- You are the administrator for your company's Windows 2000 domain. Your network consists of a Windows 2000 Server Primary Domain Controller (PDC) and 200 Windows 2000 Professional client computers. The network uses static IP addresses. The network connects to the Internet over a T1 line, as shown below:
15 Tips for Troubleshooting VPN Connections | Technet Tips | Troubleshooting VPN Disconnects-Stanford University Notes | Windows 2000 Documentation |
You set up a Routing and Remote Access Server, named R1, on your domain to allow access to your Virtual Private Network (VPN) resources. Your company's salesmen use laptop computers while on the road. One of the salesmen can connect to the Internet through a local ISP and wants to connect to the company VPN. After configuring all of the appropriate components, he informs you that he cannot communicate with the VPN. From a Windows 2000 Professional client computer on the domain, you ping R1 and receive a reply. You then discover that another computer on the domain has the same IP address as R1. How might you have discovered this problem?
A. By using the RSH utility
B. By using the Netsh utility
C. By using the Telnet utility
D. By using the IPCONFIG utility
Answer: D - On systems running Windows NT / 2K, use the utility ipconfig to obtain network information, simular to the winipcfg utility in Windows 9x. This utility is also avaliable in Windows 98, and is run from a command prompt. Click on Start->Run and type command to open a new shell windows. At the dos prompt type ipconfig to see basic adapter information (this includes the assigned IP address, subnet mask, and default gateway). There are also several switches that may be used with ipconfig:
ipconfig /all Shows all information about the adapters. The most relevant information from this is the description of the adapter, the physical address, IP address, and if they have dhcp enabled for the adapter. ipconfig /release Release an IP address leased from a DHCP server ipconfig /renew If the client has DHCP enabled then it will renew an IP address from a DHCP server No two computers on a network may have the same network and host id. Should a user change their IP address and it conflicts with another user, a warning message will be displayed that a conflict has occurred. The conflicting IP address must be changed to a non-conflicting address. When changing IP addresses use a table for available IP addresses or DHCP to avoid IP conflicts.
When assigning an IP address the network ID and the host ID must be correct. Recall the network ID is shared by all hosts on the network, while the host ID is unique to each host. In addition, the subnet mask must be configured properly to match the network ID. An incorrect subnet mask can block a user's access to the network.
If a user is experiencing difficulty connecting to a web resource, confirm that DNS is configured. An IP Address for a DNS server is required to access a web site. In addition, check that the default gateway IP address has been entered properly.No doubt, you checked that the network cable was attached to the network card and that a link light existed, right? Use PING to test connectivity to other hosts on the network, ping the router, and then beyond the router.
References: |
- You must share the C:\user data folder on a Windows 2000 server. The C: partition of the Windows 2000 drive is an NTFS partition. The name of the Windows 2000 server is Server1. You have created three Windows 2000 groups on the server named Employees, Board Members, and IT Staff. John is a member of the Users group and the IT Staff group. Mark is a member of the Board Members group. Max is a member of the Employees group and the Users group. Bob is a member of the IT Staff group and the Board Members group. You must share the folder and file so the following users have access to the share:
Mark must have read-only access to the folder when he accesses the folder remotely.
Max must be able to modify the contents of the folder when he accesses the folder remotely.
John must be able to take ownership of the folder when he is logged on to the server.
Bob must be able to add files to the folder when he accesses the folder remotely.
The permissions for each group are shown below:
Which users have appropriate access to the folder? (Choose all that apply.)
A. Max
B. Bob
C. John
D. Mark
E. None of the users will have the appropriate access
Answer: B,C,D - One of the benefits of using Windows 2000 over using the consumer versions of Windows (such as Windows 95, 98 or ME), is the ability to use file and folder permissions. With just a few simple steps, you can control which users and/or groups have access to the files or folders on your computer. The one catch is that file and folder permissions require the use of NTFS for a filing system: they are not available on FAT partitions.
