Study Guides and Actual Real Exam Questions For Oracle OCP, MCSE, MCSA, CCNA, CompTIA


Braindumps for "70-223" Exam

Need Papers

Hi all,

Can you please help me get good papers or links to prepare for the exam?

Many thanks









Braindumps for "642-661" Exam

Latest Dumps Please

Hi.
Any latest dumps will be greatly appreciated. Thank you.







Braindumps for "70-294" Exam

Accurate sure questions

 

Question 1.
You are the network administrator for ITCertKeys. The company has a main office and six branch offices.

Each branch office employs fewer than 15 users.
The network consists of a single Active Directory domain configured as a single site. All servers run Windows Server 2003. Domain controllers are located in the main office. All branch offices are connected to the main office by WAN connections.

All users are required to change their password every 10 days. They are further restricted from reusing a password until after they have used five different passwords. You discover that users in the branch office can log on by using recently expired passwords and access local resources during a WAN connection failure that lasts for 24 hours or longer.

You need to ensure that users can log on to the domain only by using a current password.

What should you do?

A. Enable universal group membership caching in the site.
B. Instruct all users to log on by using their principal names (UPNs).
C. In Active Directory Users and Computers, require all users to change their passwords the next time they log on to the domain.
D. Configure the Default Domain Policy Group Policy object (GPO) to prevent logon attempts that use cached credentials.

Answer: D

Explanation:
When the client computers are unable to contact a domain controller at the main office, the users are being logged on using ‘cached credentials’. This means that the client computer remembers that the user successfully authenticated with the domain controller recently, so the client computer assumes it is ok to log the user on again after failing to contact a domain controller. We can disable this behaviour using a group policy.

Incorrect Answers:
A: Enabling universal group caching won’t prevent the logons.
B: This won’t prevent the users’ ability to log on.
C: This won’t prevent the users’ ability to log on.

Reference:
MS Press: MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, 2004, p. 5-19.

MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, p. 5-41.

MS Press: MCSE Self-Paced Training Kit (Exam 70-297); Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, 2004, pp. 5-11.

Question 2.
You are a network administrator for ITCertKeys. The network consists of a single Active Directory domain named Itcertkeys.com. All servers run Windows Server 2003. Most of the client computers are located in the offices of individual users. Some client computers are located in publicly accessible locations.

The company’s written security policy includes the following requirements.
• All users must use smart cards to log on to a client computer.
• Users using the publicly accessible client computers must be logged off if the smart card is removed from the smart card reader.
You configure all user accounts to require smart cards for interactive logon. You create an organizational unit (OU) named Public.
You need to ensure that the appropriate result occurs on each client computer when a smart card is removed.
You must achieve this goal without affecting other computers.

What should you do?

A. Place all computer accounts for the publicly accessible client computers in the Public OU.
Create a new Group Policy object (GPO) and link the GPO to the Public OU.
Configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.
B. Place the user accounts of all users who use the publicly accessible client computers in the Public OU.
Create a new Group Policy object (GPO) and link the GPO to the Public OU.
Configure the Interactive logon: Smart card removal behavior setting to Force logoff.
C. On the Default Domain Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force logoff.
D. On the Default Domain Controllers Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force Logoff.

Answer: A

Explanation:
We can place the public computers in the Public OU; this will enable us to apply a group policy to the public computers. The question states that users must be logged off if the smart card is removed from the smart card reader. There is a specific setting in group policy for this. We can configure the Interactive Logon: Smart card removal behaviour setting to Force Logoff.

MS White Paper
Planning a Smart Card Deployment
Selecting Group Policy Settings to Manage Smart Card Use

Several Group Policy settings are specific to smart card management. You can use these Group Policy settings to manage smart cards in your organization.

Note:
Other security policy settings, such as lockout policy or restricted logon times, can also impact smart card users if they use their cards for account logon.

Smart card required for interactive logon
When you set this policy on a user account, the user cannot log on to the account by using a password. They can only log on by using a smart card.

The advantage of using this policy setting is that it enforces strict security. However, if users are unable to log on by using conventional passwords, you must provide an alternate solution in the event that smart cards become unusable.

Note:
This policy setting applies to interactive and network logons only. It does not apply to remote access logons, which are managed by policy settings that are configured on the remote access server.

The Smart card required for interactive logon policy is not recommended for users who need to:

• Join a computer to a domain.
• Perform administrative tasks such as installing Active Directory on a member server.
• Configure a network connection for remote access.
If you choose not to use this security policy setting, users can revert to their standard network passwords if their smart cards are damaged or unavailable. However, this weakens security. In addition, users who use their passwords infrequently might forget them, and either write them down, or call the help desk for a password reset, increasing help desk costs to the organization.

On smart card removal
Users who walk away from computers that are running an active logon session create a security risk. To enforce the security of your system, it is best if users either log off or lock their computers when they leave. The On smart card removal policy allows you to force users to log off or lock their computers when they remove their smart cards.

