Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment

1. You are the network administrator for Blue Yonder Airlines. The company has offices in Toronto, New York, and Chicago. The network connections are shown in the exhibit.
(Click the Exhibit button.)

The network consists of two Active Directory domains. User objects for users in the Toronto office and the New York office are stored in the blueyonderairlines.com domain. User objects for users in the Chicago office are stored in the roduction.blueyonderairlines.com domain. Active Directory is configured as shown in the following table.

Users in the New York office frequently report that they cannot log on to the network, or that logging on takes a very long time. You notice increased global catalog queries to servers in the Toronto office during peak logon times.  You need to improve logon performance for users in the New York office without increasing WAN traffic that is
due to replication. What should you do?
A. Configure the domain controller in the New York office as a global catalog server.
B. Configure Active Directory to cache universal group memberships for the Toronto office.
C. Install an additional domain controller in the New York office.
D. Configure Active Directory to cache universal group memberships for the New York office.
Answer: D

2. You are the network administrator for Litware, Inc. The company has offices in Chicago, New York, and Toronto. Each office employs 500 people. The network consists of a single Active Directory forest with one domain in each office. Each domain contains two domain controllers named Server1 and Server2. All domain controllers run Windows Server 2003. Each office is configured as an Active Directory site. The domain structure is shown in the exhibit. (Click the Exhibit button.)

The Windows Server 2003 computer named Server1.litwareinc.com holds all operations master roles for its domain, and it holds both forest-level operations master roles. The Windows Server 2003 computers named Server1.sales.litwareinc.com and Server1.prod.litwareinc.com hold all operations master roles for their respective domains. WAN connectivity between the offices is unreliable. You need to plan the placement of global catalog servers for the network. You need to ensure that each user can log on in the event of the failure of a single domain controller and WAN connection. You need to ensure that the consistency of universal group membership information remains intact.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Configure both domain controllers in litwareinc.com as global catalog servers.
B. Configure only Server1 in each domain as a global catalog server.
C. Configure only Server2 in each domain as a global catalog server.
D. Enable universal group membership caching for each site.
E. Enable universal group membership caching for the Chicago office.
F. Enable universal group membership caching for the Toronto office and the New York office.
Answer: C AND D

3. You are a network administrator for Humongous Insurance. The network consists of a single Active Directory forest that contains 30 domains. The company has 400 offices. The network contains 150,000 user objects. All servers run Windows Server 2003. You are responsible for administering the marketing department, which has offices in North America and Europe, as shown in the work area. Offices in Toronto, Chicago, and New York are part of the america.humongousinsurance.com domain. Offices in Paris, Bonn, and Rome are part of the europe.humongousinsurance.com domain. The number of users in each office is shown in the following table. Users in the Bonn, New York, and Toronto offices require access to a directory-enabled application that stores configuration information in the global catalog.

You need to plan the placement of domain controllers for the network. You need to ensure that each user can log on without using cached credentials and that users have access to the application if a WAN connection fails. You need to achieve this goal while minimizing the increase in WAN traffic. What should you do?
To answer, drag the appropriate domain controller configuration or configurations to the correct location or locations in the work area.

4. You are a network administrator for your company. The network consists of two Active Directory domains. All servers run Windows Server 2003. The company has offices in several cities as shown in the exhibit. (Click the Exhibit button.)

Each office is configured as an Active Directory site. There are global catalog servers in the Toronto and Paris sites. You enable universal group membership caching for all other sites. Users in your company use an application that is integrated with Active Directory. The application reads data from the global catalog. Users report that during periods of peak activity, the application responds slowly. You need to improve the response time of the application. What should you do?
A. Disable universal group membership caching in the Chicago, New York, Bonn, and Rome sites.
B. Decrease the replication interval on the site links that connect the Chicago and New York sites to the Toronto
site, and on the site links that connect the Bonn and Rome sites to the Paris site.
C. Configure global catalog servers in the Chicago, New York, Bonn, and Rome sites.
D. Perform an offline defragmentation of the Active Directory database on the domain controllers in the Toronto and Paris sites.
Answer: C

5. You are a network administrator for Litware, Inc. The network consists of two Active Directory domains with three sites. All servers run Windows Server 2003. The company has offices in three cities, and each office is configured as a separate site. The network configuration is shown in the exhibit. (Click the Exhibit button.)

