
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure


VUE/Prometric Code:70-297

Exam Name:Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure
Questions and Answers:120 Q&As
Price:$ 49
Updated:2008-12-01


killtest 70-297 Exam Features

High quality and Value for the 70-297 Exam.
Killtest Practice Exams for Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure 70-297 are written to the highest standards of technical accuracy, using only certified subject matter experts and published authors for development.

100% Guarantee to Pass Your MCSE2003 exam and get your MCSE2003 Certification.
We guarantee your success in the first attempt. If you do not pass the 70-297 (Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure) on your first attempt we will give you a FULL REFUND of your purchasing fee AND send you another same value product for free.

killtest 70-297 Downloadable.
Printable Exams (in PDF format). Our Exam 70-297 Preparation Material provides you everything you will need to take your MCSE2003 exam. The MCSE2003 Certification details are researched and produced by Professional Certification Experts who are constantly using industry experience to produce precise, and logical. You may get MCSE2003 exam questions from different web sites or books, but logic is the key. Our Product will help you not only pass in the first MCSE2003 exam try, but also save your valuable time.

  • Comprehensive questions with complete details about 70-297 exam.
  • 70-297 exam questions accompanied by exhibits.
  • Verified Answers Researched by Industry Experts and almost 100% correct.
  • Drag and Drop questions as experienced in the Real MCSE2003 exam.
  • 70-297 exam questions updated on regular basis.
  • Like actual MCSE2003 Certification exams, 70-297 exam preparation is in multiple-choice questions (MCQs).
  • Tested by many real MCSE2003 exams before publishing.
  • Try free MCSE2003 exam demo before you decide to buy it in http://www.Killtest.com.

http://www.Killtest.com The safer, easier way to get MCSE2003 Certification.

We offer a demo version of the Q&A. The questions and answers follow (exhibit pictures are not provided):

Overview
A. Datum Corporation is a company that provides technical classes at locations across North America. The company primarily offers instructor-led courses, on a Monday-through-Friday schedule.
Physical Locations
The company’s main office is located in Atlanta. The company has three branch offices in the following locations:
  • Chicago
  • Dallas
  • Seattle

In addition to the main office in Atlanta, there are also two satellite offices: Atlanta East and Atlanta West. There is no IT staff in the satellite offices.
Planned Changes
The company has evolved into a single business unit from four separate technical schools in each of the cities where the company’s offices are currently located.
The company recognizes that a cohesive administrative structure will better serve its employees and better secure critical resources.
Recently, the company has begun to offer classes from Atlanta that are available online via the Internet. The company wants to begin offering online content from all offices, not just from Atlanta.
Business Process
Currently, the offices of A. Datum Corporation operate as four independent business units: Atlanta, Chicago, Dallas, and Seattle.

The IT staff in each office functions independently. Network resource access is primarily localized to each office with the exception of the student records database and the current online courseware, which are hosted on servers in Atlanta only.
The student records database contains students’ personal data and their transcripts. Currently, the branch offices e-mail the students’ enrollment and transcript information to the Atlanta office for entry into the student records database. The admissions department enters personal student data and the registrar’s department enters grades. The student records database currently cannot be updated from any other location.
The online course content is already developed and in use.

Directory Services
The servers are configured as shown in the Available Servers exhibit.


The Atlanta office currently has a Windows 2000 Active Directory domain.
The Chicago and Dallas branch offices are both running in workgroup configurations.
Each office manages its own users and groups.
Network Infrastructure
The existing network is shown in the Existing Network Infrastructure exhibit.

WAN connections between the Atlanta main office and Atlanta East can be unreliable. There are DHCP servers in Atlanta and the branch offices. All servers are Pentium III 550-MHz or greater processors with at least 512 MB of memory. All of the offices run various client operating systems, which include Windows 98, Windows NT Workstation 4.0, Windows 2000 Professional, Windows XP Professional, and UNIX. The instructors run either Windows 2000 Professional or Windows XP Professional on their desktop computers at the office. UNIX instructors use a UNIX client computer to access the network when working from home.
Problem Statements
The following business problems must be considered:

  • The company recognizes that its biggest security vulnerability is the methodology that it uses to update the student records database in Atlanta. In the past, there have been problems with students gaining access to and altering their student records.
  • There has been reason to suspect that courseware has been compromised because of weak passwords on instructors’ computers.

Chief Executive Officer
I am pleased with the performance of our staff at A. Datum Corporation. However, I am concerned about protecting our intellectual property. Both our online curriculum and the student records database need protection. Our primary focus must be that no one outside of the organization can view or modify this information.
Chief Information Officer
We need to provide an adequate security structure for our network environment. It is important that we create a centralized network operations team. I am confident in the ability of our IT staff in Atlanta to take a lead administrative role in our envisioned environment.
The practice of sending student information through e-mail must stop. I think our strategy of a single, centralized student records database is valid. We need to make this database directory-aware so that users who have the responsibility for updating the student records will need only a single set of credentials to make the necessary changes.
Additionally, instructors are not receiving updated teaching schedule information on a timely basis. The issue should be addressed by ensuring that our new scheduling program is installed on all instructor computers, including the computers that the instructors use when accessing our network remotely.
Registrar, Atlanta Office

I am concerned about the network changes. The good news is that they will tell me that I will need only one logon name. However, the other news I am hearing is not good. I am told that the password I use cannot be a word. How am I going to remember a password that is not a word? I have a hard time remembering passwords as it is.
My other major concern is that I am being told that the instructors in each location will be able to enter grades. Recording grades should be my job exclusively.

Business Drivers
The following business requirements must be considered:

  • For its Web site, A. Datum Corporation is using the registered domain name adatum.com.
  • The company anticipates more focus on the online course offerings in the future.

Organizational Goals
The following organizational requirements must be considered:
  • The student records database must be available to all offices from Atlanta during the hours of 9:00 A.M. to 8:00 P.M. Eastern Time, Monday through Friday.
  • The online courseware must be available 24 hours a day, seven days a week.

Security
The following security requirements must be considered:

  • The student records database server must be secured to allow only those with the appropriate authorization to modify or add data. These authorized personnel include both instructors and staff in each of the company’s offices.
  • Instructors will require the necessary permissions to modify the content for the online courseware for which they are responsible.
  • Instructors are required to make changes to the online courseware and post grades from the LAN only.

Customer Requirements
The following customer requirements must be considered:

  • Remote access will be required for all instructors when they need to access their business offices from home. Some instructors will use UNIX client computers for remote access.
  • Instructors will need the new scheduling application to be installed both on their office and home computers that are members of the domain, even if using a dial-up connection.
  • Windows 98 is currently the operating system on the sales representatives’ computers. These computers will not be upgraded in the near future. However, the Active Directory client will be installed on these computers. There are sales representatives in all of the company’s offices.
  • Web access to the online curriculum is required by the students enrolled in the online classes, and must be limited to enrolled students only.

Active Directory
The following Active Directory requirements must be considered:

  • The goals of the new Active Directory structure are to provide a centralized method of service administration for supporting the administrative staff and provide secure access to student records.
  • Administration of the Active Directory service will be in Atlanta. Resource administration will occur in Atlanta and the branch offices.
  • Students must not have any permission to any resource other than the online courses.

Network Infrastructure
The following infrastructure requirements must be considered:
  • Because the company has a limited budget, it will need to continue working with the existing physical network.
  • For updating student grades, authorized computers in the registrar’s office will require smart card support.
  • The Atlanta, Chicago, Dallas, and Seattle offices will each host DNS subdomains to support the online courseware.
  • The amount of DNS zone transfer or replication must be minimized.
  • Unauthorized updates of DNS records must be prevented.
  • All computers, including client computers, must have host (A) resource records in DNS.
  • UNIX instructors require support of pointer (PTR) resource records for several applications used from their home computers.
  • Network traffic needs to be minimized across the WAN links.
  • Remote access policies for Atlanta, Chicago, Dallas, and Seattle should be centralized.

Case Study #1 A. Datum Corporation (10 Questions)

1. You are designing the new forest structure and migration strategy to meet the business and technical requirements. What should you do?
To answer, move the appropriate actions from the list of actions to the answer area, and arrange them in the appropriate order. (Use only actions that apply)

Answer:

 

2. You are designing a DNS strategy to meet the business and technical requirements. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create a dynamic reverse lookup zone for each subnet.
B. Create a dynamic forward lookup for each domain.
C. Install caching-only DNS servers in the branch offices.
D. Enable the BIND secondaries option for each DNS server.
Answer: A, B


3. You are designing the Group Policy settings to meet the business and technical requirements. You are reviewing a possible logical structure for the company as shown in the diagram in the work area. The Domain Controllers OU and the Seattle OU are created at the domain level. The Instructor OU and Student OU are children of the Seattle OU. The diagram does not cover all organizational requirements. Based on this diagram, how should you design the Group Policy settings?
To answer, drag the appropriate Group Policy object (GPO) option or options to the correct location or locations in the work area.

