Implement and Admin Directory Services Infrastructure

(70-217)

1. You are the enterprise administrator of a Windows 2000 domain named

Test.local. Your domain contains three domain controllers, Test1, Test2, and
Test3. Test1 does not hold any operations master roles. The system state
data of Test1 was backed up last week. Today, the hard drive for Test1 is no
longer responding and you believe that it has failed. You purchase a new
server computer to replace Test1. You install Windows 2000 Server onto the
new computer. What should you do next?

a. Use the Active Directory Installation Wizard to make the new computer
a
replica in the domain
b. Add the server to the domain. Do an authoritative restore of the
original backup of the original DCA system state data that you made
two weeks ago
c. Use the Ntdsutil utility to copy the Active Directory database from DCB
to the new DCA
d. Add the server to the domain. Use Windows Backup to create a backup
of the DCB System state data, and restore this backup on the new
DCA

Answer: A

2. Your domain controller uses SCSI hard disks. You currently have two SCSI
hard disks installed on this computer. You add three new SCSI hard disks to
the computer. You configure these disks in a hardware RAID-5 array. You will
need to optimize the speed of the Active Directory database for this
computer. How can this be done? (Choose two)

a. Move the log files and the Ntds.dit file to the RAID-5 array
b. Move the log files to a separate physical disk from the operating
system
c. Move the Ntds.dit file to the RAID-5 array
d. Move the Netlogon share to the RAID-5 array
e. Create a mirror volume and place the log files on the mirror

Answer: B, C

3. You are the enterprise administrator of a Windows 2000 domain. The domain
has five trees all running in native mode. Each domain will have several users
that are members of the assistant administrators staff. Each domain has a
global group named Assistant Administrator Members that contains the
assistant administrators from each domain. Assistant administrators are
responsible for the Interns Organizational Unit (OU). There is an OU named
Interns in the root domain. All of the assistant administrators must be able to
reset the passwords of the users in the Interns Organizational Unit. How can
this be done?
 a. Create a new universal security group named assistant administrators
in the root domain. Place the five assistant administrators members
groups in the assistant administrators group. Create a new local
security group named Reset Interns in the root domain. Place the
assistant administrators group in the Reset Interns group. In the
Interns OU, assign the Reset Password permission to the Reset Interns
group
b. Create a new global security group named assistant administrators in
the root domain. Place the five assistant administrators in the assistant
administrators group. Create a new local security group named Reset
Interns in the root domain. Place all users from the Interns OU in the
Reset Interns group. In the Interns OU, assign the Reset Password
permission to the Reset Interns group
c. Create a new global security group named assistant administrators in
the root domain. Place the five assistant administrators groups in the
assistant administrators group. Place the assistant administrators
group in the Reset Interns group. In the reset Interns group, assign
the Reset Password permission to the assistant administrators group.
d. Create a new universal security group named assistant administrators
in the root domain. Place the five assistant administrators groups in
the assistant administrators group. Create a new local security group
named Reset Interns in the root domain. Place all users from the
Interns OU in the Reset Interns group. In the Reset Interns group,
assign the Reset Password permission to the assistant administrators
group

Answer: A

4. You create a new Windows 2000 Active Directory network. The network runs
for several months without any issues. One day, you find that the Active
Directory database file is taking up too much disk space on one of your
domain controllers. You will need to reduce the size of the Active Directory
database file. What should you do? (Choose three)

a. Restart the domain controller in directory services restore mode

b. Run Windows Backup to back up the System State data. Immediately
run
Windows Backup again to restore the System State data from the
backup file
c. Stop the Net Logon service on the domain controller
d. Use the Ntdsutil utility to compact the database to a folder. Move the
compacted database file to the original location
e. Start the Net Logon service on the domain controller
f. Restart the domain controller and boot normally

Answer: A, D, F

5. You have recently installed a Windows 2000 Server computer onto your
network that will act as a primary domain controller for your domain. This
computer will also act as a DNS server for the domain. You install and
configure Active Directory on this computer. All of the client computers in the
domain are running Windows 2000 Professional. Whenever any of the client
 computers attempts to logon to the domain, they all receive an error message
stating that a domain controller could not be found. What should you do?

a. Check for the presence of an NTDS folder on the domain controller

b. Check for the presence of a Sysvol folder on the domain controller
c. Check DNS for the addition of an appropriate A (host) record in the
zone
d. Check DNS for the addition of an appropriate SRV (service) record in
the zone
e. On the client computers, create a Hosts file that contains the A (host)
record for the domain controller

Answer: D

6. You are the administrator of a network that contains 1,300 users. You will be
assigning three users various administrative responsibilities. The first user,
Peter, will be responsible for creating and deleting computer accounts. The
second user, Robert, will be responsible for changing user accounts. The third
user, Laura, will be responsible for adding client computers to the domain.
You will need to use directory services to track all of the changes that these
three users make. How can this be done?

a. Create a Group Policy object (GPO) for the domain. Assign Read and
Apply Group Policy permissions to only Peter, Robert, and Laura.
Configure the GPO to audit directory services access and audit object
access.
b. Create a Group Policy object (GPO) for the domain. Assign Read and
Apply Group Policy permissions to only Peter, Robert, and Laura.
Configure the GPO to audit object access and process tracking.
c. Create a Group Policy object (GPO) for the domain controllers. Assign
Read and Apply Group Policy permissions to only Peter, Robert, and
Laura. Configure the GPO to audit directory services access and audit
object access.
d. Create a Group Policy object (GPO) for the domain controllers. Assign
Read and Apply Group Policy permissions to only Peter, Robert, and
Laura. Configure the GPO to audit directory services access and
account management.

Answer: D

7. You have been hired to secure a Windows 2000 network. You use a security
template to create a custom template and save it as Secure.inf. There are
four domain controllers on the network that will all require the use of this
security template. What should you do? (Choose two)

a. Import the Secure.inf file

b. Create a Group Policy object on the Domain Controller Organizational
Unit
c. Create a new security database
d. Copy the Secure.inf file to the Sysvol shared folder on one domain
controller
e. Rename Secure.inf to Ntconfig.pol
 Answer: A, B

8. You are the head administrator of a Windows 2000 network that consists of
three domains. The three domains are named test.local, California.test.local,
and newyork.test.local. You have hired an assistant administrator named
Peter to assist in the administration of the newyork.test.local domain. Peter
must not be able to make any changes to any systems residing in the
test.local or California.test.local domains. What should you do?

a. Add Peter’s user account to the Server operators and Account

operators group in newyork.test.local
b. Move Peter’s user account to the Domain Controllers organizational
unit (OU) in newyork.test.local
c. Add Peter to the Enterprise Admins group and delegate control only at
the test.local domain
d. Add Peter’s user account to the Domain Admins group in
newyork.test.local

Answer: A

9. You are the administrator of a Windows 2000 domain. Your Windows 2000
domain contains an Organizational Unit (OU) named Stocks. You have just
finished writing a logon script for all of the members of the Stocks OU to use.
You store the logon script on a domain controller named AlphaServ. The logon
script is saved at \\AlphaServ\ docs\stockscript.vbs. To assign the logon script
to the members of the Stocks OU, you will use a group policy object (GPO).
What should you do? (Choose three)

a. Create a new GPO named script and assign the script GPO to the
domain. Configure the permissions on the script GPO to grant READ
permissions to all users in the Stocks OU
b. Create a new GPO named script and assign the script GPO to the
Stocks OU
c. Copy the stockscript.vbs file to the appropriate folder in Group policy
Template (GPT) of the script GPO
d. Add stockcript.vbs as a logon script to the script GPO
e. Copy the stockscript.vbs file to the folder that shared as netlogon
script on the PDC emulator
f. For each user in the Stocks OU, set the logon script in the user profile
to stockcript.vbs

Answer: B, C, D

10. You edit the group policy on the default domain controller in your domain to
require that all users passwords are eight characters in length. Upon
completion, you find that users in the domain are able to create passwords of
any length. What should you do?

a. Initiate replication to make sure the Group Policy containers and the
Group Policy template (GPT) are replicated
b. Edit the Default Domain Controllers Group Policy to force passwords to
meet complexity requirements
 c. Configure each client computer to have a local Group Policy that
requires passwords to be at least eight characters long
d. Edit the Default Domain Group Policy to require password to be at
least eight characters long

Answer: D

11. You run the DCPROMO.EXE command to install a new domain to your existing
domain. However, you receive an error message stating that the existing
domain cannot be contacted. At this point you are unable to proceed with the
installation of the new child domain. What should you do?

a. Install WINS on the new domain controller

b. Configure the new domain controller with the address of an
authoritative DNS server for the existing domain
c. Create an Active Directory integrated zone for the child domain on the
new domain controller
d. Configure the new domain controller with the address of an existing
WINS server
e. Add SRV (service) records for the domain naming master to a Hosts
file on the new domain controller

Answer: B

12. Your Windows 2000 network contains 700 Windows 2000 Professional client
computers. Recently, it has come to your attention that the users on your
network have been using the same passwords for the last year. You would
like to enforce a policy that requires all users to change their passwords
periodically. You create a Group Policy Object (GPO) and filter it to the users.
Which two settings will you need to enable for the GPO? (Choose two)

a. Enforcement of password history

b. User must log on to change the password
c. Minimum password length
d. Maximum password age
e. Minimum password age

Answer: A, D

13. All of the client computers on your corporate network are running Windows
2000 Professional. They are all members of a single domain. Each user is a
member of the Power Users local group on their respective computer. One of
the users on your network, Michael, requires a dial-up Internet connection.
You must ensure that none of the other users are able to access Michael’s
Internet connection. What should you do?

a. Remove the Internet connection from the All Users directory on

Michael’s computer, and then re-create the connection in Michael’s
personal user directory
b. Create a Group Policy Object that disables the configuration of
connection sharing. Grant the other users Apply Group Policy
permissions to the GPO
 c. Create a Group Policy Object that disables the configuration of
connection sharing. Grant Michael Read and Apply Group Policy
permissions to the GPO
d. Create a high security zone in Internet Explorer

Answer: B

14. You are the administrator of a single domain Windows 2000 network. One of
the domain controllers in the domain has a failing hard disk. You will be
replacing this domain controller with another identical domain controller.
Before doing so, you would like to remove Active Directory from the failing
domain controller’s hard disk. You run the DCPROMO.EXE command. While
you are running DCPROMO.EXE, the hard disk in the domain controller fails.
The domain controller will no longer boot. The resources from the failed
domain controller are still appearing in Active Directory. You must correct this
before installing the replacement domain controller. You will use the
NTDSUTIL utility. Which option should you use?