The company has 1,750 users in the Paris office, 1,750 users in the Rome office, and 25 users in the Bonn office. Global catalog servers are configured in each site. Automatic site link bridging is disabled. A written company policy requires that no WAN connection exceed 70 percent peak utilization. You examine the WAN connection between the Rome and Paris offices and discover that the utilization reaches 95 percent during Active Directory replication. You need to reduce the WAN traffic associated with Active Directory replication on the connection between the Rome and Paris offices. You need to ensure that users in the Rome office can log on to the domain if a WAN connection fails.
What should you do?
A. Decrease the replication interval on the site link connecting the Paris and Rome sites.
B. Remove the global catalog server from the Rome office. Enable universal group membership caching in the Rome site.
C. Enable slow link detection in the Default Domain Policy Group Policy object (GPO) in the rome.litwareinc.com domain.
D. Configure a site link bridge between the site link that connects the Rome and Paris sites and the site link that connects the Paris and Bonn sites.
Answer: B

6. You are a network administrator for a company that has five regional offices and 3,000 branch offices. Each branch office contains 10 users. Branch offices are connected to the nearest regional office by a 56-Kbps WAN connection.  The network consists of a single Active Directory forest that contains one domain for each regional office. All servers run Windows Server 2003. Each branch office contains one domain controller that is configured as an additional domain controller in the regional domain for the branch office. The site link between each branch office and the corresponding regional domain is configured to replicate every 30 minutes. Users in the branch offices report that applications respond slowly when they access resources in the corresponding regional office. You monitor the WAN connection that connects several of the branch offices and discover that utilization increases from 30 percent to more than 90 percent on a regular basis. You need to improve the response time of applications when they access resources in the regional office. You need to ensure that users can log on without using cached credentials if the WAN connection fails. What should you do?
A. Remove Active Directory from the file and print server in each branch office. On the site link between each branch office and the corresponding regional office, increase the replication interval.
B. Enable universal group membership caching in each branch office. Configure the site link between each branch office and the corresponding regional office to be available only during off-peak hours.
C. Configure the domain controller in each branch office as a global catalog server.
D. On the site link between each branch office and the corresponding regional office, decrease the replication interval. 
Answer: B

7. You are a network administrator for Consolidated Messenger. The network consists of 20 Active Directory domains. All servers run Windows Server 2003. The company has 240 offices. Each office is configured as an Active Directory site. The company has a branch office that contains four users. User objects for these users are stored in the east.consolidatedmessenger.com domain. The branch office is connected to the corporate network by a 56-Kbps WAN connection. The branch office contains a domain controller named DC1 that is configured as an additional domain controller for the east.consolidatedmessenger.com domain. An Active Directory site is configured for the branch office. DC1 is a member of this site. An IP site link exists between the branch office and the main office. The WAN connection is available only during business hours. Users in the branch office report slow response times on the WAN connection. You examine the WAN connection and discover that the problem is caused by Active Directory replication. You need to improve the performance of the WAN connection. What should you do?
A. Configure DC1 as a global catalog server.
B. Enable universal group membership caching in the branch office.
C. Remove Active Directory from DC1 and configure DC1 as a member server.
D. On the site link that connects the branch office to the corporate network, increase the replication interval.
Answer: C

8. You are a network administrator for your company. The network consists of two Active Directory domains. All servers run Windows Server 2003. The company has offices in New York and Rome, and the two offices are connected by a 128-Kbps WAN connection. Each office is configured as a single domain. Each office is also configured as an Active Directory site. The company stores printer location information in Active Directory. Users frequently perform searches of Active Directory to find information on printers by selecting the Entire Directory option. Users in the New York office report that response time is unacceptably slow when searching for printers. You need to improve the response time for users in the New York office. What should you do?
A. Place a domain controller for the Rome domain in the New York office.
B. Place a domain controller for the New York domain in the Rome office.
C. Enable universal group membership caching in the New York office.
D. Configure a global catalog server in the New York office.
Answer: D

9. You are a network administrator for Contoso, Ltd. The network consists of a single Active Directory forest as shown in the exhibit. (Click the Exhibit button.)