Answer: 

 

4. You need to ensure that only authorized personnel are able to modify student grades. Which desktop environment or environments should you use? (Choose all that apply)
A. Windows XP Professional
B. Windows 2000 Professional
C. Windows 98 with Active Directory client installed
D. Windows NT Workstation 4.0 with the latest service pack and Active Directory client installed
Answer: A, B


5. You need to ensure that the sales representatives are provided with adequate NetBIOS name resolution.
What should you do?
A. Install WINS on the PDC emulator.
B. Install WINS on servers in Atlanta and Seattle.
C. Enable WINS lookup on the DNS server in Atlanta.
D. Enable WINS on one domain controller in each office.
Answer: D


6. You are designing a strategy to install the new scheduling application. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Assign the scheduling application package to the Instructor OU.
B. Publish the scheduling application package to the Instructor OU.
C. Ensure that the scheduling application can install across slow WAN links.
D. Prevent the scheduling application from installing across slow WAN links.
Answer: A, C

7. You are designing a VPN authentication strategy to meet the business and technical requirements.
What should you do?
A. Implement the RADIUS service in Atlanta.
B. Implement the RADIUS service in each branch office.
C. Configure network address translation (NAT) on all VPN servers.
D. Configure the Connection Manager Administration Kit (CMAK) on the PDC.
Answer: A


8. You are designing a DHCP strategy for the new Active Directory environment. Which two groups have the necessary rights to authorize the DHCP servers? (Each correct answer presents part of the solution. Choose two)
A. IT staff in Atlanta
B. IT staff in Seattle
C. DHCP administrators in all offices
D. DHCP administrators in Atlanta only
E. Members of the Enterprise Admins group
Answer: A, E


9. You are designing the placement of operations master roles in the new environment. In which location or locations should a PDC emulator be designated? (Choose all that apply)
A. Atlanta
B. Chicago
C. Dallas
D. Seattle
Answer: A


10. You are designing a DNS and DHCP implementation strategy to support the new environment.
What should you do?
A. Create a WINS resource record in the Active Directory DNS zone.
B. Create a WINS referral zone in the DNS zone that supports Active Directory.
C. Configure a DNS domain name on the DHCP server.
D. Configure the DHCP server to update DNS for DHCP clients that do not support dynamic updates.
Answer: D


Case Study #2, City Power & Light
Overview
City Power & Light is a large provider of electrical services for residential and business customers throughout Europe.
The company purchases electricity from large power-producing companies, as well as from small wind-energy providers, such as local farmers and ranchers.
Physical Locations
The company’s main office is located in Amsterdam. The company has three branch offices in the following locations:
  • Berlin
  • Brussels
  • Paris

Each branch office has two or more satellite offices in the region. The number of satellite offices and the number of users in each office is shown in the following table.

Planned Changes
The company has experienced rapid growth in the past 12 months, and continued growth is anticipated. It is critical to business that the company provides reliable, uninterrupted service 24 hours a day, seven days a week. To meet these demands, the company wants to implement a Windows Server 2003 environment.
Business Processes
The organizational structure of the company is shown in the Organizational Structure exhibit.


The Amsterdam office and each branch office have their own IT staff. The majority of the IT staff is at the Amsterdam office. There is no IT staff at the satellite offices. The IT staff at the branch offices support their respective satellite offices.
Regional customer support is provided by the branch offices and satellite offices.
The company uses a mission-critical application named App1 that monitors the power network and detects any failures. When failures are detected, App1 automatically sends detailed information about the power failure to the nearest available field technicians. All users within the company have access to App1. App1 logs on to the App1 database by using a shared user account. The App1 database handles security within the database.
Directory Services
App1 runs on UNIX servers at the Amsterdam office and the branch offices. Each UNIX server has its own security accounts database.
Each office uses a standard user account and password for all servers in that office. Network administrators in each office know the user account and password combination. Network administrators in each office work independently, but company-wide decisions are made at the Amsterdam office.
Currently, the company does not use a Windows domain structure.
Network Infrastructure
Each office uses a switched 100-Mbps Ethernet network. All client computers run Windows XP Professional.
The company uses its own private leased lines to connect the branch offices and most of the satellite offices. Some satellite offices are connected to the nearest branch office by using ISDN lines. The company wants to reduce telephone costs of these satellite offices by minimizing network traffic through the ISDN lines. The company uses VPN connections over the Internet as a backup to connect the different offices.
Problem Statements
The following business problems must be considered:

  • A service-level agreement states that the company must resolve power failures within one day. Currently, the company cannot guarantee this requirement. Last year, there were more than 30 power failures that could not be resolved within one day. The primary cause of the delay in resolution was that the company could not identify where the problem occurred.
  • Another service-level agreement states that the IT department must guarantee an available bandwidth of 28 Kbps to ensure adequate bandwidth for App1. Currently, the available bandwidth decreases every month, and it is uncertain how long the company can continue to guarantee this requirement. The available bandwidth is shown in the Available Bandwidth exhibit.
  • The company is experiencing problems with the confidentiality of customer information. This is occurring because the data is not centrally managed and the security settings are inadequate.

Chief Executive Officer
To ensure that customers of City Power & Light receive the most reliable service possible, we want to invest in upgrading App1 to a new application named NewApp. Power failures are inevitable, but if we quickly detect the problem and identify the source, we can restore power more quickly.
Chief Information Officer
Data from App1 is now saved in different locations. I am concerned about who has access to the data and how to reconstruct the data in the event of a disaster.

 


The following organizational requirements must be considered:
  • Upgrades of bandwidth are discouraged. However, upgrades of bandwidth can be permitted if justified.
  • There are no plans to open more offices in the near future. However, the new environment must allow for future company growth.
  • The company anticipates a 50-percent increase in the number of customers over the next two years.

Security
The following security requirements must be considered:

  • Security of NewApp must be Active Directory integrated.
  • DNS servers will be administered only by network administrators from the Amsterdam office.
  • Network administrators must have Full Control permissions for NewApp.
  • Internal users must be able to access information about customers and power failures. Customers must be allowed to access only public information.
  • A complete power failure in one location must not affect other locations.
  • Network administrators should only be allowed to access NewApp database servers by using smart card authentication. However, network administrators must be able to log on to users’ computers to fix problems without using a smart card.
  • Computers that have smart card readers installed must automatically get the NewApp management tools installed.


Customer Requirements
The following customer requirements must be considered:

  • NewApp must be available 24 hours a day, seven days a week.
  • Client applications that connect directly to NewApp must use the NetBIOS name of NewApp.
  • To minimize WAN traffic, the branch offices need to use their local resources as much as possible.
  • Wind-energy providers must be able to see how much electricity they have delivered. These providers should be able to connect to NewApp by using the Internet.

Active Directory
The following Active Directory requirements must be considered:

  • City Power & Light must achieve better control of resources.
  • The company must ensure that data can be recovered in the event of a disaster.
  • Replication latency between sites must be minimized.

Network Infrastructure
The following infrastructure requirements must be considered:
  • To improve customer service, information from App1 databases in all locations must be consolidated in the NewApp database.
  • The number of services at the satellite offices must be kept to the absolute minimum.
  • Client computers must always obtain a valid IP address, even when a DHCP server is not available for 24 hours.
  • Field technicians must be able to connect directly to the NewApp database from their portable computers by using a remote connection. They will connect to the nearest branch office when they have to make a remote connection.

Users
The following user requirements must be considered:

  • All users must have Microsoft Office and NewApp automatically deployed on their desktop computers. Network administrators at the branch offices must be able to decide which components of Office get installed at their locations.
  • Resetting user passwords will be delegated to each user’s manager. All customer service representatives need to be able to reset the passwords of the wind-energy providers.

Case Study #2, City Power & Light (9 Questions)

1. You need to evaluate whether the currently available network bandwidth is adequate to run NewApp. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. Use a debug version of NewApp to collect information about NewApp.
B. Use Performance Monitor to collect data about the saturation of each WAN link.
C. Use Network Monitor to analyze the data that is transmitted over the network for App1.
D. Install SNMP on all computers that are connected to App1 to obtain information about App1.
E. Build a test environment for NewApp to analyze how much bandwidth is required for NewApp.
Answer: B, C, E


2. You need to ensure that there is adequate bandwidth available to meet the service-level agreement requirements. Which action or actions should you perform? (Choose all that apply)
A. Upgrade all WAN lines in six months.
B. Upgrade all WAN lines prior to implementing NewApp.
C. Analyze the cause of a peak in network usage in February.
D. Analyze network usage characteristics for NewApp.
Based on these results, create an upgrade plan for the WAN lines.

