name = ans to New Questions #1

exam = 70-217

I'm not sure about each answer, corrections are welcome!!!

1) You are the network administrator for your company. Your company's main office is in Seattle. Branch offices are in New York, Rome, and Tokyo. The local administrators at each branch office need to be able to control local resources.

You want to prevent the local administrators from controlling resources in the other branch offices. You want only the administrators from the main office to be allowed to create and manage user accounts. You want to create an Active Directory structure to accomplish these goals.

What should you do?

A. Create a domain tree that has a top-level domain for the main office and a child domain for each branch office. Grant the local administrators membership in the Domain Admins group in their child domains.

B. Create a domain tree that has a top-level domain for the main office and a child domain for each branch office. Grant the local administrators membership in the Enterprise Admins group in the domain tree.

C. Create a single domain. Create a group named Branch Admins. Grant the local administrators membership in this group. Assign permissions to the local resources to this group.

D. Create a single domain. Create an organizational unit (OU) for each branch office and an additional OU named CorpUsers. Delegate authority for resource administration to the local administrators for their own OUs. Delegate authority to the CorpUsers OU only to the Domain Admins group.

A

2) You are the administrator of your company's network. Your company has two domains in six sites as shown in the exhibit. (Click the Exhibit button.)

Each site has one or more domain controllers. For fault-tolerance and load-balancing purposes, one domain controller in each site is configured as a global catalog server. Users report that, several times a day, network performance and data transfer for an application located in Site A are extremely poor.

You want to improve network performance.

What should you do?

 

A. Configure at least two domain controllers in each site as global catalog servers.

B. Configure the domain controllers in only one site as global catalog servers.

C. Create site links between all sites and use the default replication schedules.

D. Create site links between all sites and set less frequent replication schedules.

E. Create connection objects between each domain controller. Use RPC as the transport protocol.

F. Create connection objects between each domain controller. Use SMTP as the transport protocol.

A

3) You are the administrator of a Windows 2000 domain. The domain is in native mode. The domain contains 15 Windows 2000 Server computers that are functioning as domain controllers and 1,500 Windows NT Workstation client computers.

During a power outage, the first domain controller that you installed suffers a catastrophic hardware failure and will not restart. After the power outage, users report that password changes do not take effect for several hours. In addition, users are not able to log on or connect to resources by using their new passwords.

What should you do to correct this problem?

A. Using the Ntdsutil utility, connect to another domain controller and transfer the PDC emulator role.

B. Using the Ntdsutil utility, connect to another domain controller and seize the PDC emulator role.

C. Using the Ntdsutil utility, connect to another domain controller and transfer the domain naming master role.

D. Using the Ntdsutil utility, connect to another domain controller and seize the domain naming master role.

B

4) When you run DCPromo.exe to install the new domain, you receive an error message stating that the existing domain cannot be contacted. Installation of the new child domain will not proceed.

What should you do to correct this problem?

A. Create an Active Directory integrated zone for the child domain on the new domain controller.

B. Install WINS on the new domain controller.

C. Configure the new domain controller with the address of an authoritative DNS server for the existing domain.

D. Configure the new domain controller with the address of an existing WINS server.

E. Add SRV (service) records for the domain naming master to a Hosts file on the new domain controller.

C

5) You are the administrator of your company's WAN. Your company has four locations connected by dedicated 256-Kbps leased lines. You install and configure a Windows 2000 domain controller at each location. For network performance reasons, you want to control the bandwidth usage and replication schedule of directory information to each domain controller in each location.

What should you do? (Choose two.)

A. Create a site for each location.

B. Create a site that spans all the locations.

C. Create server objects for each domain controller in every site.

D. Create server objects for each domain controller in its own site.

E. Copy all server objects from Default-First-Site-Name to each site.

F. Move each server object from Default-First-Site-Name to the appropriate site.

A,D

6) You are the administrator of your company's network. Your company has its main office in North America and has branch offices in Asia and Europe. The locations are connected by dedicated 256-Kbps lines. The network consists of one Windows 2000 domain. To minimize logon authentication traffic across the slow links, you create a site for each office and configure the site links between the sites.

Users in the branch offices report that it takes a long time to log on to the domain. You monitor the network and discover that all authentication traffic is still being sent to the domain controllers in the North America site.

What should you do to correct this problem?