Your company's written security policy requires that all domain controllers in the child1.contoso.com domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group. You need to configure the domain controllers in the child1.contoso.com domain to meet the new security requirements. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.contoso.com domain.
B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.contoso.com domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.contoso.com domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.contoso.com domain.
E. Run the system key utility (syskey) on each domain controller in the child1.contoso.com domain. In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1.contoso.com domain. In the Account Database Key dialog box, select the Store Startup Key Locally option.
Answer: C AND E

10. You are a network administrator for your company. The network consists of a single Active Directory forest that contains one root domain and multiple child domains. The functional level of all child domains is Windows Server 2003. The functional level of the root domain is Windows 2000 native. You configure a Windows Server 2003 computer named Server1 to be a domain controller for an existing child domain. Server1 is located at a new branch office, and you connect Server1 to a central data center by a persistent
VPN connection over a DSL line. Server1 has a single replication connection with a bridgehead domain controller in the central data center. You configure DNS on Server1 and create secondary forward lookup zones for each domain in the forest. You need to minimize the amount of traffic over the VPN connection caused by logon activities.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the DNS zones to be Active Directory-integrated zones.
B. Configure Server1 to be the PDC emulator for the domain.
C. Configure Server1 to be a global catalog server.
D. Configure universal group membership caching on Server1.
Answer: C AND D

11.
 You are the network administrator for your company. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003. The forest contains several Active Directory sites that represent branch offices and a site named MainOffice that represents the central data center. A site named Branch1 contains one domain controller named Server1 that is not
a global catalog server. The MainOffice site contains one domain controller named Server2 that is a global catalog server.  You need to use universal group membership caching in the Branch1 site. Which component or components should you configure?
To answer, select the appropriate component or components in the work area.

12. You are the network administrator for your company. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003. The forest includes two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers that are global catalog servers named Server1 and Server2. Site2 contains two domain controllers that are not global catalog servers named Server3 and Server4. The two sites are connected by a WAN connection. Users in Site2 report that logon times are unacceptably long. You need to improve logon times for the users in Site2 while minimizing replication traffic on the WAN connection.  How should you configure the network? To answer, drag the appropriate configuration option or options to the correct location or locations in the work area.

13. You are the network administrator for Adventure Works. The network consists of a single Active Directory forest that contains a forest root domain named adventure-works.com and a child domain named child1.adventure-works.com. The functional level of the forest is Windows Server 2003. The company uses universal groups to prevent temporary employees from accessing confidential information on computers in the forest. The hild1.adventure-works.com domain contains a Windows 2000 Server computer named Server1. Server1 runs an application that makes frequent LDAP queries to the global catalog. Server1 is located on a subnet associated with an Active Directory site named Site2 that has no global catalog servers. Site2 is connected to another site by a WAN connection. You need to enable the application on Server1 to run at high performance levels and to continue operating if a WAN connection fails. You also need to minimize traffic over the WAN connection. What should you do?
A. Enable universal group membership caching in Site2.
B. Configure at least one global catalog server in Site2.
C. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry on all domain controllers in Site2.
D. Remove Server1 from the child1.adventure-works.com domain and add it to a workgroup.
Answer: B

14. You are the network administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. You support 100 mobile users who have portable computers that run Windows NT Workstation 4.0, Windows 98, Windows 2000 Professional, Windows XP Professional, or Windows ME.
Your company's written security policy requires that any remote access solution must provide both data integrity and data origin authentication. You need to implement a VPN-based remote access solution. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)
A. Install certificates on all VPN client computers.
B. Install a certificate on the VPN server computer.
C. Implement L2TP-based connections on the Windows 2000 Professional computers and the Windows XP
Professional computers. Implement PPTP-based connections on all other portable computers.
D. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier.
Implement L2TP-based connections on all portable computers.
E. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement PPTP-based connections on all portable computers.
Answer: D AND B AND A

15. You are the network administrator for your company. All Web servers on the network run Windows 2000 Server. The Web servers run several applications, including a collaborative Web-based application that uses ASP.NET and Web Distributed Authoring and Versioning (WebDAV). You plan to migrate the Web servers to Windows Server 2003. You use the Configure Your Server Wizard to configure a Windows Server 2003 computer as an application server, and you enable ASP.NET in the process. You install the Web-based application on the server. Users now report that when they attempt to access the collaborative Web-based application, they receive the error message shown in the exhibit. (Click the Exhibit button.)