Note:
If you select the forced logoff option, users need to make sure they have saved changes to documents and other files before they remove their smart cards. Otherwise, they lose any changes they have made.

Whether or not you set the On smart card removal policy depends on how your users interact with their computers. For example, this policy is a good choice if using computers in an open floor or kiosk environment.

This policy might not be necessary when users have dedicated computers or exclusive use of multiple computers. You can use a password-protected screensaver or other means to lock the computers of these users.

Note:
The On smart card removal policy is a local computer policy that is administered on a per computer basis. Set the On smart card removal policy on a per user account basis, along with other domain security policy settings.

Incorrect Answers:
B: This is a computer setting, not a user setting.
C: This will force logoff all users in the domain. Only users of the public computers should be logged off when they remove their smart cards.
D: This will force logoff all users who log on to a domain controller. Only users of the public computers should be logged off when they remove their smart cards.

Reference:
MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 10-4 to 10-12, 10-15 to 10-19, 10-24 to 10-28.

Question 3.
You are a network administrator for ITCertKeys. Your network consists of a single Active Directory domain named Itcertkeys.com. All servers run Windows Server 2003.

The company has users who work in the main office and users who work remotely by connecting to a server running Routing and Remote Access. The company’s written security policy requires that administrators in the main office log on by using smart cards. The written security policy also requires that remote users use smart cards to access network resources. No other users are required to use smart cards.

You issue portable computers that contain smart card readers to administrators and remote users. You issue smart cards to administrators and remote users. Administrators and remote users report that they can log on without using a smart card.

You need to ensure that only administrators are required to use smart cards when working in the main office. You must also ensure that remote users are required to use smart cards when accessing network resources.

Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)

A. In the computer configuration settings of the Default Domain Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.
B. On the server running Routing and Remote Access, select the Extensible authentication protocol (EAP) check box and require smart card authentication.
C. In the properties of each administrator account, select the Smart Card Required for Interactive Logon check box.
D. In the computer configuration settings of the Default Domain Controllers Policy Group Policy object (GPO), enable the Interactive logon: Requires smart card setting.
E. In the properties of each user account that requires remote access, select the Smart Card Required for Interactive Logon check box.

Answer: B, C

Explanation:
We can require remote users to log on using smart cards only by configuring the RRAS server that the remote users connect to so that it requires smart card authentication.
We can configure the administrators’ user accounts to require smart cards for interactive logons. This setting is defined in the user properties in Active Directory Users and Computers.

Incorrect Answers:
A: This would require that all users log on using a smart card.
D: This would require that users use a smart card to log on to only the domain controllers. The administrators must use smart cards to log on to any machine in the domain.
E: This would require that the remote users log on using a smart card to any machine. They don’t need a smart card logon if they are using a machine in the office.

Reference:
MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 7-9 to 7-10.

Sybex, Mastering Windows Server 2003, 2003, p. 655.

Question 4.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory domain named Itcertkeys.com. The domain contains Windows Server 2003 computers and Windows XP Professional client computers. The domain contains two organizational units (OUs) named Sales and Marketing. Both OUs have multiple Group Policy Objects (GPOs) linked to them.

The Sales OU needs to be moved under the Marketing OU.
You need to find out which objects in the Sales OU are adversely affected by GPOs linked to the Marketing OU.

You need to achieve this goal without disruption to users.
What should you do?

A. Use Resultant Set of Policy (RSoP) in logging mode for the Marketing OU.
Review the policy results for the users in the OU.
B. Use Resultant Set of Policy (RSoP) in logging mode for the Sales OU.
Review the policy results for the users in the OU.
C. Use Resultant Set of Policy (RSoP) in planning mode for the Marketing OU.
Choose the Sales OU to simulate policy settings.
D. Use Resultant Set of Policy (RSoP) in planning mode for the Sales OU.
Choose the Marketing OU to simulate policy settings.

Answer: D

Explanation:
We need to view the effective group policy without actually applying the group policy and disrupting the users. For this, we can use RSoP in planning mode.

RSoP Modes
Planning Mode
In planning mode, you can determine how policy settings are applied to a target, and then analyze the results before deploying a change to Group Policy. For example, you can use planning mode to simulate moving a user to a different group, or to see the effects of placing the user in different security groups.

In planning mode, the Group Policy Data Access Service mimics the function of the Windows logon service.

Planning mode simulates calling each Group Policy client-side extension to allow the extension to write policy data to the Common Information Model Object Manager (CIMOM) database.

Logging Mode
In logging mode, you can assess which policy settings have been applied or failed to apply to a particular target (users or computers in Active Directory). Group Policy client-side extensions have a WMI interface that writes information (known as logging mode data) about their policy settings to a CIMOM database. You can use the RSoP user interface to query the CIMOM database for policy information. RSoP logging is enabled by default. You can use a policy setting to disable this option. To do so, disable the Turn off Resultant Set of Policy Logging policy under the Computer Configuration\Administrative Templates\System\Group Policy node for computers or disable the Disallow Interactive Users from generating Resultant Set of Policy setting under the User Configuration\Administrative Templates\System\Group Policy node for users.

Incorrect Answers:
A: We need to use planning mode, not logging mode.
B: We need to use planning mode, not logging mode.
C: We need to test the effects of applying the Marketing OU policies to the Sales OU, not vice versa.

Reference:
MS Knowledge Base article 323276: HOW TO: Install and Use RSoP in Windows Server 2003
Server Help: RSoP overview

Question 5.
You are the network administrator for Acme. The network consists of a single Active Directory forest root domain named acme.com. The functional level of the forest is Windows Server 2003.

A Windows Server 2003 domain controller named DC1.acme.com is the Active Directory-integrated DNS server for acme.com. All servers and client computers in the acme.com domain use DC1.acme.com as their DNS server for name resolution.

Acme acquires a company named ITCertKeys. The ITCertKeys network consists of a single Active Directory forest root domain named Itcertkeys.com. The functional level of this domain is Windows Server 2003.

A Windows Server 2003 domain controller named DC1.Itcertkeys.com is the Active Directory-integrated DNS server for Itcertkeys.com. All servers and client computers in the Itcertkeys.com domain use DC1.Itcertkeys.com as their DNS server for name resolution.

You create a two-way forest trust relationship with forest-wide authentication between acme.com and Itcertkeys.com.

You need to ensure that all users in both companies can log on to both forest root domains. You need to achieve this goal without adversely affecting Internet access.
What should you do?

A. Set the Stub Zone as the zone type for the acme.com domain on DC1.acme.com and for the Itcertkeys.com domain on DC1.Itcertkeys.com.
B. Select the Do not use recursion for this domain check box on DC1.Itcertkeys.com and on DC1.acme.com.
C. Add the fully qualified domain name (FQDN) and the IP address of DC1.Itcertkeys.com to the Root hints list in DC1.acme.com.
Add the FQDN and the IP address of DC1.acme.com to the Root hints list on DC1.Itcertkeys.com.
D. Configure conditional forwarding on DC1.acme.com to forward all requests for resources in the Itcertkeys.com domain to DC1.Itcertkeys.com.
Configure conditional forwarding on DC1.Itcertkeys.com to forward all requests for resources in the acme.com domain to DC1.acme.com.

Answer: D

Explanation:
To log on to a computer in acme.com with a user account in Itcertkeys.com, the acme.com DNS server needs to be able to locate a domain controller in Itcertkeys.com to authenticate the login. You can use conditional forwarding, which enables a DNS server to forward DNS queries based on the DNS domain name in the query.

Using Conditional Forwarding to Query for Names in Other Namespaces
If your internal network does not have a private root and your users need access to other namespaces, such as a network belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.

Incorrect Answers:
A: A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone.
B: Recursion is the process of a DNS server querying other DNS servers on behalf of an original querying client. If recursion is disabled, the client performs iterative queries by using root hint referrals from the DNS server. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.
C: Root hints is a list of preliminary resource records used by the DNS service to locate servers authoritative for the root of the DNS domain namespace tree.

Reference:
Server Help
Sybex, Mastering Windows Server 2003, 2003, p. 451.

Question 6.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory domain named Itcertkeys.com. All computers are members of the domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The network contains desktop client computers and portable client computers. The portable computers include both laptop computers and tablet computers. Client computer accounts are located in various organizational units (OUs) organized by department and division, along with desktop computer accounts.

A written company policy requires that no portable computer is to be left unattended and logged on to the network, unless protected by a password. Users are not allowed to override this requirement. This requirement does not apply to desktop computers because those computers are located in secured offices.

You need to configure your network so that portable computers comply with the written requirement.

What should you do?

A. Create a Group Policy object (GPO) that specifies a logon script.
Link this GPO to the domain.
Configure the logon script to read the Oeninfo.info file for manufacturer and model information, and set the screen saver properties if the manufacturer and model number indicates one of the portable computers.
B. Create a Group Policy object (GPO) that specifies a logon script.
Link this GPO to the domain.
Configure the logon script to make a WMI query for manufacturer information and update the user’s profile information in Active Directory if the user is using a portable computer.
C. Create a Group Policy object (GPO) that specifies a password-protected screen saver.
Link this GPO to the domain.
Use a WMI filter to query for the hardware chassis type information to ensure that the GPO applies only to the portable computers.
D. Create a Group Policy object (GPO) that specifies a password-protected screen saver.
Link this GPO to the domain.
Use a WMI filter to query for the specific edition of Windows XP Professional installed on the computer to ensure that the GPO applies only to the portable computers.

Answer: C

Explanation:
We can use a WMI filter to query for the hardware chassis type information to ensure that the GPO applies only to the portable computers.

Incorrect Answers:
A: This is a very difficult and impractical way of doing it.
B: Updating the user profile would not achieve anything.
D: The desktops would probably have the same version of XP as the laptops.

Reference:
MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 10-20 to 10-21, 11-6.

Question 7.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory domain named Itcertkeys.com. All servers run Windows Server 2003. User accounts for users in the finance department are in an organizational unit (OU) named Finance. You use Group Policy objects (GPOs) to manage these user accounts.

Users in the finance department need a new application installed on their computers. Several of these users volunteer to be pilot users to test the application before it is deployed throughout the department.

You configure a GPO to install the application. You create a group named PilotUsers in the Finance OU.
You make the pilot users’ user accounts members of the PilotUsers group. The pilot users’ user accounts are also in the Finance OU.
You need to allow only the pilot users to test the application.

What should you do?

A. Assign the PilotUsers group the Allow – Read and the Allow – Write permissions for the gPLink property of the Finance OU.
B. Assign the PilotUsers group the Allow – Read and the Allow – Apply Group Policy permissions for the GPO.
Remove the Authenticated Users group’s permissions to apply the GPO.
C. Assign the PilotUsers group the Allow – Generate Resultant Set of Policy (Logging) permissions for the Finance OU.
D. Assign the PilotUsers group the Allow – Generate Resultant Set of Policy (Planning) permission for the Finance OU.

Answer: B

Explanation:
We need to install the application for the pilot users only. We can do this by assigning the PilotUsers group the Allow – Read and the Allow – Apply Group Policy permissions for the GPO. To prevent the GPO applying to the other finance users, we need to remove the Authenticated Users group’s permissions to apply the GPO.

Incorrect Answers:
A: We need to assign permissions to apply the group policy, not link the policy.
C: This will allow the PilotUsers group to run RSoP in logging mode. It won’t configure the GPO to apply to just the pilot users.
D: This will allow the PilotUsers group to run RSoP in planning mode. It won’t configure the GPO to apply to just the pilot users.

Reference:
Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, pp. 408-411.

Question 8.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory forest that contains five domains and 30 remote sites located in cities throughout the world. There are a total of 40,000 users in the five domains. All remote sites are connected to the company network by unreliable 56-Kbps WAN connections.

Each site contains at least one domain controller and one global catalog server. All domain controllers in the forest run Windows Server 2003. The functional level of all the domains in the forest is Windows 2000 native.

You plan to deploy several Active Directory-enabled applications over the next six months. Each of these applications will add attributes to the global catalog or modify existing attributes in the global catalog.

You need to make modifications to the Active Directory infrastructure in order to prepare for these deployments. You plan to accomplish this task during off-peak hours. You need to ensure that you can minimize any potential network disruption that would be caused by the deployment of these applications in the future. You also need to ensure that the modifications do not disrupt user access to resources.

What should you do?

A. Decrease the tombstone lifetime attribute in the Active Directory Schema NTDS-Service object class.
B. Remove the global catalog role from the global catalog servers in each remote site.
C. Raise the functional level of the forest to Windows Server 2003.
D. Configure universal group membership caching in each remote site.

Answer: C

Explanation:
To prepare for the new application the best option is to raise the forest functional level. This will enable us to deactivate any wrong schema class, and make DNS and AD partitions for the new applications.

Extending the schema
When the set of classes and attributes in the base Active Directory schema do not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.

Schema extensions are not reversible
Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.

Deactivating a class or attribute
Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct. A defunct class or attribute is unavailable for use; however, it is easily reactivated.

If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception to this is that an attribute used as a rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (for example, those values cannot be reused).

If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it.

For example, the Unicode String syntax of an attribute called SalesManager could be changed to Distinguished Name. Since Active Directory does not permit you to change the syntax of an attribute after it has been defined in the schema, you can deactivate the SalesManager attribute and create a new SalesManager attribute that reuses the same object identifier and LDAP display name as the old attribute, but with the desired attribute syntax. You must rename the deactivated attribute before it can be redefined.

Incorrect Answers:
A: The tombstone lifetime is the number of days that a deleted object will remain in the Active Directory before it's deleted. The garbage collector runs every 12 hours on each server to delete objects whose tombstone lifetimes have expired. However, we are not deleting Active Directory objects in this scenario.
B: The sites are linked to the company network through unreliable WAN connections. Removing the Global Catalog from these sites will result in log on problems for users as well as the application's access to Active Directory.
D: Universal group membership caching can be used to improve logon times for users. It will not affect the application's access to Active Directory.

Reference:
Server Help
Sybex, Mastering Windows Server 2003, 2003, p. 1539.

Question 9.
You are the network administrator for your company. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.com and cpand1.com. The functional level of each forest is Windows Server 2003.

A two-way forest trust relationship exists between the forests.
You need to achieve the following goals:

• Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
• Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com.

You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals.

Which three actions should you take?
(Each correct answer presents part of the solution. Choose three)

A. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to This Organization security group.

Answer: A, D, E

Explanation:
Authentication between Windows Server 2003 forests
When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.

Selective authentication between forests
Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions.

If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions).

If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set a control access right Allowed to authenticate on an object for that particular user or group from the second forest.

When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, then the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.

Incorrect Answers:
B: If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. However, users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com. We should therefore use selective authentication for the cpandl.com forest to access the contoso.com forest.
C: Users in the contoso.com forest must be able to access all resources in the cpand1.com forest, in other words, they need forest-wide access.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 4-48 to 4-49.

Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, p. 254.

Question 10.
You are the network administrator for ITCertKeys. Your network consists of a single Active Directory domain named Itcertkeys.com. There is an organizational unit (OU) named DocProcessing. The DocProcessing OU contains user accounts for users in the document processing department.

You create a Group Policy object (GPO) and link it to the DocProcessing OU. You configure the GPO to publish a graphics application. Some of the users in the document processing department report that the application is not available from the Start menu, and other users report that the graphics application was installed successfully after they double-clicked a graphics application document.

You need to ensure that all users in the DocProcessing OU can successfully run the graphics application.

What should you do?

A. Instruct users who report a problem to run the gpupdate command on their computers.
B. Instruct users who report a problem to install the application by using Add or Remove
Programs in Control Panel.
C. Run the Resultant Set of Policy (RSoP) tool on the domain controllers on the network.
D. Run the gpresult command on each client computer and domain controller on the network.

Answer: B

Explanation:
You have published the applications to users. This setting makes the application available for users to install. In order to install a published application, users need to use the Add or Remove Programs applet in Control Panel, which includes a list of all published applications that are available for them to install.

Users in the document processing department report that the application is not available from the Start menu.

It won’t be available in the Start menu because the application was published, not assigned.

Group Policy Management
Software installation

You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension.

Assigning Applications
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications).

When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications.

When assigning applications to computers, the application is installed the next time the computer boots up.

Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

Publishing Applications
You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers.

Reference:
Server Help

Incorrect Answers:
A: This will refresh the group policy. It won’t make the application available in the Start menu.
C: This will display the resultant policy. It won’t make the application available in the Start menu.
D: This will display the resultant policy. It won’t make the application available in the Start menu.

Question 11.
You are the network administrator for ITCertKeys Ltd. The network consists of a single Windows 2003 Active Directory domain named ITCertKeys.internal. The network includes 20 servers running Windows 2003 Server and 700 client computers running Windows 2000 Professional.

All servers belong to the default computer container. All client computers belong to an organization unit (OU) named Clients. All domain controllers belong to the default domain controller OU. Name resolution and IP addressing are controlled by DNS, WINS, and DHCP.

You need to ensure that the DNS suffix in the system properties of each client computer is set to ITCertKeys.com.

What should you do?

A. Create a new Group Policy object and link it to Clients.
Set the configuration of the primary DNS suffix to ITCertKeys.com.
B. Modify the default domain policy.
Set the configuration of the primary DNS suffix to ITCertKeys.com.
C. In the DHCP scope options, define the DNS domain name as ITCertKeys.internal.
D. In the DHCP scope options, define the NIS domain name as ITCertKeys.internal.

Answer: A

Explanation:
The best way to accomplish this task is to create a new Group Policy object and link it to the Clients OU. With this GPO in place, the clients are automatically set to use the ITCertKeys.com DNS suffix.

Incorrect Answers:
B: The setting should apply to the clients only. Linking the GPO to the domain will apply the settings to all computers in the domain (including servers and domain controllers).
C: The question doesn't say that the servers have static IP addresses. If they are configured to use DHCP, then we can't use DHCP to apply the DNS suffix setting because it will apply the settings to all computers in the domain (including servers and domain controllers).
D: An NIS domain is a Unix/Linux domain. We have a Windows domain.

Reference:
MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 10-4 to 10-7.

Question 12.
You are a member of the Enterprise Admins group in your company’s Windows 2003 network. The network consists of a single domain named ITCertKeys.com. The Bonn office has its own organizational unit (OU) named Bonn.

You hire an employee named Sophie as a LAN administrator for the Bonn office. Sophie needs to create child OUs for the Bonn OU. She also needs to verify the existence of the OUs she creates. You need to grant Sophie the minimum permissions on the Bonn OU so that she can accomplish these tasks.

Which permissions should you grant?

A. Read All Properties, Create Organizational Unit Object, Write All Properties.
B. Read All Properties, List Contents, Create Organizational Unit Objects.
C. List Contents, Create All Child Objects.
D. Write All Properties, All Extended Rights.

Answer: B

Explanation:
According to the question, Sophie needs to create the child OUs and to confirm that the OUs have been created successfully. To allow this, you should grant Sophie only the “Read All Properties, List Contents, Create Organizational Unit Objects” permissions. With these, she will only be able to create and verify the child OUs.