a. Security account management

b. Domain management
c. Metadata cleanup
d. Authoritative restore
e. Semantic database analysis

Answer: C

15. Your company has four locations all connected by T1 circuits. Each location
has a Windows 2000 domain controller. To optimize network performance,
you want to control the bandwidth usage and replication schedule of directory
information to each domain controller in each location. What should you do?
(Choose two.)

a. Create a site that spans all the locations

b. Create a site for each location
c. Create server objects for each domain controller in every site
d. Move each server object from Default-First-Site-Name to the
appropriate
site
e. Create server objects for each domain controller in their own sites
f. Copy all server objects from Default-First-Site-Name to each site

Answer: B, D

16. A user named Steven has been assigned the role of Backup Operator of a
Windows 2000 domain. The domain contains two domain controllers. Steven
will be responsible automating the backup of the Active Directory database
files of both domain controllers once a week. What should Steven do?

a. Schedule a backup job and select Schema.ini file in the System32

folder
and all files in the NTDS folder to be backed up once a week
b. Schedule a task that will run the Ntdsutil once a week
 c. Schedule a task that will copy the Ntds.dit file and the Sysvol folder
once a week
d. Schedule a backup job that will backup the System State data once a
week

Answer: D

17. Your network contains a global catalogue server named GlobalC1. You will be
replacing GlobalC1 with another server computer that will also act as a global
catalogue server. The new server will be named GlobalC2. You would like to
use GlobalC1 as a domain controller but no longer as a global catalogue
server. You would also like to increase the amount of available disk space on
GlobalC1. What should you do? (Choose all that apply)

a. Use active directory sites and services. Select the NTDC setting object
for the GC00 server to clear the global catalogue check box
b. On the GC01 server run the NTDS UTIL utility to enable the global
catalogue server option
c. On the GC00 server run the NTDS UTIL utility to defragment active
directory
d. On the GC00 server reinstall Windows 2000

Answer: A, D

18. You are the administrator of a Windows 2000 network. The members of your
Legal Organization Unit (OU) require a mapped drive connection to a specific
resource on a server. You will need to create a logon script that will
automatically map a drive connection for all current and future users of the
Legal OU. You create a logon script named LegalMap.CMD that will accomplish
this. What should you do to implement this logon script?

a. Create a Group Policy object (GPO) that enforces LegalMap.CMD as a

startup script. Assign the GPO to the Legal OU
b. Copy LegalMap.CMD to the Sysvol share on each domain controller.
Assign Read permission to the file for all users in the Legal OU
c. Create a Group Policy object (GPO) that enforces LegalMap.CMD as a
logon script. Assign the GPO to the Legal OU.
d. Copy LegalMap.CMD to the Netlogon share on each domain controller
in the domain. Select each user in the Legal OU and set the logon
script to LegalMap.CMD.

Answer: C

19. You are the enterprise administrator of a Windows 2000 domain running in
native mode. You will need to implement a policy that will deny all non-
members of the Domain Administrators security group the ability to use the
shutdown command. You create a new Group Policy object (GPO) named
NoShutDown. You configure the NoShutDown GPO to disable the Shutdown
option. You assign the NoShutDown GPO to the domain. You want to ensure
that the policy does not apply to the members of the Domain Administrators
group. What should you do?
 a. Add the Domain Administrators group to the Group Policy Creator
Owners group
b. On the computers that the members of the Domain Administrators
group use to log on, configure the local GPO to enable the Shutdown
option
c. Create a new OU named No Shutdown. Move the Domain
Administrators group to the No Shutdown OU. Configure the No
Shutdown OU to block policy inheritance
d. On the Shutdown GPO, deny the Apply Group Policy permission to the
Domain Administrators group
e. On the Shutdown GPO, remove the Apply Group Policy permission
from the Authenticated Users group. Grant the Apply Group Policy
permission to the Users group

Answer: D

20. You are the administrator of a Windows 2000 domain. You would like to
increase the security of network transmissions within your network. You will
accomplish this by encrypting all TCP/IP communications on your network.
How can this be done?

a. Implement TCP/IP packet filtering, and open only the ports required
for your network services
b. Edit the local security policies on the servers and client computers, and
enable the Digitally sign client and server communications option
c. Create a GPO for the domain, and configure it to assign the Secure
Server IPSec Policy
d. Create a GPO for the domain and configure it to assign the Server
IPSec Policy and to enable the Secure channel: Require strong session
key option

Answer: C

21. You are the administrator of a single domain Windows 2000 network. All of
the client computers in use on the network are running Windows 2000
Professional. You are configuring the network security settings for each client
computer. The client computers are a mix of portable and workstation
computers. The members of the Legal department are all using portable
computers. Members of the Legal department also use routing and remote
access to connect to the company’s network. All of the members of the legal
department will need to be members of the local administrators group on
their portable computers in order to run a third party database application.
You will need to deny the members of the legal department the ability to
modify their existing network connections and settings. What should you do?

a. Create a System Policy to hide Network Neighborhood and disable

registry-editing tools. Apply this policy to all the Legal users
b. Create a Group Policy object (GPO) for the domain. Filter the GPO for
the Legal users. Configure the GPO to deny the Legal users access to
the properties of the LAN or Remote and Routing Access connection
c. Create a Group Policy object (GPO) for the domain controllers. Filter
the GPO for the Legal users. Configure the GPO to deny the Legal
users access to the Network Connection Wizard
 d. On each portable computer, create only the permitted LAN and
Remote and Routing Access connection. At the server, configure the
Legal user accounts to permit connections to only the specific
computers

Answer: B

22. You are the head administrator of a Windows 2000 network that consists of
four separate locations. The network’s primary location is in San Francisco.
Seattle, London, and New York are all remote networks. Each remote network
has an administrator. These administrators will need local administrative
privileges of local resources. Administrators in remote offices must not be
able to control resources in other remote offices. Only the administrators in
the San Francisco office will be able to create and change user accounts. You
want to be able to create an Active Directory structure to accomplish these
goals. What should you do?

a. Create a domain tree that has a top-level domain for the main office
and a child domain for each remote office. Grant the local
administrators membership in the Enterprise Admins group in the
domain tree
b. Create a single domain. Create an organizational unit (OU) for each
remote office and an additional OU named CorpUsers. Delegate
authority for resource administration to the local administrators for
their own OUs. Delegate authority to the CorpUsers OU only to the
Domain Admins group
c. Create a domain tree that has a top-level domain for the main office
and a child domain for each remote office. Grant the local
administrators membership in the Domain Admins group in their child
domains
d. Create a domain tree that has a top-level domain for the main office
and a child domain for each remote office. Grant the local
administrators membership in the Enterprise Admins group in the
domain tree

Answer: B

23. You are the administrator of a single domain Windows 2000 network. You will
be deploying Windows 2000 Professional to client computers on your network
using an RIS server. There are several dozen departments within your
corporation that will each need their own custom Windows 2000 Professional
installation package. You have created a group named Department Managers
to allow members of the Department Managers group access to create custom
images and post them to the RIS servers for deployment. The Department
Managers will also be able to install the images from the RIS server onto
client computers. How can this be done?

a. Grant the department managers group Read and Write permissions to

the Oschooser folder
b. Grant the department managers group Full Control permissions to the
SysPrep utility
c. Grant the department managers group Full Control permissions to the
RIPrep.exe
 d. Grant the department managers group Read and Write permissions to
the
Remoteinstall folder
e. Grant the department managers group Read and Write permissions to
the administrator folder

Answer: D

24. You are the head administrator of your company’s network. The network is a
single domain Windows 2000 network. Your company has its main office in
Los Angeles. You have three large regional offices in St. Louis, Chicago, and
Austin. You have three smaller branch offices near each of the regional
offices. The regional offices are connected to the main office by a T3 circuit.
The branch offices are connected to the regional offices by DSL lines. Branch
offices in Boston, Dallas, and San Diego also have direct DSL connections with
Los Angeles. . For fault tolerance and load balancing purposes, each office has
its own Windows 2000 domain controller. Each office is configured as its own
site. All site links have been created. You want to create a replication
topology that allows only the regional offices to communicate with the main
office. You want to ensure that each branch office communicates only with the
closest regional office. What should you do?

a. Manually create connection objects between each branch office and the
closest regional office. Use SMTP as the transport protocol
b. Allow the Knowledge Consistency Checker (KCC) to automatically
create the connection objects between the branch offices and the
regional offices
c. Allow the Knowledge Consistency Checker (KCC) to automatically
create the connection objects between the main office and all other
offices
d. Manually create connection objects between the domain controllers in
the main office and the regional offices. Use SMTP as the transport
protocol

Answer: C

25. You are the administrator of a single domain Windows 2000 network named
abcxyz.com. The domain consists of three sites named San Francisco,
Oakland, and San Jose. Each site has been configured with two domain
controllers. San Francisco and Oakland each have 2,000 users. San Jose has
only 1,000 users. There are two IP site links; San Francisco to Oakland and
San Jose to Oakland. You want to add another domain controller in each site
to handle all replication from each site. What should you do?

a. Create a new site link that has a lower cost than the existing site links
b. Delete the existing connection objects in each site and manually start
the KCC
c. Create a connection object from each domain controller in each site to
the new domain controller in each site
d. Configure each new domain controller to be the IP preferred
bridgehead server for its site

Answer: D
26. You are the administrator of a Windows 2000 network that consists of a single
domain and five organizational units (OU). The five organizational units are:
Accounting, Legal, Human Resources, Helpdesk, and Administrators. A user in
the Human Resources department is no longer able to logon to the domain.
You have been auditing all objects in active Directory since the domain was
created. You are unable to find any record of the user’s account being
deleted. For security reasons, you must find a record of the user’s account
being deleted. What should you do?

a. Search the security event logs on each domain controller for object
access events
b. Search the Active Directory Users and Computers console on each
domain controller for the user’s previous account name
c. Search the security event logs on each domain controller for account
management events
d. Search the Active Directory Users and Computers console on each
domain controller for the user’s computer account

Answer: C

27. You are the administrator of your company’s network. The network is a single
domain that uses Windows NT 4.0 Servers as domain controllers. You will be
adding Windows 2000 Professional client computers to the network. You
create and implement a security policy that will be applied to these
computers. You would like for this security policy to remain in effect at all
times on each client computer. However, it is sometimes necessary for
administrators to change the security settings of computers for
troubleshooting and repair. You want to automate the security analysis and
configuration of client computers on the network so that you can track
changes to security policy and reapply the original security policy when it is
changed. What should you do?

a. Use Windows 2000 Group Policy to globally configure the security

policy settings on the client computers
b. Use the Security and Configuration Analysis tool on the client
computers to analyze and configure the security policy
c. Schedule the Secedit command to run on the client computer and stop
analyze and configure the security policy
d. Use Windows NT System Policy to globally configure the security policy
settings on the client computers

Answer: C

28. You are the administrator of a Windows 2000 domain. You are using a
Windows 2000 Server computer named PDC1 as a domain controller. All of
the client computers in the domain are running Windows 2000 Professional.
The users of these client computers tend to move from one computer to
another quite often. You would like to enforce mandatory roaming profiles for
each user.