Users can successfully access other applications on the Web servers.
You need to enable the collaborative Web-based application to function on Windows Server 2003 while maintaining Web server security. What should you do?
A. Use IIS Manager to disable anonymous access.
B. Use IIS Manager to allow the WebDAV Web service extension and to allow Httpext.dll.
C. Use IIS Manager to grant the users of the Web-based application permissions for the default Web site.
D. Use IIS Manager to allow the Active Server Pages Web service extension and to allow Asp.dll.
Answer: B

16. You are the network administrator for your company. The network consists of a single Active Directory domain that contains only one domain controller. The domain controller is named Server1. The domain contains only one site named London. You are adding a new site named Paris. You need to promote an existing Windows Server 2003 member server named Server2 to be an additional domain controller of the domain. A 56-Kbps WAN connection connects the London and Paris sites. You need to install Server2 as a new domain controller in the Paris site. You need to minimize the use of the WAN connection during this process. What should you do?
A. Set the site link cost between the London and Paris sites to 50. Promote Server2 to be an additional domain controller in the Paris site.
B. Restore the backup files from the system state data on Server1 to a folder on Server2 and install Active Directory by running the dcpromo /adv command.
C. Promote Server2 to be an additional domain controller by running the dcpromo command over the network.
D. Promote Server2 to be an additional domain controller by using an unattended installation file.
Answer: B

17. You are the network administrator for Proseware, Inc. The network consists of a single Active Directory forest that contains one forest root domain named proseware.com and two child domains named europe.proseware.com and usa.proseware.com. The functional level of the forest is Windows 2000 native. The proseware.com domain contains a Windows 2000 Server domain controller named Server3 that is running Service Pack 4 or later. You take Server3 offline. You also remove all references to Server3 from the Configuration container in Active Directory. Five days later, you upgrade all remaining domain controllers to Windows Server 2003. You then raise the functional level of the forest to Windows Server 2003. You need to integrate Server3 into the new Active Directory infrastructure. You want Server3 to be an additional domain controller of the europe.proseware.com domain. What should you do?
A. Upgrade Server3 to Windows Server 2003. Add the computer account for Server3 into the Computers container
of the europe.proseware.com domain.
B. Demote Server3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Upgrade
Server3 to a Windows Server 2003 member server. Run the dcpromo command to promote Server3 to be an
additional domain controller of the europe.proseware.com domain.
C. Demote Server3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Add the
computer account for Server3 into the Domain Controllers organizational unit (OU) of the europe.proseware.com
domain. 
D. Upgrade Server3 to Windows Server 2003. Add the computer account for Server3 into the Domain Controllers
organizational unit (OU) of the europe.proseware.com domain.
Answer: B

18. You are the network administrator for your company. Your user account is a member of the Schema Admins group. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named Server1 holds the schema master role.
An application named Application1 creates additional schema classes. You notice that this application created some classes that have incorrect class names. You need to correct the class names as quickly as possible. What should you do?
A. Deactivate the Application1 classes that have the incorrect class names. Set the default security permission for
the Everyone group for those schema classes to Deny.
B. Deactivate the Application1 classes that have the incorrect class names. Create the Application1 classes with
the correct class names.
C. Rename the description of the Application1 classes to the correct class name. Instruct the developers of
Application1 to change the code of the application so that the renamed schema classes can be used.
D. Instruct the developers of Application1 to change the code of the application so that the application creates the
new schema classes with the correct class names. Reinstall Application1 and select Reload the schema in the
Active Directory Schema console.
Answer: B