Incorrect Answers:
A: The write permission will allow a user to create or modify any object in the OU.
C: The Create All Child Objects permission will allow a user to create any object in the OU.
D: The write permission will allow a user to create or modify any object in the OU.

Reference:
MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 9-18 to 9-20, 9-23 to 9-26.

Question 13.
You are the administrator of ITCertKeys Inc. The network consists of a single domain. The company’s main office is located in South Africa and branch offices are located in Asia and Europe. The offices are connected by dedicated 256-Kbps lines. To minimize logon authentication traffic across the slow links, you create an Active Directory site for each company office and configure site links between the sites.

Users in branch offices report that it takes a long time to log on to the domain. You monitor the network and discover that all authentication traffic is still being sent to the domain controllers in South Africa.

You need to improve network performance. What should you do?

A. Schedule replication to occur more frequently between the sites.
B. Schedule replication to occur less frequently between the sites.
C. Create a subnet for each physical location, associate the subnets with the South Africa site,
and move the domain controller objects to the South Africa site.
D. Create a subnet for each physical location, associate each subnet with its site, and move each
domain controller object to its site.

Answer: D

Explanation:
The recommended way to manage the WAN authentication traffic is to create a subnet for each physical location, associate each subnet with its site, and then move each domain controller object to its site. Doing so ensures that authentication traffic is handled by the relevant domain controller in the respective subnet.

Incorrect Answers:
A: No replication will occur between the sites, because all domain controllers are in the same (default) site. The domain controller objects need to be moved to their respective sites.
B: No replication will occur between the sites, because all domain controllers are in the same (default) site. The domain controller objects need to be moved to their respective sites.
C: We don't want all the subnets to be in one site. They should be in their respective sites.

Reference:
MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 5-3 to 5-6.

Question 14.
You are a consultant for several different companies. You design the security policies for the computers running Windows 2003 Server and Windows 2000 Professional in your customers' networks.

You use these security policies to configure a server named Server1. You want to deploy the security configuration on Server1 to computers in your customer's networks by using the least amount of administrative effort.

What should you do first?

A. Create a Group Policy Object (GPO) that configures the security settings for all computers to
match the settings on Server1, and then link the GPO to the domain.
Export the console list to a file.
B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security
template in a file.
C. In the System Information snap-in, save the system summary as a system information file.
D. In the Security Templates snap-in, export the console list to a file.

Answer: B

Explanation:
You can easily export the Server1 security settings in the form of an .inf file. In the given situation, you should use the Security Configuration and Analysis snap-in to analyze Server1 and export the security template to a file. Then you can easily deploy this security template on the other computers.

Incorrect Answers:
A: You have already manually configured the settings on Server1. It would be quicker to export them to a template file, rather than manually enter the settings into a GPO.
C: The system summary does not contain the security settings.
D: The console list does not contain the security settings.

Reference:
MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 13-57 to 13-65, 13-70 to 13-80.



Braindumps for "000-443" Exam

Need Help for new dumps

 Pls send a latest dump to ec_fdshsf@hotmail.com


Braindumps for "70-536" Exam

Microsoft 70-536: passed today got it from itcertkeys.com

Question 1.
You are developing a method to decrypt data that was encrypted with the Triple DES Algorithm. The method accepts the following parameters:

* The byte array to be decrypted, which is named cipherMessage
* The key, which is named key
* An initialization vector, which is named iv

You need to decrypt the message by using the TripleDES class and place the result in a string.

Which code segment should you use?

A. TripleDES des = new TripleDESCryptoServiceProvider();
    des.BlockSize = cipherMessage.Length;
    ICryptoTransform crypto = des.CreateDecryptor(key, iv);
    MemoryStream cipherStream = new MemoryStream(cipherMessage);
    CryptoStream cryptoStream = new CryptoStream(
        cipherStream, crypto, CryptoStreamMode.Read);
    string message;
    message = new StreamReader(cryptoStream).ReadToEnd();
B. TripleDES des = new TripleDESCryptoServiceProvider();
    des.FeedbackSize = cipherMessage.Length;
    ICryptoTransform crypto = des.CreateDecryptor(key, iv);
    MemoryStream cipherStream = new MemoryStream(cipherMessage);
    CryptoStream cryptoStream = new CryptoStream(
        cipherStream, crypto, CryptoStreamMode.Read);
    string message;
    message = new StreamReader(cryptoStream).ReadToEnd();
C. TripleDES des = new TripleDESCryptoServiceProvider();
    ICryptoTransform crypto = des.CreateDecryptor();
    MemoryStream cipherStream = new MemoryStream(cipherMessage);
    CryptoStream cryptoStream = new CryptoStream(
        cipherStream, crypto, CryptoStreamMode.Read);
    string message;
    message = new StreamReader(cryptoStream).ReadToEnd();
D. TripleDES des = new TripleDESCryptoServiceProvider();
    ICryptoTransform crypto = des.CreateDecryptor(key, iv);
    MemoryStream cipherStream = new MemoryStream(cipherMessage);
    CryptoStream cryptoStream = new CryptoStream(
        cipherStream, crypto, CryptoStreamMode.Read);
    string message;
    message = new StreamReader(cryptoStream).ReadToEnd();

Answer: D

Question 2.
You need to create a class definition that is interoperable with COM. You need to ensure that COM applications can create instances of the class and can call the GetAddress method.