A. Schedule replication to occur more frequently between the sites.

B. Schedule replication to occur less frequently between the sites.

C. Create a subnet for each physical location, associate the subnets with the North America site, and move server objects to the North America site.

D. Create a subnet for each physical location, associate each subnet with its respective site, and move each server object to its respective site.

D

7) You are the administrator of your company's network. Your company's main office is in Seattle. Large regional offices are located in Chicago, Los Angeles, and New York, as shown in the exhibit. (Click the Exhibit button.)

Three smaller branch offices are located within each region. The regional offices are connected to the main office by T1 lines. The branch offices are connected to the regional offices by ISDN lines. Branch offices in Boston, Dallas, and San Diego also have direct ISDN connections with Seattle.

The network consists of one Windows 2000 domain. For fault-tolerance and load-balancing purposes, each office has its own Windows 2000 domain controller. Each office is configured as its own site. All site links have been created.

You want to create a replication topology that allows only the regional offices to communicate with the main office. You want to ensure that each branch office communicates only with the closest regional office.

What should you do?

A. Manually create connection objects between the domain controllers in the main office and the regional offices. Use SMTP as the transport protocol.

B. Manually create connection objects between each branch office and the closest regional office. Use SMTP as the transport protocol.

C. Allow the Knowledge Consistency Checker (KCC) to automatically create the connection objects between the main office and all other offices.

D. Allow the Knowledge Consistency Checker (KCC) to automatically create the connection objects between the branch offices and the regional offices.

B

8) You are the administrator of your company's network. Your company's main office is in Chicago. Company operations are divided into two regions: East and West. The East region has an office in Miami and an office in New York. The West region has an office in Denver and an office in Seattle.

The offices in the East region contain the human resources (HR) and marketing (Mktg) departments. The offices in the West region contain the sales and finance departments. Company IT policy states that Group Policy must be applied only at the organizational unit (OU) level, and that user groups must correspond to departments.

You want to accomplish the following goals:

Control of users and resources can be delegated to local and departmental administrators.

The IT department can control Group Policy for the entire enterprise.

A single Group Policy object (GPO) can be applied to the sales and marketing departments.

User environments can be customized by city.

You implement an OU structure as shown in the exhibit. (Click the Exhibit button.)

Which result or results does your implementation produce? (Choose all that apply.)

A. Control of users and resources can be delegated to local and departmental administrators.

B. The IT department can control Group Policy for the entire enterprise.

C. A single GPO can be applied to the sales and marketing departments.

D. User environments can be customized by city.

 

9) You are the network administrator for the Lucerne Real Estate Company. The network consists of one Windows 2000 domain named lucernerealestate.local. The network is not currently connected to the Internet.

You are installing a new domain named lucernerealestate1.local. During the promotion process, you receive the following error message: "The domain name specified is already in use on the network."

What is the most likely cause of the problem?

A. The default-generated DNS domain name is already in use.

B. DNS domain names cannot be named interactively.

C. The default-generated NetBios domain name is already in use.

D. NetBios domain names cannot be named interactively.

B

10) You are the administrator of your company's network. The network consists of one Windows 2000 domain. Your company has two locations, which are connected by a dedicated T1 line.

Users frequently report that logons to the network, file transfers, and directory searches are extremely slow. When you monitor the network, you discover that replication between domain controllers is generating excessive network traffic between the locations.

You want to accomplish the following goals:

Replication traffic between locations will be reduced.

Logon response time for users will be improved.

Average file transfer rates for users will be improved.

Directory search response times will be improved.

All domain controllers will have up-to-date replicas of the directory.

Fault tolerance for domain logons and directory searches will be maintained.

You take the following actions:

Configure a domain controller in each location to be a global catalog server.

Create a new subnet in Active Directory for each location.

Modify the location attribute of each domain controller's server object.

Which result or results do these actions produce? (Choose all that apply.)

A. Replication traffic between locations is reduced.

B. Logon response time for users is improved.

C. Average file transfer rates for users are improved.

D. Directory search response times are improved.

E. All domain controllers have up-to-date replicas of the directory.

F. Fault tolerance for domain logons and directory searches is maintained.

 

11) You are the administrator of a newly installed Windows 2000 network for a call center. You need to rename the Administrator account on all computers on your network. You do not want to manually edit each account. Because of a recent security breach, you must implement this policy immediately.