So what are permissions? Permissions describe the actions that can be taken on a file or folder, and are things like reading, writing, changing, etc. On the following page, you can find a list of the permissions that can be used with files, as well as those that can be used with folders. Assigning or viewing permissions is a relatively simple task. Simply right-click the file or folder while in Windows Explorer, and choose Properties from the menu that appears. This will cause a Properties box to appear. Click on the Security tab, and you will see two areas: a top and a bottom. The top area shows which users and/or groups have permissions to the file or folder, and the bottom area shows what those permissions are. Highlight a user or group in the top area, and you will see which permissions they have in the bottom area. If a box is checked but grayed out, that means that the permission applies, but has been inherited from a higher folder.
To add to the list of users or groups with permissions, click the Add... button, click the user or group to be added, then click Add and OK. Then, with the user or group highlighted, click in the Allow or Deny box for those permissions you wish to grant or deny to the user or group.
Be sure to use caution when applying a Deny permission. This is because the deny permission takes precedence over any other Allow permission. All other permissions are cumulative, or additive. For instance, if a user has been assigned the "Read" permission to a file, but is also a member of a group that has been assigned the "Write" permission, the user's effective permissions to the file are "Write." However, if a user has been assigned the "Deny Write" permission, then he will not be able to write to the file or folder, even if he also belongs to a group that has been assigned Full Control.
By default, permissions assigned at the folder level will apply to all files in the folder, and all subfolders as well. However, if a file is specifically assigned different permissions than the folder that it is in, those file permissions will take precedence over the folder permissions. For instance, if a user has "write" permission to a folder, but to one of the files in that folder he has been assigned only "read," then the user's effective permissions to that file are only "read."
It is also important to note what happens to file permissions when files and folders are copied or moved. The following guidelines apply when copying files or folders:
When copying a file or folder within the same NTFS partition, the copy of the file or folder takes on the permissions of the destination.When copying a file or folder between different NTFS partitions, the copy also takes on the permissions of the destination.
When copying a file or folder to a non-NTFS partition, the file or folder will lose all permissions.
When moving files or folders:
When moving a file or folder within the same NTFS partition, the file or folder will retain its permissions.When moving a file or folder between different NTFS partitions, the file or folder takes on the permissions of the destination (because a move operation is actually a copy and delete).
When moving a file or folder to a non-NTFS partition, the file or folder will lose all permissions.
In Windows 2000, as with any Microsoft product, the way that you provide access to file and folders over a network is by "sharing" them. There are several shares that are created automatically by the operating system on every Windows 2000 computer, and the permissions are not configurable. However, any shares that you create can and should be modified so that the permissions allow access by only the appropriate users and/or groups.
By way of review, sharing a folder to give access to the files and subfolders, is as simple as right-clicking the folder, and choosing "Sharing..." Once the Properties box comes up, with the Sharing Tab selected, click the "Share this folder" radio button, and enter a Share Name. Click "Apply" or "OK" and the folder is shared. One important thing to note, however, is that by default, the Everyone groups will have the Full Control permission to the share. This could mean that any user can perform any action on the files or subfolders, including changing or delete them (depending on the actual file/folder permissions). If that is not the level of permissions that you desire for your share, then you will have to change the share permissions to restrict the level of access.
To change the permissions on a share, click the Permissions button (on the same Properties page mentioned above (right-click folder, click "Sharing...")). As in the case of file and folder permissions, you will see two areas on the Share Permissions page, a top and bottom. The top area shows which users have permissions to the share, and the bottom area shows the permissions that those users have been assigned. To add users or groups, click the "Add..." button, highlight a user or group, and click the Add button, and the OK button. The user or group will then appear in the top section. In the bottom section, place a check mark next to the permission(s) to be granted or denied. Except for the Deny permission, the permissions assigned will be cumulative. For instance, if a user is assigned Read to a share, but belongs to a group that has been assigned Full Control, the user will experience Full Control for the share.