19.You are the network administrator for Proseware, Inc. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a root domain named proseware.com and two child domains named europe.proseware.com and usa.proseware.com. All domain controllers run Windows Server 2003. Each domain contains one DNS server. The DNS server in proseware.com is named DNS1, the DNS server in europe.proseware.com is named DNS2, and the DNS server in usa.proseware.com is named DNS3. Each DNS server in a child domain is responsible for name resolution in only its domain. The TCP/IP properties of all client computers in the child domains are configured to use only the DNS server in their domain. All records of all DNS servers are stored in Active Directory. You create a new application directory partition named DNSdata.proseware.com. You enlist DNS1 and DNS2 in this application directory partition. You need to enable all users in the proseware.com domain to access resources in the europe.proseware.com domain by using host names. Users in the proseware.com domain do not need to access resources in the usa.proseware.com domain. You need to configure the zone replication scope of the europe.proseware.com domain at DNS2. What should you do? To answer, configure the appropriate option or options in the dialog box.

20. You are the network administrator for Tailspin Toys. The network consists of a single Active Directory forest root domain named tailspintoys.com. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named DC1.tailspintoys.com is the Active Directory-integrated DNS server for tailspintoys.com. All servers and client computers in the tailspintoys.com domain use DC1.tailspintoys.com as their DNS server for name resolution. Your company acquires a company named Contoso, Ltd. The Contoso, Ltd., network consists of a single Active Directory forest root domain named contoso.com. The functional level of this domain is Windows Server 2003. A Windows Server 2003 domain controller named DC1.contoso.com is the Active Directory-integrated DNS server for contoso.com. All servers and client computers in the contoso.com domain use DC1.contoso.com as their DNS server for name resolution. You create a two-way forest trust relationship with forest-wide authentication between tailspintoys.com and contoso.com. You need to ensure that all users in both companies can log on to both forest root domains. You need to achieve this goal without adversely affecting Internet access. What should you do?
A. Set Stub Zone as the zone type for the tailspintoys.com domain on DC1.tailspintoys.com and for the contoso.com domain on DC1.contoso.com.
B. Select the Do not use recursion for this domain check box on DC1.contoso.com and on DC1.tailspintoys.com.
C. Add the fully qualified domain name (FQDN) and the IP address of DC1.contoso.com to the Root hints list on DC1.tailspintoys.com. Add the FQDN and the IP address of DC1.tailspintoys.com to the Root hints list on DC1.contoso.com.
D. Configure conditional forwarding on DC1.tailspintoys.com to forward all requests for resources in the contoso.com domain to DC1.contoso.com. Configure conditional forwarding on DC1.contoso.com to forward all requests for resources in the tailspintoys.com domain to DC1.tailspintoys.com.
Answer: D

21. You are the network administrator for your company. The network consists of a single Active Directory domain. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits.
What should you do?
A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A

22. You are the network administrator for City Power & Light. Your network consists of a single Active Directory forest that contains a forest root domain named cpandl.com and one child domain named miami.cpandl.com. All domain controllers run Windows 2000 Server. The miami.cpandl.com domain contains one Windows Server 2003 member server named Server2. You attempt to promote Server2 to be an additional domain controller of the miami.cpandl.com domain. The promotion fails and you receive the error message shown in the exhibit. (Click the Exhibit button.)

You need to resolve the error in order to promote Server2 to be an additional domain controller of the miami.cpandl.com domain. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Force replication between the schema master and the PDC emulator of only the cpandl.com domain.
B. Force replication between the schema master and the PDC emulator of the cpandl.com domain and the miami.cpandl.com domain.
C. Run the adprep /forestprep command on the schema master of the cpandl.com domain.
D. Run the adprep /domainprep command on the infrastructure master of only the cpandl.com domain.
E. Run the adprep /domainprep command on the infrastructure masters of the cpandl.com domain and the miami.cpandl.com domain.
Answer: E AND C

23. You are the network administrator for A. Datum Corporation. The company has a subsidiary named Contoso, Ltd. The A. Datum Corporation network consists of a single Active Directory forest. The forest contains one domain named adatum.com. The functional level of the domain is Windows Server 2003. The Contoso, Ltd.,
network consists of a single Windows NT 4.0 domain named CONTOSO.
A file server named Server1 is a member of the adatum.com domain. All users in both domains need to save files on Server1 every day. You need to allow users in the CONTOSO domain to access files on Server1. You need to ensure that the domain
administrators of the CONTOSO domain cannot grant users in the adatum.com domain permissions on servers in the CONTOSO domain. What should you do?
A. Upgrade the CONTOSO domain to Windows Server 2003 and make this domain the root domain of a second tree in the existing forest.
B. Upgrade the CONTOSO domain to Windows Server 2003 and make this domain the root domain of a new forest. Create a two-way forest trust relationship.
C. Create a one-way external trust relationship in which the adatum.com domain trusts the CONTOSO domain.
D. Create a one-way external trust relationship in which the CONTOSO domain trusts the adatum.com domain.
Answer: C

24. You are the network administrator for City Power & Light. Your network consists of a single Active Directory forest that contains two domains named cpandl.com and chicago.cpandl.com. The functional level of the forest is
Windows Server 2003. The network contains two sites named New York and Chicago. A 128-Kbps site link connects the New York and Chicago sites. The cpandl.com domain contains a domain controller named DC1 in the New York site. The chicago.cpandl.com
domain contains a domain controller named DC2 in the Chicago site. DC1 is an Active Directory-integrated DNS server and a global catalog server. There are 1,500 users in the New York site and 80 users in the Chicago site. Users in the Chicago site report that it takes a long time to log on to the network. You need to ensure that the users
in the Chicago site can log on faster. What should you do?
A. Decrease the value of the Maximum lifetime for user ticket Kerberos policy in the Default Domain Policy Group Policy object (GPO) of the chicago.cpandl.com domain.
B. Enable universal group membership caching for DC2 in Active Directory Sites and Services.
 C. Enable the Interactive Logon: Number of previous logons to cache security policy in the Default Domain Policy Group Policy object (GPO) of the chicago.cpandl.com domain.
D. Decrease the the value of the replication interval at the site link between the Chicago and New York sites.
Answer: B

25. You are the network administrator for Trey Research. Two of your company's customers are Contoso Pharmaceuticals and City Power & Light. Your domain infrastructure is shown in the exhibit. (Click the Exhibit button.)

All users in the treyresearch.com domain need to access resources in the contoso.com domain. Some users in the treyresearch.com domain need to access resources in the sales.cpandl.com domain. No users in the treyresearch.com domain need to access resources in the sales.contoso.com domain. Although a two-way trust relationship exists between the treyresearch.com and cpandl.com domains, you discover that the users in the treyresearch.com domain cannot access resources in the sales.cpandl.com domain.
You need to ensure that all users in the treyresearch.com domain can access the appropriate resources in the other forests. What should you do?
A. Enable the routing status of the sales.contoso.com name suffix on the forest trust from treyresearch.com to
contoso.com.
Disable the routing status of the sales.cpandl.com name suffix on the forest trust from treyresearch.com to
cpandl.com. 
B. Disable the routing status of the sales.contoso.com name suffix on the forest trust from treyresearch.com to
contoso.com.
Enable the routing status of the sales.cpandl.com name suffix on the forest trust from treyresearch.com to
cpandl.com. 
C. Enable the routing status of the sales.contoso.com name suffix on the forest trust from treyresearch.com to
contoso.com.
Enable the routing status of the sales.cpandl.com name suffix on the forest trust from treyresearch.com to cpandl.com. 
D. Disable the routing status of the sales.contoso.com name suffix on the forest trust from treyresearch.com to contoso.com. Disable the routing status of the sales.cpandl.com name suffix on the forest trust from treyresearch.com to cpandl.com. 
Answer: B

26. You are the network administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. The network contains servers that have Terminal Server enabled. The terminal servers host legacy applications
that currently require users to be members of the Power Users group. A new requirement in the company's written security policy states that the Power Users group must be empty on all resource servers. You need to maintain the ability to run the legacy applications on the terminal servers when the new security requirement is implemented. What should you do?
A. Add the Domain Users global group to the Remote Desktop Users built-in group in the domain.
B. Add the Domain Users global group to the Remote Desktop Users local group on each terminal server.
C. Modify the Compatws.inf security template settings to allow members of the local Users group to run the applications. Import the security template into the Default Domain Controllers Policy Group Policy object (GPO).