Answer: C, D


3. You need to ensure that the network administrators are able to administer the NewApp database servers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create an organizational unit (OU) for all users who log on to any of the NewApp servers.
B. Create an organizational unit (OU) named NewApp Users for the NewApp users.
C. Create an organizational unit (OU) named NewApp Servers for the NewApp servers.
D. Create a Group Policy object (GPO) for the NewApp Users OU to enforce the use of IPSec.
E. Create a global group for all NewApp servers. Add this group to the NewApp Servers OU.
F. Create a Group Policy object (GPO) for the NewApp Servers OU to enforce the use of smart cards.
G. Use the account properties to force all users who have to log on to the NewApp servers to use smart cards.
Answer: C, F


4. You are designing a strategy for migrating the UNIX user accounts to Active Directory. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three)
A. Import the user accounts as inetOrgPerson objects.
B. Import the user accounts into Active Directory by using the Ldifde command-line tool.
C. Export all user accounts from the UNIX servers to a text file.
D. Export all user accounts and their passwords from the UNIX servers to a text file. Encrypt this file to achieve extra security.
E. Assign random passwords to each user object, and securely distribute the password to the users.
F. Create the same strong password for each user object, and require users to change their passwords at first logon.
G. Instruct users to use the same name and password as they used on the UNIX servers.
Answer: B, C, F


5. You are designing a site topology to meet the business and technical requirements.
What should you do?
A. Increase the replication interval between sites.
B. Use SMTP as the transport protocol for replication.
C. Create site links to represent the physical topology.
D. Disable the Knowledge Consistency Checker (KCC) and manually configure site replication.
Answer: C


6. You are designing a NetBIOS name resolution strategy for all computers in all offices.
What should you do?

To answer, drag the appropriate name resolution component or components to the correct location or locations in the work area.


Answer:

 

7. You are designing a strategy to optimize the DNS name resolution for the satellite offices that connect to the branch offices by using ISDN lines.
What should you do?
A. Use caching-only DNS servers at these satellite offices.
B. Configure a Hosts file for all client computers at these satellite offices.
C. Configure a DNS server to use WINS forward lookup at these satellite offices.
D. Place a DNS server with secondary zones of all domains at these satellite offices.
Answer: A


8. You are designing the Active Directory infrastructure to meet the business and technical requirements. You run ADSizer, and find that it provides a solution that contains only one domain controller for Amsterdam. What should you do?
A. Place at least two domain controllers in Amsterdam.
B. Configure the domain controller as a bridgehead server.
C. Configure the domain controller as a global catalog server.
D. Distribute the users among sites in ADSizer and recalculate the number of domain controllers.
Answer: A


9. You are designing a DHCP solution to meet the business and technical requirements.
What should you do?
A. Increase the default lease time on all DHCP servers.
B. Split all address ranges across multiple DHCP servers.
C. Configure duplicate scopes on at least two DHCP servers.
D. Force client computers to obtain an IP address from Automatic Private IP Addressing (APIPA).
Answer: B


Case Study #3, Coho Vineyard

Overview
Coho Vineyard is an importer and distributor of fine wines from around the world.

Physical Locations

The company’s main office is located in Los Angeles. The company has two branch offices in the following locations:
  • Paris
  • Sydney

The company plans to open two additional branch offices within the next year. These offices will be located in Barcelona and Lisbon.
Planned Changes
To reduce costs and streamline business processes, the company wants to implement a Windows Server 2003 Active Directory environment.

Business Processes
Coho Vineyard consists of the following departments:

  • Accounting
  • Distribution
  • Human resources (HR)
  • Information technology (IT)
  • Marketing
  • Purchasing
  • Sales

The IT department maintains all internal servers and resources. Currently, the company outsources its e-mail infrastructure to an ISP in Los Angeles.
A Windows NT Server 4.0 computer named Server1 in the Los Angeles office hosts a mission-critical application. This application is accessed by users from all departments and offices in the company. The application vendor currently does not support running this application on any operating system other than Windows NT Server 4.0.
Directory Services
The company has three Windows NT 4.0 domains configured in a single master domain model as shown in the Existing Domain Model exhibit.

All user accounts are maintained in the cohovineyard domain. Client computer accounts are managed locally in each regional domain.
IT responsibilities for the company are shown in the following table.

 

 

Currently, all offices connect to the Internet directly through Windows 2000 Server computers that perform network address translation (NAT). These servers also provide a PPTP tunnel between all offices.
The existing server hardware is shown in the following table.

 

Client Computers and Users
 The current user population for each office and department is shown in the following table.


The current operating systems installed on the client computers are shown in the following table.


Problem Statements
The following business problems must be considered:

  • Because of security limitations of Windows NT Server 4.0, all IT staff has been added to the Administrators group of the cohovineyard domain. IT staff should be allowed administrative rights only to their specific areas of responsibility.
  • Lack of control over IT procedures and processes has made the current environment costly to maintain.

Chief Executive Officer
The current IT infrastructure at Coho Vineyard is negatively affecting business operations. IT operations need to be streamlined to accommodate the anticipated growth.
Chief Information Officer
The current IT environment needs to be reorganized. Corporate standards need to be implemented. Users currently install unauthorized and unlicensed software. These installations need to be implemented. Administrative roles have been clearly defined, but now need to be enforced.
The IT budget for the next year has already been allocated. No new server hardware is to be purchased for the existing offices. New server hardware has been budgeted for the new offices.
After the deployment of Active Directory is complete, e-mail services will be implemented by using Microsoft Exchange Server 2003. The Exchange Server 2003 infrastructure will be maintained by the internal IT staff.
Also we want to provide all users VPN access to the network.

Network Administrator
There is a need to provide standardized settings for all users and computers. The current IT administration practices need to be reevaluated, and new practices that are more effective need to be enforced.
Office Worker
The current environment is difficult to use. Information is scattered on the network, making it difficult to find. There does not seem to be any clear definition as to who is responsible for responding to network and computer problems. Because of this confusion, most users manage their own computers.
Also, we want to be able to connect to the network when working remotely.
Business Drivers
The following business requirements must be considered:
  • The current namespace used for the externally hosted e-mail infrastructure is cohovineyard.com. This namespace will be used when e-mail services are implemented internally.
  • The new environment must provide fault tolerance in the event of a single domain controller failure.
  • The ISP provides extremely reliable service for each location. No plans are being made to provide for redundant links. The current level of network outages caused by WAN link failures is considered to be acceptable.
  • To improve network support, Windows Server 2003 will become the corporate standard for all server computers wherever possible. Client computers will be standardized over the next two years to run Windows XP Professional.

Organizational Goals
The following organizational requirements must be considered:
• Branch offices in Lisbon and Barcelona will be implemented in the next year. The Lisbon branch office is expected to have 65 users and client computers. The Barcelona branch office will have no more than 10 users and client computers.
• Because of the small size of the Barcelona branch office, it will have no IT staff and no servers. The Lisbon IT staff will manage users and computers for both the Lisbon and Barcelona branch offices.
• Two servers have been purchased for the Lisbon branch office. One will be designated as a domain controller. The other server will be a VPN server and will also provide NAT services.
• Regional network administrators must have only limited control over the Active Directory service. They will be responsible for managing user and computer accounts for their regions. They will also manage local servers.
• The network administrator in the Los Angeles office will manage all domain controllers, configure sites, and perform other high-level administrative tasks.
• Users will have limited access to their computers. They will be allowed to modify only certain desktop settings, and they will not be allowed to install unauthorized applications.
• Some users currently have blank passwords. Password security standards must be implemented.
• Security auditing must be implemented to track all unauthorized logon attempts to the domain. Auditing must not be enabled on any client computers.

Security
The following security requirements must be considered:

Active Directory
The following Active Directory requirements must be considered:

• Centralized control over Active Directory must be maintained by the network administrator in the Los Angeles office. Limited access to Active Directory will be given to the help desk staff and the regional network administrators.
• Although bandwidth is not currently an issue, incremental increase in bandwidth usage is anticipated. To accommodate this projected growth, all designs should minimize WAN traffic.
• Departments within Coho Vineyard have their own unique needs, which include, but are not limited to, specialized departmental applications.

Network Infrastructure
The following infrastructure requirements must be considered:
• Remote access security and restrictions for all offices must be implemented and managed centrally by the network administrator in the Los Angeles office. Only one set of remote access policies must exist for the company.
• A domain-naming strategy must be identified that reduces administrative complexity and is intuitive to the users.
• One domain controller in each of the current offices will have the DNS service installed. DNS name resolution traffic must be minimized over all WAN links.

Case Study #3, Coho Vineyard (12 Questions)

1. As part of your design, you are evaluating whether to upgrade all domains to Windows Server 2003. Based on current configurations, which server or servers prevent you from achieving this goal? (Choose all that apply)
A. DC2
B. DC3
C. DC4
D. DC5
E. DC6
F. Server1
Answer: D, E


2. You are designing the Windows Server 2003 Active Directory forest structure to meet the business and technical requirements. Which forest structure should you use?
A. One Active Directory forest with one domain.
B. One Active Directory forest with three domains.
C. One Active Directory forest with four domains.
D. Two Active Directory forests with one domain in each forest.
E. Three Active Directory forests with one domain in each forest.
Answer: A


3. You are designing the top-level organizational unit (OU) structure to meet the business and technical requirements. Your design must accommodate the anticipated growth of the company. Which top-level OU structure should you use?
A. Paris OU, Sydney OU, Los Angeles OU, Lisbon-Barcelona OU
B. IT Administration OU, All CohoVineyard Departments OU, All CohoVineyard Offices OU
C. Sales OU, Purchasing OU, Marketing OU, Accounting OU, Distribution OU, Human Resources OU
D. CohoVineyard Users OU, CohoVineyard Computers OU, CohoVineyard Servers OU, CohoVineyard Applications OU
Answer: A


4. You are designing a plan for applying the security policy settings to meet the business and technical requirements. Where should you implement the auditing password policy settings?
To answer, drag the appropriate policy setting or settings to the correct location or locations in the work area.