Use caution when assigning the Deny permission, however. If a user has a Deny permission assigned, they will be denied access, even if they are granted another permission through another means, such as through group membership. There are three permissions that can be assigned to users for a share:
Permission Allows user to... Read See folder, subfolder and file names & attributes, run applications, open files. Change Create folders, add new files, open and change files, delete files, and all of the Read permission abilities. Full Control All of the Read and Change permission abilities, plus changing permissions on files, taking ownership
To remove users or groups from the control list, simply highlight the user or group in the top section, and click the Remove button. To stop sharing a folder altogether, just click the Do Not Share this Folder radio button on the Properties page. Another useful way to work with Shares is through the Computer Management utility (right-click My Computer on the Desktop, choose Manage). Under System Tools, there is a Shared Folders tool that will allow you to view and modify Share properties, including permissions.The hard part is figuring out what permissions users will actually have, since permissions can be assigned to multiple groups and users for the same files or for the same share. Add to that the complexity of accessing files through shares, and permissions can be quite confusing. The key to properly calculating permissions is to calculate them first for files/folders, then separately for shares, using the "least restrictive" rule. After you have those calculations, then calculate the total effective permissions using the "most restrictive" rule to combine the two.
So first of all, remember that permissions for files/folders and permissions for shares are additive, or "least restrictive." For example, if a user has been assigned Read permission to a file, and also belongs to a group that has Full Control to the same file, the user's permission to the file will be Full Control (the least restrictive of all the permissions that apply to the user.
In a similar way, the permissions for shares are additive, or "least restrictive." For example, if a user belongs to one group that has been assigned Change permission to a share, and also belongs to another group with only Read permission, the end result for that user will still be Change permission to the share, because that is the permission that is least restrictive.
So that brings us to the case of figuring out the combined permissions for a user accessing files and folders through a share (this is called the user's "effective permissions"). After all, unless the files or folders are on the local computer, they are being accessed through a share. In the case of calculating total effective permissions to files and folders through a share, we switch to the "most restrictive" permission between the two.
In the two examples above, we calculated that the user has Full Control to the file, and Change permission to the share. If that user were accessing the file through the share, his effective permission then would be Change, since that is the "most restrictive" of the permissions. Here is another example:
JoeUser is assigned Read Only permission to the Accounting folder on the D: drive.The Accounting folder on the D: drive is shared out as Acct.
JoeUser is assigned Change to the Acct share.
In the above example, JoeUser's effective permissions to the files in the Accounting folder on the D: drive would be Read Only, since that is the most restrictive permissions between the file permissions and the share permissions.
Here is a more complex example:
JoeUser is assigned Read Only permission to the Accounting folder on the D: drive.JoeUser is a member of the Accountants group.
The Accountants group is assigned Full Control permissions to the Accounting folder on the D: drive.
The Accounting folder on the D: drive is shared out as Acct.
JoeUser is assigned Change to the Acct share.
The Accountant group is assigned Read Only to the Acct share.
JoeUser's effective permissions to the files in the Accounting folder on the D: drive would be Change. JoeUser's file permissions would be Full Control, because the Accountants group has Full Control, and he is a member of that group (and that is the least restrictive permission). JoeUser's share permissions would be Change, because he was assigned Change permission (and that is the least restrictive permission). However, JoeUser's effective permissions would be Change, because that is the most restrictive permission between the share permission and the file permission.
References: | Windows 2000 Server Security Checklist - Microsoft Technet | NTFS Vs Share Permissions |
So to summarize again, use least restrictive to figure out what the user's permissions to the files are, and use least restrictive to figure out what the user's permissions to the share are, then compare those two permissions, taking the most restrictive of the two. Clear as mud, right?
- You are the administrator of your company's Windows 2000 domain controller. The domain controller contains three 5-GB hard drives. They are configured as follows:
Understanding & Implementing Raid | Q138364 - Windows NT Partitioning Rules During Setup | Q175761 - Dynamic vs. Basic Storage in Windows 2000 |
- The system partition is a 2-GB NTFS partition and is assigned the C: drive letter. - There is a RAID 5 volume that is composed of 2 GB from each drive and is assigned the D: drive letter. - There is a 1-GB FAT partition on DISK 0 that is assigned the E: drive letter. - There are two 3-GB FAT32 partitions that fill the remaining space on the other two drives. They are assigned letters F: and G: respectively.
