1. The Windows 2000 domain that you administer
includes five domain controllers. You are in the process
of planning a backup strategy for one of the domain controllers,
DC5. You use the Backup wizard to schedule a normal backup
of the System State data to occur daily. Several weeks
later you accidentally delete several organizational units
(OUs) from Active Directory on DC5. Before you can stop
it, the change is replicated to the other domain controllers
in the domain.
Which of the following actions should you take to
restore the deleted OUs to Active Directory?
A. Run the Ntdsutil.exe program after you restore
the backup of the System State to DC5, but before you
reboot the computer.
B. Restore the backup from the previous day to DC5 and reboot the computer.
C. Use the Backup Wizard to restore just SYSVOL to DC5.
D. Nothing should be done. During the next replication, the deleted OUs
will be restored automatically.
Answer: A
In order to restore the deleted OUs to Active Directory,
you must run the Windows 2000 Ntdsutil.exe program
after you restore the backup of the System State to
DC5, but before you reboot the computer. Active Directory
objects contain sequence numbers that increase with
time. Therefore, if you simply restored an Active Directory
backup from a previous day, the sequence number of
the backup would be seen by the current Active Directory
as outdated, and would subsequently be overwritten.
To prevent this from happening, you must perform an
authoritative restore. An authoritative restore will
give the restored data priority, causing equivalent
objects on other domain controllers to be overwritten
during the next replication. The Ntdsutil.exe program
is used to perform an authoritative restore by changing
the sequence numbers of the restored data so that it
appears to be the latest version of the data.
The following describes the two different types of
restore:
1) Non-Authoritative Restore
2) Authoritative Restore
1) Non-Authoritative Restore: In this type of restore
you simply restore the data from backup after booting
in Active Directory restore mode, which is accessible
by pressing F8 during startup. The data that you
restore will not be maintained, because the update sequence
number for this data is older than what you currently
have. This will not give the desired result in the
above scenario.
2) Authoritative Restore: In this type of restore you first restore
the data from backup and then run NTDSUTIL before rebooting
the computer (as described above in option A). In this
utility, change the prompt to Authoritative Restore
and then restore the desired OUs. When you restore
the data using NTDSUTIL, it increases the version number
for this data by 100,000 so that this data will be
considered new and will not be overwritten by replication.
The SYSVOL directory contains data and files common
between domain controllers and Active Directory. SYSVOL
is included in the System State backup. While critical
to Active Directory, simply restoring the SYSVOL folder
will not accomplish the objectives in this scenario.
Objective 1: "Installing, Configuring, and Troubleshooting
Active Directory"
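The difference between the two restore types can be seen in a small model. This is an added example, not part of the original question set: it assumes a simplified rule in which the copy with the higher version number wins replication, and the OU names, the starting version numbers and the edited OU=HR object are constructed for illustration. It also goes slightly beyond the scenario by showing that only the objects marked authoritative are pushed back to the other domain controllers.

```python
from dataclasses import dataclass

VERSION_BUMP = 100_000  # increase the explanation above attributes to NTDSUTIL


@dataclass(frozen=True)
class Copy:
    """One domain controller's copy of a directory object."""
    version: int
    deleted: bool = False


def replicate(domain):
    """Converge every DC on the highest-version copy of each object."""
    names = {dn for objects in domain.values() for dn in objects}
    for dn in names:
        winner = max((objects[dn] for objects in domain.values() if dn in objects),
                     key=lambda copy: copy.version)
        for objects in domain.values():
            objects[dn] = winner


def restore(domain, dc, backup, authoritative=()):
    """Replace dc's directory with the backup.

    Objects listed in `authoritative` get their version raised so that
    they win the next replication; the rest keep the backup's version.
    """
    domain[dc] = {
        dn: Copy(copy.version + VERSION_BUMP, copy.deleted)
        if dn in authoritative else copy
        for dn, copy in backup.items()
    }


def run(authoritative):
    """Restore the backup on DC5, replicate, and return DC1's view."""
    # Constructed state at backup time: both OUs exist at version 3.
    backup = {"OU=Sales": Copy(3), "OU=HR": Copy(3)}
    # Constructed state today on all five DCs: OU=Sales was deleted
    # (the deletion is itself a newer version), OU=HR was edited.
    current = {"OU=Sales": Copy(4, deleted=True), "OU=HR": Copy(5)}
    domain = {f"DC{i}": dict(current) for i in range(1, 6)}
    restore(domain, "DC5", backup, authoritative)
    replicate(domain)
    return domain["DC1"]


if __name__ == "__main__":
    print("non-authoritative:", run(()))
    print("authoritative for OU=Sales:", run(("OU=Sales",)))
```

With no authoritative objects the deletion replicates back onto DC5; with OU=Sales marked authoritative the OU reappears on every DC while the later edit to OU=HR is kept.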
2. The Windows 2000 domain that you administer includes
an organizational unit (OU) named Finance. You have
created a Group Policy object (GPO) linked to the Finance
OU that defines a policy that prevents users from accessing
the Settings tab in the Display Properties dialogue
box. The GPO also contains a policy that prevents users
from changing the security zone configurations in Internet
Explorer (IE). The Managers OU is a child of the Finance
OU. You want to enable members of the Managers OU to
access the Settings tab of the Display Properties dialogue
box, but you do not want them to be able to change
the security zone configurations in IE. Therefore,
you create another GPO linked to the Managers OU that
only disables the policy that prevents users from accessing
the Settings tab in the Display Properties dialogue
box.
What additional step should you take to accomplish
your objective?
A. Enable the "Block Policy inheritance" option
for the Managers OU.
B. Enable the "No Override" option for the GPO linked to the
Finance OU.
C. Define a policy in the GPO linked to the Finance OU that grants Full
Control permissions for Display Properties.
D. Define a policy in the GPO linked to the Managers OU that grants Full
Control permissions for Display Properties.
E. Do nothing.
Answer: E
Because the Managers OU is a child of the Finance
OU, nothing more needs to be done to accomplish your
objective. The GPO linked to the Finance OU will first
be applied to the Managers OU. Then the GPO linked
to the Managers OU will be applied. The GPO linked
to the Managers OU will override the GPO linked to
the Finance OU, thereby disabling the policy, which
prevents users from accessing the Settings tab in the
Display Properties dialogue box. Because no policy
concerning the security zone configuration for IE has
been defined in the GPO linked to the Managers OU,
the policy defined in the GPO linked to the Finance
OU will still be in effect.
Enabling the "Block Policy inheritance" option
for the Managers OU would prevent the Managers OU from
inheriting the policy that prevents users from changing
the security zone configurations in Internet Explorer
(IE).
Enabling the "No Override" option for the
GPO linked to the Finance OU would prevent users in
the Managers OU from being able to access the Settings
tab.
Objective 3: "Installing, Configuring, Managing,
Monitoring, Optimizing, and Troubleshooting Change
and Configuration Management"
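The three outcomes discussed in this answer (doing nothing, "Block Policy inheritance", and "No Override") can be checked with a small resultant-policy model. This is an added example, not part of the original question set: the GPO names and setting names are constructed, and the model only covers GPOs linked along a single parent-to-child OU chain.

```python
def resultant_policy(chain, block_inheritance=(), no_override=()):
    """Compute the settings that apply to the last OU in `chain`.

    chain             -- list of (ou_name, gpo_name, settings), parent first
    block_inheritance -- OUs with "Block Policy inheritance" enabled
    no_override       -- GPOs whose link has "No Override" enabled
    """
    # GPOs linked above the lowest blocking OU are ignored,
    # unless their link is marked No Override.
    first_applied = max(
        (i for i, (ou, _, _) in enumerate(chain) if ou in block_inheritance),
        default=0,
    )
    effective, locked = {}, set()
    for i, (ou, gpo, settings) in enumerate(chain):
        enforced = gpo in no_override
        if i < first_applied and not enforced:
            continue
        for name, value in settings.items():
            if name in locked:
                continue  # an enforced parent GPO already fixed this setting
            effective[name] = value  # a later (child) GPO overrides the parent
            if enforced:
                locked.add(name)
    return effective


# Constructed names for the two policies in the scenario.
FINANCE = ("Finance", "FinanceGPO",
           {"hide_display_settings_tab": "Enabled",
            "lock_ie_security_zones": "Enabled"})
MANAGERS = ("Managers", "ManagersGPO",
            {"hide_display_settings_tab": "Disabled"})
CHAIN = [FINANCE, MANAGERS]


def option_e():
    return resultant_policy(CHAIN)


def option_a():
    return resultant_policy(CHAIN, block_inheritance={"Managers"})


def option_b():
    return resultant_policy(CHAIN, no_override={"FinanceGPO"})


if __name__ == "__main__":
    for label, fn in (("E", option_e), ("A", option_a), ("B", option_b)):
        print(label, fn())
```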
3. You manage a Windows 2000 domain that consists
of five domain controllers. One of the domain controllers
has experienced hardware failure. You remove the domain
controller from the network in order to perform the
repairs. The domain controller has been disconnected
from the network for a week, and Active Directory has
undergone some major changes during this time. You
need to synchronize the repaired domain controller
with the other domain controllers. The tombstone period
is set to its default value.
Which of the following actions should you take to
accomplish this task? (Choose three)
A. Reboot the computer normally.
B. Reboot the computer using the ERD.
C. Reboot the computer in Directory Services Restore Mode.
D. Use Ntbackup to restore the System State data.
E. Use Ntdsutil to perform an authoritative restore.
F. Use Ntbackup to perform a full restore.
Answer: A, C, D
To synchronize the repaired domain controller with
the other domain controllers, you should reboot the
computer in Directory Services Restore Mode and use
Ntbackup to restore the System State data (the backup
must not be older than the tombstone period, which
by default is 60 days). Once the restoration is complete,
reboot the computer normally and allow or initiate
Active Directory replication to occur. The Active Directory
database will be synchronized with the other domain
controllers in the domain.
You do not want to boot the computer with the Emergency
Repair Disk.
You would not want to perform an authoritative restore
in this scenario. A non-authoritative restore is the
default mode.
It is unnecessary to perform a full backup in this
scenario.
Objective 1: "Installing, Configuring, and Troubleshooting
Active Directory"
4. You are a network administrator for a large multinational organization.
The organization has many network administrators. Each administrator
is in charge of all operations for their specified Active Directory
object. You are responsible for the Phoenix organizational unit (OU).
The Phoenix office supports nearly 500 employees. Recently, security
has become more of a concern for your organization because of its rapid
growth. New employees are being added almost daily and the security
of network data is essential to the company's success. You have been
asked by management to create and implement an Active Directory security
policy for the Phoenix OU. You want the security policy to be implemented
as intelligently and efficiently as possible.
Which of the following actions should you take to
accomplish this task?
A. Create Group Policies with the appropriate settings.
B. Create system policies using the System Policy Editor.
C. Use the Security Configuration and Analysis tool on a Windows 2000
Server computer.
D. Configure the default domain controller policy with the appropriate
security settings.
Answer: C
You should use the Security Configuration and Analysis
tool on a Windows 2000 Server computer. The Security
Configuration and Analysis tool is a Windows 2000 utility
used for creating security profiles as well as managing
security configurations across many computers through
the use of security templates. Therefore, you can define
security settings once and store them in a file and
then apply this file to other computers. This prevents
you from having to manually edit the Registry on each
computer, which can be very tedious. Using the Security
Configuration and Analysis tool to create security
templates can help you to implement a consistent and
uniform security policy that will be easy to manage.
Objective 5: "Configuring, Managing, Monitoring,
and Troubleshooting Active Directory Security Solutions"
5. Keith is the administrator for a Windows 2000 domain
that consists of a single site. Confidential data is
stored on three member servers in the Research department.
Keith has created an OU that is just for the three
member servers. Keith wants to protect these servers
from unauthorized access, so he configures auditing
entries for all confidential folders and files on the
servers so that he will be able to track unauthorized
user access attempts.
Which additional steps should Keith take so that
he will be able to track unauthorized user access attempts?
(Choose all that apply)
A. He should define the appropriate audit policy in
a GPO.
B. He should assign the Apply Group Policy permissions for the GPO to
the OU that contains the member server.
C. He should configure an audit policy on each member server.
D. He should create a GPO linked to the domain that contains the three
member servers.
E. He should create a GPO linked to the OU that contains the three member
servers.
Answer: A, D
In addition to configuring auditing entries for all
the confidential folders and files on the member servers,
Keith should create a GPO that includes the appropriate
audit policy, and link the GPO to the OU that contains
the three member servers. Both of these steps are required
in order to monitor the file and folder access of the
member servers. By using a GPO linked to the OU, you
are prevented from having to configure a local policy
individually on each server.
Objective 5: "Configuring, Managing, Monitoring,
and Troubleshooting Active Directory Security Solutions"