You want to accomplish the following goals:

 All of the users in the domain will be able to work on all of the Windows 2000
Professional computers and have their own desktop settings available on all
computers

All of the users in the domain will be able to make changes to their desktop
settings

All of the users in the domain will be able to access their documents in the
My Documents folder from any Windows 2000 Professional computer

The amount of data that is copied between the PDC1 server and the
Windows 2000 Professional computers each time a user logs on or off will
be minimized.

What should you do? (Choose two.)

a. Configure a roaming profile for each user in the domain. Use

\\PDC1\Profiles\%Username%\Ntuser.man as the Profile path
b. Configure a roaming Profile for each user in the domain. Use
\\PDC1\Profiles\%Username% as the Profile path
c. Create a new Group Policy object (GPO) named Profilescript. Assign the
Profilescript GPO to the domain. Configure the Profilescript GPO to assign
a logon script to all users. Include the runas/profile explorer.exe command
in the logon script.
d. Create a new Group Policy object (GPO) named Docs. Assign the Docs
GPO
to the domain. Configure the Docs GPO to redirect the My Documents
folder
to the \\PDC1\Docs\%User- name% location

Answer: B, D

29. You are the administrator of a multiple domain Windows 2000 network. The
network is composed of four domains named whatever.com,
na.whatever.com, sa.whatever.com, and etc.com. The root of the forest is
whatever.com. There are two Windows NT BDCs in each domain. Members of
the legal drafting department place finished legal drafts for Etc Inc. onto a
server named LegalServ.etc.com. Read and Write permissions are granted to
the LegalDrafters Domain Local group in the etc.com domain. A user named
Michael is a member of the Legal Drafters global distribution group in the
na.whatever.com domain. He is unable to gain access to the shared folder on
LegalServ.etc.com. You want to allow Michael to access the shared folder.
What should you do?

a. Change the LegalDrafters Domain Local group to a universal group and

add it to the Legal group
b. Change the Legal Drafters group type to Security and add it to the
LegalDrafters Domain Local group
c. Change the mode of the domain controller in na.whatever.com to
native mode. Add the Legal Drafters group to the LegalDrafters
Domain Local group
d. Change the Legal Drafters group to a Domain Local group and add it to
the LegalDrafters Domain Local group
 Answer: B

30. You have been assigned the task of creating an Organizational Unit (OU)
structure for a large textile manufacturing organization named Plastic Stuff
Inc. Plastic Stuff Inc is running a single domain Windows 2000 network
named PlasticStuff.com. You will need to delegate administrative control of
user objects on the network. You create an OU named Users. The Users OU is
a child OU of the Development OU. You create a group named Development
User Administrators that includes users who have permissions to create and
manage the workstations in the Workstation OU. The Development User
Administrators group has Full Control permission for the Development OU.
You want user accounts to be created only in the User OU. Which three
actions should you take? (Choose three)

a. Remove the Development User Administrator group from the

Development OU ACL
b. Disable inheritance of permissions from the Development OU to the
User OU
c. Grant Read and Write permissions to the PlasticStuff.com domain
d. Deny Create User objects permission on the Development OU
e. Grant Full Control permission to the Development User Administrators
group on the User OU for computer objects
f. Grant Create Contact objects permission on the User OU

Answer: B, D, E

31. You are the administrator of a two domain Windows 2000 network. The two
domains are divided among six separate sites. The sites are named Site1,
Site2, Site3, etc. Each site has one or more domain controllers. You have
configured one domain controller in each site as a global catalog server. Users
report that several times a day, network performance and data transfer for an
application located in Site 1 are extremely poor. You would like to remote this
performance bottleneck. What should you do?

a. Configure at least two domain controllers in each site as global catalog

servers
b. Create site links between all sites and set less frequent replication
schedules
c. Configure the domain controllers in only one site as global catalog
servers
d. Create connection objects between each domain controller. Use RPC as
the transport protocol
e. Create connection objects between each domain controller. Use SMTP
as the transport protocol

Answer: B

32. You will use an RIS server to deploy Windows 2000 Professional installation
packages. You will need to find out the GUIDs of the computers in your
network to do this. What should you do?
 a. Use Network Monitor to capture and view the DHCPOffer packets. Then
search for GUID
b. Use Network Monitor to capture and view the DNS query packets. Then
search for GUID
c. Use Network Monitor to capture and view the DHCPDiscover packets.
Then
search for GUID

Answer: C

33. You are the administrator of a Windows 2000 domain running in native mode.
The domain contains 20 Windows 2000 Server computers all of which are
configured as domain controllers. There are 2,000 Windows NT 4.0
Workstation client computers on the network. One day, a power outage
causes the first domain controller that was installed on the network to suffer a
hardware failure. The domain controller will no longer boot. Shortly
thereafter, whenever any user on the network attempts to change their
password, they find that they must wait several hours for the change to be
executed. Also, none of these users are able to connect to shared resources
on the network by using their new passwords. What should you do?

a. Using the NTDSUTIL utility connect to another domain controller and

cease the PDC emulator role
b. Using the NTDSUTIL utility connect to another domain controller and
transfer the PDC emulator role
c. Using the NTDSUTIL utility connect to another domain controller and
transfer the domain naming master role
d. Using the NTDSUTIL utility connect to another domain controller and
cease the domain naming master role

Answer: C

34. You will need to install Windows 2000 Professional onto 300 computers on
your network. You will need to use a custom configuration for 100 of the
computers. You will use an SMS server to install various applications onto
these computers. You will use an RIS server to install Windows 2000
Professional onto all of the computers. What should you do?

a. Use the Setup Manager wizard to create a Sysprep answer file. Use
third-party imaging software to create a separate image for each
configuration.
b. Install a test client computer for each custom configuration. Use the
Setup manager wizard to create an answer file for each configuration
c. Create a CD-based RIS image and different answer files for each
custom configuration
d. Create an RIPrep image for each configuration. Grant Read And
Execute permission to users for the image folder

Answer: C

35. You will need to deploy a custom application named Database. To configure
the Database application, you need to set the custom policy setting in the
 HKCU\software\policies location in the registry for every user in the domain.
What should you do?

a. Create a Group Policy Object named Draw Setting. Assign the

Database Setting GPO to the domain. Configure the Database Setting
GPO to run a logon script that changes the appropriate
HKCU\software\policies location in the registry.
b. Create a Group Policy Object named Database Setting. Assign the
Database Setting GPO to the domain. Create a new administrative
template that defines the custom policy settings. Add the new
administrative templates to the Database Setting GPO. Configure the
Database Setting GPO to set the appropriate policy.
c. Create a registry file that has the .reg file name extension. Edit the
registry file to change the appropriate HKCU\software\policies location
in the registry. Place the registry file in the All Users startup folders of
all computers in your domain.
d. Create a Group Policy Object (GPO) named Database Setting. Assign
the Database Setting GPO to the domain. Configure the Database
Setting GPO to run a startup script that changes the appropriate
HKCU\software\policies location in the registry.

Answer: B

36. You are the administrator of a 20,000 user Windows 2000 network. Several
users have informed that you that documents seem to be missing from a
server that is used to store company documents. You suspect that someone is
deleting the documents. You need to track the actions of the users to find out
who has been deleting the files. You create a GPO on the domain and assign
the appropriate permissions to the GPO. What actions should you audit?
(Choose two)

a. Process tracking
b. Delete and Delete subfolders and files
c. Directory Services access
d. Object access
e. Privileged use

Answer: A, C

37. You are the administrator of a Windows 2000 domain. You are using a
Windows 2000 Server computer named AppServ to store applications on.
AppServ is not a domain controller. All members of the Domain Users group
are allowed to logon to AppServ locally. You have created a script named
Permissions.cmd that will define environment variables in the current user’s
profile that AppServ requires. What should you do to make Permissions.cmd
run correctly?

a. Add the Permissions.cmd script to the local Group Policy Object (GPO)
as a logon script
b. Place the Permissions.cmd script in the Sysvol share on the AppServ
server
c. Copy the Permissions.cmd script to the Netlogon share on the AppServ
server
 d. Add the Permissions.cmd script to the local Group Policy Object (GPO)
as a startup script

Answer: A

38. You are the administrator of a single domain Windows 2000 network. You
have created a script named Userconfig.vbs to control the desktop
environment of users in the domain. Userconfig.vbs changes settings in the
current user profile. This script file is deployed as a login script for all users in
the domain. It takes about 15 to 20 seconds for Userconfig.vbs to finish
executing when a user logs on, you would like to ensure that it finishes
executing before a user’s desktop appears. What should you do?

a. Create a new GPO; Assign the GPO to the domain, Add Userconfig.vbs
to the GPO as a logon script. Configure the GPO to run logon scripts
synchronously
b. Create a new GPO; Assign the GPO to the domain, Add Userconfig.vbs
to the GPO as a logon script. Configure the GPO to set a timeout of 15
seconds for logon dialog boxes
c. Create a new GPO; Assign the GPO to the domain, Add Userconfig.vbs
to the GPO as a logon script. Configure the GPO to set a maximum
wait time of 15 seconds for Group Policy scripts
d. For all users in the domain, set the logon script in the user profile to
Userconfig.vbs

Answer: A

39. You are using an RIS server to deploy Windows 2000 Professional to 2,000
new computers. You have configured four RIS servers for load balancing
purposes. Their names are RIS1, RIS2, RIS3, and RIS4. RIS1 and RIS3 are
becoming overworked and are responding too slowly for a timely deployment
to all of the new computers. You will need to make the performance of RIS1
and RIS3 more consistent to ensure that the new computers are all
configured in a timely manner. What should you do?

a. Create computer accounts for all the computers. Complete the

Managed By properties for each account
b. Create pre-staged computer accounts for all the computers. Specify
which RIS server will control each computer
c. Create one site for each segment. Move two RIS servers to each site
d. Create one OU for each segment. Add user accounts for all the users
to the appropriate OUs. Specify the appropriate RIS server in the Log
On To property for each user’s account