What should you do? (Choose all that apply.)

A. Use Group Policy to rename the Administrator account at the Default Domain Group policy.

B. Use Group Policy to implement a user logon script.

C. Send a network message to all users to restart their computers.

D. Use Group Policy to force all users to log off within 30 minutes.

A,C

12) You are the administrator of a DNS server that runs on a Windows 2000 Server computer. You receive a report that the Windows 2000 Server computer constantly uses more than 80 percent of the CPU. You want to monitor the number of DNS queries that are handled by the DNS server.

What should you do?

A. Run the Nslookup command-line utility.

B. Use the Event Viewer and monitor the DNS server log.

C. Use the monitoring function of the server properties in the DNS console.

D. Use the DNS counters in System Monitor.

E. Check the contents of the Netlogon.dns file.

D

13) You are the administrator of your company's network. You have been auditing security events on the network since it was installed. A user on your network named John Thorson recently reported that he was no longer able to change his password.

Because there have been no recent changes to account policies, you suspect that someone has been modifying the properties of user accounts in Active Directory. There are thousands of entries in the event logs, and you need to isolate and review the events pertaining to this problem in the least possible amount of time.

What should you do?

A. In the security log, create a filter for events matching the following criteria:

Event source: Security

Category: Account Management

User: JTHORSON

B. In the directory service log, create a filter for events matching the following criteria:

Event source: NTDS Security

Category: Security

Search the remaining items for events referencing John Thorson's account.

C. In the directory service log, create a filter for events matching the following criteria:

Event source: NTDS Security

Category: Global Catalog

User: JTHORSON

D. In the security log, create a filter for events matching the following criteria:

Event source: Security

Category: Account Management

Search the remaining items for events referencing John Thorson's account.

D

14) You are the administrator for a Windows 2000 network. Your network consists of one domain and two organizational units (OUs). The OUs are named Corporate and Accounting.

A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created, but you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.

What should you do?

A. Search the security event logs on each domain controller for account management events.

B. Search the security event logs on each domain controller for object access events.

C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.

D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.

A

15) You are the administrator of your company's network. The network is configured in a Windows 2000 domain as shown in the exhibit. (Click the Exhibit button.)

You want to strengthen the security of communications between client computers and servers in the Reps organizational unit (OU). You do not want to decrease overall productivity of the domain.

What should you do?

A. Create one Group Policy object (GPO) in the Sales OU. Increase maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.

B. Create one Group Policy object (GPO) in the Sales OU. Decrease maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.

C. Create one Group Policy object (GPO) in the Reps OU. Decrease maximum service ticket lifetime in the GPO, and increase maximum lifetime that a user ticket can be renewed in the GPO.

D. Create one Group Policy object (GPO) in the Reps OU. Decrease maximum service ticket lifetime in the GPO, and decrease maximum lifetime that a user ticket can be renewed in the GPO.

B

16) You are the administrator of your company's network. Your event log shows that hackers are using brute force attacks to attempt to gain access to your network. You do not want user accounts to be easily accessible. You want to strengthen security to protect against brute force attacks.

What should you do? (Choose two.)

A. Enable the Users must log on to change the password setting.

B. Enable the Store password using reversible encryption for all users in the domain setting.

C. Enable the Password must meet complexity requirements setting.

D. Increase minimum password length.

E. Increase minimum password age.

C,D

17) You are the administrator for Arbor Shoes. Administrative control of Active Directory has been delegated to several people in the company. You need to track changes made to the arborshoes.com domain. To ensure accountability of the other administrators' actions, you want to monitor user and computer account creation and deletion.

What should you do?

A. Modify the default Group Policy object (GPO) on the arborshoes.com domain. Configure the local audit policy to audit account management and directory services access for success and failure. Monitor the security logs for activity on the domain controllers.

B. Modify the default Group Policy object (GPO) on the Domain Controllers organizational unit (OU). Configure the local audit policy to audit account management and directory services access for success and failure. Monitor the security logs for activity on the domain controllers.

C. Modify the default Group Policy object (GPO) on the Domain Controllers organizational unit (OU). Configure the local audit policy to audit account logon events and object access for success and failure. Monitor the security logs for activity on the domain controllers.

D. Modify the default Group Policy object (GPO) on the arborshoes.com domain. Configure the local audit policy to audit account logon events and object access for success and failure. Monitor the security logs for activity on the domain controllers.