D. Modify the Compatws.inf security template settings to allow members of the local Users group to run the applications. Apply the modified template to each terminal server.
Answer: D

27. You are the network administrator for your company. The company is deploying a public Web server farm on Windows Server 2003 computers. This Web server farm will allow the public to view company information. The Web servers in the Web server farm will be placed in the company's perimeter network, which uses a public Internet address space. The company wants to reduce the probability of external unauthorized users breaking into the public Web servers. You need to make the Web servers less vulnerable to attack. You also want to ensure that the public will be able to view information that is placed in the company's perimeter network. What should you do?
A. Configure each Web server's IP address to a private reserved Internet address.
B. Configure the Web servers to allow only IPSec communications.
C. Disable any unneeded services on the Web servers.
D. Disable TCP/IP filtering on all adapters in the Web servers.
Answer: C

28. You are the network administrator for your company. The network consists of a single Active Directory domain. The company has an internal network and a perimeter network. The internal network is protected by a firewall. Application servers on the perimeter network are accessible from the Internet. You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web
pages.  The network design requires that custom security settings must be applied to the application servers. These custom security settings must be automatically refreshed every day to ensure compliance with the design. You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements. What should you do?
A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO).
B. Create a task on each application server that runs Security and Configuration Analysis with Baseline1.inf every day.
C. Create a task on each application server that runs the secedit command with Baseline1.inf every day.
D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit command with Baseline1.inf.
Answer: C

29. You are the network administrator for A. Datum Corporation. The network consists of a single Active Directory forest that contains two domains named adatum.com and na.adatum.com. The functional level of the forest is Windows Server 2003.
Your company merges with a company named Proseware, Inc. The Proseware, Inc., network also consists of a single Active Directory forest. The forest contains two domains named proseware.com and sa.proseware.com. The functional level of both domains is Windows 2000 native. All domain controllers in the forest run Windows 2000 Server. 
Users in the na.adatum.com domain and the sa.proseware.com domain must be able to easily share information. The data is located on Windows Server 2003 member servers in both domains. You need to configure the trust relationships between the domains so that the users can easily share the information. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Create a two-way forest trust relationship between the adatum.com domain and the proseware.com domain.
B. Create a one-way external trust relationship in which the na.adatum.com domain trusts the sa.proseware.com domain. Create another one-way external trust relationship in which the sa.proseware.com domain trusts the na.adatum.com domain.
C. Create a one-way external trust relationship in which the na.adatum.com domain trusts the proseware.com
domain. Create another one-way external trust relationship in which the sa.proseware.com domain trusts the
adatum.com domain.
D. Create a one-way external trust relationship in which the proseware.com domain trusts the na.adatum.com
domain. Create another one-way external trust relationship in which the adatum.com domain trusts the
sa.proseware.com domain.
Answer: B

30. You are the network administrator for City Power & Light. You are implementing a new Windows Server 2003 network environment. You install one Active Directory forest root domain named cpandl.com. You install the first domain controller named DC1. You configure DC1 as a DHCP server and as an Active Directory-integrated DNS
server with dynamic updates enabled. Later you install an additional domain controller named DC2. You cannot raise the functional level of the domain to Windows Server 2003. You discover that the service locator (SRV) resource records of DC1 are not created in the cpandl.com zone on the DNS server. You run the Dcdiag tool on DC1 and receive the output shown in the exhibit. (Click the Exhibit button.)

You need make it possible to raise the functional level of the domain to Windows Server 2003. What should you do?
A. Upgrade DC2 to a global catalog server.
B. Use the DHCP server locator utility to find out which DHCP servers are available in the cpandl.com zone.
C. Start the Net Logon service on DC1.
D. Restart the DNS Server service on DC1 to enable DNS clients to resolve host names by answering queries and
update requests.
Answer: C