Answer: 

 

5. As part of your design, you are evaluating whether a second-level organizational unit (OU) structure is required. Which factor necessitates the need for a second-level OU structure?
A. Audit policy settings
B. Software deployment needs
C. Client operating systems in use
D. Delegation of administrative authority
Answer: B


6. You are designing a DNS name resolution strategy to meet the business and technical requirements. Which action or actions should you perform? (Choose all that apply)
A. Create an Active Directory-integrated zone named cohovineyard.com on a domain controller in Los Angeles.
B. Create an Active Directory-integrated zone named paris.cohovineyard.com on a domain controller in Paris.
C. Create an Active Directory-integrated zone named sydney.cohovineyard.com on a domain controller in Sydney.
D. On a domain controller in Los Angeles, delegate paris.cohovineyard.com to a domain controller in Paris.
E. On a domain controller in Los Angeles, delegate sydney.cohovineyard.com to a domain controller in Sydney.
Answer: A


7. You are designing a plan for maintaining the WINS infrastructure on the new Windows Server 2003 Active Directory environment. Which factor or factors necessitate the need to maintain the WINS infrastructure? (Choose all that apply)
A. Client operating systems in use.
B. Server operating systems in use.
C. VPN client access by using PPTP.
D. Installation of Active Directory client software.
Answer: A, B


8. You are designing a DNS implementation strategy for the Paris office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create an Active Directory-integrated zone named cohovineyard.com.
B. Create an Active Directory-integrated zone named paris.cohovineyard.com.
C. Create a standard primary zone named paris.cohovineyard.com.
D. Configure all computers in Paris to use DC3 as their DNS server.
E. Configure all computers in Paris to use DC6 as their DNS server.
Answer: A, D


9. You are designing a strategy for implementing Internet Authentication Service (IAS) to meet the business and technical requirements. What should you do?
A. Install IAS on VPN1, VPN2, and VPN3.
B. Install IAS on VPN1. Configure VPN2 and VPN3 as RADIUS clients.
C. Install IAS on VPN1. Configure VPN1, VPN2, and VPN3 as RADIUS clients.
D. Install IAS on DC1. Configure VPN2 and VPN3 as RADIUS clients. Create all remote access policies on VPN1.
E. Install IAS on DC2. Configure VPN2 and VPN3 as RADIUS clients. Configure remote access logging on VPN1.

Answer: C


10. You are designing a DNS infrastructure to meet the Internet name resolution requirements.
What should you do?
A. Create a standard primary zone named “.” on all DNS servers.
B. Create an Active Directory-integrated zone named “.” on a DNS server in Los Angeles.
C. Configure all DNS servers to use forwarders. Specify the IP address of the DNS server at the local ISP.
D. Enable default root hints on all DNS servers.
E. Disable recursion on all DNS servers.
Answer: C


11. You are designing the placement of the PDC emulator role to meet the business and technical requirements. In which location should you place the PDC emulator role? (Choose all that apply)
A. Los Angeles
B. Paris
C. Sydney
D. Lisbon
E. Barcelona
Answer: A


12. You are designing the IP addressing scheme for the new Barcelona office. Which network address or addresses are valid for your design? (Choose all that apply)
A. 10.10.10.0/28
B. 10.10.255.0/24
C. 131.15.0.0/24
D. 151.10.10.0/24
E. 192.168.11.0/25
Answer: A, B, E


Case Study #4, Litware, Inc

Overview
Litware, Inc., is a corporate management company that manages the internal operations for its business customers.

Internal operations include sales, accounting, and payroll.

Physical Locations
Litware, Inc., has two main offices in the following locations:

• New York
• Chicago

Each office has approximately 300 users.

The New York office has a branch office in Boston. The Boston office has approximately 100 users.

Staff in the Boston office work exclusively on projects for customers in the New York office. The Boston office has no customers of its own.
Planned Changes
As part of its initiative to streamline the IT environment and increase network security, the company has decided to implement a Windows Server 2003 Active Directory environment.
The New York office is currently in negotiations to secure Contoso, Ltd., as a new customer.

Business Processes
Litware, Inc., manages the business operations for eight business customers. For each customer, Litware, Inc. has a dedicated staff that works exclusively with that customer.
Users require access only to project data for the customers to which they have been directly assigned. The New York and Chicago offices are responsible for their own customers and maintain them separately. Each individual customer project is listed in the following table.
| Customer name | Managed by |
|---|---|
| Alpine Ski House | New York |
| Baldwin Museum of Science | Chicago |
| Coho Vineyard | New York |
| Fabrikam, Inc. | New York |
| Humongous Insurance | Chicago |
| Lucerne Publishing | New York |
| Wingtip Toys | Chicago |
| Woodgrove Bank | Chicago |

 

 

The chief information officer is the only person who is authorized to implement any changes that will impact the entire company. Roles and responsibilities in the IT department are shown in the following table.

| Job title | Responsibilities | Office |
|---|---|---|
| Chief information officer | Approves all major IT decisions, manages the IT budget, functions as liaison between network administrators in the New York and Chicago offices. | New York |
| Network administrator, New York | Manages the day-to-day operations of the New York and Boston networks. Installs and manages servers and domain controllers. | New York |
| Network administrator, Chicago | Manages the day-to-day operations of the Chicago network. Installs and manages servers and domain controllers. | Chicago |
| IT support | Provides day-to-day troubleshooting and maintenance of the network. This includes the installation of operating systems for end users and some server configuration. Each office has its own IT support staff. | New York, Chicago, Boston |
| Help desk | Provides telephone support for all users in all offices. | New York |

Directory Services
Currently, Litware, Inc., has two Windows NT 4.0 domains configured as shown in the Existing Domain Model exhibit.

The New York domain contains user and computer accounts for both the New York and Boston offices. The Chicago domain contains user and computer accounts for the Chicago office.
Litware, Inc., users require access only to project data for the customers to which they have been directly assigned. They also require access to internal company resources, such as a time-billing application that is hosted in the New York office.

Accounting auditors and executives require access to data from all customer projects to perform quarterly reports, account reviews, and billing verifications. Account auditors and executives are located in both New York and Chicago offices, and frequently travel between offices.

Network Infrastructure
The existing network infrastructure is shown in the Existing Network Infrastructure exhibit.

All Internet access is provided through a proxy server located in the New York office. The proxy server provides Internet name resolution on behalf of the client computers.

Currently, all servers run Windows NT Server 4.0 with the latest service pack installed. A time-billing application is installed on a Microsoft SQL Server computer named SQL1. SQL1 is managed by the network administrators in the New York office, and is accessed by all Litware, Inc., users.

The company's servers, including their domain membership, physical locations, and network functions, are shown in the following table.


Most required network resources are available locally.
All client computers in the company run Windows 2000 Professional.
Problem Statements
The following business problems must be considered:

• Contoso, Ltd., requires that the new Active Directory infrastructure is completely in place prior to obtaining the contract.
• Administrative authority for network administrators in the New York and Chicago offices must remain equal.

Chief Executive Officer
The addition of Contoso, Ltd., as a customer will likely increase annual revenue by 50 percent. Additional funds and resources have been allocated to secure this contract. All efforts should be made to demonstrate to the Contoso, Ltd., representatives that we will address all of their security concerns. This will be done in part through a migration to the Windows Server 2003 Active Directory environment.
Any short-term costs associated with a technology deployment are acceptable if they allow for growth and flexibility in the future.
Chief Information Officer
A Web-based interface for the time-billing application will be implemented in the near future. The current network administrators in the New York and Chicago offices perform their jobs well.
To reduce the burden on IT staff, trusted individuals within the organization should be identified to help reduce the IT administrative burden.
Office Worker
We want to be able to access the internal network from our home computers.

Business Drivers
The following business requirements must be considered:

• The company wants access to the network to remain easy and intuitive. A company policy now states that user logon names and e-mail addresses should be identical. Currently, each user has an e-mail address made up of that user’s first initial and last name, and an additional domain name indicating the region that manages that user’s account. For example, the user Nicole Caron from the New York office has the e-mail address of ncaron@ny.litwareinc.com. The user Luis Bonifaz from Chicago has the e-mail address of lbonifaz@chi.litwareinc.com
• The domain name litwareinc.com has been registered.
• To ensure reliability in the event of a single WAN link failure, users should continue to authenticate on the network. Additionally, all domains should be fault tolerant in the event of a single domain controller failure.
• VPN access will be provided to enable user access to customer data outside of regular business hours. VPN connections will be assigned through the New York office.

Organizational Goals
The following organizational requirements must be considered:
• As part of the negotiations between Contoso, Ltd., and the New York office, Litware, Inc., has agreed to ensure that all users who require access to Contoso, Ltd., data must have complex passwords that are a minimum of 10 characters in length.
• The company has also agreed that management of Contoso, Ltd., data must be completely isolated from all other Litware, Inc., data. This includes the ability to manage security of Contoso, Ltd., resources. There will be no exceptions.
• Planning for other aspects of how Contoso, Ltd., will integrate with the Litware, Inc., environment is premature at this point. However, a quick migration solution for the existing environment must be identified to allow for this anticipated growth.
• Litware, Inc., account auditors and executives from the New York and Chicago offices will require limited access to Contoso, Ltd., data.

Security
The following security requirements must be considered:

• A new Web-based interface will be implemented for the time-billing application running on SQL1. This application will use IIS, and will require the use of IP filtering that uses computer host names for security purposes.
• Only authorized computers within the internal Litware, Inc., network will be given access to the time-billing application.

Active Directory
The following Active Directory requirements must be considered:
• The network administrators in the Chicago and New York offices will retain their current responsibilities, such as the management of user accounts, servers, and domain controllers for their regions. There should be no overlap between their administrative authority.
• There is a need to allow trusted individuals responsible for each customer project to manage user account information. Responsibilities will include the ability to reset passwords and define personal user information on user accounts, such as phone numbers and addresses. The trusted individuals will be allowed to manage only user accounts within the customer project to which they have been assigned.

Network Infrastructure
The following infrastructure requirements must be considered:
• Users in the Chicago office access Internet-based resources frequently. This Internet-related traffic accounts for most of the bandwidth used between the Chicago and New York offices. Bandwidth utilization between these two offices is currently a cause for concern. Network traffic between the Chicago and New York offices must be minimized whenever possible.
• Because of the Boston office’s data access requirements, a high level of availability and reduced latency between the New York and Boston offices is required. Bandwidth utilization between the Boston and New York offices is minimal and is not a concern in the foreseeable future.
• A Windows Server 2003 computer will provide VPN access to the network by using both L2TP and PPTP. Usage statistics will be gathered over time to identify which users establish VPN connections to the network, and the duration of their connections. These usage statistics will help the company track trends and plan for future growth.
• The network administrator in Chicago has extensive knowledge of DNS, and will manage the implementation of the DNS infrastructure for the Litware, Inc., network.
• The DNS structure must be secured against any unauthorized modifications, but also must be easy to maintain and manage.

Case Study #4 Litware, Inc. (9 Questions)

1. You are designing a forest and domain structure to address the concerns of Contoso, Ltd., and to meet the business and technical requirements. You want to use the minimum number of domains and forests that are required. Which domain structure should you use?
A. One forest and two domains.
B. One forest and three domains.
C. One forest and four domains.
D. Two forests and three domains.
E. Two forests and four domains.
Answer: E

2. You are designing the top-level organizational unit (OU) structure to meet the administrative requirements. What should you do?
A. Create a top-level OU named New York. Place all user and computer accounts from New York in the New York OU.
B. Create a top-level OU named Chicago. Place all user and computer accounts from Chicago in the Chicago OU.
C. Create a top-level OU named Coho. Place all user and computer accounts that are assigned to the Coho Vineyard customer project in the Coho OU.
D. Create a top-level OU named Sales. Place all user and computer accounts from the sales department in the Sales OU.
Answer: C


3. You are designing a security group strategy to meet the business and technical requirements.
What should you do?
A. Create one global group named G_Executives. Make all executives user accounts members of that group.
B. Create two global groups named G_Executives and one universal group named U_Executives. Make the two global groups members of U_Executives. Make the executive user accounts members of the appropriate global group.
C. Create three global groups named G_NY_Executives and G_Chi_Executives and G_Executives. Make G_NY_Executives and G_Chi_Executives members of G_Executives. Make the executive user accounts members of the appropriate global group.
D. Create one domain local group named DL_Executives. Make all executive user accounts members of that group.
Answer: B


4. You are designing an Active Directory implementation strategy to present to executives from your company and from Contoso, Ltd. Which implementation strategy should you use?
A. Upgrade the New York domain. Upgrade the Chicago domain. Create a pristine forest for Contoso, Ltd.
B. Create a pristine forest. Upgrade the New York domain. Upgrade the Chicago domain. Do nothing further.
C. Create a pristine forest. Upgrade the New York domain. Upgrade the Chicago domain. Create a pristine forest for Contoso, Ltd.
D. Create a pristine forest. Upgrade the New York domain. Upgrade the Chicago domain. Create a new child domain for Contoso, Ltd.
Answer: C

 

5. You are designing the DNS infrastructure to meet the business and technical requirements.
What should you do?
A. Create an Active Directory-integrated zone on DC4. Set the replication scope to all DNS servers in the domain.
B. Create an Active Directory-integrated zone on DC5. Set the replication scope to all DNS servers in the forest.
C. Create an Active Directory-integrated zone on any domain controller in the forest root domain. Set the replication scope to all domain controllers in the domain.
D. Create a standard primary zone on DC4
E. Create a standard primary zone on any domain controller in the forest root domain.
Answer: B
 
6. You are designing a DNS implementation strategy for the network.  Which two zone types should you use? (Each correct answer presents part of the solution. Choose two)
A. Reverse lookup zones
B. Standard primary zones
C. Standard secondary zones
D. Active Directory-integrated zones
Answer: A, D


7. You are designing a strategy to upgrade the DHCP servers after the new Active Directory structure is in place. Who can authorize the DHCP servers? (Choose all that apply)
A. Chief information officer
B. IT support staff in Boston
C. IT support staff in New York
D. Network administrator in Chicago
E. Network administrator in New York
Answer: A


8. You are designing the placement of the global catalog servers. You want to use the minimum number of global catalog servers that are required. Which design should you use?
A. One global catalog server in New York.
B. Two global catalog servers in New York.
C. One global catalog server in Chicago and one global catalog server in New York.
D. Two global catalog servers in Chicago and two global catalog servers in New York.
E. One global catalog server in Chicago, one global catalog server in New York, and one global catalog server in Boston.
Answer: E


9. You are designing an IP addressing strategy for your VPN solution.
How many public addresses should you use?
A. 1
B. 25
C. 50
D. 255
Answer: A

 
Case Study #5 Trey Research

Overview
Killtest.com is a new government-funded organization established to consolidate medical research performed at universities into a single electronic library.
The Company has been allocated a large budget to start the project, and more funds will be made available as more universities integrate their research with Killtest.com.
Physical Location
The Company has one office located in Dallas. The Office currently has 100 users.

Planned Changes
A new office in Seattle will be opened soon. The Seattle office will have 100 users when it opens. An additional 100 users will be hired in the Dallas office over the next year. The number of users is expected to grow by 60 percent over the next five years.
An external network will be established to allow universities to share medical research. At launch, the user population will be minimal. It is expected that the external network will have more than 10,000 active users in the next two years.
Business Processes
Killtest.com will reorganize its internal staff to include the following departments:

• Accounting
• Administration
• Information Technology (IT)
• Knowledge Management
• Marketing
• Projects

The Project department will work directly with universities to help them integrate data with Killtest.com.
A separate project team will be dedicated to each university that partners with the Company. This project team is in charge of making external security available, creating user accounts, and establishing security for the university whose resources are made available through the Company's external network.
The Company has a small internal IT staff that manages internal resources for internal users. The internal IT staff includes a network administrator and technical support team.
The external network will have its own IT staff. This IT staff will include a network administrator, a technical support team, and a development team. External and internal resources will be managed independently.
Internal users will require access to data located on both the internal network and the external network. External users and partners from universities will have access only to external resources. Under no circumstances will external users be given access to internal resources. This includes the external IT staff.
Infrastructure
Directory Services
To provide a quick solution to allow for information sharing, an unplanned Windows 2000 network was established when the company was first established.
A Windows 2000 Active Directory Environment was implemented with the domain name of research.com and the NetBIOS domain name of research. The domain name research.com has been registered by another organization and this name is not available to the company. The domain contains two domain controllers. A single file server exists on the network to store shared data for the internal users.
Network Infrastructure
The company has a 10-Mbps Internet connection. The use of the Internet connection is minimal at present, but is expected to grow once external resources are made available to universities.
Problem Statements
The following business problems must be considered:

• The current internal network was not properly planned and needs to be completely redesigned.
• Information such as user accounts must be migrated from the current environment to a new Windows Server 2003 Active Directory Environment.
• A clean separation must exist between external and internal resources.

Chief Executive Officer
Funding for Killtest.com has been finalized and it is time to move forward with the design and implementation of the internal and external network. A stable environment that has the ability to grow is of utmost importance for the external network.
Chief Information Officer
The internal and external networks will have very different needs and audiences. For that reason, we have decided to have a separate IT staff to manage each network. Access to internal resources will be made available to internal users only.
Planned VPN access will allow internal users access to internal data while traveling. A Microsoft Exchange server 2003 deployment will be implemented for internal users with a dedicated Exchange Server 2003 computer in each office.
To avoid confusion, all internal users need to be able to gain access to both internal & external resources by using a single set of credentials. Internal users should not be prompted for alternate credentials when accessing external resources.
During the migration, internal users must have access to resources in the existing domain. We do not want to manually redefine the security on existing resources.
Network Administrator
I will manage server deployment and configuration for all external resources. Technology decisions and implementation done for the internal network should not affect me.
My technical support team will manage day-to-day server maintenance. The development team will deploy a knowledge management portal to streamline information sharing with external partners.
Project teams for the internal network will help in the management of security and will be given strict security areas in which they will be able to manage security for their specific university. The project teams will manage the data security and create user accounts for the university they are managing.
Business Requirements
Business Drivers
The following business requirements must be considered:
• Killtest.com has registered the domain name treyresearch.com. Internal and External naming needs to be intuitive and easy to manage. Internal and external naming will be managed independently.
• No new domain names will be registered, and naming decisions must not cause conflicts with any Internet hosts.
• The naming strategy for the external resources must be as short as possible to make it easy for external partners to access.
• The company already has a small web site accessible at www.treyresearch.com
• The company will require two domain controllers in each office. A single domain controller failure or WAN link failure between the Dallas and Seattle offices must not affect the operations of the Exchange Server 2003 environment.

Organizational Goals
The following organizational requirements must be considered:
• External users will only require access to a server named web1. Web1 will provide a web interface to the external users and retrieve resources from other external servers. External resources for universities will be provided by using HTTPS.
• All external users who require access to resources will require a username and password to gain access to the external resources.
• Web1 will also host the interface for the public web site. Anonymous access will be provided for the public web site.
• Internal users will be granted VPN access by connecting to VPN1.
• Domain based DFS servers will be implemented in the Dallas and Seattle offices. DFS replication must not occur during regular business operation. DFS replication must occur between the hours of 9:00 P.M. and 5:00 A.M. Central Time.
• Users in each office should automatically be redirected to the DFS server in their current physical location. In the event of a single DFS server failure, users should be automatically redirected to an available DFS server.

Security
The following security requirements must be considered:

• To maintain the security of both the internal network and the external network, only traffic that is required by the company to meet its goal will be allowed to pass through the perimeter firewall.
• All other traffic must be blocked.

Technical Requirements
Active Directory
The following Active Directory requirements must be considered:
• External and Internal resources must be managed independently. This includes high-level modifications to the directory service, such as the installation of Exchange Server 2003 or other directory aware applications.
• During the first two years, many new users will be added to the network. To provide a consistent environment, the replication of internal domain user accounts must occur within a maximum time delay of one hour between the Dallas and Seattle offices.
• The internal DNS structure must be secured to prevent unauthorized systems from registering their names with DNS.
• To reduce the impact that name resolution of Internet based resources might have on WAN links, a solution must be identified that allows name resolution to occur without generating excessive and unnecessary traffic. A single domain controller in each office will be configured as a DNS server.
• A single DHCP server will be present at each office. The DHCP server will configure local client computers to have the appropriate IP settings, including the address of a local DNS server. All users accessing the internal network must receive their IP configurations from one of these DHCP servers.
• An external DNS server will be required to perform only name resolution for the namespace treyresearch.com. It will not be allowed to resolve any other name for external users, including names of other Internet based hosts.

Network Infrastructure
The following infrastructure requirements must be considered:
The network infrastructure will be configured as shown in the planned network infrastructure exhibit. 

 

Case Study #5 Killtest.com (13 Questions)

1. You need to identify the features that will be available immediately after the domain migration to the new environment is complete. Which feature or features will be available? (Choose all that apply)
A. Global group nesting.
B. Universal group nesting.
C. Domain local group nesting.
D. Universal security groups.
E. SID history attributes.
Answer: A, B, C, D, E


2. You are designing a NetBIOS naming strategy for the internal domain. What are two possible NetBIOS domain names you can use to achieve your goal? (Each correct answer presents a complete solution. Choose two.)
A. ad
B. dallas
C. internal
D. external
E. Research
Answer: C, D


3. You are designing a strategy for performing the migration of the internal network. You need to identify the actions that you should perform to achieve this goal. What should you do?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the appropriate order. (Use only actions that apply.)

Answer:

 

4. You are designing the site topology for the internal domain. Which action or actions should you perform?
(Choose all that apply.)
A. Create a Single Site.
B. Create a site for each physical location.
C. Set the replication interval on the default IP site link to 60 Minutes.
D. Configure the schedule of the default IP site link to only allow replication between the hours of 9:00 P.M. and 5:00 A.M.
E. Configure the schedule of the default IP site link to only allow replication between the hours of 3:00 A.M. and 11:00 A.M.
Answer: B, D


5. You are designing the DNS name resolution strategy for the internal network. What should you do?
A. Configure all internal DNS servers to use the default root hints.
B. Disable recursion on the DNS server in Seattle. Configure the Seattle DNS to use Dallas DNS server as a forwarder.
C. Create a root zone on the DNS server in Dallas. Configure the Seattle DNS server to use the Dallas DNS server as a forwarder.
D. Create a root zone on the DNS server in both Dallas and Seattle.
Answer: B


6. You are designing a strategy to allow users to gain VPN access to the internal network. What should you do?
A. Allow all inbound VPN traffic to pass through the internal firewall and the perimeter firewall.
B. Allow all inbound VPN traffic to pass through the perimeter firewall only.
C. Allow all VPN traffic from the source IP address of 131.107.1.14 to pass through the internal firewall.
D. Allow all VPN traffic from the source IP address of 191.168.1.0/24 to pass through the perimeter firewall.
Answer: B


7. You are designing a strategy to allow internal users in Dallas to resolve domain names. What are three possible ways to achieve the goal? (Each correct answer presents a complete solution. Choose three)
A. Configure the internal DNS server to have a root zone.
B. Configure the Dallas DNS server to use the default root hints.
C. Configure the Dallas DNS server to forward all requests for the external namespace to the external DNS server.
D. Create a caching-only DNS server on the perimeter network.
E. Create a stub zone for the external namespace on the Dallas DNS server.
Answer: B, C, E


8. You are designing the configuration of the external DNS server to meet the business and technical requirements. What should you do?
A. Configure a root zone on the external DNS server.
B. Configure a stub zone for .com on the external DNS server.
C. Configure the external DNS server to use the default root hints.
D. Configure the external DNS server to use the ISP's DNS server as a forwarder.
Answer: A


9. You need to identify the types of inbound traffic that should pass through the perimeter firewall while maintaining the security of the network. Which inbound traffic should be allowed? (Choose all that apply.)
A. VPN Traffic
B. DNS Traffic
C. LDAP Traffic
D. HTTP Traffic
E. HTTPS Traffic
F. Traffic from the network address of 192.168.10/24
Answer: A, C, D, E


10. You are designing a strategy to ensure that VPN users are able to access all internal resources. What should you do?
A. Specify a static routing table entry on VPN1 for the Dallas network.
B. Specify a static routing table entry on VPN1 for the Seattle network.
C. Implement Internet Authentication Service (IAS) on VPN1.
D. Define a User Class option for Routing & Remote Access Clients on the DHCP Server.
Answer: C


11. You are designing a strategy to migrate user accounts. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Change the functional level.
B. Create an external trust relationship.
C. Run adprep to prepare the research.com forest.
D. Run adprep to prepare the research.com domain.
Answer: A, B


12. You are designing a naming strategy for the new internal and external domains. You need to identify the appropriate domain name for each domain. What should you do?
To answer, drag the appropriate domain name or names to the correct location or locations in the work area.

Answer:

 

13. You are designing the top-level OU structure for the external domain. On which factor/s should you base the top-level OU structure?
A. Physical locations
B. External partners and universities
C. The company’s internal departments
D. The company’s software deployment needs
Answer: B


Case Study #6 Fourth Coffee

Overview
Fourth Coffee is a company that specializes in the retail sale of packaged coffee. The company has more than 500 retail outlets throughout the United States.
Physical Location
The company's main office is located in Atlanta. The company has six branch offices in the following locations:
 Boston
 Chicago
 Dallas
 Denver
 Los Angeles
 Seattle

Each branch office manages at least 60 retail outlets.
Planned Changes
The company plans to upgrade the network to make provision for future expansion of the company product line. This will be the first upgrade in six years.
Business Processes
The Atlanta office manages the six branch offices, as well as the retail outlets in the Atlanta area. The branch offices manage the retail outlets in their respective cities and regions. Some of the very large retail outlets have managers who are responsible for daily reporting. Each of those managers has a desktop computer for the purpose of creating reports.
A single group of network administrators, located in the Atlanta office, controls all network resources and access. Two employees per branch office have been trained to assist the administrative group by performing tasks from the branch office whenever necessary.
In each branch office a point-of-sale application, named the retail outlet employees of sale application, is installed on servers that run Windows NT 4.0 Terminal Server Edition. The Retail outlet employees currently do not have access to any other applications.
Employees in the Atlanta office and the branch offices work between the hours of 8:00 A.M. and 5:00 P.M., Monday through Friday. The network administrators are required to work on weekends to support the retail outlets. Employees in the retail outlets work in two shifts between the hours of 6:00 A.M. and 11:00 P.M.
Infrastructure
Directory Services
The network consists of a single Windows NT 4.0 domain named Fourth coffee. One PDC and three BDCs are located in the Atlanta office.
Each branch office has a BDC. The Domain Controllers are not used for any other network service. Each group has been named for the function of the Group. For example, the group name of the users in the finance department of the Atlanta office is Atlanta Finance Users.
Network Infrastructure
The network connections between the Atlanta office and the branch offices are shown in the Existing Network Infrastructure exhibit.

The Atlanta office and the branch offices have 100-Mbps Ethernet networks.
Each retail outlet connects to the associated branch office by using a fractional T1 line with a committed rate of 256 kbps or greater.
All WAN links are reliable. There is an agreement between Fourth Coffee and its telecommunications provider to have any WAN failure resolved within one hour. The amount of bandwidth currently seems to be sufficient during business hours.
The Atlanta office and the branch offices have servers running Windows NT Server 4.0, Terminal Server Edition. The number of servers per office is based on the number of retail outlets that connect to the Atlanta office or branch offices, and the number of terminals at the retail outlets. The distribution of servers is shown in the following table.

 

 

network services when they are at work.
A market survey has shown that we need to establish a web presence to remain competitive. We need to provide information about what we do, where we are located and what our business hours are.
Chief Information Officer
The existing network was designed and implemented almost six years ago. Only minor changes have taken place since that time; the only thing that has changed is an upgrade to our WAN links last year. This upgrade did not solve the performance problems experienced by the retail outlets. It has since been established that the performance problems are related to hardware.
With the changes in our product line, we anticipate a growth in the number of customers. This ensures that terminals must be upgraded to provide for the increased connection to our servers from the retail outlets. We do not expect to add a vast number of terminals.
Substantial funds are available for this project. We hope to once again have a network that will last six years without major changes.
Network Administrator
We have noticed in System Monitor that most servers are running high processor and memory utilization. We currently instruct the retail outlets on which terminal server to connect to, to achieve manual load balancing.
The individual users in the retail outlets must have access to personal data in the new environment. We currently do not have any DNS servers or Internet access available.
Even though I am a newly appointed network administrator, I found that the current management of our groups is incorrect. We use only local groups for the assignment of permissions. This is done by using groups that contain all the users located in the branch offices. Sometimes we may be more specific and focus on the function of the group within the office. Users can also be managed very easily, because we know that almost all of the passwords are "password". Only a few users change their passwords. Complex passwords need to be implemented.
The users at the retail outlets sometimes leave the terminal connected to the application for weeks without disconnecting. This results in failed backups of the application data. All of the users in the branch offices also leave their computers on for long periods of time.
We plan to implement a naming strategy that will identify users by first name, followed by the first character of their surname. Group names will indicate the department, as well as "GG" for global groups or "UG" for universal groups. Domain local groups will be identified by the type of access they will receive.
Retail Manager
We have noticed that the network is gradually becoming slower. No one in the retail outlets has access to e-mail and we do not have Internet access.
All employees in our retail outlet use the same username and password to connect to the terminal server. As a result, we do not have any privacy and cannot even have our own desktop background. Employees in the branch offices have very nice games and other software on their computers that we are not able to access.
Business Requirements
Business Drivers
The following business requirements must be considered:
 A Web site, named www.fourthcoffee.com, must be established to enable customers to search for the retail outlet nearest to them.
 An online ordering system must be established, which will allow customers to order company merchandise online.

Organizational Goals
The following organizational requirements must be considered:
 Retail outlets will be expanded over the next three years to provide seating and to allow for increased business. Future expansion might include providing customers with Internet access while they are having their coffee in the store.
 A manager will be appointed in each retail outlet with the task of improving customer service. The manager’s desktop computer will be used by other staff members to access the Internet and their e-mail by using their own usernames and passwords.

Security
The following security requirements must be considered:

 All security settings must be equal to or more restrictive than the default Windows Server 2003 settings.
 As a part of these requirements, all users must be forced to change their passwords at least once a month.
 Users with desktop computers should no longer be allowed to log on to the local computer as an administrator.
 The duration of logon hours must be strictly enforced.
 Users must not be allowed to shut down the terminal servers.

Technical Requirements
Active Directory
The following Active Directory requirements must be considered:
 The Active Directory design must specify how the management of user and group permissions will be established and maintained.
 The new design must overcome the existing performance issues and also provide all employees with e-mail and Internet access. Employees in the retail outlets will be allowed to use these services only while they are on their lunch or coffee breaks. Employees will be able to use only their own user accounts for network access.
 The design must also facilitate the use of Group Policy to control all user accounts within a branch office. Group Policy settings for users in the branch offices must be different from the Group Policy settings for users in the retail outlets.
 User accounts for users in the finance department must be managed separately.

Network Infrastructure
The following network infrastructure requirements must be considered:
 A new T1 WAN link from the Atlanta office to the ISP will be installed.
 All server computers must have Windows Server 2003 installed. All desktop computers must have Windows XP Professional installed. This must be achieved as quickly as possible.
 All terminal servers in a single office must be configured to use Network Load Balancing. All users must use roaming profiles to ensure that they have a consistent desktop appearance and access to applications. Terminal server user profiles must be stored on a network shared folder. Redundancy for all other servers is required.

Case Study #6 Fourth Coffee (11 Questions)

1. You are designing a strategy for configuring a newly installed Windows Server 2003 computer to meet the Active Directory DNS requirements. How should you configure the computer?
A. As a caching-only DNS server
B. As the primary DNS server for the fourthcoffee.com DNS zone
C. With a stub zone for the fourthcoffee.com DNS zone hosted by the ISP
D. As a secondary DNS server for the fourthcoffee.com DNS zone hosted by the ISP
Answer: B


2. You are designing the forest and domain structure to meet the business and technical requirements. Which structure should you use?
A. A single forest with one tree, and one domain
B. A single forest with one tree and two domains
C. A single forest with two trees, each with a single domain
D. Two forests, each with a single tree and a single domain
E. Two forests, each with two trees, with a single domain in each tree.
Answer: A


3. You are designing a group management strategy for users in the finance department. You need to identify the appropriate changes that need to be made to the current group management strategy. You want to accomplish this goal by using the minimum number of groups. What should you do?
A. Add the finance users to the financeData group to which the necessary permissions have been assigned.
B. Add the finance users to the financeGG group to which the necessary permissions have been assigned.
C. Add the finance users to the financeGG group. Then add the financeGG group to the financeData group to which the necessary permissions have been assigned.
D. Add the finance users to the financeGG group. Add the financeGG group to the financeUG group to the financeData group to which the necessary permissions have been assigned.
Answer: B


4. You are designing a strategy to enforce the corporate security policy. Which action or actions should you perform? (Choose all that apply.)
A. Configure a password policy that requires strong passwords
B. Configure a password policy that requires all users to change their passwords once a month.
C. Allow users in the branch offices to log on between the hours of 8:00 A.M and 5:00 P.M., Monday through Friday.
D. Allow users in the retail outlets to log on between the hours of 6:00 A.M and 11:00 P.M., daily. 
E. Enable a policy that forces users to log off when their logon hours expire.
Answer: A, B, C, D, E


5. You are designing a migration strategy to meet the business and technical requirements. What should you do?
A. Upgrade the fourthcoffee BDC to Windows Server 2003. Then upgrade the PDC to Windows Server 2003
B. Upgrade an existing domain controller to Windows Server 2003. Establish a two-way trust relationship with the fourthcoffee domain.
C. Install and configure a new Windows NT 4.0 BDC. Promote the BDC to a PDC. Then upgrade the PDC to Windows Server 2003
D. Create a new Windows 2000 Server Active Directory domain. Establish a two-way trust relationship with the fourthcoffee domain. Use the Active Directory Migration Tool (ADMT) to migrate all user and computer accounts.
Answer: C


6. You are designing a strategy for implementing Group Policy objects (GPOs) to meet the business and technical requirements. What should you do?
A. Create one new GPO to enforce software restriction policies. Link this GPO to the domain.
B. Create one new GPO to enforce software restriction policies. Link this GPO to the appropriate organizational unit (OU).
C. Create one new GPO to enforce software restriction policies. Link this GPO to all organizational units (OUs).
D. Create new GPOs to match the number of organizational units (OUs). Configure these GPOs to enforce software restriction policies. Link each GPO to its respective OU.
Answer: A


7. You are designing a DNS name resolution strategy to allow all users access to internal and external web sites. What should you do?
A. Allow zone transfers to any DNS server.
B. Create a new stub zone for the DNS zone on the DNS server.
C. Configure the DNS server to forward all unanswered queries to a DNS server located at the ISP
D. Add the DNS server located at the ISP to the list of name servers for the fourthcoffee.com DNS zone
Answer: C


8. You are designing a strategy to assign the IP addresses to meet the business and technical requirements. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Install and Configure one DHCP server in Atlanta and one DHCP server in each branch office.
B. Install and Configure two DHCP servers in Atlanta and two DHCP servers in each branch office.
C. Create one scope on each DHCP server. Specify one DHCP server to always update DNS records. Configure the scope to assign half of the IP addresses available to each office.
D. Create two scopes on each DHCP server. Specify one DHCP server to update DNS records only for client computers that request it. Specify a second DHCP server to never update DNS records.
Answer: B, C


9. You are designing a name resolution strategy for the retail outlets to ensure that the existing bandwidth is used efficiently. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Configure the DNS server service on the terminal servers as caching-only servers.
B. Configure multiple sites to have site links and set up a specific replication schedule.
C. Configure the default site to have the subnets of Atlanta and the branch offices.
D. Create a new DNS zone and configure zone transfers to name servers only.
E. Create an application partition to be used for DNS
F. Specify the scope of replication to be used for DNS
Answer: D, E, F


10. You are designing a strategy for installing Windows server 2003 on the new domain controllers. Which method should you use?
A. Unattended installation
B. Remote Installation Services (RIS)
C. Automated Deployment Services (ADS)
D. Microsoft Systems Management Server (SMS)
Answer: A


11. You are designing a strategy to ensure that all employees have Internet access. For each branch office, what should you do?
A. Configure a DNS server to function as a caching-only server
B. Configure Internet Connection Sharing on terminal servers.
C. Install and configure an Internet Security and Acceleration (ISA) Server computer
D. Install and configure a server running Routing and Remote Access to function as a VPN server
Answer: C


Case Study #7 Consolidated Messenger

Overview
Consolidated Messenger is a transportation and express delivery company serving the continental United States.