You must optimize the disk space on the drives to meet the following requirements:
- You must check all volumes for errors. - You must optimize the speed with which your applications initialize. - You must ensure all files are arranged on the volumes in a contiguous manner. - You must ensure the RAID volume is adequately prepared to minimize install time and initialization time of the program.
You take the following actions:
-You use the Check Disk tool on all the drives.
-You use Disk Defragmenter to analyze and defragment all volumes.
Which requirements are met by the actions? (Choose all that apply)
A. All volumes are checked for errors
B. All files are arranged on each volume in a contiguous manner
D. The speed with which your applications initialize is optimized
D. The RAID volume is adequately prepared to minimize install time and initialization time of applications
Answer: A,B,C,D
References: | Definition of RAID |
- The administrator for your network has sent you, via email, a HOSTS file and an LMHOSTS file. She wants you to use these files until she resolves some DNS and WINS issues. Where do these files need to be placed for your workstation to use them?
A. %systemroot%\system32
B. %systemroot%\system32\tcpip
C. %systemroot%\system32\drivers\etc
D. %systemroot%\
Answer: C - The HOSTS and LMHOSTS files need to be placed in %systemroot%\system32\drivers\etc. %systemroot% is a system variable that represents the directory Windows 2000 was installed in (i.e., C:\WINNT).
References:| Q102908 - How to Troubleshoot TCP/IP Connectivity with Windows 2000 or Windows NT | Lmhosts Files | Overview of TCP/IP Name Resolution |- Which of the following is used to identify a DHCP client with a particular class option?
A. OptionID
B. DHCPID
C. CompID
D. ClassID
Answer: D - A ClassID is used to identify a DHCP client with a particular class option. There is no such thing as OptionID. There is no such thing as DHCPID. There is no such thing as CompID
- You are the network administrator for a large company. You were just notified that another network administrator was fired. Before leaving, the fired administrator changed the permissions on many sensitive documents, revoking all access to the files. He also took ownership of the files. What can you do to gain access to the files?
A. Take ownership and grant access.
B. Grant access.
C. Restore from backup.
D. Format the volume containing the files. Restore from backup.
Answer: A - Take ownership of the files and grant access. If you are the Creator/Owner of a file, you can still change permissions even if your access was revoked. By taking ownership, you become the Creator/Owner What is the role of the SYSVOL share on a domain controller?
- You are the administrator of your Windows 2000 network. The domain controller on the network had a hard drive fail in it. Click here to view a screenshot of the current disk configuration
Disk Configuration Screenshot [Note: This is a large picture and will load very slowly at 56K connection speeds or less]
The following requirements must be met:
You must replace the missing hard drive.
You must recreate all volumes that were affected by the missing hard drive.
You must restore the data to its original state.
You take the following actions:
You replace the hard drive with a 10-GB hard drive.
You make the new hard drive Dynamic.
You recreate the spanned volume allocating 1.19 GB of space for Disk 3 and all the other free space on the other 3 hard drives.
You restore the data from backup.
Which requirements do the actions meet? (Choose all that apply)
A. The missing hard drive is replaced
B. The data is restored to its original state
C. The actions do not meet any of the requirements
D. All volumes affected by the missing hard drive are replaced
Answer: D
References: | Windows 2000 Disk Management | Windows XP Disk Management | Windows NT 4.0 Disk Management |- What consistent value of the Logical Disk: Avg. Disk Bytes/Transfer counter may indicate that most of the drive activity is caused by too little physical RAM?
A. 32KB
B. 1MB
C. 4KB
D. 256B
Answer: C - A consistent value of 4KB for the Logical Disk: Avg. Disk Bytes/Transfer counter may indicate that most drive activity is caused by paging, which indicates too little physical RAM.