Which code segment should you use?

A. public ref class Customer {
        string addressString;
    public:
        Customer(string address) : addressString(address) { }
        String^ GetAddress() { return addressString; }
    }
B. public ref class Customer {
        static string addressString;
    public:
        Customer() { }
        static String^ GetAddress() { return addressString; }
    }
C. public ref class Customer {
        string addressString;
    public:
        Customer() { }
        String^ GetAddress() { return addressString; }
    }
D. public ref class Customer {
        string addressString;
    public:
        Customer() { }
    private:
        String^ GetAddress() { return addressString; }
    }

Answer: C

Question 3.
You need to return the contents of an isolated storage file as a string. The file is machine-scoped and is named Settings.dat. 

Which code segment should you use?

A. IsolatedStorageFileStream isoStream;
    isoStream = new IsolatedStorageFileStream(
        "Settings.dat", FileMode.Open);
    string result = new StreamReader(isoStream).ReadToEnd();
B. IsolatedStorageFile isoFile;
    isoFile = IsolatedStorageFile.GetMachineStoreForAssembly();
    IsolatedStorageFileStream isoStream;
    isoStream = new IsolatedStorageFileStream(
        "Settings.dat", FileMode.Open, isoFile);
    string result = new StreamReader(isoStream).ReadToEnd();
C. IsolatedStorageFileStream isoStream;
    isoStream = new IsolatedStorageFileStream(
        "Settings.dat", FileMode.Open);
    string result = isoStream.ToString();
D. IsolatedStorageFile isoFile;
    isoFile = IsolatedStorageFile.GetMachineStoreForAssembly();
    IsolatedStorageFileStream isoStream;
    isoStream = new IsolatedStorageFileStream(
        "Settings.dat", FileMode.Open, isoFile);
    string result = isoStream.ToString();

Answer: B

Question 4.
You need to read the entire contents of a file named Message.txt into a single string variable.

Which code segment should you use?

A. String^ result = nullptr;
    StreamReader^ reader = gcnew StreamReader("Message.txt");
    result = reader->Read().ToString();
B. String^ result = nullptr;
    StreamReader^ reader = gcnew StreamReader("Message.txt");
    result = reader->ReadToEnd();
C. String^ result = String::Empty;
    StreamReader^ reader = gcnew StreamReader("Message.txt");
    while (!reader->EndOfStream) {
        result += reader->ToString();
    }
D. String^ result = nullptr;
    StreamReader^ reader = gcnew StreamReader("Message.txt");
    result = reader->ReadLine();

Answer: B

Question 5.
You are writing a method to compress an array of bytes. The bytes to be compressed are passed to the method in a parameter named document.

You need to compress the contents of the incoming parameter.

Which code segment should you use?

A. Dim inStream As New MemoryStream(document)
    Dim zipStream As New GZipStream( _
        inStream, CompressionMode.Compress)
    Dim result(document.Length) As Byte
    zipStream.Write(result, 0, result.Length)
    Return result
B. Dim objStream As New MemoryStream(document)
    Dim zipStream As New GZipStream( _
        objStream, CompressionMode.Compress)
    zipStream.Write(document, 0, document.Length)
    zipStream.Close()
    Return objStream.ToArray
C. Dim outStream As New MemoryStream
    Dim zipStream As New GZipStream( _
        outStream, CompressionMode.Compress)
    zipStream.Write(document, 0, document.Length)
    zipStream.Close()
    Return outStream.ToArray
D. Dim objStream As New MemoryStream(document)
    Dim zipStream As New GZipStream( _
        objStream, CompressionMode.Compress)
    Dim outStream As New MemoryStream
    Dim b As Integer
    While (b = zipStream.ReadByte)
        outStream.WriteByte(CByte(b))
    End While
    Return outStream.ToArray

Answer: C

Question 6.
You are working on a debug build of an application.
You need to find the line of code that caused an exception to be thrown. 

Which property of the Exception class should you use to achieve this goal?

A. Data
B. Message
C. StackTrace
D. Source

Answer: C

Question 7.
You need to write a code segment that performs the following tasks:

* Retrieves the name of each paused service.
* Passes the name to the Add method of Collection1.

Which code segment should you use?

A. ManagementObjectSearcher^ searcher =
        gcnew ManagementObjectSearcher(
            "Select * from Win32_Service where State = 'Paused'");
    for each (ManagementObject^ svc in searcher->Get()) {
        Collection1->Add(svc["DisplayName"]);
    }
B. ManagementObjectSearcher^ searcher =
        gcnew ManagementObjectSearcher(
            "Select * from Win32_Service", "State = 'Paused'");
    for each (ManagementObject^ svc in searcher->Get()) {
        Collection1->Add(svc["DisplayName"]);
    }
C. ManagementObjectSearcher^ searcher =
        gcnew ManagementObjectSearcher(
            "Select * from Win32_Service");
    for each (ManagementObject^ svc in searcher->Get()) {
        if ((String^) svc["State"] == "'Paused'") {
            Collection1->Add(svc["DisplayName"]);
        }
    }
D. ManagementObjectSearcher^ searcher =
        gcnew ManagementObjectSearcher();
    searcher->Scope = gcnew ManagementScope("Win32_Service");
    for each (ManagementObject^ svc in searcher->Get()) {
        if ((String^)svc["State"] == "Paused") {
            Collection1->Add(svc["DisplayName"]);
        }
    }

Answer: A

Question 8.
You need to serialize an object of type List(Of Integer) in a binary format. The object is named data.

Which code segment should you use?

A. Dim formatter As New BinaryFormatter()
    Dim ms As New MemoryStream()
    formatter.Serialize(ms, data)
B. Dim formatter As New BinaryFormatter()
    Dim ms As New MemoryStream()
    For i As Integer = 1 To 20
        formatter.Serialize(ms, data(i - 1))
    Next
C. Dim formatter As New BinaryFormatter()
    Dim buffer As New Byte(data.Count) {}
    Dim ms As New MemoryStream(buffer, True)
    formatter.Serialize(ms, data)
D. Dim formatter As New BinaryFormatter()
    Dim ms As New MemoryStream()
    While ms.CanRead
        formatter.Serialize(ms, data)
    End While

Answer: A

Question 9.
You are developing an application that dynamically loads assemblies from an application directory.

You need to write a code segment that loads an assembly named Company1.dll into the current application domain. 

Which code segment should you use?

A. AppDomain^ domain = AppDomain::CurrentDomain;
    String^ myPath = Path::Combine(domain->BaseDirectory,
        "Company1.dll");
    Assembly^ assm = Assembly::LoadFrom(myPath);
B. AppDomain^ domain = AppDomain::CurrentDomain;
    String^ myPath = Path::Combine(domain->BaseDirectory,
        "Company1.dll");
    Assembly^ assm = Assembly::Load(myPath);
C. AppDomain^ domain = AppDomain::CurrentDomain;
    String^ myPath = Path::Combine(domain->DynamicDirectory,
        "Company1.dll");
    Assembly^ assm = AppDomain::CurrentDomain::Load(myPath);
D. AppDomain^ domain = AppDomain::CurrentDomain;
    Assembly^ assm = Domain->GetData("Company1.dll");

Answer: A

Question 10.
You are testing a newly developed method named PersistToDB. This method accepts a parameter of type EventLogEntry. This method does not return a value. You need to create a code segment that helps you to test the method. The code segment must read entries from the application log of local computers and then pass the entries on to the PersistToDB method. The code block must pass only events of type Error or Warning from the source MySource to the PersistToDB method.

Which code segment should you use?

A. EventLog myLog = new EventLog("Application", ".");
    foreach (EventLogEntry entry in myLog.Entries)
    {
        if (entry.Source == "MySource")
        {
            PersistToDB(entry);
        }
    }
B. EventLog myLog = new EventLog("Application", ".");
    myLog.Source = "MySource";
    foreach (EventLogEntry entry in myLog.Entries)
    {
        if (entry.EntryType == (EventLogEntryType.Error &
            EventLogEntryType.Warning))
        {
            PersistToDB(entry);
        }
    }
C. EventLog myLog = new EventLog("Application", ".");
    foreach (EventLogEntry entry in myLog.Entries)
    {
        if (entry.Source == "MySource")
        {
            if (entry.EntryType == EventLogEntryType.Error ||
                entry.EntryType == EventLogEntryType.Warning)
            {
                PersistToDB(entry);
            }
        }
    }
D. EventLog myLog = new EventLog("Application", ".");
    myLog.Source = "MySource";
    foreach (EventLogEntry entry in myLog.Entries)
    {
        if (entry.EntryType == EventLogEntryType.Error ||
            entry.EntryType == EventLogEntryType.Warning)
        {
            PersistToDB(entry);
        }
    }

Answer: C


Braindumps for "190-722" Exam

Easy way to success

 


Braindumps for "310-203" Exam

Please upload recent dump

 thanks buddy


Braindumps for "1Z0-141" Exam

Latest OCP dumps

 anyone have OCP dump ad it plz
thanks 


Braindumps for "70-536" Exam

Need Dumps for taking the exam

 Need Dumps for taking the exam 
ad it plz
thanks


Braindumps for "920-233" Exam

Its Rocking......

 Its Rocking...... 
visit ITCertkeys 
thanks buddy



Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.