Answer: B

40. You are the administrator of a single domain Windows 2000 network. The
network consists of 30 Windows 2000 Professional computers and one
Windows 2000 Server named Moscow. The users in your domain move from
one workstation to another several times during the day. You will need to
accomplish the following goals:
 All users in the domain will be able to work on all Windows 2000 Professional
Computers and have their own predefined desktop settings available on all
computers

Users will be allowed to make changes to the desktop settings while they are
logged on

Changes that users make to their desktop settings will not be saved when
they log off

What should you do?

a. Configure a roaming Profile for each user in the domain. Use

\\Moscow\Profiles\%username% as the Profile path. On the Moscow
server, rename the ntuser.dat file to ntuser.man for each user
b. On each Windows 2000 Professional PC, rename the
Ssytemroot\System32\Config\System file to System.man
c. On each Windows 2000 Professional PC, delete the
Systemdrive\Documents and Settings\Default User folder
d. Create a GPO named DelProfile. Assign the DelProfile GPO to the domain.
Configure the DelProfile GPO to delete the local copy of a user’s profile
when the user logs off

Answer: A

41. You are the administrator for Magazine Sales Inc. and Book Sales Inc. You
have been assigned to manage the multiple domain Windows 2000 network
that both companies use. Both companies have roughly 7,000 users. Both
companies have a total of eight departments. Every department has been
configured as an Organizational Unit (OU) in Active Directory. The members
of each domain and of each Organizational Unit have specific Group Policy
settings that must be applied. Currently, both companies are re-organizing
the members of the eight departments. At least a dozen or more users in
each department will be moved to another department, and in some cases to
a new domain. You must accomplish the following goals:

Place the users accounts in the appropriate domains

Apply the existing policies for each domain or OU to the moved accounts

Do not disrupt user access to shared resources

What should you do?

a. For the users moving between domains, create new user accounts in the
appropriate OUs. Assign permissions to the accounts to apply the Group
Policy settings, and then delete the old accounts. For the users moving
between OUs in the same domain, select the accounts. Then choose MOVE
from the Action menu, targeting the new OU
b. For the users moving between domains, use the Movetree utility,
specifying the source and target domains and OUs. For the users moving
between OUs in the same domain, select the accounts then choose MOVE
from the ACTION menu, targeting the new OU
 c. For the users moving between domains, create new user accounts in the
appropriate OUs. Assign permissions to the account to apply the Group
Policy settings, and then delete the old accounts. For the users moving
between OUs in the same domain, select the accounts. Then choose Copy
from the Action menu, entering the appropriate account information for
the new users accounts. Then delete the old accounts
d. For all users, create new user accounts in the appropriate OUs. Assign
permissions to the accounts to apply the group policy settings, and then
delete the old accounts

Answer: B

42. You are the LAN administrator for Magnetic Tapes Inc. You hire Renaldo to be
a LAN administrator for the New York office. Magnetic Tapes Inc has one
domain named magnetics.com. Each office has its own Organizational Unit
(OU). Sophia needs to be able to create child OUs under only ou-NewYork,
dc=magnetics, dc=com and verify the existence of the created OUs. Which
permissions should you assign to Renaldo on the New York OU? (Choose
three)

a. List Contents
b. Create OU objects
c. Full Control
d. Create All Child Objects
e. Read
f. Write

Answer: A, D, E

43. You are the administrator of a single domain Windows 2000 network. Roughly
one year ago, you installed a primary domain controller in the domain. During
the past year of operation, you have deleted many different objects within the
domain. However, the Ntds.dit file is the same size today as when you
originally installed the domain controller. Due to disk space constraints, you
will need to make the Ntds.dit file smaller. What should you do? (Choose two)

a. Run the Esentutl utility by using the /d switch.

b. Use the Ntdsutil utility to perform an authoritive restore
c. Restart the server in directory services restore mode
d. Use the Ntdsutil utility to compress the database to another drive
e. Delete all the log files from the NTDS folder and restart the server

Answer: C, D

44. You are the administrator of a single domain Windows 2000 network. You will
be using a Windows 2000 Server computer to install Windows 2000
Professional onto 50 new client computers. You install RIS onto the server.
You boot one of the new client computers and attempt to connect to the RIS
server. The client installation wizard does not appear. You discover that the
network card in the client computer is non-PXE compliant. You will need to
connect to the RIS server. What should you do?

a. Setup a DHCP relay agent

 b. Install Windows 2000 Professional on the test client computer. Run
RIPRep.exe from a network share on the RIS server.
c. From a command prompt, run Rbfg.exe to create a RIS boot disk.
d. Identify the GUID of each client computer.

Answer: C

45. You are the administrator of a single domain Windows 2000 network. You
have created an organizational unit (OU) named California. The California OU
contains all of the members of the California office of your corporation. Some
of the members of the California OU are domain administrators. You would
like to standardize the start menu for all of the members of the California OU.
You have created a share on a server computer named Serv01 that will
contain the customized start menu that members of the California OU will
use. The share path is \\Serv01\Start The everyone group has Change
permission on the Start share.

You must accomplish the following goals:

Members of the domain administrators group will have separate start menus
that they are able to change

All of the members of the California OU, except for domain administrators,
will use the \\Serv01\Start start menu

All of the members of the California OU, except for domain administrators,
will not be able to change their start menu

All non-members of the California OU will have their own start menu that they
will be able to change.

You take the following actions:

Create a new Group Policy Object (GPO) named Start. Assign the Start GPO
to the California OU

Configure the Start GPO to redirect the Start menu folder for the domain
users group to \\Serv01\Start

Change the permissions on the Start GPO to deny Apply Group Policy
permission to the Domain Administrators group

Which results do these actions produce? (Choose all that apply)

a. All users in the California OU, except members of the Domain

Administrators group, use the \\Serv01\Start Start menu
b. Users who use the \\Serv01\Start Start menu can not change the contents
of the Start menu
c. Each user who is not a member of the California OU has a separate Start
menu that the user can change.
d. Each member of the domain administrators group has a separate start
menu that the member can change
 Answer: A, B, C, D

46. You are the administrator of a Windows 2000 domain. You have created an
Organizational Unit (OU) named Sales. You have defined a logon script that
all members of the Sales OU will use. The login script is located at
\\PDC2\Docs\SalesScript.vbs You will use a Group Policy Object (GPO) to
assign the logon script to the users in the Sales OU. What should you do?
(Choose three)

a. Create a new GPO named Script and assign the Script GPO to the
domain. Configure the permissions on the Script GPO to grant Read
permissions to all users in the Sales OU.
b. Create a new GPO named Script and assign the Script GPO to the
Sales OU
c. Copy the SalesScript.vbs file to the folder that is shared as Netlogon
on the PDC emulator
d. For each user in the Sales OU, set the logon script in the user profile to
SalesScript.vbs
e. Copy the SalesScript.vbs to the appropriate folder in the Group Policy
template (GPT) of the Script GPO
f. Add SalesScript.vbs as a logon script to the Script GPO

Answer: B, C, F

47. You are the administrator of a single domain Windows 2000 network. There
are roughly 10,000 users on the network. Several users have reported to you
that documents are missing from the servers. You suspect that someone may
be deleting the documents. You would like to find out who is responsible. You
create a GPO for the domain and assign the appropriate permissions to the
GPO. What actions should you audit? (Choose two)

a. Process tracking
b. Object access
c. Delete subfolders and files
d. Directory Services access
e. Privileged use

Answer: B, C

48. You are the administrator of a single domain Windows 2000 network. Your
domain spans multiple subnets. You will be using DNS for hostname
resolution throughout the entire network. You are in the process of
configuring DNS.

You must accomplish the following goals:

Administrative effort for maintaining DNS zone files will be minimized

DNS zone transfer traffic will be minimized on the network

All zone updates will come only from authorized DNS servers

All zone transfer information will be secured as it crosses the network

 Unauthorized host computers will not have records created in the zone

You take the following actions:

In the Zone Properties dialog box, set the Allow Dynamic Updates option to
Yes

On the Name Servers tab of the Zone Properties dialog box, enter the names
and addresses of all DNS servers on the network

Create an Active Directory integrated zone

Which result or results do these actions produce? (Choose all that apply)

a. Administrative effort for maintaining DNS zone files is minimized

b. Unauthorized host computers do not have records created in the zone
c. All zone updates come only from authorized DNS servers
d. DNS zone transfer traffic is minimized on the network
e. All zone updates come only from authorized DNS servers
f. All zone transfer information is secured as it passes through the network

Answer: A, D

49. You are the head administrator of your company’s Windows 2000 network.
Your company has its main office in San Francisco and branch offices in Los
Angeles, Seattle, and New York. The local administrator at each branch office
must be able to control users and local resources. You must prevent local
administrators at each branch office from controlling resources in other
branch offices. You will create an Active Directory structure to accomplish this
goal. What should you do?

a. Create child OUs for each office. Delegate control of these OUs to
administrators at the main office
b. Create a top-level OU. Delegate control of this OU to administrators at
the main office
c. Add the local administrators to the Domain Admins group
d. Create child OUs for each office. Delegate control of each OU to the
local administrators at each office
e. Create users groups for each office. Grant the local administrators the
appropriate permissions to administer these user groups

Answer: D

50. You are the administrator of a single domain Windows 2000 network. You
have been assigned the task of creating a network security model for the
network. The network has several servers that are used to store very critical
information that only qualified personnel must be allowed to view. You will
need to configure security auditing on these servers to monitor access made
to specific folders and files. You will need to ensure that users cannot gain
access to these folders and files when the security log becomes too full. What
should you do?
 a. Create a Group Policy Object (GPO) that applies to the servers.
Configure the GPO to enable auditing for object access. Set up the
individual objects to be audited in Windows Explorer. Configure the
security event log so that it does not overwrite events. Then configure
the GPO to enable the Shut down system immediately if unable to log
security audits setting.
b. Create a Group Policy Object (GPO) that applies to the servers.
Configure the GPO to enable auditing for directory service access.
Setup the individual objects to be auditing in Windows Explorer.
Configure the security event log so that it does not overwrite events.
Then configure the GPO to enable the Shut down the system
immediately if unable to log security audits setting.
c. Create a Group Policy Object (GPO) that applies to the servers.
Configure the GPO to enable auditing for object access. Setup the
individual objects to be audited in Windows Explorer, and then
customize the Event Viewer logs to limit the size of the security log to
1,024KB.
d. Create a Group Policy Object (GPO) that applies to the servers.
Configure the GPO to enable auditing for directory service access.
Setup the individual objects to be audited in Windows Explorer, and
then customize the Event Viewer logs to limit the size of the security
log to 1,024KB. Configure the security event log so that it does not
overwrite events.

Answer: A

51. You are the administrator of a multiple-domain Windows 2000 network. The
network has seven domains in a domain tree. You add an eighth domain to
the domain tree. One of your domain controllers in the root domain suffers a
critical hardware failure and is now unavailable. You are now unable to add an
additional domain to the domain tree. What should you do?

a. Promote a Windows 2000 Server computer to be a replica domain

controller in the root domain
b. On one of the other domain controllers, seize the infrastructure master
role.
c. On one of the other domain controllers, seize the domain naming
master role.
d. In the Active Directory Sites and Services console, select a domain
controller from the root domain and force replication

Answer: C

52. You are the administrator of a single domain Windows 2000 network. You are
configuring a Windows 2000 DNS server on your company’s network. The
network is currently already configured to use a Windows NT 4.0 Server
computer as its DNS server. You will need to use dynamic updates on the
DNS database. Due to budget restrictions, you will not be allowed to upgrade
or remove the Windows NT Server 4.0 DNS server. You must ensure that all
DNS information is synchronized between the two DNS servers. What should
you do? (Choose three)

a. Create a standard secondary zone on the Windows 2000 DNS server

 b. Create a standard primary zone on the Windows 2000 DNS server and
import the existing zone file
c. Delete and re-create the primary zone on the Windows NT DNS server
d. Configure the primary zone on the Windows NT DNS server as the
master zone for the secondary zone on the Windows 2000 DNS server
e. Delete the existing zone and create a new secondary zone on the
Windows NT DNS server
f. Configure the secondary zone on the Windows NT DNS server to use
the Windows 2000 standard primary zone as its master zone

Answer: B, E, F

53. You will need to install Windows 2000 Professional onto 2,000 client
computers. You install and configure an RIS server to assist you in the
deployment process. All of the client computers meet the requirements for
RIS deployment. You boot one of the client computers to test its ability to
connect to the RIS server. You are unable to connect to the RIS server. You
use the pre-existing client computers to test the availability of network
resources and you encounter no problems connecting to resources. You need
to enable the client computers to connect to the RIS server. What should you
do? (Choose two)

a. The RIS server is not trusted for delegation

b. The RIS server has no client-side tools installed
c. The client computers are not configured to use DHCP
d. The RIS server is not authorized in Active Directory
e. The RIS server is not configured to respond to client computers’
requesting service

Answer: D, E

54. You are the administrator of a two domain Windows 2000 network. The
domains are named Sales.coolmusic.com and Coolmusic.com. Your network
has one DNS server. You configure the DNS server and create separate zones
for each domain. A few months later, you add a second DNS server to the
network. The second DNS server will also act as a domain controller. You
convert the Coolmusic.com to an Active Directory integrated zone and set the
zone to allow only secure updates to the zone database. Shortly afterwards,
you discover that unauthorized computers are registering themselves in the
Sales.Coolmusic.com domain. You check the zone ‘s properties and discover
that the zone is allow unsecured dynamic updates. You are unable to select
the option to secure dynamic updates. What should you do?

a. Reinstall Coolmusic.com as a standard primary zone

b. Reinstall Sales.Coolmusic.com as a standard secondary zone
c. Convert Sales.Coolmusic.com to an Active Directory integrated zone
d. Initiate a zone transfer between the Sales.Coolmusic.com and the
Coolmusic.com zone

Answer: C

55. You are the administrator of a single domain Windows 2000 network. You will
be deploying a new application named Stocks. The Stocks application came
 with a Microsoft Windows Installer Package. The Stocks application will be
deployed in two separate phases. During the first phase, only the members of
a security group named Stock Brokers will receive the Stocks application.
During the second phase, all members of the domain users group will receive
the Stocks application. You must accomplish the following goals:

During the first phase, the Stocks application will not be installed
automatically when users log on

During the first phase, users who are members of the Stock Brokers will be
able to install the Stocks application by using a Start menu shortcut

During the first phase, users who are not members of the Stock Brokers
group will not be able to install the Stocks application by using a Start menu
shortcut

The Stocks application will be installed automatically the first time any user in
the domain logs on after the second phase has been initiated

You take the following actions:

Create a new Group Policy Object (GPO) named Stocks App and link the
Stocks App GPO to the domain

Configure the Stocks App GPO to publish the Stocks application to users

For the first phase, configure the Stocks App GPO permissions. Remove the
apply Group Policy permission for the Authenticated Users group. Grant the
Apply Group Policy permission for the Stock Brokers group

For the second phase, configure the Stock App GPO permissions. Grant the
Apply Group Policy permission for the Authenticated Users group. Remove the
Apply Group Policy permission for the Stock Brokers group.

Which results do these actions produce? (Choose all that apply)

a. During the first phase, users who are members of the Stock Brokers group
can install the Stocks application by using a Start menu shortcut
b. During the first phase, the Stocks application is not installed automatically
when users log on
c. The Stocks application is installed automatically the first time any user in
the domain logs on after phase 2 has begun
d. During the first phase, users who are not members of the Stock Brokers
group can not install the Finance application by using a start menu
shortcut

Answer: B, D

56. You are the administrator of a single domain Windows 2000 network. The
network consists of one RIS server, one Active Directory server, and one DNS
server. You will be using the RIS server to deploy Windows 2000 Professional
to several workstations in the domain. You will test the RIS server by
attempting to install Windows 2000 Professional onto the computers of two
 users, Joe and Mike. You are unable to connect to the RIS server from either
Joe or Mike’s computer. Two other users, Robert and Steven, used the
Windows 2000 Professional CD-Rom to install Windows 2000 and were
successful. All four users are located on the same network segment. What
should you do to allow Joe and Mike to connect to the RIS server?

a. Install a DHCP server and authorize it in Active Directory

b. Install a WINS server and configure the DNS server to use it for name
resolution
c. Create computer accounts in Active Directory for Joe and Mike, and
specify the name of the RIS server on the Remote Install tab of the
Computer Accounts property sheet.
d. Integrate the DNS Server’s zones into Active Directory

Answer: A

57. You are the administrator of a Windows 2000 network. You have been
auditing all security events on the network since it was created. Recently, a
user named Robert Stevens came to you and informed you that he is no
longer able to change his password. You have not made any recent changes
to account policies that would cause this to happen. You suspect that an
unauthorized individual has been modifying the properties of user accounts in
Active Directory. Due to the lengthy period that you have been auditing
security events, there are thousands of entries in the event logs. You will
need to isolate and review the events pertaining to this particular security
event as quickly as possible. What should you do?

a. In the directory service log, create a filter for events matching the
following criteria: Event Source – NTDS Security, Category – Security.
Search the remaining items for events referencing Robert Stevens
account.
b. In the security log, create a filter for events matching the following
criteria: Event Source – Security, Category – Account Management,
User – Rstevens
c. In the security log, create a filter for events matching the following
criteria: Event Source – Security, Category – Account Management.
Search the remaining items for events referencing Robert Stevens
account.
d. In the directory service log, create a filter for events matching the
following criteria: Event Source – NTDS Security, Category – Global
Catalog, User – Rstevens

Answer: C

58. You are the administrator of a financial institution’s Windows 2000 network. It
has come to your attention that hackers are using brute force attacks to
attempt to gain access to your network. You must ensure that all of the user
accounts in the domain will be well protected. You will need to strengthen
password security to protect against these brute force attacks. What should
you do? (Choose two)

a. Enable the Store Password Using Reversible Encryption For All Users In
The Domain setting
 b. Enable the Users Must Log On To Change Password setting
c. Increase minimum password length
d. Decrease Minimum password length
e. Enable the Password Must Meet Complexity Requirements setting

Answer: C, E

59. You are the enterprise administrator of a single domain Windows 2000
network. Two junior administrators named Lisa and Joe makes change to
Active Directory at approximately the same time on two different domain
controllers named PDC1 and PDC2. Lisa deleted an empty Organizational Unit
(OU) named Department1 from PDC1. PDC 1 replicates to PDC2. Before the
changes that Lisa made can be replicated to PDC2, Joe moves several users
from Department2 to Department1 on PDC2. Several minutes later, Joe
discovers that the Department1 OU has been deleted from active directory.
You will need to reinstate the configuration that Joe attempted to accomplish.
What should you do? (Choose all that apply)

a. Perform a non-authoritative restore of the Department1 OU at PDC1

b. Perform an authoritative restore of the five users at PDC2
c. Perform an authoritative restore of the Department1 OU at PDC1
d. At PDC2, create a new Department1 OU. Move the five users from the
LostAndFound container to the new Department1 OU
e. At PDC1, create a new Department1 OU. Move the five users from the
Department2 OU to the new Department1 OU
f. At PDC2, move the Department1 OU from the LostAndFound container
to its original location

Answer: C, D

60. You are the administrator of a single domain Windows 2000 network. You
have created an Organizational Unit (OU) named Junior Admins. All users in
the Junior Admins OU use an application named Repair. The Repair
application is deployed using a Group Policy Object (GPO) named Repair App
on the Junior Admins OU. The Repair App GPO is configured to publish the
Repair application to users by using a Microsoft Windows Installer Package for
the application. Previously, only the users in the Junior Admins OU were
allowed to start the Repair application. You would now like to enable all of the
users in the domain to be able to install the Repair application by using a
Start menu shortcut. What should you do?

a. Create a new GPO named Repair Everyone. Assign the Repair

Everyone GPO to the domain. Configure the Repair Everyone GPO to
assign the Repair application to computers.
b. Remove the Repair App GPO link to the Junior Admins OU. Assign the
Repair App GPO to the domain. Change the configuration of the Repair
App GPO to assign the Repair application to users.
c. Configure the Repair App GPO to assign the Repair application to
computers. Configure the Repair Windows Installer Package to
upgrade the installed Repair application. Set the Windows Installer
policy to disable rollback.
 d. Configure the Repair App GPO to assign the Repair application to
users. Configure the permissions on the Repair App GPO to assign the
Apply Group Policy permission to the Authenticated Users group

Answer: B

61. You are the administrator of a single domain Windows 2000 network. You
have configured the organizational units (OU) as follows: there is a single top-
level organizational unit named Parent and five child OU’s. The child OU’s are
named after five departments in your organization; Legal, Administrative,
Accounting, Editorial, and Helpdesk. All of the accounts for the users and
computers in each department are defined in their respective OU for the
department. All of the users in the Legal, Administrative, Accounting and
Editorial OU’s are required to have identical desktop settings. The users and
computers contained within the Helpdesk OU are not required to have such
restrictive settings enforced.

You will need to accomplish the following goals:

All the assigned Group Policy settings as defined by the administrator in the
Parent OU will be applied to all users and computers in the Legal,
Administrative, Accounting and Editorial OU’s.

Group Policy from the Parent OU will not be applied to the Helpdesk OU

Administrators in the Helpdesk OU will be able to change the Group Policy

settings

When new child OU’s are added to the domain, the Group Policy will be
applied to them automatically.

Users will not be able to change their Group Policy settings.

You take the following actions:

Create the Group Policy object, configure the appropriate settings, and link
the GPO to the Parent OU.

In the Group Policy Options dialog box for the Parent OU, select the No
Override checkbox.

In the Group Policy dialog box for the Helpdesk OU, select the block policy
inheritance check box.

Assign the Authenticated Users group Full Control Permission to the GPO

Which results do these actions produce? (Choose all that apply)

a. Group Policy from the Parent OU is not applied to the Helpdesk OU

b. All the assigned policy settings as defined by the administrator in the
Parent OU are applied to all users and computers in the Legal,
Administrative, Accounting and Editorial OU’s
c. Administrators in the Helpdesk OU can change the Group Policy settings
 d. Users can not change their Group Policy settings
e. When new child OU’s are added to the domain, the Group Policy is applied
to them automatically

Answer: B, C, E

62. Your Windows 2000 domain contains two domain controllers named
DomainC1 and DomainC2. The server DomainC1 contains the Active Directory
database file. DomainC1 is running low on disk space and you will need to
move the Active Directory database file from it’s current volume to another
volume on DomainC1. What should you do?

a. Use Windows Backup to create a backup of the system state data of

DomainC1. Restart DomainC2 in Directory Services Restore mode.
Restore the system state data to the empty volume
b. Use the Logical Disk Manager console to mount the empty volume in
the folder that contains the Active Directory database file
c. Stop the Netlogon service on DomainC1. Use Windows Explorer to
move Ntds.dit to the empty volume. Start the NetLogon service again.
Force replication from DomainC2
d. Restart DomainC1 in Directory Services Restore mode. Use the
Ntdsutil utility to move the database file to the empty volume

Answer: D

63. Your Windows 2000 domain contains three domain controllers named
Server1, Server2, and Server3. Server1 was the first domain controller
installed and is thus the oldest. Server1 no longer meets the hardware
requirements that your network requires and must be replaced. Server1 will
be replaced with a newer server computer named Server4. Server4 will act as
a domain controller. Server1 will no longer act as a domain controller. What
should you do?

a. Install Server4 as a stand-alone server in a workgroup named WG.

Disconnect Server1 from the network. Rename Server4 to Server1. On
Server2, force replication of Active Directory to all of its replication
partners
b. Install Server4 as a member server in the domain. On Server4, use
the Active Directory Installation wizard to install Active Directory on
Server4. On Server1 use the Active Directory Installation wizard to
remove Active Directory from Server1
c. Install Server4 as a member server in the domain. On Server1 use the
Ntdsutil utility to copy the Active Directory files to Server4. Use the
Active Directory Installation wizard to remove Active Directory from
Server1
d. Install Server4 as a stand-alone server in a workgroup named WG.
Restore a System State data backup of Server1 on Server4. On
Server1, Use the Active Directory Installation wizard to remove Active
Directory from Server1

Answer: B
64. You are the administrator of the JonesBooks.com domain. The
JonesBooks.com domain is hosted on a server named ADServ1 as an
integrated zone and on ADServ3 as a secondary zone. There are two network
segments in the JonesBooks.com domain, Segment 1 and Segment 2. All of
the client computers located on Segment 2 are running Windows 2000
Professional. All of the client computers located on Segment 1 are running
Windows NT Workstation 3.5. All of the client computers on both segments
have been configured to use DHCP. The computers on Segment 1 have
shared resources that users on Segment 2 regularly access. You attempt to
connect to a shared resource on a computer located in Segment 1 from a
computer located in Segment 2 but are unable to resolve the hostname of the
client computer in Segment 1. What should you do?

a. Configure the JonesBooks.com domain to allow zone transfers to all

the computers on the network
b. On ADServ1 for the JonesBooks.com zone, change the value of Allow
Dynamic Updates from the default settings to Yes
c. On ADServ3, enable updates for DNS clients that do not support
dynamic
updates
d. On the DHCP server, set the DNS Domain Name scope option to
JonesBooks.com

Answer: C

65. You are implementing DHCP on your corporate network. The printers on the
network will be using static addresses. You create an exclusion range for all of
the printers on the network. You also create address reservations for each
printer. However, none of the printers are able to receive IP address
information from the DHCP server. What should you do?

a. Remove the exclusion range for the printers

b. Disable address conflict detection
c. Remove address reservations for the printers
d. Enable address conflict detection

Answer: C

66. You are the administrator of a Windows 2000 network. The members of your
sales group are all using portable computers. All of these portable computers
are running Windows 2000 Professional. When these portable computers are
on the local network, they receive their IP addressing information from a
DHCP server. You would like to change the default DHCP lease time to 3
hours for all of these portable computers. What should you do? (Choose
three)

a. Set the DHCP vendor class ID setting on the portable computers to

Windows 2000
b. Manually configure a DHCP lease of 3 hours on the portable computers
c. Set the DHCP class ID setting on the portable computers to Windows
2000 portable computer
d. Set the lease duration on the DHCP server to null
 e. Create a superscope on the DHCP server with two ranges—one for the
portable computers, and one for the non-portable computers
f. Define a new user class on the DHCP server that has the ID specified
on all portable computers
g. Configure a lease time of 3 hours for the portable computer class on
the DHCP server

Answer: C, F, G

67. You are in the process of configuring a single domain Windows 2000 network.
The network consists of 2 Windows 2000 Server computers and 68 Windows
2000 Professional computers. The two server computers are named Server1
and Server2. Server1 is connected to the Internet with DSL. Server1 has
been configured to use the IP address 170.30.23.1. Automatic private IP
addressing (APIPA) is in use throughout the network. Server2 hosts a Web
site which Internet users must access via the Network Address Translation
protocol. Server2 has been configured to use the IP address 170.30.23.2.
Which of the following will be the best configuration for the network?

a. Implement DHCP first, then implement a Proxy server; the current

configuration cannot be adjusted to provide external access to the
Web site on Server2
b. Using Network Address Translation, configure a special port that maps
the Web server port to IP address 170.30.23.1
c. Configure Network Address Translation to associate the IP address of
Server1 with the NetBIOS name of Server2
d. Configure Server1 so that it has a static route on the private network
with 170.30.23.2 as the destination address

Answer: B

68. You are the administrator of a single domain Windows 2000 network. The
network consists of 3 sites, San Francisco, Los Angeles, and Seattle. Each site
contains one domain controller and one DNS server. The names of each
server are as follows:

San Francisco –
DNS Server: Server A
Domain Controller: Server B

Los Angeles –
DNS Server: Server C
Domain Controller: Server D

Seattle –
DNS Server: Server E
Domain Controller: Server F

A site link exists between San Francisco – Los Angeles and San Francisco –
Seattle. Server A is configured with the primary zone for the domain. Server
C and Server E are configured with the secondary zones for the domain. You
discover and error that is preventing client computers in Seattle from
accessing shared resources. You make the necessary corrections on Server A.
 These changes will need to be propagated to Server E in Seattle as quickly as
possible. What should you do?

a. On Server A, stop and start the DNS Server service.

b. On Server E, select Allow Zone Transfers for the domain
c. On Server E, perform the Transfer from Master action for the domain
d. On the Action menu for the domain, click Update Server Data Files

Answer: C

69. You are the network administrator for WalletWare Inc. You are configuring a
Windows 2000 network that will consist of two sites, New York and Boston.
Each site will contain one DNS Server and one domain controller. The names
of each server are as follows:

New York –
DNS Server: Server A
Domain Controller: Server B

Boston –
DNS Server: Server C
Domain Controller: Server D

Each server has a standard primary zone named WalletWare.com. The

domain is running in native mode. You attempt to contact Server D from
Server B by its name but are unable to do so. You are able to ping both
Server B and Server D from any computer in either site. You will need to be
able to resolves the names of servers in either site. You will also need this
information to be updated regularly. What should you do?

a. Reinstall Server D as a member server in the same domain as Server B.

Create a new site, and promote Server D to a domain controller within the
new site
b. Configure Server A and Server C to allow zone transfers to any server.
Then configure the DNS notification options to notify each server of
updates
c. Re-create the WalletWare.com zone on Server C as a secondary zone.
Configure Server C to replicate DNS data from Server A
d. Configure Server A and Server C to allow dynamic updates in DNS

Answer: C

70. You are the administrator of a single domain Windows 2000 network. The
network is divided into three separate sites. There are four organizational
units (OU) and 16,000 users in the domain. There are six domain controllers
being used throughout the domain. You have been assigned the task of
creating and implementing newer, more stringent security settings for all
domain controllers in the domain. You configure one of the domain controllers
to meet the new security requirements. You will now need to duplicate these
security settings out to the remaining five domain controllers. You will need to
do this as quickly as possible and with the least amount of administrative
effort. What should you do?
 a. Open Security Configuration and Analysis on the secured domain
controller. Export the secured domain controller’s security
configuration information to a template file. Copy the template file to
the Sysvol folder on each domain controller.
b. Create a Group Policy Object (GPO) for the Domain Controllers OU.
Configure the GPO settings to match the settings of the secured
domain controller.
c. Create a Group Policy Object (GPO) for the domain. Assign Domain
Users Read and Apply Group Policy permissions. Configure the GPO
settings to match the settings of the secured domain controller
d. Open Security Configuration and Analysis on the secured domain
controller. Export the secured domain controller’s security
configuration information to a template file. Open Security
Configuration and Analysis on the other domain controllers, import the
template file, and then select Analyze Computer Now.

Answer: B

71. You are the administrator of a single domain Windows 2000 network. Your
network contains three organizational units (OU), Enterprise, Computers, and
Users. Computers and Users are child OU’s of Enterprise. A junior
administrator named Ronald has been granted the Create User Objects
permission for the Enterprise OU. Ronald attempts to create users objects in
the Users OU but is unable to. However, Ronald is able to create users objects
in the Computers OU. What should you do to enable Ronald to create users
objects in the Users OU?

a. Clear the Allow inheritable permissions from parent to propagate to

this object check box in the Enterprise OU properties
b. Add Ronald to the Server Operators group
c. Move the Users OU to the same level as the Enterprise OU
d. Select the Allow Inheritable permissions from parent to propagate to
this object check box in the Users OU properties

Answer: D

72. You are the network administrator for WalletWare Inc. The network is a single
Windows 2000 domain named WalletWare.local. The network has no internet
connections configured. You will be installing a new domain named
WalletWare1.local. During the installation process, you receive an error
message stating “The domain name specified is already in use on the
network”. What is the cause of this error?

a. The default-generated NetBIOS domain name is already in use.

b. NetBIOS domain name cannot be named iteratively
c. DNS domain names cannot be named iteratively
d. The default-generated DNS domain name is already in use.

Answer: A

73. You are the administrator of a single domain Windows 2000 network. You
have delegated administrative control of Active Directory to several junior
administrators. You will need to track the changes made to the domain by the
 junior administrators. You will need to specifically monitor user and computer
account creation and deletion. What should you do?

a. Modify the default Group Policy Object (GPO) on the Domain

Controllers organizational unit (OU). Configure the local audit policy to
audit account logon events and object access for success and failure.
Monitor the security logs for activity on the domain controllers.
b. Modify the default Group Policy Object (GPO) for the domain.
Configure the local audit policy to audit account logon events and
object access for success and failure. Monitor the security logs for
activity on the domain controllers.
c. Modify the default Group Policy Object (GPO) for the domain.
Configure the local audit policy to audit account management and
directory services access for success and failure. Monitor the security
logs for activity on the domain controllers.
d. Modify the default Group Policy Object (GPO) on the Domain
Controllers organizational unit (OU). Configure the local audit policy to
audit account management and directory services access for success
and failure. Monitor the security logs for activity on the domain
controllers.

Answer: C

74. You are the administrator of a Windows 2000 network. The network consists
of three domains named test.local, north.test.local, and south.test.local. Each
domain has been configured with it’s own DNS server. You have created two
delegated subdomains for the child domains. Shortly thereafter, you discover
that reverse lookups for hosts in the child domains are not working correctly.
You discover that the PTR records are not being registered or updated in the
subdomains. What should you do?

a. Configure secondary zones for the reverse lookup zones on the

subdomains DNS servers
b. Configure primary zones for the reverse lookup zones on the
subdomains DNS servers
c. Create new undelegated subdomains in DNS. Add PTR records for the
hosts in the child domains
d. Create new undelegated subdomains in DNS. Add the addresses for
the name servers in the delegated subdomains to these new domains.

Answer: B

75. You are the administrator of a Windows 2000 network that consists of two
domains running in native mode. There are six Windows 2000 Server
computers and 800 Windows 2000 Professional computers. Two of the servers
in each domain function as domain controllers. In the first domain, you are
required to take one of the domain controllers offline for upgrades. Shortly
after, users begin receiving error messages stating that the domain controller
cannot be located. None of the users are able to logon to the domain despite
the fact that the other domain controller is still operational. What should you
do?

a. Configure at least one other domain controller as a PDC emulator

 b. Configure at least one other domain controller as a WINS server
c. Configure at least one other domain controller as a global catalog
server
d. Create a primary DNS zone
e. Create a secondary DNS zone

Answer: C

76. You are the administrator of a single domain Windows 2000 network. The
network contains one domain controller. There are three Windows 2000
Server computers on the network configured as member servers. You would
like to convert one of the member servers to a domain controller. What
should you do?

a. Run DCPromo.exe to promote the member server to a domain

controller
b. Reinstall Windows 2000 on the member server and specify that you
are installing a domain controller
c. In the Network Identification dialog box, enter the domain name.
d. In the Network Identification dialog box, change the computer name to
reflect the DNS domain name of the Windows 2000 domain

Answer: A

77. You are designing a network infrastructure for your company. You will
primarily be using Windows 2000 Server computers but will also be using
some older Windows NT Server 4.0 computers that function as domain
controllers. You would like to allow for backwards compatibility with the
Windows NT Server 4.0 domain controllers. What mode should the domain be
running in?

a. Native
b. Mixed
c. RIS
d. FIIP

Answer: B

78. You are the administrator of a Windows 2000 network. For security reasons,
you will need to rename the Administrator account on all computers on the
network. You will need to accomplish this as quickly as possible and with the
least amount of administrative effort. What should you do? (Choose two)

a. Use Group Policy to implement a user logon script.

b. Send a network message to all users to restart their computers
c. Use Group Policy to force all users to log off within 30 minutes.
d. Use Group Policy to rename the Administrator account at the Default
Domain Group policy level

Answer: A, C

79. You have been assigned the task of administrating a Windows 2000 Server
computer that acts as a DNS server. For the past month, the DNS server has
 been using over 80% of its CPU. You would like to monitor the number of
DNS queries that are handled by the DNS server. What should you do?

a. Use the Event Viewer and monitor the DNS server log
b. Use the monitoring function of the server properties in the DNS
console
c. Run the Nslookup command-line utility
d. Use the DNS counters in System Monitor
e. Check the contents of the Netlogondns file

Answer: D

80. You are the administrator of a single domain Windows 2000 network. There
are over 2,000 users in the domain. You will be delegating administration of
the domain to three newly hired junior administrators named Robert, Steven,
and Joe. You delegate the authority to create and delete computer accounts
to Robert. You delegate the authority to change user account information to
Steven. You delegate the ability to add client computers to the domain to Joe.
You want to track the changes made to the directory by these three users.
What should you do?

a. Create a Group Policy object (GPO) for the domain. Assign Read and
Apply Group Policy permissions to only Robert, Steven, and Joe.
Configure the GPO to audit directory services access and audit object
access
b. Create a Group Policy object (GPO) for the domain controllers. Assign
Read and Apply Group Policy permissions to only Robert, Steven, and
Joe. Configure the GPO to audit directory services access and account
management
c. Create a Group Policy object (GPO) for the domain. Assign Read and
Apply Group Policy permissions to only Robert, Steven, and Joe.
Configure the GPO to audit object access and process tracking.
d. Create a Group Policy object (GPO) for the domain controllers. Assign
Read and Apply Group Policy permissions to only Robert, Steven, and
Joe. Configure the GPO to audit directory services access and audit
object access

Answer: B

81. You are the administrator of a Windows 2000 corporate network. Your
company will be opening a new office in Seattle. The Seattle office has been
assigned the IP range of 10.4.1.0/24. You would like to prepare the network
in advance to expedite the installation process. You must ensure that when a
new domain controller is installed into the Seattle office it will automatically
join the appropriate site. What should you do?

a. Create a new subnet for the Seattle network. Create a new site and
associate the new subnet with the new site.
b. In the Domain Controller OU, create a computer account that has the
name of the new domain controller
c. Use RIS to prestage the new domain controller
d. Copy the installation source files to the new domain controller. Create
an unattended install file with an automated DCPromo.bat file
 e. Delete the Default-First-Site-Name object in Active Directory Sites and
Services

Answer: A

82. You are the administrator of a Windows 2000 network that consists of three
domains named walletware.com, us.walletware.com, and eur.walletware.com.
You have recently hired a junior administrator named Frank to assist in the
administration of the eur.walletware.com domain. You want Frank to be able
to manage user accounts, back up servers, and configure services on all of
the workstations and servers that are located in the eur.walletware.com
domain. Frank must not be able to make any changes to any accounts or
computers outside of the eur.walletware.com domain. What should you do?

a. Move Frank’s user account to the Domain Controllers organizational

unit (OU) in eur.walletware.com
b. Add Frank’s user account to the Server operators and Account
operators group in eur.walletware.com
c. Add Frank to the Enterprise Admins group and delegate control only at
the walletware.com domain
d. Add Frank’s user account to the Domain Admins group in
eur.walletware.com

Answer: B

83. You are creating a Windows 2000 network for a company. You have
successfully installed and configured two Windows 2000 Server computers.
You will be installing Windows 2000 Professional onto 200 computers. You
have purchased exactly 200 licenses for Windows 2000 Professional and
cannot exceed that amount. You will need to restrict the deployment of
Windows 2000 Professional to ensure that it is only installed on the 200
computers that need it. You will need to minimize user intervention during the
deployment and centralize the installation files. What should you do?

a. Install RIS on one of the servers. Create user accounts for all licensed
users. Accept connections from only known computers. Perform an
unattended installation for all connecting computers
b. Install RIS on one of the servers. Create computer accounts on the
domain for only the licensed computers. Configure the RIS server to
accept connections from only known computers. Allow users to
perform unattended installations from the shared folder on the
licensed computers
c. Create a shared folder on one of the servers. Restrict access to the
share so that only 250 users can connect. Copy the source files from
the Windows 2000 Professional CD-ROM to the shared folder. Allow
users to perform unattended installations from the shared folder on
the licensed computers
d. Create a shared folder on one of the servers. Copy the source files
from the Windows 2000 Professional CD-ROM to the shared folder.
Allow users to perform an unattended installation from the shared
folder on the licensed computers

Answer: B
84. You are the administrator of a Windows 2000 network running in native
mode. You have created an Organizational Unit (OU) named Merchandising.
You would like to delegate control of the group policy settings for the
Merchandising OU to a global group named Junior Admins. Members of the
Junior Admins group need to be able to create and edit new Group Policy
Objects and assign these Group Policy Objects to the Merchandising OU. You
must prevent the members of the Junior Admins group from creating and
assigning Group Policy Objects to any other organizational units. What should
you do? (Choose two)

a. Create a new security group named Group Policy Administrator in the

Merchandising OU. Add the Junior Admins group to this new group
b. Add the Junior Admins group to the Group Policy Creator Owners
security group
c. On the existing GPO, assign read and write permission to the Junior
Admins group
d. On the Merchandising OU, delegate the predefined task name manager
group policy links to the Junior Admins group
e. On all the OUs in the domain except the Merchandising OU, deny write
permissions to the Junior Admins group
f. On the Merchandising OU, assign the Apply Group Policy permission to
the Junior Admins group

Answer: C, D

85. You are the administrator of a small Windows 2000 network. The network has
a single Windows 2000 Server computer configured as a domain controller.
The domain controller has been configured with an Organizational Unit (OU)
named Legal. You have accidentally deleted the Legal OU and would like to
restore it. What should you do?

a. Copy the Legal OU from another domain controller in the domain to

the first domain controller
b. In Active Directory Sites and Service Console, force replication from
another domain controller in the domain
c. Perform an authoritative restore of the Legal OU from the last backup
d. Move the tombstoned Legal OU from the LostAndFound containers to
the original location

Answer: C

86. You are the administrator of a single domain Windows 2000 network. You
have configured two top level Organizational Units (OU) to define all
resources in the domain. You have named the two OU’s North and South.
Jody is the administrator of the North OU. Barry is the administrator of the
South OU. You will be moving a laser printer named Laser4 from the North
OU to the South OU. You move the printer and Barry is able to control it as a
resource. However, you find that Jody is still able to remove print jobs from
the printer. You would like to prevent Barry from being able to modify the
printer in any way. What should you do?
 a. Configure the security properties for Laser4 to disallow inheritable
permissions to propagate
b. Use the Delegation of Control wizard on the South OU to assign Laser4
permission to Jody
c. Configure the printer permission on the North OU to apply to only the
North OU
d. Remove the permissions for Barry from Laser4

Answer: D

87. You will need to backup the Active Directory database files from two domain
controllers once a week. How can this be done?

a. Schedule a backup job and select the Schema.ini file in the System32
folder and all files in the NTDS folder to be backed up once a week
b. Schedule a task that will copy the Ntds.dit file and the Sysvol folder
once a week
c. Schedule a backup job that will back up the System State data once a
week
d. Schedule a task that will run Ntdsutil once a week

Answer: C

88. You are the administrator of a single domain Windows 2000 network that is
connected to the Internet. You must prevent users from using the nslookup
command to view the computers on your network. However, you would like to
retain your ability to use the nslookup command for diagnostic purposes. You
must also ensure that your DNS server is able to respond to legitimate name
resolution requests from the Internet. What should you do?

a. In the zone properties set the permission on the zone to allow only the
administrators group to access the zone
b. In the DNS server properties, select the Disable Recursion advanced
option
c. In the zone properties set the option to allow zone transfers only to
specified IP addresses
d. In the DNS server properties restrict the interfaces on which DNS will
respond to request

Answer: C

89. You are the administrator of a multi-location Windows 2000 domain. There
are five locations in the domain that are all connected by T1 leased lines.
Each location has been configured to use a Windows 2000 Server that will act
as a domain controller. You would like to control the bandwidth usage and
replication schedule of directory information to each domain controller in each
location. What should you do? (Choose two)

a. Create server objects for each domain controller in every site

b. Copy all server objects from Default-First-Site-Name to each site
c. Create server objects for each domain controller in its own site
d. Create a site for each location
 e. Move each server object from Default-First-Site-Name to the
appropriate site
f. Create a site that spans all the locations

Answer: D, E

90. You are the administrator of a single domain Windows 2000 network. You
have created an Organizational Unit (OU) named Technicians. The members
of the Technicians OU use portable computers with Windows 2000
Professional installed. These computers are also members of the Technicians
OU. Members of the Technicians OU store files on a Windows 2000 Server
named TechData1. The files are stored in a share named
\\TechData1\TechFiles.

You must accomplish the following goals:

Users in the Technicians OU will be able to access the files in the

\\Techdata\Techfiles share while using their portable computers and not
connected to the network

The total disk space used on the portable computers to automatically store
files from the \\TechData1\TechFiles share and other server locations will not
exceed 5 percent of the hard disk space

What should you do? (Choose all that apply)

a. Create a new Group Policy Object (GPO) named Exfolder. Assign the
Exfolder GPO to the Technicians OU. Configure the Exfolder GPO to
exclude the \\TechData\Techfiles folder from roaming profiles
b. Configure the TechFiles share on the TechData server to cache documents
automatically
c. Create a new Group Policy Object (GPO) named Maxsize. Assign the
Maxsize GPO to the Technicians OU. Configure the Maxsize GPO to limit
the size of each user profile to 5 percent of the hard disk space
d. Create a new Group Policy Object (GPO) named Maxdisk. Assign the
Maxdisk GPO to the Technicians OU. Configure the Maxdisk GPO to limit
the automatically cached offline files to 5 percent of the hard disk space

Answer: B, D

91. You will be installing Windows 2000 Professional onto 500 computers in your
domain. Your company contains 20 different departments, each of which will
require their own proprietary installation of Windows 2000 Professional with
custom third-party applications. You would like to accomplish the installation
of Windows 2000 Professional onto all 500 computers using the least amount
of administrative effort. What should you do?

a. Install and configure an RIS server on your network. Create different

installation script files for each department. Deploy the computers by
using RIS
b. Install and configure an RIS server on your network. Use RIPRep.exe
to create multiple images for each department. Connect the client
computers to the RIS server and deploy the custom images.
 c. Create a shared folder on one of the servers. Copy the source files
from the Windows 2000 Professional CD-Rom to the shared folder.
Perform attended installations from the shared folder, and then select
only the components you need for each department
d. Create a shared folder on one of the servers. Copy the source files
from the Windows 2000 Professional CD-Rom to the shared folder.
Perform unattended installations from the shared folder by using script
files, and then install the third-party applications

Answer: B

92. You will need to implement a custom security template named

SecureTemp.inf on your domain. This template will need to be used on seven
domain controllers within your domain. What should you do? (Choose two)

a. Configure the file replication service to replicate the template file to all
the domain controllers
b. Create a Group Policy Object (GPO) on the Domain Controllers
organizational unit (OU)
c. Import the SecureTemp.inf file
d. Create a new security database
e. Rename SecureTemp.inf to NTConfig.pol
f. Copy the SecureTemp.inf file to the Sysvol shared folder on one
domain controller

Answer: B, C

93. You are the administrator of a single domain Windows 2000 network. You edit
the default domain controller’s policy to require passwords to be at least nine
characters long. However, you find that users are able to make passwords of
any length that they want. What should you do?

a. Configure each client computer to have a local Group Policy that

requires passwords to be at least nine characters long
b. Edit the Default Domain Group Policy to require password to be at
least nine characters long
c. Edit the Default Domain Controllers Group Policy to force passwords to
meet complexity requirements
d. Initiate replication to make sure the Group Policy containers and the
Group Policy template (GPT) are replicated

Answer: B

94. You will need to configure three RIS servers to deploy Windows 2000
Professional to 600 client computers. You will need to ensure that none of the
RIS servers become overworked during the deployment process. What should
you do to ensure this?

a. Create computer accounts for all the computers. Complete the

Managed By properties for each account
b. Create one OU for each segment. Add user accounts for all the users
to the appropriate OUs. Specify the appropriate RIS server in the Log
On To property for each user’s account
 c. Create pre-staged computer accounts for all the computers. Specify
which RIS server will control each computer
d. Create one site for each segment. Move two RIS servers to each site

Answer: C

95. You are the enterprise administrator of a Windows 2000 domain named
test.local. The domain contains three domain controllers named DCA, DCB,
and DCC. DCA does not hold any operations master roles. You backed up the
System state data of DCA two weeks ago. Without warning, the DCA domain
controller's hard disk fails. You decide to replace DCA with a new Windows
2000 Server computer. What should you do?

a. Add the server to the domain. Do an authoritative restore of the

original backup of the original DCA System State data that you made
two weeks ago
b. Use the Active Directory installation wizard to make the new computer
a replica in the domain
c. Use the NTDSUTIL utility to copy the active Directory database from
DCB to the new DCA
d. Add the server to the domain. Use Windows Backup to create a backup
of the DCB System state data, and restore this backup on the new
DCA

Answer: B

96. You are the administrator of a Windows 2000 network. Your network has two
native-mode domains consisting of six separate sites. Each site has one or
more domain controllers. Users report that at times of high network usage,
authentication and directory searches are extremely slow. You want to
improve network performance. What should you do?

a. Install a DNS server in each site and configure it to use Active

Directory integration
b. Designate a domain controller in only one site as a global catalog
server (GC).
c. Move all domain controllers into one site
d. Designate a domain controller in each site as a global catalog server
(GC)
e. Promote more Windows 2000 Server computers in each site to be
domain controllers

Answer: D

97. When you run DCPromo.exe to install a new domain, you receive an error
message stating that the existing domain cannot be contacted and that
installation of the new child domain will not proceed. What should you do to
correct this problem?

a. Install WINS on the new domain controller

b. Create an Active Directory Integrated Zone for the child domain on the
new domain controller
 c. Configure the new domain controller with the address of an existing
WINS server
d. Configure the new domain controller with the address of an
authoritative DNS server for the existing domainAdd SRV (service)
records for the domain naming master to a Hosts file on the new
domain controller

Answer: D

98. You are the administrator of a Windows 2000 network. You have created an
organizational unit (OU) named IT Staff. A Group Policy (GPO) name Disable
Regedit is assigned to the IT Staff OU. The only policy setting defined in the
Disable Regedit GPO is the policy setting that disables the use of registry
editing tools. You would like to remove this restriction from the IT Staff OU.
What should you do?

a. On the computers used by user in the IT Staff OU, edit the registry to
allow the use of registry editing tools
b. On the computers used by user in the IT Staff OU, configure the local
GPO to allow the use of registry editing tools. On the computers used
by users in the IT Staff OU, delete the registry POL file from
systemroot\System32GroupPolicy folder
c. Assign a new GRP in the IT Staff OU that enables one of the registry
editing tools
d. Remove the Disable Regedit GPO from the IT Staff OU

Answer: D

99. You are the administrator of a single domain Windows 2000 network. The
network is located in three separate locations, North America, South America,
and Africa. North America is the primary location of your network. All three
network locations are connected by leased T1 lines. To minimize logon
authentication traffic across the slow links, you create a site for each office
and configure the site links between the sites. Users in South America and
Africa report that it takes a long time to log on to the domain. You begin to
monitor the network only to discover that authentication traffic from the
South American and African locations are being sent to the North American
location. What should you do to correct this problem?

a. Schedule replication to occur less frequently between the sites

b. Create a subnet for each physical location, associate the subnets with
the North America site, and move server objects to the North America
site
c. Create a subnet for each physical location, associate each subnet with
its respective site, and move each server object to its respective site
d. Schedule replication to occur more frequently between the sites

Answer: C

100. You are the administrator of a Windows 2000 network consisting of

two domains. The domains are named north.books.local and
west.walletware.com. The north.books.local domain is located in California.
The west.walletware.com domain is located in Australia. Most of the resources
that both domains use are located in the north.books.local domain. Members
of the west.walletware.com domain complain that it is taking an excessive
amount of time to access resources on the north.books.local domain. You
examine the network utilization between the two domains and find that it is at
seven percent. What should you do?

a. Create an explicit trust between north.books.local and

west.walletware.com
b. Schedule replication to occur less frequently between the sites
c. Create a subnet for each physical location, associate each subnet with
its respective site, and move each server object to its respective site
d. Schedule replication to occur more frequently between the sites

Answer: A