Override user settings' checkbox specifies the type of action to be taken when the session limit is
reached.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and
Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, p. 551
# QUESTION 156:
You are the network administrator for CertKing .com. All client computers run Windows 2000
Professional.
You recently deployed 10 new servers that run Windows Server 2003. You placed the servers in a new
OU named W2K3Servers.
Jack is another network administrator.
You need to configure the appropriate permissions to allow Jack to manage the new servers by using
Terminal Services from her client computer. You need to assign Jack only the permissions she needs to
perform her job.
What should you do?
A. Add Jack's user account to the local Power Users group on each server that runs Windows Server
2003.
B. Add Jack's user account to the Remote Desktop Users group on each server that runs Windows Server
2003.
C. Assign Jack's user account the Allow - Read and the Allow - Write permissions for the W2K3Servers
OU.
D. Configure the Managed By property for the W2K3Servers OU to Jack's user account.
Answer: B
Explanation: The Remote Desktop Users group is a special group that allows its members to log on to the
server remotely. This is what is needed by Jack if she is to perform her job.
Incorrect answers:
A: Adding Jack's account to the local Power Users group will not enable her to make use of Terminal
Services.
C: Having the Allow-Read and the Allow-Write permissions will not ensure that Jack can do her job via
Terminal Services.
D: This will not work for Jack as she will not be able to use Terminal Services to carry out her tasks.
Reference: Lisa Donald & Suzan Sage London & James Chellis, MCSA/MCSE: Windows® Server 2003
Environment Management and Maintenance: Study Guide, Sybex Inc, Alameda, 2003, p. 169
# QUESTION 157:
Exhibit, Table
You are the network administrator for CertKing .com. The network consists of a single Active Directory
Domain named CertKing .com. All servers run Windows Server 2003. All user accounts are members of
the Domain Users group. You manage a server that is a member of the domain. Some administration
tasks must be performed while you are logged on to the server. A new written security policy states that
only specified users must be able to access the server by using Terminal Services. The written security
policy also states that only administrators on the local server must be able to log on locally to the server.
The settings for the server are shown in the table exhibit. You are a member of the Domain Admins
global group. You attempt to perform maintenance tasks on the server, but you receive an error message
stating that the local policy of the computer is preventing you from logging on locally. You need to
ensure that you can perform the maintenance tasks that are required for the server. You also need to meet
the requirements of the written security policy. What should you do?
A. Remove the Everyone group from the Access this computer from the network policy. Add the Domain
Admins group to the Allow log on locally policy.
B. Remove the Domain Users group from the Deny log on locally policy.
C. Add the Administrators group to the Allow log on through Terminal Services policy.
D. Add the Domain Admins group to the Allow log on through Terminal Services policy.
Answer: B
# QUESTION 158:
You are the administrator of a Windows Server 2003 computer named CertKing 3. CertKing 3 has
Terminal Services installed. CertKing 3 connects to the Internet through a proxy server on the company
network. Help desk employees periodically access custom web applications on the company network.
You install IIS on CertKing 3 with all the default settings. You need to ensure that help desk employees
can access Terminal Services on CertKing 3 from Internet Explorer 6.0.
What should you do?
A. Uninstall IIS and Terminal Services. Reinstall IIS, and then reinstall Terminal Services.
B. Configure the Internet Connection Firewall (ICF) to allow incoming ports 80 and 3389.
C. Create a new virtual directory named Tsweb.
D. Create a new web site named Tsweb.
E. Install Remote Desktop Web Connection.
Answer: E
# QUESTION 159:
You are the network administrator for CertKing .com. You manage a server that runs Windows Server