- Your company network consists of both Windows NT and Windows 98 clients. The company recently implemented system policies on the network, where one group of people set up the users working on NT clients and another set up Windows 98 clients. Now you and your co-workers are getting calls at the help-desk from users who work on both NT and Windows 98 computers, some saying that they are having problems with Windows NT and others saying that they are having problems with Windows 98. What is the most likely cause for this problem
A. The list of users that work on both operating systems may have been divided in half, so that they were covered by either a Windows 98 policy file or a Windows NT policy file but not both. B. The people that implemented system policies for Windows NT made the NT Users group the highest priority and settings for Windows 98 users in a lower priority group. When these users log on for a Windows 98 session the settings are being overwritten by the settings in the higher priority group (NT), which are not compatible with Windows 98. The people that implemented system policies for Windows 98 users did the same thing, giving the Windows 98 Users group the highest priority. C. System Policy Editor was used to create the policy files for both Windows 98 and Windows NT clients. D. None of the above Answer: A - Windows 98 looks for a file named Config.pol while Windows NT looks for a file named Ntconfig.pol. Users who work on both Windows NT and Windows 98 must be included in both policy files, not just one or the other.
References: | Zero Administration Kit for Windows 98 | Windows Registry Guide |- Which command displays the NetBIOS name cache?
A. nbtstat -r
B. nbtstat -R
C. nbtstat -c
D. nbtstat
Answer: C - nbtstat -c will display the NetBIOS name cache. nbtstat -r will list all names resolved by WINS or broadcasts. nbtstat -R will purge the cache and reload the remote cache name table (NetBIOS names marked #PRE in the LMHOSTS file).
- Which step is required before installing the DNS service on a Windows 2000 server?
A. Installing the Active Directory service
B. Assigning a static IP address to the server
C. Installing the DNS client service
D. Assigning a DHCP range
Answer: B - Before the DNS service can be installed on a Windows 2000 server, the server must first have a static IP address.
- Which of the following is a computer on a network that receives its TCP/IP configuration parameters from a DHCP server.
A. DHCP Server
B. DHCP client
C. DHCP Option
D. DHCP Service
Answer: B - A DHCP client is a computer on a network that receives its TCP/IP configuration parameters from a DHCP server. A DHCP Server assigns addresses. A DHCP Option is a network setting applied DHCP.
- The Windows 2000 Professional workstation you are using receives its IP configuration via a DHCP server. You are having difficulty accessing resources on the network. You suspect that your system's IP configuration may be wrong. How can you view your current IP configuration?
A. winipcfg /view
B. ipconfig /all
C. show ip config
D. ipconfig /view
Answer: B - ipconfig /all will display all the IP configuration settings on the workstation.
- Which type of record creates an alias to a hostname?
A. PTR record
B. MX record
C. DS record
D. CNAME record
Answer: D - A CNAME record provides an alias to a hostname in DNS. A PTR record is a pointer record, MX is a mail exchanger record, and DS is a directory service record.
- When all Win16 applications are terminated, which of the following processes will remain in memory? [Check all correct answers]
A. WOWEXEC
B. All Win16 processes themselves
C. NTVDM
D. SYSTEM
Answer: A, C, D - The NTVDM and WOWEXEC processes that construct the Win16 environment will remain in memory even after the last Win16 application is terminated. The SYSTEM process, which is not directly linked to the Win16 environment, will remain in memory as well.
Once a Win16 process is terminated, it will be removed from memory.
- After an update is made to the schema, when is the update replicated?
A. Immediately
B. During the next Active Directory replication
C. When the schema cache is updated
D. Both b and c
Answer: C - The schema is updated when the schema cache is updated. Schema changes do not replicate immediately . Schema cache replicates at different intervals that active directory.
Listed below are a series of potential file system conversion paths. The goal is to perform a conversion from one file system to another, without losing any of the data already present on the partition to be converted. Which of the following file system conversion paths will accomplish this goal?