The company maintains a commitment to its customers to expedite deliveries within contracted guidelines and offers a 100 percent refund to the customers if the contract is not fulfilled.
Physical Locations
The company's main office is in Chicago. The company has two branch offices in the following locations:

 Boston
 San Diego

Planned Changes
The company is expanding its business into the Asian market by acquiring Contoso, Ltd., which is an Asian import company located in San Francisco. Contoso, Ltd., has established relationships with shipping companies and various retail firms in China. Furthermore, Contoso, Ltd., has a strong background in working with the governmental trade protocol in China.
Consolidated Messenger is also planning changes to enable the office and the branch office to work together more effectively.
Business Processes
Consolidated Messenger consists of the following primary departments:

 Accounting
 Customer service
 Delivery
 Human Resources (HR)
 Information Technology (IT)
 Management

The company has a decentralized IT structure. The Chicago office and each branch office have their own IT staff.
Each office maintains its resources separately. Each office is using the same delivery tracking database, named Deliveries, but information is not shared between the three offices.
Each office uses an application named TrackingApp to update the tracking database.
Every morning, delivery personnel receive a printed list of deliveries to be made for the day. They can contact the appropriate office for additional information, as needed.
Infrastructure
Directory Services
The existing domain model is shown in the Existing Domain Model exhibit. 

Consolidated Messenger has Windows NT 4.0 domains in the branch offices. The Chicago office has a Windows 2000 Active Directory domain named ad.consolidatedmessenger.com.
The domain for the Chicago office contains four top-level organizational units (OUs) named Accounting, Customer Service, Human Resources, and Delivery. The network consists of a single Active Directory site.
Contoso, Ltd., has a Windows NT 4.0 domain in its San Francisco office.

Network Infrastructure: The company's existing network infrastructure is shown in the Existing Network Infrastructure exhibit.

Client computers in the accounting, IT and management departments at Consolidated Messenger run either Windows 2000 Professional or Windows XP Professional. Client computers in the customer service department run Windows 98.
Client computers at Contoso, Ltd., run either Windows 98 or Windows NT Workstation 4.0.
Consolidated Messenger has a web site hosted by an ISP in Chicago. The web site, named www.consolidatedmessenger.com, is available for Internet customers to place orders or track deliveries.
Contoso, Ltd., also has a web site, named www.contoso.com, which provides information to users about Contoso, Ltd. It is hosted by an ISP in San Francisco. The ISP in San Francisco has DNS on a Unix Server.
The IP address in use for Consolidated Messenger is shown in the Network addresses exhibit. 

Problem Statements
The following business problems must be considered:

 Consolidated Messenger needs to create a better delivery tracking mechanism for the existing offices. Currently, each office provides point-to-point delivery as orders come in.
 They are functioning adequately, but there is room for improved operational efficiency. For example, the Chicago office sometimes delivers into the northeast, which overlaps with the territory of the Boston office. Both the Chicago office and the Boston office might deliver to the west coast, which is the territory of the San Diego office. A centralized database is required to make tracking deliveries more efficient.
 When Consolidated Messenger implements a centralized version of the Deliveries database, there must be a way to ensure continuous access to up-to-date delivery data, regardless of WAN status.
 Consolidated Messenger wants to provide a better solution than printed delivery lists for delivery personnel to access information about scheduled deliveries.
 Consolidated Messenger will need to bring Contoso, Ltd., up to its technology standards. Contoso, Ltd., does not use much technology. Although there is a Windows NT 4.0 domain present, there is a network administrator and there has been a great deal of turnover in this job. As a result, there is not adequate security for its computers. It does not adequately track Shipments, Inventory, Payable, or Receivable. Although Contoso, Ltd., uses a spreadsheet application for its inventory listings, it is still primarily a paper-based company.

Chief Executive Officer
With the acquisition of Contoso, Ltd., by Consolidated Messenger, I am concerned that it should be a part of our overall business model, yet remain separate because it is a new venture. This is a positive addition to our current line of business. I want to be sure that we have a method for clearly tracking the contributions that Contoso, Ltd., makes to our business.

Chief Information Officer
I have two major goals for our Deliveries database. First, I want a method for integrating the data between the offices. Second, I want a directory services structure that provides a more straightforward model for maintenance.
I also want an improved user experience when accessing centralized resources in the Chicago office. Additionally, I have strong reservations regarding the inexperience of the new IT staff to be hired in the San Francisco office. I want to make sure that we are monitoring their activities.
I foresee substantial expenditure for upgrading desktop computers, and salaries for a new IT staff in the Contoso, Ltd., division. We need to provide sufficient access to Contoso, Ltd.; however, we need to spend only the money necessary to achieve this goal.
Managers, Contoso, Ltd.
I am unsure if the restrictions imposed by our new parent company will benefit the business of Contoso, Ltd. On the other hand, I fully recognize that being part of a larger company can provide us with more financial stability.
Business Requirements
The following business requirements must be considered:

 Contoso, Ltd., will be a separate division within Consolidated Messenger, maintaining its line of business. Because Contoso, Ltd., is a new endeavor, Consolidated Messenger has elected to keep the namespace separate so that the internal staff will not be confused.
 The duplication of effort in maintaining the Deliveries database between Consolidated Messenger branch offices must be reduced.
 Contoso needs to replace spreadsheets. The database, to be named Inventory, will be created and administered in the Chicago office. The IT staff in the Chicago office will be responsible for the maintenance of this database, and will be replicated from the San Francisco office to the Chicago office. It is anticipated that database replication will exceed the available bandwidth provided by the VPN connection between the San Francisco office and the Chicago office.

Organizational Goals
The following organizational requirements must be considered:
 Integrating the separate database into a single nationwide database is extremely important to the business.
 Delivery workers will begin using PDAs to download delivery information from the Deliveries database. As a result, they will discontinue telephone check-in for delivery information. As each delivery is completed, the customer will sign the PDA. At the end of each day, the delivery information will be batch uploaded from each PDA to the Deliveries database either from a company office or, if delivery personnel are too far away from a company office, a remote connection.
 Each office must support wireless access for PDAs.

Security
The following security requirements must be considered: 

 Appropriate permissions to TrackingApp, the Deliveries database, and other resources will need to be established for users based on that user's job function. Job functions include customer service, delivery personnel, accounting, and management.
 The IT staff in the Chicago office will audit administrative activity in all domains, particularly in the Contoso, Ltd., domain. This includes interactive logons; shutdowns and restarts of domain controllers; changes to security logging; and changes to user and group accounts.

Technical Requirements
Active Directory
The following Active Directory requirements must be considered:
 Enterprise Active Directory administration will take place in the Chicago office. Additionally, the IT staff in the Chicago office has the primary responsibilities for administration of the Deliveries database.
 Each current Consolidated Messenger domain will undergo an in-place upgrade. Contoso, Ltd., will be added to the forest, but will maintain its separate namespace. The Contoso, Ltd., domain will be named ad.contoso.com. There will be a single forest design with a minimum number of domains.
 Upgrading the Windows NT 4.0 domains in the Boston and San Diego offices must be optimized to reduce the need for network administrators to travel between offices.
 Permissions must be maintained. Additional groups can be created for the Deliveries database, as needed.
 User and group accounts for Contoso, Ltd., will be recreated. However, desktop settings for Contoso, Ltd., users must be preserved.


Network Infrastructure
The following infrastructure requirements must be considered:
 All Contoso, Ltd., client computers will run Windows XP Professional. Consolidated Messenger has decided to migrate the user settings from the existing Contoso, Ltd., client computers to ease the transition.
 The Deliveries database is a mission-critical resource for Consolidated Messenger. Database access for the Deliveries database must be maintained in the event that WAN connectivity is lost.
 All domain controllers will be configured as DNS servers. Client computers will be configured to point to the local DNS server.
 DNS zones must be secured.
 VPNs will be implemented in all locations to support remote access for wireless devices.
 Remote access policies will be centralized.
 A single DHCP server will be configured in each office. In the event of a DHCP server failure, client computers must be able to obtain an IP address.