AD-txtbk Answers
PLANNING, IMPLEMENTING, AND MAINTAINING A MICROSOFT WINDOWS SERVER 2003 ACTIVE DIRECTORY INFRASTRUCTURE (70-294)
CHAPTER 1
OVERVIEW OF ACTIVE DIRECTORY
CHAPTER EXERCISES
Exercise 1-1: Logical Versus Physical Structure
Use the following scenario to answer the questions below.
Southridge Video is about to set up a completely new network. The network will consist of
approximately 10 servers and 500 client computers. The servers will run Windows Server 2003,
and the clients will run Windows XP Professional. The plan is to connect the corporate
headquarters to each of the company’s five regional offices. Each regional office has several
retail locations. Regional offices are connected to the corporate headquarters through leased
fractional T-1 lines and routers that provide no less than 1 Mbps throughput. Retail locations
are connected to regional offices through 56 Kbps dial-up connections. All client computers are
expected to obtain resources and standard computer settings from the corporate headquarters
and regional offices. Retail locations will have only two to five computers. All systems use
TCP/IP for network communications.
3. If the company decided to configure sites, where would you expect them
to be located?
ANSWER
Sites would most likely be configured for the corporate headquarters and for each of the five
regional offices. Routers separate these locations, so each has its own IP subnets, and a site
is defined by the subnets assigned to it. The retail locations (two to five computers each,
reached over 56 Kbps dial-up) obtain their resources from the regional offices, so their
subnets would be associated with the nearest regional office's site rather than forming sites
of their own.
4. What type of decisions would Southridge Video have to make about the
logical structure of Active Directory?
ANSWER
Decide how many forests, domains, and OUs to create. Most likely they would use a single
forest and a single domain with multiple OUs; in that case there would probably be OUs for
the regional offices and retail locations. They might even configure separate OUs for the
computers and the users in each regional office, depending on how fine-grained they want
control and delegation to be.
A. Datum Corporation currently uses a Windows NT 4.0 domain model. There are
five Windows NT Server 4.0 computers configured as domain controllers. A. Datum
has decided to upgrade the Primary Domain Controller (PDC) to Windows Server
2003.
1. Which two types of forest functional levels will the company be able to
select? Which functional level is the default?
ANSWER
Windows Server 2003 interim and Windows 2000. The Windows 2000 forest functional level
allows Windows 2000 domain controllers in the forest. Windows Server 2003 interim does not;
it is meant for a forest upgraded directly from Windows NT 4.0 that will still contain
Windows NT 4.0 backup domain controllers (A. Datum's four remaining ones) but will never
contain Windows 2000 domain controllers. The default is Windows 2000.
2. If the company chooses the default forest functional level, which domain
functional levels can the company use? Which domain functional level is
the default?
ANSWER
Since the default forest functional level is Windows 2000, the domain functional levels
available are Windows 2000 mixed (the default), Windows 2000 native, and Windows Server 2003.
Windows 2000 mixed must be kept as long as the four Windows NT Server 4.0 BDCs remain in the
domain.
ANSWER
A multi-master model is one in which all domain controllers have equal authority
to make database changes. When a change is made in one location, the change is
replicated to all locations. Changes can be initiated from any domain controller in
a domain. A single-master model has only one domain controller from which all
database changes must originate.
Domains, OUs, and sites are container objects. Leaf objects are stored in container objects.
8. What is the default forest functionality set to when the first Windows
Server 2003 domain controller is installed?
a. Mixed mode
b. Native mode
c. Windows Server 2003
d. Enterprise mode
ANSWER
b. Native mode is the answer the key expects. Strictly, mixed mode and native mode are domain
functional levels rather than forest levels: a new forest starts at the Windows 2000 forest
functional level and its first domain at Windows 2000 mixed, and the forest level is raised
by hand to Windows Server 2003 (answer c) only after every domain controller in the forest
runs Windows Server 2003.
ANSWER
The iNetOrgPerson object class (for migration from Novell to Windows Server 2003) and the
domain and forest functional levels. iNetOrgPerson provides a common LDAP object class between
Novell and Windows Server 2003, so existing directory entries can be brought across without
remapping them. The domain and forest functional levels allow a phased approach as you move
toward full Windows Server 2003 forest functionality.
ANSWER
You need to establish a forest trust to accomplish your goal. To do this, both forests must be
at the Windows Server 2003 forest functional level. If they are not, you will need to bring
every domain controller in each forest up to Windows Server 2003 and then raise the forest
functional level in each forest.
CHAPTER 2
IMPLEMENTING ACTIVE DIRECTORY
CHAPTER EXERCISE
[Figure: solution for Exercise 2-1. A forest root domain margiestravel.com with three child
domains: phoenix.margiestravel.com, dallas.margiestravel.com, and chicago.margiestravel.com.]
ANSWER
The figure above shows the solution for Exercise 2-1. Students will create a simple
design that should reflect something similar to the solution provided here.
2. What two tools allow you to begin the Active Directory installation process?
ANSWER
The two tools that allow you to begin the Active Directory installation process are the
Manage Your Server page (adding the domain controller role through the Configure Your Server
Wizard) and the dcpromo.exe command-line tool; either route runs the Active Directory
Installation Wizard.
4. Which of the following are key points related to the Sysvol folder structure in Active
Directory?
a. It contains user data that should be backed up.
b. It contains replicated data such as logon scripts.
c. It contains the operating system boot files.
d. It must be placed on a FAT32 partition.
e. It must be placed on an NTFS partition.
ANSWER
b and e are correct. Answer a is incorrect because user data should not reside in the same
location as system files; Sysvol holds only the domain's public files (logon scripts, Group
Policy templates) that are replicated to every domain controller. Operating system boot files
are stored at the root of C: by default and system files in the systemroot directory, which
makes answer c incorrect. Answer e is correct because Sysvol relies on NTFS permissions and
the NTFS change journal used by the File Replication service, so answer d is incorrect.
5. Before you are able to create an application directory partition, you must
be a member of which group?
a. Domain Users
b. Domain Admins
c. Schema Admins
d. Enterprise Admins
ANSWER
d is the correct answer. Since application directory partition information can be
configured to replicate to any domain in the forest, creating this partition is an
enterprise-level task and requires enterprise permissions to do so.
3. John’s computer has an error in its DNS configuration. Use ipconfig to check
the current settings for John’s network connection. If IP is being obtained from
a DHCP server, attempt a renewal of the information using ipconfig /renew. If IP
is manually configured, check the properties of John’s network connection.
4. The record in DNS for SERVER1 is old and has not been updated. Check the record in DNS to
verify that this is the problem. If it is, modify the record to reflect the correct information,
or run ipconfig /registerdns on SERVER1 if dynamic updates are enabled on the zone. If SERVER1
is a domain controller, restarting its Net Logon service also re-registers the SRV locator
records under _msdcs.
7. You are the administrator for a large automotive parts company. Management has just
released the names of several vendors that you will need to
allow access to network resources. These vendors either have Microsoft
Windows NT 4.0, Windows 2000, or Windows Server 2003 domains. You
have established a domain that holds all the information that vendors will
need to access within your forest. The vendors want to be able to gain
access to these resources without permitting access for your company to
their network. What do you need to do to make this happen?
ANSWER
You need to establish an external one-way trust between the vendor resource domain in your
forest and the appropriate user domain in each vendor's forest (or Windows NT 4.0 domain,
which supports only external trusts). The direction matters: your resource domain is the
trusting domain and the vendor's account domain is the trusted domain, so vendor users can be
granted access to your resources while nothing in your forest is trusted by their network.
Leave SID filtering, which Windows Server 2003 enables by default on external trusts, in
place so that SIDs injected on the vendor's side cannot be used to claim membership in your
groups.
8. What are the default names of the application directory partitions created
by the DNS installation within the Active Directory Installation Wizard?
ANSWER
DomainDnsZones
ForestDnsZones
9. Using nslookup’s /? switch, what would be the syntax needed to view all
SRV records?
ANSWER
Start nslookup without arguments and, at its > prompt, use the ls subcommand with the -t
(record type) option against the zone, for example ls -t SRV contoso.com. Note that ls
obtains its listing by zone transfer, so it works only if the DNS server permits zone
transfers to your host; where it does not, use set type=SRV and query the locator names
directly, such as _ldap._tcp.dc._msdcs.contoso.com for the domain controllers' LDAP records.
10. You have just installed a new application that has modified the schema by
adding a new object. Another administrator at a different location does
not have this object listed on his domain controller. What is the most
likely reason for this? What should he do to resolve the problem?
ANSWER
Replication has not taken place yet. Schema changes are made only on the schema master and
then replicate to every other domain controller in the forest on the normal schedule, so
there is a normal latency. He should wait for replication to complete; if it is urgent,
replication to his domain controller can be forced with repadmin /syncall or from Active
Directory Sites And Services.
The company has decided to migrate to Windows Server 2003 using Active Directory in order to
take advantage of centralized administration and better security. To assist you in consulting
with your customer, answer the following questions.
ANSWER
1. Register a second DNS name that closely resembles the first, that is, using
the .com and .net suffixes.
2. Use a domain name such as internal.company.com for the internal domain name.
3. Use the .local suffix for the internal domain.
CHAPTER 3
WORKING WITH ACTIVE DIRECTORY SITES
CHAPTER REVIEW QUESTIONS
1. The KCC is responsible for calculating intrasite replication partners.
During this process, what is the maximum number of hops that the KCC
will allow between domain controllers?
a. 2
b. 3
c. 4
d. 5
ANSWER
b. The maximum number of hops that the KCC will allow between domain controllers is three.
With the Windows 2000-style notification delay, in which each domain controller holds a
change for five minutes before notifying its partners, this gives a maximum intrasite
replication latency of 15 minutes. When the forest is at the Windows Server 2003 forest
functional level the initial notification delay drops to 15 seconds, so the worst case
becomes well under a minute.
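As an added worked example (not from the textbook), the following Python models the intrasite rule in this answer: start from the KCC's bidirectional ring, add connection objects until no domain controller is more than three hops from any other, and derive the worst-case latency from the hold time. The ten-DC site is constructed; the greedy choice of which shortcut to add is this example's own heuristic, not the KCC's algorithm; and HOLD_MINUTES is the five-minute Windows 2000-style delay the answer uses.

```python
from collections import deque

MAX_HOPS = 3         # the KCC's intrasite bound from the answer above
HOLD_MINUTES = 5     # Windows 2000-style notification delay (15 seconds at the 2003 forest level)


def ring(dcs):
    """The KCC starts from a bidirectional ring: each DC has its two neighbours as partners."""
    return {(dcs[i], dcs[(i + 1) % len(dcs)]) for i in range(len(dcs))}


def hop_counts(dcs, links):
    """All-pairs shortest paths (in hops) over the undirected connection graph, by BFS."""
    adj = {dc: set() for dc in dcs}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    table = {}
    for src in dcs:
        dist, queue = {src: 0}, deque([src])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
        table[src] = dist
    return table


def max_hops(dcs, links):
    """Longest shortest path between any two DCs in the site."""
    table = hop_counts(dcs, links)
    return max(table[a][b] for a in dcs for b in dcs)


def build_intrasite_topology(dcs):
    """Ring plus extra connection objects until no pair is more than MAX_HOPS apart.
    Adding a shortcut between the currently worst pair is this example's heuristic
    (an assumption), not the KCC's real selection order."""
    links = ring(dcs)
    while True:
        table = hop_counts(dcs, links)
        worst = max(((table[a][b], a, b) for a in dcs for b in dcs), key=lambda t: t[0])
        if worst[0] <= MAX_HOPS:
            return links
        links.add((worst[1], worst[2]))


def worst_case_latency_minutes(dcs, links):
    """Each hop holds a change for HOLD_MINUTES before notifying the next partner."""
    return max_hops(dcs, links) * HOLD_MINUTES


if __name__ == "__main__":
    site = [f"DC{i}" for i in range(1, 11)]      # constructed ten-DC site
    plain = ring(site)
    print("ring only:", max_hops(site, plain), "hops,",
          worst_case_latency_minutes(site, plain), "min worst case")
    tuned = build_intrasite_topology(site)
    print("with shortcuts:", len(tuned - plain), "extra connections,",
          max_hops(site, tuned), "hops,", worst_case_latency_minutes(site, tuned), "min worst case")
```

A seven-DC ring already satisfies the three-hop bound (its two farthest DCs are three hops apart, so the 15-minute figure in the answer is exactly the ring case); from eight DCs upward the ring alone exceeds it and extra connection objects appear.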
Two of the locations have standard IP links to the main office, while the
third branch office is a separate domain and uses an Internet connection
for e-mail. How should you configure the site links for the three branch
offices to the main office?
ANSWER
Configure RPC over IP for the two branch offices with standard links, and configure SMTP for
the remote office that is a separate domain. This follows the guidelines: use RPC over IP in
most situations, and SMTP only for an Internet-based connection to a separate domain. SMTP
site links carry only the schema, configuration, and global catalog partitions, never a domain
partition, which is why they are usable only between different domains. SMTP replication also
requires an enterprise certification authority, because every replication message is signed.
6. You are the administrator for a network that has several sites. There is a
site link from the main headquarters to each remote site for file transfer
and replication purposes. You have been asked to create five new users
on the network, and several of the users need immediate access to net-
work applications. When asked by your manager how long replication of
these new accounts will take, you answer with which of the following
responses?
a. Replication occurs every 180 minutes by default.
b. Replication occurs at 15-minute intervals.
c. Replication occurs as soon as the account is added.
d. Replication occurs only between 12:00 A.M. and 6:00 A.M.
ANSWER
a. The default intersite replication interval is 180 minutes; it can be reduced to as little
as 15 minutes on the site link. Within a site the new accounts replicate almost immediately;
the 180-minute figure is what the remote sites see.
8. What is the advantage of creating your sites and subnets prior to installing
subsequent domain controllers?
ANSWER
When your domain controllers are installed and an IP address is assigned, they will
automatically be placed in the site associated with their network address. This will
save you the step of moving them later.
■ There will be three new servers installed in the Canada facility with the
following specifications:
❑ Server 1: 2.4-GHz processor with 2 GB RAM will be installed as a domain
controller.
❑ Server 2: 2.0-GHz processor with 1 GB RAM will be installed as a domain
controller.
❑ Server 3: 2.0-GHz processor with 2 GB RAM will be installed as an
application server.
■ There are two links between the United States and Canada facilities that
will be available. They are as follows:
❑ A T-1 link for the primary connection
❑ A 256-Kbps link for a backup connection
■ Bandwidth should be used during the day mainly for file transfers and
e-mail. Any network maintenance that requires bandwidth should be
done only between 11:00 P.M. and 4:00 A.M. on weekdays. Weekends are
available anytime for maintenance procedures.
Sketch a design that will meet the previous requirements and consider the follow-
ing questions:
ANSWER
Clear the Bridge All Site Links option on the IP transport (site link transitivity) and then
create the appropriate site link bridges manually. This solution fits because the five sites
are not fully routed, which is the main reason to manage site link bridges by hand. The
automatic bridging must be disabled first; while it is on, the KCC treats every site link as
transitive and manual bridges have no effect.
CHAPTER 4
GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER
OPERATIONS (FSMO) ROLES
CHAPTER REVIEW QUESTIONS
1. What is the database that serves as a central repository for all Active
Directory objects called?
a. Main database
b. Central catalog
c. Global database
d. Global catalog
e. Enterprise catalog
ANSWER
d. Global catalog is the term for the central repository of all Active Directory objects. A
global catalog server holds a full, writable replica of its own domain and a partial,
read-only replica (a subset of attributes) of every other domain in the forest. The other
answers are not valid terms.
ANSWER
All five FSMO roles will reside here along with at least one global catalog server.
b. While trying to add new user accounts to the domain, you receive an
error that the accounts cannot be created. You are logged on as a
member of the Domain Admins group. What is most likely causing
the problem?
ANSWER
The RID master is down. If the domain controller you are trying to create accounts
on has run out of identifiers to assign to new objects, the RID master needs to
provide an additional pool to the domain controller.
[Figure: site and domain diagram for this question, showing the Lansing and New York sites,
Domains B and D, and domain controllers DC1 through DC3 and DC6 through DC10.]
Additional suggestion for answer: enable universal group membership caching for the New York
site, since no global catalog server is present there; otherwise every logon in New York
depends on reaching a global catalog across the WAN.
In the Detroit site, you could place all roles on one of the two servers and create a manual
connection object between the two so that they replicate directly. The second server can be
considered a standby in case a role fails on the primary server.
ANSWER
The plan should include a recovery method for the schema master, domain naming master,
infrastructure master, RID master, and PDC emulator roles. Each should have a designated
standby in case the role needs to be transferred or seized. Transfer is the normal, graceful
path (Ntdsutil or the MMC snap-ins, with both domain controllers online); seizure is for a
holder that will not return. Once the schema master, domain naming master, or RID master role
has been seized, the former holder must never be brought back onto the network without being
rebuilt, or duplicate RIDs and conflicting schema or naming changes can result.
CHAPTER 5
ACTIVE DIRECTORY ADMINISTRATION
CHAPTER EXERCISE
Exercise 5-1: Viewing Group Object Properties
To practice viewing group object properties and memberships, complete the
following steps:
ANSWER
No. Built-in groups do not allow their type or scope to be changed. This behavior is
by design.
4. Click the Members tab, and view and record the members of the Domain
Admins group. Close the Properties window for the Domain Admins group.
2. Your company has just purchased a new printer that the owner wants all
employees to be able to use. You currently have only one domain with two
servers running Windows Server 2003. All users have accounts to authenti-
cate daily to the network. As the administrator, what is the simplest and
most secure way to assign permissions to all of the users in your domain?
a. Create a domain local group with the proper permissions assigned to
the printer and place all user accounts in the domain local group.
b. Create a global group and place all of the user accounts on the
membership list. Assign the global group permission to access the
resource directly.
c. Create a global group and place all of the user accounts on the mem-
bership list. Create a domain local group and add it to the ACL of the
printer assigning the necessary permissions. Place the global group
in the membership list of the domain local group.
d. Create a domain local group and add it to the ACL of the printer
assigning the necessary permissions. Place the built-in Domain Users
account in the membership list of the domain local group.
e. Create a domain local group and add it to the ACL of the printer
assigning the necessary permissions. Place the Everyone special
identities group account in the membership list of the domain
local group.
ANSWER
d. Creating a domain local group with the access permissions to the printer and adding the
Domain Users group to its membership list is the most secure and easiest method of granting
access. Every user added to the domain is automatically a member of Domain Users (a global
group), so this is standard AGDLP nesting with no new global group to maintain.
Answer e would include any guest users, and the membership of the Everyone special identity
cannot be administratively modified; Microsoft recommends avoiding the Everyone group as a
general security guideline.
Answers a and b assign members or permissions in a way that does not follow group usage
guidelines, and answer c works but creates a second global group that merely duplicates
Domain Users.
3. You work for a local school district as the district-wide network administrator.
Currently the district has a UNIX database that contains all student records. The district
board of educators would like you to use the same user names on the Windows Server 2003
network that are currently being used on the UNIX server. They have asked you how you
intend to accomplish this task. What will you tell them?
ANSWER
The best strategy is to export the UNIX database information to a file. This file can be
edited and used with CSVDE, LDIFDE, or WSH. As an administrator you should consider that
some of the accounts may need to be modified or deleted at a later date; LDIFDE or WSH
provide this flexibility, whereas CSVDE can only add objects.
4. Having just hired a new employee to help you with some administrative
tasks, you would like this person to be responsible for network backups.
Without giving more access than is necessary to perform this task, to
which group should you add the new employee’s user account?
a. Server Operators
b. Administrators
c. Everyone
d. Backup Operators
e. Domain Admins
ANSWER
The correct answer is d, Backup Operators.
ANSWER
Your domain is in Windows 2000 mixed mode because of the Windows NT Server 4.0 BDCs. Mixed
mode does not support universal security groups.
ANSWER
Distribution groups cannot be assigned resource access permissions. Security
groups offer both distribution list capabilities and security permission assignments.
7. What is the difference between a domain local group and a local group?
ANSWER
Domain local groups are stored in Active Directory. They can be centrally managed
and can be given permission to access domain resources. Local groups are stored
on the computer in which they are created, cannot be centrally managed, and
cannot be given permission to domain resources.
[Figure: forest for this scenario. Forest root domain humongousinsurance.com with child
domains west.humongousinsurance.com and east.humongousinsurance.com.]
All domains are Windows Server 2003 domains. The forest root domain has
10 domain controllers. Five of those domain controllers are configured as DNS
servers and two are configured as global catalog servers. The West domain has
three domain controllers. Two of those domain controllers are configured as DNS
servers. One of those domain controllers is configured as a global catalog server.
The East domain has two Windows Server 2003 domain controllers and three
Windows NT Server 4.0 Backup Domain Controllers (BDCs).
The forest root domain is located in College Station, Texas. The East domain is
located in Gainesville, Florida. The West domain is located in San Diego, Califor-
nia. There is also an Active Directory site configured for each of these locations.
The site for College Station is named Main_Site. The Gainesville site is named
East_Site. The San Diego site is named West_Site.
You are one of several network administrators assigned to handle the forest root
domain and College Station site. Your manager, Jean Trenary, has called a meeting
of all network and desktop administrators. She wants to address several issues.
1. Jean says there are four internal auditors in the forest root domain. There
are two internal auditors in each of the child domains. Each set of internal
auditors has been placed in a global group within each domain. These
groups are named IA_Main, IA_East, and IA_West after their respective
locations. Jean wants all of the members of these groups to be able to
access the same resources in every domain. What is the recommended
way to configure the groups to allow the desired functionality?
ANSWER
Create a universal group to which all individual global groups can become a member.
This allows each internal auditor to have access to resources granted to the uni-
versal group. Choose a name for the group that represents the entire company
such as Humongous_IA.
2. The network administrators from the East domain want to know why the
option to create a universal group is not available in their domain. What
can you tell them?
ANSWER
Universal groups are available only to domains that have a functional level of Win-
dows 2000 native mode or later. When using the mixed mode functional level, you
cannot create universal groups. In order to change the functional level, all of the
existing Windows NT Server 4.0 BDCs must be removed or upgraded. Once the
domain functional level is raised, the two Windows Server 2003 domain controllers
will no longer replicate the domain database to Windows NT Server 4.0 BDCs.
3. The network administrators from the West domain want to know why
everyone always recommends placing global groups into universal
groups, instead of just placing the users directly into the universal groups.
What should you tell them?
ANSWER
Universal group membership changes replicate to every global catalog in the forest. If you
use global groups as members of universal groups instead of individual users, membership
changes to the universal groups become rare. If you place users directly into universal
groups, forest-wide replication takes place each time a user is added to or removed from a
universal group, and in most domains user accounts change far more often than the groups
themselves. Once you are able to upgrade all of the domain controllers in the forest, you
will be able to raise the forest functional level to Windows Server 2003, which enables
linked-value replication: only the changed member values replicate rather than the whole
membership attribute, which largely removes this concern.
4. Jean approves a plan to hire assistants for each domain to create and
manage user accounts. How can you give the assistants the immediate
ability to help in this way, without making them domain administrators?
ANSWER
Place the assistants in the Account Operators group of each domain for which they are
expected to be assistants. Note that Account Operators can manage any non-administrative
account or group in the domain and can log on locally to domain controllers; if the
assistants should only manage accounts in particular OUs, the Delegation Of Control Wizard on
those OUs grants a tighter set of permissions.
5. Two employees have been hired to back up data, maintain the Windows
Server 2003 domain controllers, and manage printers for the Main_Site.
Which Built-in groups will give these users the permissions they require
to manage the domain controllers? How should you set up their accounts
and group memberships?
ANSWER
These users will need the permissions of the Backup Operators and Server Operators built-in
groups. The key also lists Account Operators, but nothing in the job description (backups,
domain controller maintenance, printers) requires account management rights, so under least
privilege leave it out; Print Operators is the narrower choice if printer management is the
only additional duty. You should create a global group specifically for these users, for
example Maintenance_Main. Make that group a member of the Backup Operators and Server
Operators domain local groups. Then place the user accounts for these new employees in that
new global group.
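The group-scope rules spread across the Humongous Insurance answers (universal security groups unavailable in mixed mode, global groups never containing members from another domain, domain local groups accepting members from anywhere, universal membership replicating to every global catalog) and the AGDLP choice in question 2 above are easier to check mechanically than to remember. The Python below is an added example, not part of the answer key: it encodes those rules and validates a constructed membership plan for the scenario. The functional level of each domain and every group name other than IA_Main, IA_East, IA_West, and Humongous_IA are assumptions.

```python
MIXED = "Windows 2000 mixed"
NATIVE = "Windows 2000 native"     # Windows Server 2003 level keeps the same nesting rules

# A principal is (name, kind, domain); kind is "user", "global", "domain_local" or "universal".
# levels maps each domain name to its functional level.


def can_contain(container, member, levels):
    """Nesting rules, keyed on the functional level of the *container's* domain."""
    _, ckind, cdom = container
    _, mkind, mdom = member
    same_domain = cdom == mdom
    mode = levels[cdom]
    if ckind == "global":                       # global groups take same-domain members only
        allowed = {"user"} if mode == MIXED else {"user", "global"}
        return same_domain and mkind in allowed
    if ckind == "domain_local":                 # domain local groups take members from anywhere
        if mode == MIXED:
            return mkind in {"user", "global"}
        return mkind in {"user", "global", "universal"} or (same_domain and mkind == "domain_local")
    if ckind == "universal":                    # universal security groups need native mode
        return mode != MIXED and mkind in {"user", "global", "universal"}
    return False


def check_plan(memberships, levels):
    """Return violations and replication warnings for a list of (container, member) pairs."""
    findings = []
    for container, member in memberships:
        cname, ckind, cdom = container
        mname, mkind, mdom = member
        if not can_contain(container, member, levels):
            findings.append(f"ERROR: {mname} ({mkind}, {mdom}) cannot be a member of "
                            f"{cname} ({ckind}, {cdom} at {levels[cdom]})")
        elif ckind == "universal" and mkind == "user":
            findings.append(f"WARN: {mname} is a direct member of universal group {cname}; "
                            f"every change replicates to all global catalogs")
    return findings


# Constructed plan for the scenario: the root and West domains are native, East still has
# Windows NT 4.0 BDCs and is therefore mixed (assumed levels).
ROOT, WEST, EAST = "humongousinsurance.com", "west", "east"
LEVELS = {ROOT: NATIVE, WEST: NATIVE, EAST: MIXED}
IA_MAIN = ("IA_Main", "global", ROOT)
IA_EAST = ("IA_East", "global", EAST)
IA_WEST = ("IA_West", "global", WEST)
HUMONGOUS_IA = ("Humongous_IA", "universal", ROOT)
PLAN = [
    (HUMONGOUS_IA, IA_MAIN), (HUMONGOUS_IA, IA_EAST), (HUMONGOUS_IA, IA_WEST),  # recommended
    (("East_IA_Universal", "universal", EAST), IA_EAST),   # why East cannot create one
    (HUMONGOUS_IA, ("jtrenary", "user", ROOT)),            # allowed, but replicates forest-wide
    (("Printer_Users", "domain_local", ROOT), ("Domain Users", "global", ROOT)),  # question 2, answer d
    (IA_EAST, IA_MAIN),                                    # global groups never cross domains
]

if __name__ == "__main__":
    for finding in check_plan(PLAN, LEVELS):
        print(finding)
```

Running it reports the two impossible memberships (a universal group in the mixed-mode East domain, and a root-domain global group inside an East global group) and flags the user placed directly in Humongous_IA; the recommended global-into-universal nesting and the printer group pass without comment.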
Part I. Describe each type of scripting that can be used to add users to Active
Directory. List an example of when you might use each one.
ANSWER
The correct answers are:
Batch files – used to create simple scripts using .bat and .cmd files. Batch files
can be used to add or remove users from Active Directory using commands such
as dsadd.
CSVDE – used to import or export Active Directory objects. Files are saved with a
.csv extension and require a header record. Example of usage: You have an Excel
spreadsheet containing names of people you wish to add to Active Directory.
LDIFDE – used to import, export, modify, or delete Active Directory objects. Uses
a line-separated file format. Example of usage: You have the need to create new
users and modify existing entries.
WSH – used for just about any scripting need. Supports VBScript and JScript files. Wscript.exe
runs a script from the Windows desktop interface (double-clicking the script file), while
Cscript.exe runs it from a command prompt.
Example of usage: Create, delete, and modify users, customize their logon/logoff
scripts, set all parameters for user objects such as home directories, drive
mappings, and so on.
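The school-district question earlier in this chapter (export the UNIX names, then import with CSVDE or LDIFDE) and Part I above both stop short of showing what the import file has to contain. The Python below is an added example, not from the textbook or from Microsoft: it turns a constructed passwd-style export into both an LDIFDE and a CSVDE import file, escaping commas in distinguished names per RFC 4514, base64-encoding non-ASCII values per RFC 2849, and enforcing the 20-character and illegal-character limits on sAMAccountName. The district.local domain, the Students OU, and all names are assumptions; accounts are created disabled because neither tool can set a password over plain LDAP.

```python
import base64
import csv
import io

# Constructed sample export from the UNIX account database (passwd layout, GECOS holds the
# full name). Names are fictitious; the domain and OU below are assumptions.
UNIX_EXPORT = """\
jsmith:x:1001:100:John Smith:/home/jsmith:/bin/bash
aduncan:x:1002:100:Duncan, Alice:/home/aduncan:/bin/bash
jnunez:x:1003:100:José Núñez:/home/jnunez:/bin/bash
christopherwilliamson1:x:1004:100:Christopher Williamson:/home/cwilliamson:/bin/bash
"""
TARGET_OU = "OU=Students,DC=district,DC=local"
UPN_SUFFIX = "district.local"
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')      # characters sAMAccountName rejects


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        login, _pw, _uid, _gid, gecos, _home, _shell = line.split(":", 6)
        users.append({"login": login, "name": gecos.strip() or login})
    return users


def escape_rdn_value(value):
    """RFC 4514 escaping for the CN relative distinguished name."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def sam_name(login):
    """Pre-Windows 2000 logon name: illegal characters dropped, 20-character limit applied."""
    return "".join(ch for ch in login if ch not in SAM_ILLEGAL)[:20]


def ldif_line(attr, value):
    """RFC 2849: 'attr:: base64' when the value is not a SAFE-STRING, else 'attr: value'."""
    safe = (value.isascii() and value and value[0] not in " :<"
            and not value.endswith(" ") and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_attrs(u):
    sam = sam_name(u["login"])
    return {
        "objectClass": "user",
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{UPN_SUFFIX}",
        "displayName": u["name"],
        # 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE. unicodePwd can only be written over LDAPS,
        # so create disabled, set passwords out of band, then enable.
        "userAccountControl": "514",
    }


def to_ldif(users):
    """LDIFDE import file: one 'changetype: add' record per user, blank-line separated."""
    records = []
    for u in users:
        lines = [ldif_line("dn", f"CN={escape_rdn_value(u['name'])},{TARGET_OU}"), "changetype: add"]
        lines += [ldif_line(a, v) for a, v in user_attrs(u).items()]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def to_csvde(users):
    """CSVDE import file: header record first; csv quoting protects commas in DNs and names."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    cols = ["DN", "objectClass", "sAMAccountName", "userPrincipalName", "displayName", "userAccountControl"]
    writer.writerow(cols)
    for u in users:
        attrs = user_attrs(u)
        writer.writerow([f"CN={escape_rdn_value(u['name'])},{TARGET_OU}"] + [attrs[c] for c in cols[1:]])
    return buf.getvalue()


if __name__ == "__main__":
    students = parse_passwd(UNIX_EXPORT)
    print(to_ldif(students))
    print(to_csvde(students))
```

Import the result with ldifde -i -f students.ldf or csvde -i -f students.csv (add -u to csvde when the file contains non-ASCII names), then set passwords and enable the accounts as a separate step. The example shows why the answer prefers LDIFDE for ongoing maintenance: the same file format takes changetype: modify and changetype: delete records, which CSVDE has no equivalent for.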
Part II. Using the Internet as your resource, find an example of one of the script
types and write a short description of the script and what it accomplishes.
ANSWER
Sample scripts can be located by using a search engine and Active Directory
Scripts as your keyword.
CHAPTER 6
SECURITY PLANNING AND ADMINISTRATIVE
DELEGATION
CHAPTER EXERCISES
Exercise 6-1: Planning a Naming Standard
and Password Strategy
Create a naming standard and password strategy based on the fact that your network consists
of Windows XP, Windows 98, and several Windows 95 workstations. Using your own name as an
example, complete the standards chart in Table 6-2 according to your strategy.
ANSWER
Students will use their own names to develop a naming standard and password
strategy. They should not use the example already printed earlier in the text. This
exercise can be shared in groups and analyzed for the differences between strong
and weak passwords.
The password contains a complete dictionary word. It should contain at least one symbol if
possible. Suggested solutions include T!g3r01 and TlG3r_01 (illustrations of the pattern,
not passwords to deploy). Note also that the Windows 95 and Windows 98 workstations in this
scenario authenticate with LAN Manager unless the Directory Services Client is installed, and
the LM hash caps effective password strength at two independent 7-character halves, so a
longer password gains less on those clients than it does on the Windows XP clients.
5. Which tool must you use to move a user object from one domain to
another domain?
a. Active Directory Users And Computers
b. Drag and drop
c. Movetree
d. Dsmove
ANSWER
c. Movetree (from the Windows Support Tools) must be used to move objects between domains.
All other options can only move objects within the same domain.
6. You are attempting to use the Run As program to open Active Directory
Users And Computers, but you receive an error message and are unable
to do this. What should you check?
a. Check to make sure you are logged on locally.
b. Check to make sure certificate services is functioning properly.
c. Check to make sure that the Log On Locally policy has not been
changed.
d. Check to make sure the Secondary Logon service is running.
ANSWER
d. The Secondary Logon service must be running for you to create a second
connection using another set of credentials.
7. What must you have in order to be able to create a smart card on behalf
of a user in your organization?
a. An enrollment certificate
b. A token-style card
c. An administrator user account
d. Full control in the Active Directory domain
ANSWER
a. You must have an Enrollment Agent certificate in order to enroll smart cards on behalf of
users in your organization. Because an enrollment agent can issue a logon credential for any
user, restrict who holds this certificate.
8. List the hardware requirement for each workstation from which you wish
to gain smart card access to your network.
ANSWER
You must have a smart card reader attached to the station.
The company currently is using a Microsoft Windows NT Server 4.0 domain and will be
transitioning to Active Directory with the migration of their network to Windows Server 2003.
The company currently has a single domain and will be expanding to include a single forest
and one domain for each of their five locations when the new network is installed. An
administrator has been designated for each location. In addition, the accounting and human
resource departments, which are located at the main site, want to be able to manage their
own containers.
2. How will you achieve the goal set forth by the accounting and human
resource departments?
ANSWER
You should run the Delegation Of Control Wizard from the accounting and human resource
containers and assign the appropriate user or group permission to manage their container.
you have implemented strong passwords and educated your users on the importance of following
company policy, you feel that you need to convince upper management that smart cards will
alleviate your problems. In order to do this, you will need to come up with the following
information:
Address each one of these points in a plan for this new program.
ANSWER
Students should come up with a list of points that includes the following smart
card benefits:
■ Users no longer have to remember complex passwords.
■ The user's private key is generated and stored on the smart card and cannot be exported,
so the credential is difficult for anyone other than the intended user to use or copy.
■ Security operations such as cryptographic functions are performed on the smart card,
rather than on the network server or local computer. This provides a higher level of
security for sensitive transactions.
■ Smart cards can be used from remote locations such as a home office to
provide authentication services.
■ The risk of remote attacks using a username and password combination is
significantly reduced by smart cards.
Students should come up with a list of necessary budget items to implement this
technology. This list should include at a minimum the following items:
■ If you do not have Certificate Services installed in your environment, you
must do so. Depending on how you choose to structure the CAs, this may
require an additional server.
■ PC/SC compliant smart cards and readers. You should plan for one reader for
each workstation in addition to one smart card per user. You will need to
determine the type of reader that is best for your corporate needs and then
research projected costs.
■ You must set up at least one computer as a smart card enrollment station.
Depending on the company security policies and guidelines, this may be a
separate workstation requiring a budget line item.
■ You should also plan budget dollars for support and maintenance.
Students should create a rough plan that identifies the phases and appropriate
order for implementing smart cards into the environment. This plan should include
the overall tasks as follows:
■ Set up Certificate Services. This may include implementing an offline root CA.
Create template for certificate enrollment.
■ Set appropriate permissions for certificate autoenrollment.
■ Set up a smart card enrollment station and install the smart card reader. If
you will be creating smart cards with certificates on behalf of each user,
make sure the person responsible for creating smart cards for users is set
up as an Enrollment Agent.
CHAPTER 7
INTRODUCTION TO GROUP POLICY
CHAPTER EXERCISES
Exercise 7-1: Viewing and Comparing the GPC and GPT Folders
To view and compare the GPC and GPT structures for your domain, complete the
following steps:
NOTE Advanced Features If Advanced Features already has a check mark next
to it, clicking it again hides the Advanced Features view options. Make sure there
is a check mark next to Advanced Features before proceeding to step 2.
ANSWER
The GUIDs are the same. They represent the two default policies that were cre-
ated when Active Directory was installed.
3. You have just completed the installation of Active Directory on the first
domain controller in a new forest. How can you confirm that the two
default policies have been created?
ANSWER
Using the Advanced Features view in Active Directory Users And Computers, you
can view the GPC. There are two policies represented by GUIDs. In addition, in the
Systemroot\Sysvol\SYSVOL\Domainname\Policies folder, there are two subfolders
named according to the same GUID numbers as in the GPC.
4. While studying the Group Policy folder structure, you notice that there is
a Registry.pol file in one of the policies’ \Machine subfolder, but not in
another policy’s \Machine subfolder. What is the difference between
these two policies?
ANSWER
The first group policy that has the Registry.pol file has a setting that has been
configured within the Administrative Templates subnode of the Computer Configu-
ration node, while the second policy does not have any modified Administrative
Templates settings.
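Registry.pol is a small binary format, so a practitioner auditing what a GPO actually configures (or confirming that a policy without a Registry.pol really sets no Administrative Templates values) benefits from being able to read it directly. The Python below is an added example, not from the textbook: it builds a constructed Registry.pol blob in the documented layout (a PReg signature and version 1, followed by [key;value;type;size;data] records with all text in UTF-16LE), parses it back, and renders each setting, including the **del. directives that remove a value. The registry keys and values in the sample are constructed for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4          # registry value types used in the sample


def utf16(text):
    """Registry.pol stores every string and delimiter as UTF-16LE."""
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value, type, data) tuples in the Registry.pol layout. Used only to
    construct sample input; real files live under Sysvol\\<domain>\\Policies\\{GUID}\\Machine."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        out += utf16("[") + utf16(key + "\0") + utf16(";") + utf16(value + "\0") + utf16(";")
        out += struct.pack("<I", rtype) + utf16(";") + struct.pack("<I", len(data)) + utf16(";")
        out += data + utf16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Walk the records and return (key, value, type, data) tuples; raise on a malformed file."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")

    def wstr(pos):                      # NUL-terminated UTF-16LE string
        end = pos
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob):
                raise ValueError(f"unterminated string at offset {pos}")
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    def expect(pos, ch):                # structural delimiters are UTF-16LE characters too
        if blob[pos:pos + 2] != utf16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = wstr(pos)
        pos = expect(pos, ";")
        value, pos = wstr(pos)
        pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        entries.append((key, value, rtype, data))
    return entries


def describe(entries):
    """Render records the way an auditor reads them: decode DWORD and SZ data and flag the
    **del. / **DelVals. / **DeleteKeys directives, which remove values rather than set them."""
    lines = []
    for key, value, rtype, data in entries:
        if value.startswith("**"):
            lines.append(f"HKLM\\{key}: directive {value}")
            continue
        if rtype == REG_DWORD and len(data) == 4:
            shown = str(struct.unpack("<I", data)[0])
        elif rtype == REG_SZ:
            shown = repr(data.decode("utf-16-le").rstrip("\0"))
        else:
            shown = data.hex()
        lines.append(f"HKLM\\{key}\\{value} = {shown} (type {rtype})")
    return lines


# Constructed sample: one DWORD policy, one value-removal directive, one string value.
SAMPLE = build_registry_pol([
    ("SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services", "fDenyTSConnections",
     REG_DWORD, struct.pack("<I", 1)),
    ("SOFTWARE\\Policies\\Contoso\\Agent", "**del.LegacyServer", REG_SZ, utf16(" \0")),
    ("SOFTWARE\\Policies\\Contoso\\Agent", "Server", REG_SZ, utf16("agent.contoso.com\0")),
])

if __name__ == "__main__":
    for line in describe(parse_registry_pol(SAMPLE)):
        print(line)
```

To audit a real policy, read Machine\Registry.pol (or User\Registry.pol) from the GPT folder named after the policy's GUID and pass its bytes to parse_registry_pol; a policy whose folder has no Registry.pol at all is the second case in the answer above.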
ANSWER
Enable the Loopback setting and set it to Replace. This causes the user settings in the GPOs
that apply to the computer to be applied in place of the user's own GPOs, so the individual
user policies are discarded. (Merge mode would apply the computer's GPO user settings after
the user's own, letting them win on conflicts while keeping the rest.)
8. You have created a policy for your organization at the site level that
includes several security settings that no other policies within your Active
Directory structure should override. What can you do to ensure this will
happen?
a. Set the container to Block Policy Inheritance.
b. Set the policy to No Override.
c. Set the Loopback policy setting to Enabled.
d. Set the Policy to Block Policy Inheritance and also No Override.
ANSWER
b. No Override prevents any of the settings from being overwritten by other policies
lower in the Active Directory structure.
9. You have created a container that holds all of the administrator user
accounts. This container should not have any of the group policies applied
to it from any of the parent containers. How do you accomplish this?
ANSWER
On the administrator accounts container, set the container properties to Block
Policy Inheritance.
10. You are fairly new to using group policies and administrative templates.
What features are available to help you understand what each setting in
Administrative Templates will do?
ANSWER
The Extended tab in Group Policy, Administrative Templates Help, and the Explain
tab in a particular setting’s Properties dialog box are available to provide explanation
about the Administrative Templates settings.
implementation and your boss has several key policies that you need to decide
where to place. Using Figure 7-11, complete Table 7-2 documenting how you can
accommodate the following goals.
[Figure 7-11: OU structure for contoso.com, showing the West, East, Accounting,
and Sales OUs]
ANSWER
of your corporate network, you have some policies that you want to become
part of their environment, and others that you do not want to implement at this
time. As you discuss this with your IT team, your manager asks you to explain
which features in Windows Server 2003 allow you to provide the Group Policy
flexibility needed by the new Active Directory structure. List several of the features
in Windows Server 2003 Group Policy that will allow Coho Winery, Inc. to achieve
their post-acquisition goals. Be prepared to discuss your answers in class.
ANSWER
You should discuss the No Override and Block Policy Inheritance features. In addi-
tion, you should discuss the importance of a carefully planned OU structure that
facilitates Group Policy implementation.
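Questions 8 and 9 and the discussion above all turn on how No Override and Block Policy Inheritance change which GPO wins. The Python below is an added example, not part of the textbook, that models that resolution for a constructed tree (a site, contoso.com, a West OU with an Accounting OU under it, and an Admins OU with Block Policy Inheritance; the GPO names and settings are invented). It applies GPOs in site, domain, OU order so that a lower link overrides a higher one, discards inherited normal GPOs at a container that blocks inheritance, and applies No Override GPOs after everything else so they cannot be overridden or blocked.

```python
"""Model how Group Policy settings combine across site, domain and OU
links, including Block Policy Inheritance and No Override.  Added
example; the containers, GPO names and settings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]        # setting name -> configured value
    no_override: bool = False       # No Override (called Enforced in GPMC)


@dataclass
class Container:
    name: str                       # site, domain or OU
    parent: Optional["Container"] = None
    links: List[GPO] = field(default_factory=list)  # link order 1 first
    block_inheritance: bool = False # Block Policy Inheritance on this container


def path_from_top(container: Container) -> List[Container]:
    nodes = []
    node = container
    while node is not None:
        nodes.append(node)
        node = node.parent
    return nodes[::-1]              # site, domain, ..., container


def applicable_gpos(container: Container) -> List[GPO]:
    """GPOs in processing order; the last one wins on any conflict.
    Normal GPOs run site -> domain -> OUs, so a lower link overrides a
    higher one.  Block Policy Inheritance discards the normal GPOs
    inherited from above.  No Override GPOs cannot be blocked and are
    processed after every normal GPO, with the top-most one last."""
    normal: List[GPO] = []
    enforced: List[GPO] = []
    for node in path_from_top(container):
        if node.block_inheritance:
            normal = []
        for gpo in node.links:
            if gpo.no_override:
                enforced.append(gpo)
        for gpo in reversed(node.links):    # link order 1 is processed last
            if not gpo.no_override:
                normal.append(gpo)
    return normal + enforced[::-1]


def resultant_settings(container: Container) -> Dict[str, str]:
    result: Dict[str, str] = {}
    for gpo in applicable_gpos(container):
        result.update(gpo.settings)         # a later GPO overrides an earlier one
    return result


def build_example() -> Dict[str, Container]:
    """Constructed tree: site -> contoso.com -> {West -> Accounting, Admins}."""
    site = Container("Default-First-Site-Name", links=[
        GPO("Site Security", {"Audit logon events": "Success, Failure"},
            no_override=True)])
    domain = Container("contoso.com", parent=site, links=[
        GPO("Default Domain Policy", {"Remove Run menu": "Enabled",
                                      "Audit logon events": "No auditing"})])
    west = Container("West", parent=domain, links=[
        GPO("West Desktop", {"Remove Run menu": "Disabled"})])
    accounting = Container("Accounting", parent=west, links=[
        GPO("Accounting Audit", {"Audit logon events": "No auditing"})])
    admins = Container("Admins", parent=domain, block_inheritance=True)
    return {"West": west, "Accounting": accounting, "Admins": admins}


if __name__ == "__main__":
    for name, ou in build_example().items():
        order = " -> ".join(g.name for g in applicable_gpos(ou))
        print(f"{name}: {order} => {resultant_settings(ou)}")
```

Running it shows the three behaviours the chapter describes: West gets the domain's Run menu setting overridden by its own GPO, Accounting cannot undo the site's No Override audit setting, and Admins loses the Default Domain Policy through Block Policy Inheritance but still receives the No Override GPO.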
36 CHAPTER 8 CONFIGURING THE USER AND COMPUTER ENVIRONMENT USING GROUP POLICY
CHAPTER 8
CONFIGURING THE USER AND COMPUTER
ENVIRONMENT USING GROUP POLICY
CHAPTER EXERCISES
Exercise 8-1: Documenting Log File Settings
2. Right-click the Application log and select Properties.
QUESTION What are the current and maximum sizes of your Application log and
what action takes place when the log is filled?
ANSWER
The current size of the log file will vary depending on the number of entries it con-
tains. The maximum size by default for the Application log on a computer running
Windows Server 2003 is 16 MB. By default, when the log file fills up, the oldest
events will be overwritten.
QUESTION What is the current size of your Security log and what action will
take place when the log is filled?
ANSWER
The current size of the Security log file will vary depending on the number of entries
it contains. The default maximum size of the Security log file is 16 MB. By default,
when the log file fills up, the oldest events will be overwritten.
QUESTION What is the current size of your System log and what action occurs
when the log is filled?
ANSWER
The current size of the System log file will vary depending on the number of entries
it contains. The default maximum size of the System log file is 16 MB. By default,
when the log file fills up, the oldest events will be overwritten.
QUESTION Are there any other logs located in Event Viewer on your computer? If
so, what are they and what type of events are most likely logged here?
ANSWER
The answer will vary depending on the services installed and configured on each
student's server. For example, if your server is running DNS, a DNS log will be
available. This is true for other services such as Active Directory, File
Replication, and DHCP.
ANSWER
The article is number 298444 and it is titled, “A Description Of The Group Policy
Update Utility.”
4. In this article, find the description of the /force switch and briefly
describe it here.
ANSWER
The gpupdate /force command will force all policy settings to be reapplied. By
default, only policy settings that have changed are applied.
2. Since you have expanded your organization and are now following a
decentralized approach to network management, you want to make sure
that you track when Active Directory objects are created or removed, in
addition to when changes to certificate services take place such as denial
of certificate requests and so on. How can you do this?
ANSWER
You need to configure an audit policy to Audit Account Management and Audit
Object Access. These two settings log activity to the Security log of the domain
controller.
3. Due to new corporate policies that have stronger security guidelines for
your network, you decide to increase the minimum password length,
enforce strong passwords, and make sure user accounts are locked after
three invalid logon attempts within a 15-minute time frame. These settings
should apply to all domain users on your network. Where do you configure
these settings?
ANSWER
These settings can be defined in the Default Domain Policy GPO under the Com-
puter Configuration\Windows Settings\Security Settings\Account Policies node.
ANSWER
The Security log contains information on security events that are specified in the
audit policy.
5. You are the administrator for a mid-sized accounting firm with approxi-
mately 50–100 users and three servers in a single domain environment.
Over the past few months, you have been monitoring the amount of
available drive space weekly and have noticed that users seem to be
using more and more space. You want to somehow control the amount of
space each user has access to on the servers, so that you do not run into
trouble later. You want users to each have a limit of 500 MB and receive
notification when they have only 50 MB left. Some users only use mini-
mal space, while others, such as the marketing department, use quite a bit
of space. What should you do?
ANSWER
You should implement a disk quota policy whose limit is large enough to serve the
high-storage needs of the marketing users. That limit allows more than the typical
user needs while still accommodating the high-storage users in the marketing
department. If the marketing users need more than 500 MB, the limit should be
raised accordingly.
6. Based on your answer to question 5, list the steps you will take to
accomplish this.
ANSWER
1. Open Group Policy Object Editor for your Domain Policy GPO.
2. Expand the Computer Configuration/Administrative Templates/System/Disk Quotas
extension.
3. Enable Disk Quotas and set the Default Quota Limit And Warning Level setting.
7. Consider that you have enabled the Autoenrollment settings on the
Default Domain Policy GPO so users begin using their smart cards imme-
diately. To test your configuration, you immediately attempt to use your
smart card from your workstation by inserting it into the reader. When
you try to log on, your attempt fails. What could be causing this to occur?
ANSWER
Your policy has not been refreshed. You must restart your computer in order for
the new settings to apply.
8. The CEO of your company has been speaking with a friend who
informed him that he can have his files from his laptop redirected to the
server. He has created a file system structure on his local hard drive that
ANSWER
You first need to explain that as the structure is currently set up, you cannot
redirect it. You must move the \data\workfiles structure to his My Documents
folder. Then you can redirect these files and make them available for offline use.
Recently, several publishing projects stored in electronic format were lost when an
employee’s laptop was stolen from a publishing convention. Previously, another
employee lost important publishing project files during a fire sprinkler system inci-
dent in which the employee’s computer was destroyed.
Employees typically store documents in the My Documents folder on their local sys-
tems. Linda wants all employees to store their data on the network servers. The data
on the network servers is backed up regularly. Linda tells you that her editors tend
to work on sensitive data that requires special handling. She is especially worried
about that data being backed up and secured.
All client computers have P drive mappings that are supposed to be used for
storing files. However, many employees do not understand drive mappings. They
often store files in their My Documents folder and then copy them over to the
P drive. This is also an issue because many employees forget to copy their files to
the server until something occurs, such as a data loss.
Given the concerns of Lucerne Publishing as outlined above, answer the following
questions:
1. How would you address Linda’s concern that some employees do not
understand drive mappings and others forget to store their data on
the server?
ANSWER
This situation is perfectly suited to using Folder Redirection. Group Policy offers
the ability to redirect many different special folders on a client system to an
alternate location. In this case, this involves redirecting users’ My Documents
folders to a network share.
2. How can you address the situation concerning the sensitive data editors use?
ANSWER
Redirecting the files is an excellent start, since the files are then stored on the
network and backed up regularly. If the editors’ documents are deemed more
valuable, one thing to consider is using Advanced Redirection. Basic Redirection
redirects all users’ documents to the same file share, typically storing the docu-
ments in a folder below that share. By using Advanced Redirection, it is possible
to redirect files to different locations based on the security group membership of
the user. You may choose to redirect the editors’ documents to a file server that
is more secure and reliable. You may also ask that the editors use EFS encryption
on their documents.
3. How would you address the users with mobile computers so that they
could work on their files while traveling?
ANSWER
An excellent strategy would be to augment the Folder Redirection policy by config-
uring the files to be available offline as well. When these users are connected
to the local area network (LAN), accessing their My Documents folder would show
the contents of the redirected location on the network file server. When users are
on the road, they are still able to access their My Documents folder, but they are
accessing the copies of the documents cached locally. Any changes they might
make, or any new documents they create, are synchronized with the network the
next time they are connected to the LAN.
4. Linda warns that some users may have huge amounts of data already
stored in the My Documents folder on their local computer. How might
this affect your recommendations?
ANSWER
At the very least, you must ensure that there is adequate storage available on
the network file servers. Furthermore, you should consider the effect on the net-
work when the users log on for the first time after you implement this policy. The
default behavior when the redirection is first implemented is to move the existing
contents of the local My Documents folder to the network file server. This is
usually a good idea.
ANSWER
You need to implement certificate autoenrollment.
ANSWER
No, only Windows XP Professional and Windows Server 2003 computers support
the Autoenrollment Group Policy option.
ANSWER
An Enterprise CA needs to be installed on one of the Windows Server 2003 computers,
a certificate template needs to be configured, each user needs to have a Read ACE
on the template, and the Default Domain GPO needs to be set to allow
autoenrollment.
42 CHAPTER 9 MANAGING SOFTWARE
CHAPTER 9
MANAGING SOFTWARE
CHAPTER EXERCISES
Exercise 9-1: Using Msiexec to Deploy Software Applications
and Patches
To learn the syntax for deploying software from the command line, complete the
following steps:
5. Continue exploring the options for Msiexec by expanding the plus signs
(+) next to each option. You can print the output of this Help screen by
clicking the Print icon above the right window pane.
QUESTION Based on what you have learned in this exercise, what would be the
correct syntax for advertising the C:\SharedApps\WPapp.msi to all users and
applying the C:\SharedApps\WPapp.mst transform to it when it is installed?
ANSWER
The correct syntax for advertising the C:\SharedApps\WPapp.msi to all users
and applying the C:\SharedApps\WPapp.mst transform to it when it is installed
is as follows:
msiexec /jm C:\SharedApps\wpapp.msi /t C:\SharedApps\wpapp.mst
ANSWER
The Unrestricted Properties window description reads as follows:
Software access rights are determined by the access rights of the user.
QUESTION In your own words, what does the message here mean?
ANSWER
The description means that the Unrestricted property allows any software appli-
cation to run as long as the user has the appropriate file system permissions.
Any rules defined begin under this premise.
3. As part of your efforts to deploy all new applications using Group Policy,
you discover that several of the applications you wish to deploy do not
include the proper package files. What are your options?
ANSWER
You can repackage the software using a third-party tool or you can create a .zap
file for deployment.
ANSWER
If you choose to repackage the application, you must create a snapshot of a
computer that is identical to the computers that obtain the software via Group
Policy. If you choose to use a .zap file, the application can be published only, not
assigned. In addition, .zap files do not support automatic repairs, automatic
removal, unattended installations, or custom installations.
5. Your company has just purchased 200 new workstations that need to be
deployed to user desktops as soon as possible. At a recent departmental
meeting, it was suggested that, rather than installing all applications on
each workstation, users should be responsible for installing their own
programs. What feature in Windows Server 2003 will allow users to
choose and install necessary programs to their computers?
ANSWER
Group Policy’s Software Installation Properties can be used from within the User
Configuration node. Applications should be published to permit selections to
appear in Add or Remove Programs in Control Panel. This will allow users to add the
programs they need to their workstations by installing them from a shared distri-
bution point. It is important to note that for this to work, the Add or Remove Pro-
grams option in Control Panel should not be blocked in some other Group Policy.
6. List the order of precedence from highest to lowest for software restric-
tion policy rules.
ANSWER
The order of precedence for software restriction policies is: hash, certificate,
Internet zone, and path rules.
ANSWER
You can create a software restriction policy with a path rule set to Disallowed on
the directory where e-mail attachments are stored. However, if your e-mail pro-
gram allows attachments to be saved to another location and then launched, this
may not entirely prevent the problem.
8. What two Default Security Levels can be used with a software restric-
tion policy?
ANSWER
Disallowed and Unrestricted are the two default software restriction policy security
levels. Unrestricted is the original default setting when a new policy is created.
9. You are the administrator for a Windows Server 2003 domain. Your
company has just purchased a new application that will be used by all
employees to create forms. You want to make sure that this application is
installed the next time users log on to the network. Explain the steps you
would follow to make this happen.
ANSWER
First, you need to make sure there is a software distribution point created on the
server from which the software will be deployed. Then copy the application files and
Windows Installer files to the software distribution point. Give users Read permis-
sions to the folder where these files reside. Create a Group Policy for the domain.
In the Software Installation folder under the User Configuration\Software Set-
tings node of the policy, add the package file used to deploy the application and
set this package to Assigned. On the Deployment tab of the Properties window for
the package, make sure there is a check mark on the Install This Application At
Logon option.
10. Using the same scenario as question 9, is it possible to have the programs
install automatically when the computer restarts, as opposed to when a
user logs on?
ANSWER
Yes, applications can be assigned within the Computer Configuration node.
decided that using software restriction policies in conjunction with standard user
access permissions will help to fulfill the necessary security requirements. You are
preparing an implementation plan that is based on user needs and security require-
ments. Users should not be able to access any programs with the exception of
those that are pertinent to their jobs. In addition, the user needs within the organi-
zation are as follows:
■ Software restriction policy settings should not affect settings that are already
in place within existing GPOs. If problems arise with restriction policies,
they should be easy to rectify, without affecting other security areas.
■ Administrator accounts should not be affected by software restrictions.
■ Other applications should not be affected by any of the restrictions.
List the key points that should be part of your implementation plan based on the
information provided here.
ANSWER
Create a GPO for an OU with a select group of users that can test the settings.
Set the Default Security Level for the software restriction policy to Disallowed.
Create individual path rules that point to the patient database and the e-mail
application and set these to Unrestricted so that they can function properly. Set
the Enforcement option within the software restriction policy so that the policy
applies to users, but not to administrators. Test the GPO on the pilot group of
users to make sure that all functionality and restrictions are present. Be sure
that administrators are not affected and that all other applications function
properly for the users. When testing is complete and the policy is solid, link this
policy to the domain. Do not modify any existing policies. Maintain a separate pol-
icy for the software restriction policies to allow them to be disabled or deleted,
without affecting any other settings.
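The implementation plan above, together with the rule precedence in question 6, the attachment-folder path rule in question 7 and the two Default Security Levels in question 8, can be checked with a small model of how a software restriction policy decides for a given program. The Python below is an added example, not code from the textbook or from Windows; the rules, paths and file contents are constructed. It takes the rule-type order as the answer to question 6 lists it, lets the most specific matching path rule win, and models the Enforcement option that exempts local administrators.

```python
"""Evaluate what a software restriction policy decides for a program:
default security level, then hash, certificate, Internet zone and path
rules.  Added example with constructed rules and paths."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
# Rule types in the order of precedence listed in the answer to question 6.
RULE_PRECEDENCE = ("hash", "certificate", "zone", "path")


@dataclass
class Rule:
    kind: str       # one of RULE_PRECEDENCE
    pattern: str    # hex digest, publisher name, zone name, or path prefix
    level: str      # DISALLOWED or UNRESTRICTED


@dataclass
class Program:
    path: str
    content: bytes = b""
    publisher: Optional[str] = None   # subject of a verified signing certificate
    zone: Optional[str] = None        # e.g. "Internet", "Intranet"


def file_hash(content: bytes) -> str:
    """SHA-256 is used here for brevity; Windows Server 2003 hash rules
    store MD5 and SHA-1 digests of the file."""
    return hashlib.sha256(content).hexdigest()


def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def matches(rule: Rule, prog: Program) -> bool:
    if rule.kind == "hash":
        return file_hash(prog.content) == rule.pattern.lower()
    if rule.kind == "certificate":
        return prog.publisher == rule.pattern
    if rule.kind == "zone":
        return prog.zone == rule.pattern
    if rule.kind == "path":
        target, prefix = _norm(prog.path), _norm(rule.pattern)
        return target == prefix or target.startswith(prefix + "\\")
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def effective_level(prog: Program, rules: List[Rule],
                    default_level: str = UNRESTRICTED,
                    local_admin: bool = False,
                    exempt_local_admins: bool = False) -> str:
    """The first rule type in precedence order that matches decides; among
    matching path rules the most specific (longest) path wins.  With the
    Enforcement option set to skip local administrators, their programs
    are not evaluated at all."""
    if local_admin and exempt_local_admins:
        return UNRESTRICTED
    for kind in RULE_PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and matches(r, prog)]
        if not hits:
            continue
        if kind == "path":
            return max(hits, key=lambda r: len(_norm(r.pattern))).level
        # Assumption made by this model: conflicting non-path rules of the
        # same type resolve to the more restrictive level.
        return DISALLOWED if any(r.level == DISALLOWED for r in hits) else UNRESTRICTED
    return default_level


# Constructed policy for the plan above: default Disallowed, the two
# business applications allowed by path, the e-mail client's attachment
# folder (question 7) disallowed again, and one approved tool by hash.
PLAN_RULES = [
    Rule("path", r"C:\Program Files\PatientDB", UNRESTRICTED),
    Rule("path", r"C:\Program Files\MailClient", UNRESTRICTED),
    Rule("path", r"C:\Program Files\MailClient\Attachments", DISALLOWED),
    Rule("hash", file_hash(b"approved tool bytes"), UNRESTRICTED),
]


def decide(path: str, content: bytes = b"", local_admin: bool = False) -> str:
    return effective_level(Program(path, content), PLAN_RULES,
                           default_level=DISALLOWED, local_admin=local_admin,
                           exempt_local_admins=True)


if __name__ == "__main__":
    for p in (r"C:\Program Files\PatientDB\pdb.exe",
              r"C:\Program Files\MailClient\mail.exe",
              r"C:\Program Files\MailClient\Attachments\invoice.exe",
              r"C:\Documents and Settings\user\Desktop\game.exe"):
        print(f"{decide(p):12} {p}")
```

The attachment case is the one worth testing before rolling the policy out: the Unrestricted rule on the e-mail client's folder and the Disallowed rule on its Attachments subfolder both match, and the longer path wins, which is what makes the question 7 approach work. It also shows the limit that answer notes: a file saved outside that folder falls back to whatever the default level and other rules say.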
The California and New York offices are connected by a dedicated T-1 line. There
are dedicated 256-Kbps fractional T-1 lines connecting the Florida office both to
the California and New York offices. Several of the Marketing users have mobile
computers, and a portion of their time is spent traveling the world. Access to the
main network is accomplished by dialing in to a local Internet service provider
(ISP), and then establishing a Layer Two Tunneling Protocol (L2TP) virtual private
network (VPN) to the California office. There are three domain controllers and one
file server at each location. The wide area network (WAN) links are used heavily
during the day, but Wide World does not plan to upgrade them any time soon. It
is important that the software deployment strategy you suggest does not adversely
affect the WAN links during business hours.
Max has indicated that he wants more control over software deployment and wants
to leverage his investment in Windows Server 2003. The main software require-
ments of the company include Office XP for all users, a third-party program used
by Marketing, an application used by Finance for billing and accounting, and a
proprietary shipping application developed for Wide World Importers. While all
users utilize Office XP, they don’t all use the same applications. Many users utilize
only Outlook and Word, while others also make use of Access and PowerPoint.
Still others use Excel on a daily basis.
Given the concerns of Wide World Importers as outlined above, answer the follow-
ing questions:
1. Utilizing GPO for software deployment, how can you configure the net-
work in a manner that will not negatively impact the business by saturat-
ing the WAN links during deployment?
ANSWER
On a single local area network (LAN), it is common to set up a single software dis-
tribution point to store the applications to be deployed using Group Policy. Band-
width cannot be totally disregarded, but it is much less of an issue locally, since
high bandwidth is assumed. When WAN links are involved, the best way to prevent a
deployment scenario where the client is installing the software over the WAN link is
to provide a software distribution point at each office. Once that is accomplished,
you could keep the GPOs separate for each office, with each GPO pointing to the
local software distribution point. A more elegant solution is to configure the three
software distribution points as replica links in a Microsoft distributed file system
(Dfs) topology. This way, all software deployment can reference the same software
distribution point, and client machines will automatically be referred to the soft-
ware distribution point in their own site.
3. How do you recommend resolving the issue that many users utilize dif-
ferent parts of the Office XP suite of applications?
ANSWER
Transforms are files with an .mst extension that are deployed along with the .msi
file to alter the installation configuration. They are one option for addressing
this complication, but it could be quite an administrative burden to develop .mst
files for each of the different configurations used and then deploy multiple
GPOs, one for each configuration.
It is important to understand transforms and when they are appropriate. In this
case, however, there was no indication that having extra software available would
cause trouble. Consider assigning Office XP to users at the domain level. This
makes all file extension associations on the client systems and advertises the
applications by making all of the Start menu shortcuts available. Essentially, all of
the applications are set to install on first use. If some users never launch Excel,
for example, then the program files to run Excel are simply not brought down for
that user. In this case, a complicated set of transforms would seem to be a waste
of administrative effort.
ANSWER
Group Policy–based software installation does not apply to Microsoft Windows
95, Microsoft Windows 98, Microsoft Windows Me, or Microsoft Windows NT sys-
tems. It might make sense to upgrade these systems to Windows 2000, Windows
Server 2003, or Windows XP as appropriate. If, for some reason, these options
don’t work for the company, installing the software manually or using some other
network management tool, such as Microsoft Systems Management Server, are
the remaining options.
CHAPTER 10
PLANNING A GROUP POLICY MANAGEMENT AND
IMPLEMENTATION STRATEGY
CHAPTER EXERCISES
Exercise 10-1: Navigating with GPMC
3. Click to select the node that refers to your domain name.
ANSWER
The following tabs are available in the right console pane: Linked Group Policy
Objects, Group Policy Inheritance, and Delegation.
QUESTION What tabs are now available in the right console pane for this policy?
ANSWER
The following tabs are available in the right console pane for this policy: Scope,
Details, Settings, and Delegation.
ANSWER
The Settings tab provides a detailed report that shows each policy setting and
the values assigned to that particular setting. This report can be saved in HTML
format or printed for documentation purposes.
6. In the left console pane, expand the Group Policy Objects node.
ANSWER
By default, the Default Domain Controllers Policy and the Default Domain Policy
are listed here. Any other policies that are listed are due to previous exercises or
demonstrations.
5. Use the GPResult Help screen output from step 1 and write the necessary
syntax to obtain the desired information. This command is not intended
to function in the current environment; the step is meant to help you
understand the syntax of the command.
ANSWER
gpresult /u contoso.com\administrator /p MSPr3ss#1 /s 192.168.10.201
2. After deploying several new restrictive policies, you are unable to access
Control Panel from your workstation, even though you are logged on
as Administrator. You suspect that the policy settings are forcing this
behavior. What can you do so that the restrictive policy settings will not
affect your Administrator account?
ANSWER
On the restrictive GPOs, you can set the Apply Group Policy permission for the
Administrators group to Deny. This disallows the application of the Group Policy
settings for any users who are members of the Administrators group.
3. During a recent training session, you learned about WMI filters. Upon
returning to your office and exploring your group policy structure, you
implement a filter for a software deployment policy so that the software
will be deployed only to computers that have enough drive space and
memory. The software deploys to all computers that meet the criteria
with the exception of those running Microsoft Windows 98 and Microsoft
Windows 2000 Professional. Why is the software not being deployed to
these computers even though they have the appropriate drive space and
memory availability?
ANSWER
One reason is that group policies created in Windows Server 2003 are not
compatible with Windows 98 computers. Additionally, WMI filters are ignored
on computers running Microsoft Windows 2000.
5. What is the difference between the import and the copy features that are
available in GPMC?
ANSWER
The import feature allows settings from a GPO stored in the file system to be
brought into an existing GPO. All existing settings will be erased when the import
takes place. The copy feature copies settings from an existing GPO to a new GPO.
7. Once GPMC is installed, what changes will you see in the existing tools
such as Active Directory Users And Computers?
ANSWER
GPMC changes the Group Policy tab in the Properties window for a container to
indicate that policies are no longer managed there. Instead, the tab indicates the
presence of GPMC and provides a button from which it can be launched.
2. Users in each location are currently all in one OU. There are certain
group policies that should only apply to users in some departments and
not others. What options should you consider that will allow for group
policies to only be applied to the necessary users?
ANSWER
One solution is to create groups, add the appropriate users to the groups, create
the policies, and use permissions to filter their application. A second and probably
better choice is to create additional OUs for each department and move the
user accounts into their respective departmental OUs. Creating policies on
the departmental OUs can then be done to implement the desired settings.
Using the filtering solution first suggested can become cumbersome to manage
and difficult to troubleshoot.
CHAPTER 11
ACTIVE DIRECTORY MAINTENANCE, TROUBLESHOOTING,
AND DISASTER RECOVERY
CHAPTER EXERCISE
Exercise 11-1: Viewing System Services
4. Select several of the services from the list you created in steps 2 and 3 and
locate them within the Services tool. Double-click on each service and
select the Dependencies tab.
ANSWER
The Dependencies tab provides information on the dependencies required by the
selected service, in addition to the services that depend on the selected service.
4. You are the network administrator for a small legal firm that is using
a single-server Windows Server 2003 network. You are preparing to back
up your server for the first time and you need to ensure that the Active
Directory database, in addition to the Certificate Services database, is
backed up. What type of backup will you need to perform?
ANSWER
Perform a normal backup and make sure that you include the System State data.
For Windows Server 2003 operating systems, the System State data consists of
the registry, COM+ Class Registration database, system boot files, files
under Windows File Protection, and the Certificate Services database if the server
is a certificate server. If the server is a domain controller, Active Directory and the
Sysvol directory are also contained in the System State data. To back up Active
Directory, you must back up the System State data.
5. Describe a normal restore, when you might use it, and the tool that you
must understand to perform it.
ANSWER
A normal restore is performed in a situation in which you want to restore a domain
controller to a previous working state. In a multiple domain controller environment,
a domain controller that is restored using a normal restore obtains any changes
that it did not have at the time of backup through replication of data from other
domain controllers. Each restored directory partition is updated with data from
its replication partners. The Backup And Restore Wizard or the Ntbackup com-
mand line utility can be used to perform a normal restore.
6. Describe an authoritative restore, when you might use it, and the tool that
you must understand to perform it.
ANSWER
An authoritative restore can be used to retrieve Active Directory information that
has changed and has been overwritten throughout the domain after replication.
For example, if an OU was deleted and needed to be restored, an authoritative
restore allows an administrator to restore the OU. The OU is restored and repli-
cated throughout the domain. Any domain controllers still containing the old OU
are overwritten by the restored OU.
8. As part of your weekly monitoring review, you discover that the disk
that holds the Sysvol volume is extremely low on space. You recently
removed the global catalog role that was originally assigned to this server
in hopes of recovering some of the space. It seems that you need to find
another solution for your low drive space problem. You determine that
until you upgrade the server, you have no other location to which you
can move the Active Directory database and Sysvol contents. What can
you do to try to recover some of the space?
ANSWER
You could try moving any files, such as data files that are not pertinent to Active
Directory and the operating system, to another drive. However, the best solution
in this situation is to perform an offline defragmentation. Although you recently
moved the global catalog role to another server, the space that was used by this
service is not automatically reclaimed. You must perform an offline defragmenta-
tion to reclaim this space. This may be enough space until you can upgrade your
server as planned.
Given this information about Margie’s Travel, answer the following questions:
2. Margie tells you that some of her domain controllers have multiple hard
disks. She tells you that the additional physical hard disks are not being
used. She wants to know if they can be used in some way to improve the
performance of Active Directory. What would you tell her?
ANSWER
You could improve performance by moving the Active Directory database (ntds.dit) to the second physical hard disk. You could further improve performance by moving the Active Directory log files to a third physical hard disk. This could be done using the Ntdsutil tool.
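Both the offline defragmentation from Chapter 11 question 8 and the database/log relocation from Margie's question 2 are done with the "files" submenu of Ntdsutil while the domain controller is booted into Directory Services Restore Mode. The batch script below is an added example, not the textbook's own procedure; every path in it (the NTDS folder, the compaction and keep folders, the D: and E: targets) is an assumption, and it assumes a current System State backup exists.

```batch
@echo off
setlocal
rem Added example, not the textbook's procedure. Run from Directory Services
rem Restore Mode on a Windows Server 2003 DC, after a fresh System State backup.
rem All paths are assumptions; "ntdsutil files info" reports the real ones.
set NTDS_DIR=C:\WINDOWS\NTDS
set COMPACT_DIR=C:\Compact
set KEEP_DIR=C:\NTDS_Before_Compact
set DB_DISK_DIR=D:\NTDS
set LOG_DISK_DIR=E:\NTDSLogs

if /I "%~1"=="compact" goto compact
if /I "%~1"=="move" goto move
echo Usage: %~nx0 compact ^| move
goto :eof

:compact
rem 1. Show the current database and log paths and sizes.
ntdsutil "files" "info" quit quit
rem 2. Write a defragmented copy to a separate folder; the live ntds.dit is
rem    not touched, so a failure here still leaves the DC bootable.
if not exist "%COMPACT_DIR%" mkdir "%COMPACT_DIR%"
ntdsutil "files" "compact to %COMPACT_DIR%" quit quit
if not exist "%COMPACT_DIR%\ntds.dit" (
    echo Compaction produced no database; nothing was changed.
    goto :eof
)
rem 3. Keep the old database, swap in the compacted copy, and remove the
rem    transaction logs, which belong to the old copy and must not be replayed.
if not exist "%KEEP_DIR%" mkdir "%KEEP_DIR%"
copy /Y "%NTDS_DIR%\ntds.dit" "%KEEP_DIR%\ntds.dit" >nul
copy /Y "%COMPACT_DIR%\ntds.dit" "%NTDS_DIR%\ntds.dit" >nul
del /Q "%NTDS_DIR%\*.log"
rem 4. Check the new database before rebooting normally; if corruption is
rem    reported, put back "%KEEP_DIR%\ntds.dit" or restore the System State.
ntdsutil "files" "integrity" quit quit
goto :eof

:move
rem Spread I/O over the unused spindles: database to the second physical disk,
rem logs to a third. Ntdsutil copies the files and updates the registry paths.
ntdsutil "files" "move DB to %DB_DISK_DIR%" "move logs to %LOG_DISK_DIR%" quit quit
ntdsutil "files" "integrity" quit quit
goto :eof
```

Run it as `ntdsfiles.cmd compact` to reclaim the space a removed global catalog left behind, or `ntdsfiles.cmd move` to place the database and logs on separate disks; in both cases take a System State backup again once the server is back in normal mode.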
3. Margie says that her local domain controllers operate slowly sometimes.
She theorizes that this could be due to the other domain controllers
synchronizing information with her local domain controllers. What could
you monitor to help solve Margie’s problem?
ANSWER
You would certainly use System Monitor in this case. In addition to the typical
server performance monitors, such as Server, Memory, and Pages/Sec, you should
look at DRA Inbound Objects Applied/Sec, which indicates how much replication
update activity is occurring on the server as a result of changes generated on
other servers.
CHAPTER 12
UPGRADING AND MIGRATING TO WINDOWS
SERVER 2003
CHAPTER REVIEW QUESTIONS
1. What are the preparation steps necessary to prepare for the upgrade of
Windows NT Server 4.0 to Windows Server 2003?
ANSWER
The preparation steps required include documenting the existing domain, performing a backup, identifying versions and service packs on the network, assessing hardware requirements, delegating a DNS zone for the new Windows Server 2003 domain, and relocating the LMRepl file replication service.
7. What type of trust should you create in order to migrate users and
computers from a different forest to a local one?
ANSWER
You must create a cross-forest trust.
You have the task of developing a plan that includes restructuring the network to
consolidate to one domain with a forest root of wingtiptoys.com. The following
questions help you to develop your plan:
1. The New York and San Francisco locations can remain as they are, but both
locations must have all servers upgraded to Windows Server 2003. What
Windows 2000 domain do you upgrade to Windows Server 2003 first?
ANSWER
The forest root domain located in Dallas should be upgraded first.
2. What must you do before you run the upgrade from the installation
media for Windows Server 2003 on the first Windows 2000 domain
controller?
ANSWER
In addition to backing up the data, you must prepare the forest and domain by
using the adprep /forestprep and adprep /domainprep commands.
3. The Kansas City facility is closing. The users are relocated either to New York or to San Francisco. The data and all user accounts must be transferred from the existing domain to the new domain structure. Where in the Active Directory structure do you put the Kansas City users and what tool do you use to get them there?
ANSWER
The Kansas City users can be relocated to OUs within the New York or San
Francisco child domains. ADMT is used to perform this procedure.
4. You must take what considerations into account for the upgrade of the
Windows NT 4.0 domains?
ANSWER
Windows NT 4.0 domain controllers must be updated with Service Pack 4, or later.
Additionally, you must run the winnt32 /checkupgradeonly command to ensure
that the hardware meets the requirements for Windows Server 2003.
5. If you find that the BDC within one of the Windows NT 4.0 domains is
the best candidate for the first upgrade procedure, what must you do to
upgrade this server first?
ANSWER
Assuming that both the PDC and BDC involved are online, you must promote this
BDC to a PDC. This promotion automatically demotes the current PDC.
6. When you finish upgrading and migrating all of the desired domain
controllers, what must you do to take advantage of Windows Server 2003
features such as Universal Group Membership Caching?
ANSWER
You must raise the forest functional level to Windows Server 2003.