A. Use "convert.exe c: /fs:ntfs" to convert from FAT to NTFS
B. Use "convert.exe c: /fs:fat32" to convert from FAT to FAT32
C. Use "convert.exe c: /fs:fat" to convert from NTFS to FAT
D. Use "convert.exe c: /fs:ntfs" to convert from FAT32 to NTFS
Answer: A, D - You cannot convert from FAT to FAT32 and you cannot convert from NTFS to FAT or FAT32. To convert a partition, you simply use the convert.exe command line utility, specifiy the drive letter, and then specify the file system you wish to convert to by using the /fs switch. Windows 2000 can only convert to NTFS partitions.
- Which Windows 2000 utility provides a single format for managing applications?
A. Windows Installer
B. Windows Application Manager
C. Active Directory
D. Terminal Services
Answer: A - The Windows Installer provides a standard format for managing applications. The Windows Application Manager doesn't exist. Active Directory doesn't provide applications management functionality. Terminal Services relies upon applications installation programs for installation.
- You are planning to upgrade your Windows NT 4.0 domain environment to a Windows 2000 Server domain environment. As a result, you plan on first upgrading the Primary Domain Controllers to Windows 2000 Domain Controllers. After completing this upgrade process, you will then initiate a migration to upgrade all of the Windows NT 4.0 Backup Domain Controllers to Windows 2000 Domain Controllers. Prior to executing your Domain Controller migration strategy, you synchronize a Windows NT 4.0 Backup Domain Controller with the Primary Domain Controller and remove the Primary Domain Controller from the production network. To allow for administration of the existing network while you conduct your test, you promote the Backup Domain Controller to a Primary Domain Controller. You then run the WINNT32.EXE setup program to upgrade the Windows NT 4.0 Primary Domain Controller to a Windows 2000 Domain Controller. During the installation process, you receive an error message the reads "INACCESSIBLE_BOOT_DEVICE." What must you check in order to prevent this error from repeating as you upgrade the other Windows NT 4.0 Domain Controller machines?
A. Determine if there were any serial cables that were connected to a UPS device. B. Determine if there are any non-Plug and Play Industry Standard Architecture devices. C. Determine if there were changes made to the Window NT 4.0 Domain Controller Registry by the Windows 2000 setup program during the attempted upgrade. D. Determine if the there were any virus scanners or other client software that interfered with the attempted upgrade. Answer: B - During the upgrade process, Windows 2000 Professional attempts to take advantage of Plug and Play (automatic) configuration of all hardware on the machine. Since ISA devices are not able to report to Windows 2000 their hardware requirements (DMA, IRQ, etc.), Windows 2000 may actually assign resources required for these devices to Plug and Play devices installed in the machine. As a result, it is imperative that you reserve the hardware requirements for ISA devices in the system BIOS.
- Which domain object can be used as the functional equivalent of a Windows NT resource domain?
A. Group Policy
B. Universal group
C. Domain user
D. Organizational Unit (OU)
Answer: D - Administrative control can be delegated to an OU, thus providing much of the same functionality as a Windows NT resource domain. Group Policy provides a means of managing settings for the user environment, and the universal group
- What two events occur in Dynamic DNS (DDNS)? (Choose 2)
A. The client computer automatically queries DNS for a dynamic domain name.
B. The DHCP client automatically updates an a resource record on the DNS Server.
C. The DHCP server obtains a domain or host name for the DHCP client.
D. The DHCP server updates the PTR record in DNS.
Answer(s): B, D - DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file and in the newly created folder WINNT \System32\DNS. A standard secondary is a copy (or replica) of the master database and are read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database. Windows 2000 includes in DNS the ability to accept dynamic updates rather than just manual updates to the zone database. When a DHCP server leases an address, the client updates the A record in DNS and the server updates the PTR record in DNS - automatically.