B

18) You are the administrator of a Windows 2000 network. Recently, your network security was compromised and confidential data was lost. You are now implementing a stricter network security policy. You want to require encrypted TCP/IP communication on your network.

What should you do?

A. Create a Group Policy object (GPO) for the domain, and configure it to assign the Secure Server IPSec Policy.

B. Create a Group Policy object (GPO) for the domain, and configure it to assign the Server IPSec Policy and to enable Secure channel: Require strong session key.

C. Implement TCP/IP packet filtering, and open only the ports required for your network services.

D. Edit the local security policies on the servers and client computers, and enable Digitally sign client and server communications.

A

19) You are the administrator of your company's network. The network consists of one Windows NT 4.0 domain. You create and implement a security policy that is applied to all Windows 2000 Professional client computers as they are staged and added to the network.

You want this security policy to be in effect at all times on all client computers on the network. However, you find out that administrators periodically change security settings on computers when they are troubleshooting or doing maintenance. You want to automate the security analysis and configuration of client computers on the network so that you can track changes to security policy and reapply the original security policy when it is changed.

What should you do?

A. Use Windows NT System Policy to globally configure the security policy settings on the client computers.

B. Use Windows 2000 Group Policy to globally configure the security policy settings on the client computers.

C. Use the Security and Configuration Analysis tool on the client computers to analyze and configure the security policy.

D. Schedule the Secedit command to run on the client computers to analyze and configure the security policy.

B

20) You want to implement a password policy for all users in an organizational unit (OU) named Sales in a Windows 2000 network. All the users in the Sales OU are in a group named Sales Users. You create a Group Policy object (GPO) named Pass6 to enforce a minimum password length of six characters. You assign the Pass6 GPO to the Sales OU.

There are no other GPOs assigned that specify a minimum password length. However, the week after you assign the Pass6 GPO to the Sales OU, users from the Sales OU report that they can still change their passwords to consist of fewer than six characters.

How should you correct this problem?

A. Ensure that the Sales Users group has Read and Apply Group Policy permissions on the Pass6 GPO.

B. Apply the Pass6 GPO to the domain instead of to the Sales OU. Filter the policy for the Sales Users group.

C. For the Sales OU, block policy inheritance.

D. For the Sales OU, enforce policy inheritance on the Pass6 GPO.

C

21) You are the administrator of a Windows 2000 network for Lucerne Real Estate. The network has 1,200 users. You are delegating part of the administration of the domain to three users.

You delegate the authority to create and delete computer accounts to Carlos. You delegate the authority to change user account information to Julia. You delegate the ability to add client computers to the domain to Peter. You want to track the changes made to the directory by these three users.

What should you do?

A. Create a Group Policy object (GPO) for the domain controllers.

Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter.

Configure the GPO to audit directory services access and account management.

B. Create a Group Policy object (GPO) for the domain.

Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter.

Configure the GPO to audit directory services access and audit object access.

C. Create a Group Policy object (GPO) for the domain controllers.

Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter.

Configure the GPO to audit directory services access and audit object access.

D. Create a Group Policy object (GPO) for the domain.

Assign Read and Apply Group Policy permissions to only Carlos, Julia, and Peter.

Configure the GPO to audit object access and process tracking.

A

22) You are the Windows 2000 network administrator for your company. You are implementing the company's network security model. Your network has several servers that contain sensitive or confidential information. You want to configure security auditing on these servers to monitor access to specific folders. You also want to prevent users from gaining access to these servers when the security logs become full.

What should you do?

A. Create a Group Policy object (GPO) that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer, and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB.

B. Create a Group Policy object (GPO) that applies to the servers. Configure the GPO to enable auditing for directory service access. Set up the individual objects to be audited in Windows Explorer, and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB. Configure the security event log so that it does not overwrite events.

C. Create a Group Policy object (GPO) that applies to the servers. Configure the GPO to enable auditing for directory service access. Set up the individual objects to be audited in Windows Explorer. Configure the security event log so that it does not overwrite events. Then configure the GPO to enable the Shut down the system immediately if unable to log security audits setting.

D. Create a Group Policy object (GPO) that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer. Configure the security event log so that it does not overwrite events. Then configure the GPO to enable the Shut down the system immediately if unable to log security audits setting.

D

23) You are the administrator of your company's network. The network consists of one Windows 2000 domain that has organizational units (OUs) as shown in the exhibit. (Click the Exhibit button.)

All domain controllers in the domain are in OU1. Resources for two separate office buildings are in OU2 and OU3. Nonadministrative users, groups, and computers are in OU4 and OU5. Administrative users, computers, and resources are in OU6.

You are designing a domain-wide security policy.

You want to accomplish the following goals:

The same password and account lockout policies will be applied to all users.

Different security settings will be applied to administrative and nonadministrative computers.

Strict audit policies will be enforced for only domain controllers and servers.

The number of Group Policy object (GPO) links will be minimized.

You take the following actions:

Create a single GPO.

Create one security template that has all required settings.

Import the security template into the GPO.

Link the GPO to the domain.

Which result or results do these actions produce? (Choose all that apply.)

A. The same password and account lockout policies are applied to all users.

B. Different security settings are applied to administrative and nonadministrative computers.

C. Strict audit policies are enforced for only domain controllers and servers.

D. The number of GPO links is minimized.

A,D

24) You are the administrator of a Windows 2000 network. Your network has one domain named parnellaerospace.com. The parnellaerospace.com domain supports 8,000 users at three locations. The network has three sites connected by T1 lines, as shown in the exhibit. (Click the Exhibit button.)

The West site has 2,500 users; the East site has 3,000 users; and the Central site has 2,500 users. Each site contains a global catalog server. The global catalog server in the West site is named LAX01-GC. The global catalog server in the Central site is named TUL01-GC. The global catalog server in the East site is named NYC01-GC.

You want users located in the West site to query TUL01-GC if the West site global catalog server is offline.

What should you do?

A. Create a new subnet, assign it to the West site, and move TUL01-GC to the West site.

B. Configure the site link between the Central site and the West site to have a lower cost than the site link between the West site and the East site.

C. Add a global catalog server to the Central site that has an IP address in the West site subnet.

D. Configure TUL01-GC as a preferred bridgehead server.

E. Set the query policy on LAX01-GC to the default query policy.

B

25) You are the administrator of a Windows 2000 network named contoso.com. Your network is configured as shown in the exhibit. (Click the Exhibit button.)

Your company plans to open a new office in Dallas. Members of your IT staff will be on-site in Dallas next week to install the new 10.1.3.0/24 network. You want to prepare the network in advance so that when the IT staff installs a new domain controller, it will automatically join the appropriate site.

What should you do?

A. Delete the Default-First-Site-Name object in Active Directory Sites and Services.

B. Create a new subnet for the Dallas network. Create a new site and associate the new subnet with the new site.

C. In the Domain Controller OU, create a computer account that has the name of the new domain controller.

D. Use RIS to prestage the new domain controller.

E. Copy the installation source files to the new domain controller. Create an unattended install file with an automated DCPromo.bat file.

B

26) You are the administrator of a large Windows 2000 network. You have three domains named adatum.com, us.adatum.com, and eur.adatum.com. Eric has recently been hired to assist you with network administration. You want him to be able to manage user accounts, back up servers, and configure services on all workstations and servers only in the eur.adatum.com domain.

What should you do?

A. Add Eric to the Enterprise Admins group and delegate control only at the adatum.com domain.

B. Move Eric's user account to the Domain Controllers organizational unit (OU) in eur.adatum.com.

C. Add Eric's user account to the Domain Admins group in eur.adatum.com.

D. Add Eric's user account to the Server Operators and Account Operators group in eur.adatum.com.

D

27) You create an organizational unit (OU) structure for the blueskyairlines.com domain. You want to delegate administrative control of user objects on your Windows 2000 network.

The User OU is a child of the Research OU. You create a group named Research User Admin that includes users who have permissions to create and manage the workstations in the Workstation OU. The Research User Admin group has Full Control permission on the Research OU. You want user accounts to be created only in the User OU.

Which three actions should you take? (Choose three.)

A. Grant Full Control permission to the Research User Admin group on the User OU for computer objects.

B. Remove the Research User Admin group from the Research OU ACL.

C. Grant Create Contact objects permission on the User OU.

D. Disable inheritance of permissions from the Research OU to the User OU.

E. Deny Create User objects permission on the Research OU.

F. Grant Read and Write permissions to the blueskyairlines.com domain.