- Karen is receiving messages that the C: drive on his Windows 2000 print server is running low on disk space. She notices that the %SYSTEMROOT%\SYSTEM32\SPOOL\PRINTERS directory is taking up a lot of space. Karen has several Gig of free space on the D: drive that she would like to use. How can Karen move the spool directories for his printers to the d: drive? (choose all that apply)
A. Karen can launch the registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers \<specific printer>\SpoolDirectory where <specific printer> is the name of one of Karen's printers. Karen can change the spool directory using this method for each of his printers. B. Windows 2000 does not support moving the spool directory. Karen will have to increase disk space on his C: drive. C. Karen should recreate all of the printers on his print server and choose alternate spool directory. she can then choose to put the spool directory on the D: drive. D. Karen can navigate to control panel - printers - file menu - server properties - advanced tab and type in the name of the new spool folder. Answer: A,D - Karen has two options. She can specify a new spool folder from control panel - printers - file menu - server properties - advanced tab. This setting is for all printers on that server. The other option is to use the registry editor to move the spool file on a printer by printer basis. This is done by navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers \<specific printer>\SpoolDirectory where <specific printer> is the name of one of the printers. The registry method is useful as spool directories can be split up over multiple drives. Windows 2000 supports both of the above options. Karen does not have to recreate his printers and there is no option available when creating printers to specify an alternate spool directory.
Reference: Q123747 - Moving the Windows Default Paging and Spool File
Where is the zone database stored for an Active Directory integrated zone in Windows 2000?
A. In an Active Directory object
B. In the WINNT \System32\DNS folder
C. In the Active Directory DNS Zone object
D. In the WINNT \System32\etc folder
Answer: A - DNS services in Windows 2000 support three types of zones: standard primary, standard secondary and Active Directory integrated. A standard primary zone is the master copy of the zone database and is stored as a standard text file and in the newly created folder WINNT \System32\DNS. A standard secondary is a copy (or replica) of the master database and are read-only. Active Directory integrated zones are zones that are stored in Active Directory and so are replicated during AD replication. Zone transfers in DNS are triggered two ways: a master server sends a change notification to the secondary servers, or the secondary server queries the master for changes in the master database.
- What is the name for the record of permissions associated with an object in the Active Directory structure?
A. Access Control List
B. Access Properties
C. Permission Control List
D. Permission Record
Answer: A - The Access Control List (ACL) is the database of permissions associated with Active Directory objects.
- After a security template is analyzed with the current system settings, new template settings are immediately implemented.
A. TRUE
B. FALSE
Answer: B - The settings in a security template are not implemented until the next time the computer starts. The settings in a security template are not implemented until the next time the computer starts- Jachamji has two users in different departments who need to communicate securely. These users need their communications on the LAN to each other to be both mutually authenticated and encrypted. However, they both need to communicate in the clear with other users on the LAN. How should Jachamji proceed?
A. Use VPN features to create a PPTP tunnel between the users computers. B. Secure the shared resources on both users' computers with local groups and restrict access to the shared resources to the two users. C. Put the two users on an isolated subnet. Enable packet filtering at the switch. D. Define and implement an IPSec policy for both users computers. Answer: D - In this case, both users are on the same LAN and have different communication needs with different users. The best way for Jachamji to accomplish her objective would be for her to implement IPSec policies. This way, he can configure communications between their computers to require mutual authentication and provide encryption based on IP filters in the policy. Likewise, communications to other users would be unaffected by this policy because there would be no matching filter. A Virtual Private Network (VPN) is designed to provide secure communication for remote users, and users on different networks. In our scenario, the users are on the same physical network. Securing resources with access control is good practice, but does not address the issues of authentication and encryption. Segmenting the users on an isolated subnet may be a good idea, but it does not address the issues of authentication and encryption either. Also, packet filtering would control the flow of communication from one side of the switch to the other, but this would not be necessary if they were both on the same side, and it might negatively affect their ability to communicate in the clear with other users.
| GO TO THE TOP | CLOSE THIS WINDOW | PRINT THIS DOCUMENT |
Buy 200+ test questions at only $9.99:
