Appendix A -- Questions and Answers

Chapter 1

Review

  1. A client has asked you to recommend the appropriate server edition(s) of Windows 2000 for his environment. Your recommendation is based on the following characteristics:

    And the following functional requirements:

    Windows 2000 Advanced Server is recommended for the SQL Server two-node cluster. Windows 2000 Advanced Server supports two-node clustering, eight-way SMP, and high availability. Windows 2000 Datacenter is also an option; however, this edition of the operating system exceeds the customer's requirements for clustering and SMP. Windows 2000 Server will not meet the customer's requirements for the SQL Server application because it does not support clustering or six-way SMP.

    All other servers should run Windows 2000 Server because it meets the customer's requirements for a maximum of four-way SMP, Active Directory services, dial-in via RAS, and file and print services. It easily scales to support 2,500 users/domain and over 10,000 users in the network.

  2. Why is a WDM driver preferred over legacy Windows NT drivers?

    WDM device drivers benefit from a common set of WDM I/O services. Therefore, a driver developed using the WDM driver development model should be binary-compatible with Windows 2000 and Windows 98.

    The WDM driver model is based on a class/miniport structure that provides modular, extensible architectures for device support. This model allows each WDM class to abstract many of the common details involved in controlling similar devices.

  3. How does Windows 2000 protect Executive services from user mode applications?

    User mode applications request system services through the appropriate subsystem. The subsystem then makes a request on behalf of the application to the Windows 2000 Executive running in Kernel mode. While system services are available to both user mode subsystems and other components of the Windows 2000 Executive, the subsystem or component must call the exported support routine to make a request for Executive service.

  4. What component of the Executive makes Windows 2000 preemptible?

    The Process Manager suspends and resumes threads of running processes. This is an important feature of any multitasking operating system because the Process Manager will not allow a properly functioning process to monopolize the operating system and therefore stop all other processes from running.

  5. What is the primary difference between a workgroup and a domain?

    A workgroup is a distributed directory maintained on each computer within the workgroup. A domain is a centralized directory of resources maintained on domain controllers and presented to the user through Active Directory services.

  6. What is the structure and purpose of a directory service?

    A directory service consists of a database that stores information about network resources, such as computers and printers, and the services that make this information available to users and applications.

Chapter 2

Review

  1. If you are installing Microsoft Windows NT in a dual-boot configuration on the same computer, which file system should you choose? Why?

    The best choice is FAT. Although both Windows 2000 and Windows NT support NTFS, Windows 2000 supports advanced features provided by NTFS 5.0. For example, file encryption is supported in NTFS 5.0, but previous versions of NTFS did not support file encryption. Therefore, when Windows NT is running on a dual-boot computer, it will not be able to read encrypted files created in Windows 2000.

  2. Which licensing mode should you select if users in your organization require frequent access to multiple servers? Why?

    Per-Seat licensing is the best choice for this environment. A Per-Seat license is more expensive per client computer than Per-Server licensing but becomes much less expensive when many client computers access several servers. If Per-Server licensing is used in this environment, each server must be individually licensed for client computer access.

  3. You are installing Windows 2000 Server on a computer that will be a member server in an existing Windows 2000 domain. You want to add the computer to the domain during installation. What information do you need, and what computers must be available on the network, before you run the Setup program?

    You need the DNS domain name of the domain that you are joining. You must also make sure that a computer account for the member server exists in the domain or you must have the user name and password of a user account in the domain with the authority to create computer accounts in the domain. A server running the DNS service and a domain controller in the domain you are joining must be available on the network. If dynamic IP addressing is configured during setup, a server supporting DHCP must be available to assign an address to the computer.

  4. You are using a CD-ROM to install Windows 2000 Server on a computer that was previously running another operating system. There is not enough space on the hard disk to run both operating systems, so you have decided to repartition the hard disk and install a clean copy of Windows 2000 Server. Name two methods for repartitioning the hard disk.

    Answer 1: Use a disk partitioning tool like MS-DOS fdisk to remove any existing partitions, and then create and format a new partition for the Windows 2000 installation.

    Answer 2: Start the computer by booting from the Windows 2000 Server Setup disk. During the text-mode portion of installation, you can delete the partition and then create and format a new one. Continue the installation of Windows 2000 Server to the new partition.

  5. You are installing Windows 2000 over the network. Before you install to a client computer, what must you do?

    Locate the path to the shared installation files on the distribution server. Create a 671-MB FAT partition on the target computer (2 GB recommended). Create a client disk with a network client so that you can connect from the computer, without an operating system, to the distribution server.

  6. A client is running Windows NT 3.5 Server and is interested in upgrading to Windows 2000. From the list of choices, choose all possible upgrade paths:

    a. Upgrade to Windows NT 3.51 Workstation and then to Windows 2000 Server.
    b. Upgrade to Windows NT 4.0 Server and then to Windows 2000 Server.
    c. Upgrade directly to Windows 2000 Server.
    d. Run Convert.exe to modify any NTFS partitions for file system compatibility with Windows 2000, and then upgrade to Windows 2000 Server.
    e. Upgrade to Windows NT 3.51 Server and then to Windows 2000 Server.

    Answer: b and e

    Answer a is wrong because Windows NT Workstation (3.5x or 4.0) cannot be upgraded to Windows 2000 Server.

    Answer c is wrong because Windows NT 3.5 cannot be directly upgraded to Windows 2000 Server.

    Answer d is wrong because the Windows 2000 Setup process automatically upgrades NTFS to NTFS version 5.0.

  7. In your current network environment, user disk space utilization has been a major issue. Describe three services in Windows 2000 Server to help you manage this issue.

    Answer 1: Disk quotas in NTFS version 5.0 allow you to control per-user disk space usage by disk.

    Answer 2: Disk compression allows you to compress data at the disk, directory, or file level. Disk compression does not affect a user's allocated quota. Quotas are calculated based on the uncompressed file size.

    Answer 3: Remote Storage Services provides an extension to disk space by making removable media accessible for file storage. Infrequently used data is automatically archived to removable media. Archived data is still easily accessible to the user; however, data retrieval is slower than with unarchived data.

Chapter 3

  1. What folder appears directly under the win2000dist folder that does not appear in the i386 folder?

    $oem$

  2. What is the purpose of the UDF file?

    The UDF file allows each automated setup to be customized with the unique settings contained in the file. To start an unattended setup, the UniqueID contained in the UDF file is specified on the command line. During setup the unique data in the UDF file is merged into the answer file.

Review

  1. What is the purpose of using the /tempdrive: or /t: installation switches with Winnt32.exe or Winnt.exe, respectively?

    The Winnt32.exe /tempdrive: switch and the Winnt.exe /t: switch copy the Windows 2000 Server installation files to the drive specified with the switch. For example, Winnt32.exe /tempdrive:d copies all Windows 2000 installation files to the D: partition. Using this switch also tells Setup which partition should be the boot partition for the installation of Windows 2000 Server.

  2. You are asked to develop a strategy for rapidly installing Windows 2000 Server for one of your clients. You have assessed their environment and have determined that the following three categories of computers require Windows 2000 Server:

    What are the steps for your installation strategy?

    For the 30 computers that need to be upgraded, build an answer file and a distribution share using Setup Manager. Further customize the answer file with a text editor. Use a product such as SMS to automate the distribution of operating system upgrades. If SMS is not available, run winnt32 with the /unattend switch and the other switches described in Lesson 1 that are designed to automate the installation process.

    For the 20 identical computers, set up one computer with the operating system and all applications that you need to replicate on all other computers. Copy sysprep.exe, sysprepcl.exe, and sysprep.inf (answer file format) into the $OEM$\$1\Sysprep folder. Make sure the [GuiRunOnce] section of the answer file calls sysprep.exe with the -quiet switch to continue the setup without any user interaction. Create an image with a third-party image utility, and copy this image to each of the 20 identical computers. Upon reboot, Mini-Setup will run using information in sysprep.inf to complete the setup.

    For the remote sites, use /Syspart to prepare the disks for the second half of the installation. Ship the disks to the remote sites and instruct the local administrators to install them in their servers as the bootable drive, usually by setting the SCSI ID to 0 or 7, depending on the SCSI hardware.

    You can also use the bootable CD-ROM method. If you use this method, include a floppy disk containing the winnt.sif file to automate Setup.

  3. What is the purpose of the $OEM$ folder and the subfolders created beneath it by Setup Manager?

    The $oem$ folder contains the optional cmdlines.txt file and subfolders for original equipment manufacturer (OEM) files and other files needed to complete or customize automated installation. Folders below $oem$ hold all files that are not part of a standard installation of Windows 2000 Server. These folders map to specific partitions and directories on the computer running an unattended installation. The following list describes the purpose of each folder below $oem$:

    $$ – copies files from this distribution folder location to %windir% or %systemroot%. For a standard installation of Windows 2000 Server, these variables map to C:\Winnt. There are other folders below this one too, such as Help for OEM help files and System32 for files that must be copied to the System32 directory.

    $1 – copies files from this distribution folder location to the root of the system drive. This location is equivalent to the %systemdrive% variable. In a typical installation of Windows 2000 Server, this variable maps to the C:\ root. The $1 folder contains a drivers folder for third-party driver installation.

    Drive letter – folders named after a specific drive letter map to the drive letter on the local computer. For example, if you need to copy files to the E: drive during setup, create an E folder and place files or folders in this folder.

    Textmode – contains any special HALs or mass storage device drivers required for installing and running Windows 2000 Server.

  4. How does Cmdlines.txt differ from [GuiRunOnce]?

    Cmdlines.txt runs commands before a user is logged on and in the context of the system account. Any command line or installation that can occur without a user logon can complete using Cmdlines.txt. [GuiRunOnce], a section in the answer file, runs in the context of a user account and after the user logs on for the first time. This is an ideal place to run user-specific scripts, such as scripts that add printers or scripts that automatically configure a user's e-mail configuration.

  5. How does Syspart differ from Sysprep?

    Syspart is a switch of Winnt32.exe. This switch completes the Pre-Copy phase of Windows 2000 Server Setup. After it is complete, the disk used for the Pre-Copy phase can be installed in another computer. Upon booting from this disk, the text mode phase of setup continues. Syspart is ideal for dissimilar systems that require a faster setup procedure than is provided by running Windows 2000 Setup manually. Syspart can be further automated by calling an answer file as well as Syspart from the Winnt32 command line.

    Sysprep prepares a computer for imaging. After the operating system and applications are installed on a computer, Sysprep is run to prepare it for imaging. Next, an imaging utility is used to create an image of the prepared disk. The image is downloaded to identical or nearly identical computers, and Sysprep Mini-Setup continues to complete the installation. The Mini-Setup process can be further automated with a Sysprep.inf file.

Chapter 4

Review

  1. You install a new 10-GB disk drive that you want to divide into five equal 2-GB sections. What are your options?

    You can leave the disk as a basic disk and then create a combination of primary partitions (up to three) and logical drives in an extended partition; or you can upgrade the disk to a dynamic disk and create five 2-GB simple volumes.

  2. You are trying to create a striped volume on your Windows 2000 Server to improve performance. You confirm that you have enough unallocated disk space on two disks in your computer, but when you right-click an area of unallocated space on a disk, your only option is to create a partition. What is the problem, and how would you resolve it?

    You can create striped volumes on dynamic disks only. The option to create a partition rather than a volume indicates that the disk you are trying to use is a basic disk. You will need to upgrade all the disks that you want to use in your striped volume to dynamic disks before you stripe them.

  3. You dual boot your computer with Windows 98 and Windows 2000. You upgrade Disk 1, which you are using to archive files, from basic storage to dynamic storage. The next time you try to access your files on Disk 1 from Windows 98, you are unable to read the files. Why?

    Only Windows 2000 is able to read dynamic storage.

  4. What is the default permission when a partition is formatted with NTFS? Who has access to the volume?

    The Everyone group is granted Full Control permission. All users are members of the Everyone group, so they all have access.

    The default permission is Full Control. The Everyone group has access to the volume.

  5. If a user has Write permission for a folder and is also a member of a group with Read permission for the folder, what are the user's effective permissions for the folder?

    The user has both Read permission and Write permission for the folder because NTFS permissions are cumulative.

  6. What happens to permissions that are assigned to a file when the file is moved from one folder to another folder on the same NTFS partition? What happens when the file is moved to a folder on another NTFS partition?

    When the file is moved from one folder to another folder on the same NTFS partition, the file retains its permissions. When the file is moved to a folder on a different NTFS partition, the file inherits the permissions of the destination folder.

  7. If an employee leaves the company, what must you do to transfer ownership of his or her files and folders to another employee?

    You must be logged on as Administrator to take ownership of the employee's folders and files. Assign the Take Ownership special access permission to another employee to allow that employee to take ownership of the folders and files. Notify the employee to whom you assigned Take Ownership to take ownership of the folders and files.

  8. What is the best way to secure files and folders that you share on NTFS partitions?

    Put the files that you want to share in a shared folder, and keep the default shared folder permission (the Everyone group with the Full Control permission for the shared folder). Assign NTFS permissions to users and groups to control access to all contents in the shared folder or to individual files.

Chapter 5

  1. Which folder represents a location on a server other than Server01?

    The intranet folder's physical path on Server02 is C:\inetpub\wwwroot.

  2. Which folder represents a mounted drive to a previously empty folder?

    The ftp folder was a previously empty folder on Server01. The empty folder path is C:\inetpub\ftproot. This directory points to an extended partition on Disk0.

  3. Earlier in this exercise, you created a replica of the Press Dfs link. The name of that replica is \\SERVER01\PressRepl. This Dfs link is a shared folder by the name of PressRepl and is located in C:\Public\Press. If you examine the contents of this directory, you will notice that it is empty. However, when you view the News Dfs link, you will notice that there is a file named Press.wri. Why is the PressRepl Dfs replica empty?

    Replication and synchronization are not supported in a stand-alone Dfs. Therefore, you must manually copy any files appearing in H:\Press (the \\Server01\Press share) to the directory C:\Public\Press (the \\Server01\PressRepl share) so that \\Server01\PressRepl can serve as a replica of \\Server01\Press. Once the files are copied over, the \\Server01\Public\News Dfs link will be fault tolerant because \\Server01\PressRepl will take over if \\Server01\Press becomes unavailable.

Review

  1. How does a mounted drive to an empty folder differ from a Dfs root?

    A mounted drive to an empty folder allows for folder redirection. When you store files in a folder that points to a mounted partition, the files are redirected to the partition. This feature provides limited resource consolidation. A Dfs root provides a central point where disparate resources are consolidated through Dfs links. These links are then presented to the users as a single share containing folders. This feature provides robust resource consolidation.

  2. In Exercise 1, you were asked to notice that New Root Replica and Replication Policy were not available options in the Distributed File System snap-in. Explain why these options are not available.

    New Root Replica and Replication Policy are available only for domain Dfs roots. In Exercise 1 you configured a stand-alone Dfs root. A new root replica allows you to replicate the Dfs root to other servers on the network. This feature provides fault tolerance and load balancing. If a server hosting the Dfs root fails, users access the Dfs root from the other replicas. If all servers replicating the Dfs root are available, they will load balance user requests. Replication policy allows you to configure the settings for replicating the Dfs root and Dfs shares below it.

  3. Why doesn't Dfs directly provide a security infrastructure?

    Security is provided by the underlying file system. A Dfs link that points to an NTFS partition is secured using NTFS permissions or share rights; a FAT partition is secured with share rights. A Dfs link to another network operating system (NOS) is secured with native security provided by the operating system. For example, NetWare provides trustee directory and file assignments for security. A NetWare resource can be made available to Dfs through Gateway Services for NetWare.

  4. How is the KCC involved in maintaining Active Directory store synchronization between domain controllers?

    The KCC creates a ring topology for intra-domain replication. This topology provides a path for Active Directory store updates to flow from one domain controller to the next. It also provides two replication paths, one on either side of the ring, so that replication continues even if the ring structure is temporarily broken.

  5. What data does the FRS replicate?

    System Volume data and domain Dfs roots and Dfs links configured for replication.

Chapter 6

  1. Examine each of the nodes below microsoft.com. Do not modify any information that you see in these nodes.

    What selections are listed under microsoft.com and what is their purpose? Hint: choose the properties of each node in the console tree to view their purpose.

    Built-in – contains local groups created during installation of the domain controller.

    Computers – this is the default container for upgraded computer accounts. You can move these computers to other containers if your design requires it.

    Domain Controllers – this is the default container for new Windows 2000 domain controllers. You will see Server01 in this container.

    ForeignSecurityPrincipals – this is the default container for object SIDs from external, trusted domains.

    Users – this is the default container for upgraded and built-in user accounts.

  2. Click the Start button, point to Programs, and then point to Administrative Tools.

    Notice that all installed Administrative Tools applications appear under Administrative Tools rather than just the most recently used applications.

    When Server01 was a stand-alone server, all the applications appeared under Administrative Tools except those specific to Active Directory, domain, and DNS maintenance. Using your mouse, point to each of the applications listed below to see the screen hint, and then write a description in the space provided.

    Active Directory Domains and Trusts

    Active Directory Sites and Services

    Active Directory Users and Computers

    DNS

    Active Directory Domains and Trusts – manages the trust relationships between domains.

    Active Directory Sites and Services – creates sites to manage the replication of Active Directory data.

    Active Directory Users and Computers – manages users, computers, security groups, and other objects in the Active Directory store.

    DNS – manages the Domain Name System (DNS) service for IP host name resolution.

Review

  1. What is Ntds.dit, and what is its purpose?

    Ntds.dit is the file that contains the Active Directory store.

  2. What is the one SYSVOL location requirement?

    SYSVOL must be located on an NTFS 5.0 partition.

  3. What is the function of SYSVOL, and what is the one disk requirement for SYSVOL?

    SYSVOL stores the domain controller's copy of the domain's public files. The contents of this directory are replicated to all domain controllers in the domain.

  4. What is the difference between an attribute and an attribute value? Give examples.

    Attributes (also referred to as properties) are categories of information and define the characteristics for all objects of a defined object type. All objects of the same type have the same attributes. Values of the attributes make the objects unique. For example, all user account objects have a First Name attribute; however, the value for the First Name attribute can be any name, such as John or Jane.

  5. What is the difference between modifying an object and modifying the attribute values of an object instance?

    Modifying an object is an advanced procedure completed in tools such as the Schema Manager snap-in (Schmmgmt.msc). Modifying the attribute values of an object instance involves changing data stored with an instance of an object, for example, changing the primary phone number data for a user object named John Smith.

  6. You want to allow the manager of the sales department to create, modify, and delete only user accounts for sales personnel. How can you accomplish this?

    Place all the sales personnel user accounts in an OU, and then delegate control of the OU to the manager of the sales department.

  7. What is the global catalog, and what is its purpose?

    The global catalog stores key information about every object in a domain tree or forest. It contains a partial replica of the Entire Directory. Only the most important data about objects are stored in the global catalog, so replicating the global catalog is more efficient than replicating the entire Active Directory store. The global catalog enables a user to find information regardless of which domain in the tree or forest contains the data.

Chapter 7

  1. In what mode is the console running?

    The console is running in author mode, as shown in the Console Mode drop-down list box.

  2. When will the account expire?

    According to the current settings, the account will never expire. The Account Expires section at the bottom of the Account page shows that the expiration is set to Never.

  3. Click OK to close the Change Password message box.

    Were you able to log on successfully? Why or why not?

    You were not allowed to log on locally because this right is not granted to regular user accounts. By default, administrators have the right to log on locally to a domain controller, but regular users, like Jane Doe, do not.

Review

  1. When you use the Administrative Tools program group to open an MMC console provided with Windows 2000 Server, can you add snap-ins to it? Why or why not?

    No, snap-ins cannot be added to the MMC consoles provided with the product when the consoles are opened from the Administrative Tools program group. These consoles are configured for User Mode operation. You can open these consoles in author mode by running MMC /a followed by the path and name of the .msc file. For example:

    mmc /a %SystemRoot%\system32\compmgmt.msc /s

    opens the Computer Management console in author mode.

  2. You receive a call from a member of the Help Desk support team. She tells you that a number of users are complaining of a window that appears every time they log on. The support person tells you there is nothing in the Startup menu. Additionally, she has closed the window and shut down and restarted the computer, but the window still appears at logon. What is the most likely cause of this issue, and how can you resolve it?

    All the users complaining of this problem are using a mandatory shared profile. When the profile template was built, a window was left open on the desktop. To resolve this problem, make sure no users are accessing the profile, and then rename Ntuser.man to Ntuser.dat so that it is no longer mandatory. Log on with a user account that points to this profile, close the window that appears, and then log off. Upon logoff, the profile change will be saved to the network shared profile location. Next, rename Ntuser.dat back to Ntuser.man and instruct the users to log on again.

  3. When should you use security groups instead of distribution groups?

    Use security groups to assign permissions. Use distribution groups when the only function of the group is not security related, such as an e-mail distribution list. You cannot use distribution groups to assign permissions.

  4. What are the implications of changing the domain mode from Mixed mode to Native mode?

    Pre-Windows 2000 domain controllers cannot participate in a Native-mode domain.

    Pre-Windows 2000 stand-alone servers and computers running Windows NT Workstation can still participate in the domain.

    After you change to Native mode, you cannot change back to Mixed mode.

  5. By default, in what order is group policy implemented through the Active Directory store hierarchy? How can you control this behavior?

    Group policy is implemented in the following order: site, domain, and then organizational unit (OU).

    You can control group policy inheritance through the Block Policy Inheritance check box. However, the No Override Link option set in higher levels of the hierarchy supersedes this option. Additionally, you can restrict the users and computers to which group policies are applied by modifying the security settings for the group policy.

  6. What are a GPO, a GPC, and a GPT?

    A GPO is a group policy object. Group Policy configuration settings are contained within a GPO. You establish group policy settings in a GPO that you apply to a site, domain, or OU. GPOs store group policy information in two locations: a GPC and a GPT.

    A GPC, or group policy container, is an Active Directory object that contains GPO properties and includes subcontainers for computer and user group policy information. The GPC contains the class store information for application deployment. The Windows 2000 class store is a server-based repository for all applications, interfaces, and application programming interfaces (APIs) that provide application publishing and assigning functions.

    A GPT, or group policy template, is a folder structure in the system volume folder (Sysvol) of domain controllers. The GPT is the container for all software policy, script, file and application deployment, and security settings information. The folder name of the GPT is the globally unique identifier (GUID) of the GPO you created.

Chapter 8

Review

  1. Explain the difference between a print device and a printer.

    A print device is the hardware that creates printable pages or a file on a disk (print to file) that has been processed through a printer. A printer is the software interface to one or more print devices.

  2. You are told by a colleague never to remove the Everyone system group from the permissions of a printer or no one will be able to manage the printer or its documents. Why is this statement incorrect? How could you configure this undesirable behavior?

    Removing the Everyone system group from a printer's permissions still leaves a number of groups (Administrators, CREATOR OWNER, Printer Operators, and Server Operators) that have access to the printers by default. Removing the Everyone system group is not the same as specifically denying the Everyone system group access to the printer. Explicitly denying access would result in the inability to manage the printer until the deny permission is removed by the CREATOR OWNER system account.

  3. You have configured two Windows 2000 print servers on your network. When a user connects to one from Windows 95, printing is automatic. When the same user connects to the same print server for a different printer, she gets prompted to install a driver. Why is this happening?

    One printer installed on the print server has been configured with additional drivers, specifically the Windows 95 or 98 printer driver. The other printer has not been configured with additional drivers.

  4. In an environment where many users print to the same print device, how can you help reduce the likelihood of users picking up the wrong documents?

    Create a separator page that identifies and separates printed documents.

  5. Can you redirect a single document?

    No. You can change only the configuration of the print server to send documents to another printer or print device; this change redirects all documents on that printer. The currently spooled or active document cannot be redirected.

  6. A user needs to print a very large document. How can the user print the job after hours without being present while the document prints?

    You can control print jobs by setting the printing time. You set the printing time for a document on the General tab of the Properties dialog box for the document. To open the Properties dialog box for a document, select the document in the Printers window, click Document on the Printers window menu bar, and then click Properties. Click Only From in the Schedule section of the Properties dialog box, and then set the Only From hour to the earliest time you want the document to begin printing after regular business hours. Set the To time to a couple of hours before normal business hours start. To set the printing time for a document, you must be the owner of the document or have the Manage Documents permission for the appropriate printer.

Chapter 9

Review

  1. Your computer receives its TCP/IP configuration information from a DHCP server in the network. After DHCP information is received, you can connect to any host on your own subnet, but you cannot connect to or successfully ping any host on a remote subnet. You checked the DHCP Service to ensure that the router information specified for your address scope is correct. What is the likely cause of the problem and how would you fix it?
  2. The default gateway is incorrectly specified on your computer. If default gateway information is specified on a client computer, these settings take precedence over settings downloaded from a DHCP server. To solve this configuration problem, simply remove the default gateway information from the client computer and then run IPCONFIG /renew from the command line. Other possibilities are that the default gateway is offline or that the subnet mask is incorrect.

  3. You installed NWLink IPX/SPX and GSNW. After installing these components, you cannot communicate with one of the NetWare servers on your network. You have no trouble accessing this NetWare server from your client computer running Windows 2000 Professional, NWLink IPX/SPX, and CSNW. You must communicate with this NetWare server from your Windows 2000 Server because the NetWare server contains resources you must make available to users running the Microsoft Network Client. What is the likely cause of the problem?
  4. Although the NWLink implementation in Windows 2000 can automatically detect a frame type for IPX/SPX-compatible protocols, it can only automatically detect one frame type. It's possible that the Windows 2000 Server detected the wrong frame type. If the network is configured for multiple frame types, you must manually configure the frame type that matches the frame type of the NetWare server you are attempting to access.

  5. You notice that access to network resources seems slower on your computer running Windows 2000 Server than from another identical computer running Windows 2000 Server on the same network. The only difference you can determine is that the slower Windows 2000 Server computer is running multiple protocols. How could network protocol binding order potentially resolve this problem?
  6. You specify the binding order to optimize network performance. For example, a computer running Windows 2000 Server has NetBEUI, NWLink IPX/SPX, and TCP/IP installed. However, most of the servers to which this computer connects are running only TCP/IP. You would adjust the binding order so that the Workstation service binding to TCP/IP is listed before the other Workstation service bindings for the other protocols. In this way, when you attempt to connect to another computer, the Workstation service first attempts to use TCP/IP to establish the connection.

  7. When do DHCP clients attempt to renew their leases?
  8. When 50 percent of the lease life has expired, the DHCP client attempts to renew its lease with the DHCP server that leased the address originally. If the lease isn't renewed, the DHCP client will renew its lease with any DHCP server after 87.5 percent of its current lease life has expired.

  9. Why might you create multiple scopes on a DHCP server?
  10. You might create multiple scopes on a DHCP server to centralize administration and to assign IP addresses specific to a subnet (for example, a default gateway). You can assign only one scope to a specific subnet.

  11. How can you manually restore the DHCP database?
  12. You can change the RestoreFlag entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters to 1 in the registry and then restart the DHCP Service, or you can manually copy the files in the DHCP backup folder to the DHCP directory and then restart the service.

  13. What are the configuration requirements for a WINS server?
  14. The requirements are a computer running Windows 2000 Server configured with WINS, and a static IP address, subnet mask, and default gateway.

    You can also configure a static mapping for all non-WINS clients on the WINS server, WINS support on a DHCP server, and a WINS proxy agent on WINS-enabled clients.

  15. Why would you want to have multiple name servers?
  16. Installing multiple name servers provides redundancy, reduces the load on the server that stores the primary zone database file, and allows for faster access speed for remote locations.

  17. Why do you create forward and reverse lookup zones?
  18. A name server must have at least one forward lookup zone. A forward lookup zone enables name resolution.

    A reverse lookup zone is needed for troubleshooting utilities, such as nslookup, and to record names instead of IP addresses in IIS logs.

  19. What is the difference between dynamic DNS and DNS?
  20. Dynamic DNS allows automatic updates to the primary server's zone file. In DNS, you must manually update the file when new hosts or domains are added.

    Dynamic DNS also allows a list of authorized servers to initiate updates. This list can include secondary name servers, domain controllers, and other servers that perform network registration for clients, such as servers running WINS and the DHCP Service.

Chapter 10

Review

  1. What is the purpose of demand-dial routing?
  2. Demand-dial routing provides a facility for connecting one dial-up router to another dial-up router. This allows two routers on separate networks to use a dial-up infrastructure such as the public switched telephone network or the Internet to connect to each other and transfer information. A two-way initiated connection allows each router to accept inbound data from an opposing router and initiate outbound data to the opposing router.

  3. What authentication providers are available in RRAS and how are they different from authentication methods?
  4. There are two authentication providers: Windows authentication and RADIUS authentication. Windows authentication uses the Windows 2000 directory for authenticating user accounts. RADIUS authentication uses either the Microsoft IAS RADIUS server or a third-party RADIUS server to authenticate user accounts. Authentication methods are a security process whereby the client and the server agree on a procedure for authenticating account information. RRAS supports EAP, MS-CHAP v2, MS-CHAP, CHAP, SPAP, PAP, and clear text authentication.

  5. What is the purpose of VPN and what two VPN technologies are supported in Windows 2000 RRAS?
  6. VPN, or virtual private networking, provides a facility to securely transfer data over a public network. The two VPN technologies supported in Windows 2000 RRAS are PPTP and L2TP.

  7. If a remote access client begins to connect to the RAS server but the connection is dropped, what troubleshooting steps will help you to solve this error?
      1. Verify that Event Logging is enabled and view the System Event log on the computer running RRAS.

      2. On the remote access client, access the properties of the dial-up device, such as a modem, click the Diagnostics tab, and check the Record a Log check box. After attempting a connection, review the log file.

      3. On the server, open the Authentication Methods dialog box and check the Allow remote systems to connect without authentication check box. After selecting this check box, attempt to reconnect from the client computer.

  8. How is the remote access permission of Deny Access (in Mixed mode or Native mode) similar in function to the Native-mode domain default remote access policy?
  9. The Deny Access remote access permission does not allow a user with this setting to use remote access to connect to the server. The native-mode domain remote access policy is Allow Access If Dial-In Permission Is Enabled. The default policy's properties, however, are Deny Remote Access Permission At All Times.

  10. You need to configure 10 RRAS servers for a client. All 10 servers will have identical RRAS configurations. What is the most efficient way to complete this configuration?
  11. Configure one RRAS server to act as the master configuration for all other RRAS servers. Then, use netsh to dump the configuration and then use the -f or exec command to run the script. For example, to dump the RAS configuration from a server named RRAS1 to a script file named Ras.scr, from RRAS1 type:

    netsh -c RAS dump > ras.scr

    Next, to apply this policy to an RRAS server named RRAS2 from RRAS1, type:

    netsh -r RRAS2 -f ras.scr

Chapter 11

Review

  1. Which key is associated with the creation of digital signatures, the public key or the private key? Explain your answer.
  2. Private keys are associated with the creation of digital signatures. You use a private key to transform data in such a way that users are able to verify that only you could have created the encrypted data. Decrypting the data is achieved through the application of the public key. However, only the private key is used to create the digital signature.

  3. What security credential(s) will be in use if you are supporting client computers running Windows 2000 and Windows NT that authenticate to servers running Windows 2000 Server and Windows NT Server?
  4. Windows NT client computers will authenticate to both Windows 2000 and Windows NT Servers using NTLM credentials (Windows NT domain name, username, and encrypted password). Windows 2000 client computers will authenticate to the computers running Windows 2000 Server using Kerberos authentication (domain name, username, Kerberos encrypted password), and they will authenticate to the computers running Windows NT Server using NTLM authentication.

  5. How can a security template be used to facilitate configuration and analysis of security settings?
  6. A template can be applied to a security configuration database created by the Security Analysis and Configuration snap-in. After the database is created, the current settings of the computer can be compared to the settings dictated by the policy. After reviewing discrepancies between policy and computer security settings, the same snap-in can be used to configure the computer's security settings to the template's settings.

  7. Where is the Certificate Services Enrollment page and what is its purpose?
  8. The Certificate Services Enrollment page is a Web page that allows for the easy creation and monitoring of certificate requests, and for the retrieval of CRLs and certificates.

  9. What steps must you follow to enable auditing of specific file objects on domain controllers in a domain where Group Policy is enabled?
  10. Use Active Directory Users And Computers to open a group policy (typically the Default Domain GPO or the Default Domain controller Policy GPO). Navigate to the Audit Policy node below the Windows Settings - Security Settings - Local Policies node. In the details pane, double-click Audit Object Access and enable success or failure attempts as appropriate. Using Windows Explorer, navigate to the specific file or folder that you need to access. Access the properties of the file or folder object, click the Security tab, then click the Advanced button. From the Access Control Settings dialog box, select View/Edit to modify the audit policy of a selected user or group or add a new user or group to audit. Be cautious about how much file object auditing you configure. This feature can be processor intensive if it is configured improperly.
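
The analyze-then-configure cycle described in the security template answer above, as an added example (not code from the book and not how the snap-in is implemented). The two INF texts are constructed samples trimmed to two sections of the security template layout, and the function names are hypothetical.

```python
import configparser

# Constructed sample template in the INF layout of a Windows security
# template. Audit values: 0 = none, 1 = success, 2 = failure, 3 = both.
TEMPLATE_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5

[Event Audit]
AuditObjectAccess = 3
AuditLogonEvents = 3
"""

# Constructed export of the computer's current settings, same layout.
CURRENT_INF = """
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1

[Event Audit]
AuditObjectAccess = 0
AuditLogonEvents = 3
AuditPolicyChange = 1
"""


def parse_inf(text):
    """Return {section: {setting: value}} with setting names kept as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # configparser lower-cases keys by default
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def analyze(template, current):
    """List every template setting the computer does not currently meet."""
    findings = []
    for section, wanted in template.items():
        have = current.get(section, {})
        for setting, want in wanted.items():
            got = have.get(setting)
            if got is None:
                findings.append((section, setting, want, got, "not defined"))
            elif got != want:
                findings.append((section, setting, want, got, "mismatch"))
    return findings


def configure(template, current):
    """Return the current settings with the template's values applied on top."""
    result = {section: dict(values) for section, values in current.items()}
    for section, wanted in template.items():
        result.setdefault(section, {}).update(wanted)
    return result


if __name__ == "__main__":
    template, current = parse_inf(TEMPLATE_INF), parse_inf(CURRENT_INF)
    for section, setting, want, got, status in analyze(template, current):
        print(f"[{section}] {setting}: template={want} computer={got} ({status})")
    # After configuring to the template, a second analysis finds nothing.
    print("remaining discrepancies:", analyze(template, configure(template, current)))
```

Settings that exist on the computer but are not defined in the template (AuditPolicyChange in the sample) are left untouched and are not reported, which is a choice made for this example.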

Chapter 12

Review

  1. You have configured a computer to boot Windows 2000 Server as the default operating system, and Windows NT 4.0 Server as the optional operating system. After modifying the attributes of files on %systemdrive% and deleting some of the files, the computer does not display Windows NT 4.0 Server as an operating system to start. Windows 2000 Server starts up properly. The problem is caused because you deleted a file. What is the name of the file, and what can you do to recover from this error?
  2. You deleted the Boot.ini file. Boot.ini allows for multiboot. If this file is missing, the default operating system starts. To recover this file, run the ERD, choose Manual Repair, and then choose Inspect Startup Environment.

  3. You have created three hardware profiles for your mobile computer: Docked, Undocked On The Network, and Undocked At Home. When you reboot the computer, the first two hardware profiles appear, but the third one does not. What is the most likely reason that the Undocked At Home profile does not appear?
  4. In the properties of the Undocked At Home profile, the Always Include This Profile As An Option When Windows Starts check box is not selected.

  5. Why would the Use Hardware Compression, If Available check box be unavailable in the Backup wizard?
  6. This option is available only if an installed tape device and its driver support hardware compression.

  7. You performed a normal backup on Monday. For the remaining days of the week, you only want to back up files and folders that have changed since the previous day. What backup type do you select?
  8. Incremental. The incremental backup type backs up changes since the last markers were set and then clears the markers. Thus, for Tuesday through Friday, you only back up changes made since the previous day.

  9. How can you test the configuration of the UPS service on a computer?
  10. You can simulate a power failure by disconnecting the main power supply to the UPS device. During the test, the computer and peripherals connected to the UPS device should remain operational, messages should display, and events should continue to be logged.

    In addition, you should wait until the UPS battery reaches a low level to verify that a graceful shutdown occurs. Then restore the main power to the UPS device and check the event log to ensure that all actions were logged and there were no errors.

    Note that this procedure requires a UPS that communicates with the computer through a COM port or a proprietary interface provided with the UPS.

Chapter 13

Review

  1. You have used the Compact utility to compress the files contained in the Users subfolders on an NTFS partition. You have enabled the Folder Option, Display Compressed Files And Folders With Alternate Color. A week later you use Windows Explorer to see if files are being compressed. To your surprise, user account subfolders, located directly under the Users folder created after you ran the compress utility, are not compressed. Why did this happen and how can you fix it?
  2. You ran the Compact utility and compressed each of the subfolders under the Users subfolder. As a result, all subfolders were marked for compression but the Users parent folder was not marked for compression. Therefore, new folders created directly below the Users folder are not compressed. There are a number of ways to fix this. You can use the Compact utility to mark the Users folder for compression and all subfolders below Users. Open a command prompt, go to the drive containing the Users parent folder, and type compact /s:Users /c. Or you can use the Windows Explorer to compress the Users subfolder and then choose the Apply changes to this folder, subfolders and files radio button.

  3. Your department has recently archived several GB of data from a computer running Windows 2000 Server to CD-ROMs. As users have added files to the server, you have noticed that the server has been taking longer than usual to gain access to the hard disk. How can you increase disk access time for the server?
  4. Use Disk Defragmenter to defragment files on the server's hard disk.

  5. You are the administrator for a computer running Windows 2000 Server that is used to store users' home folders and roaming user profiles. You want to restrict users to 25 MB of available storage for their home folder while monitoring, but not limiting, the disk space used for the roaming user profiles. How should you configure the volumes on the server?
  6. Create two volumes: one to store home folders and another to store roaming user profiles. Format both volumes with NTFS, and enable disk quotas for both volumes. For the home folder volume, specify a limit of 25 MB and select the Deny Disk Space To Users Exceeding Quota Limit check box. For the roaming user profile volume, do not specify a limit and clear the Deny Disk Space To Users Exceeding Quota Limit check box.

  7. You notice that a new server is not performing as well as you expected. You need to obtain summary information on a server's performance, and then you want to use a utility to obtain detailed reports of performance bottlenecks. After you have resolved the performance problem, what should you do to track the performance of the server as more users begin to access the server?
  8. To obtain summary information on a server's performance, run Task Manager to observe common data points contained under the Performance tab. This can give you an idea of where your performance bottleneck is. Next, run the System Monitor snap-in and observe detailed performance metrics. Add resources as necessary or remove applications that are creating the bottleneck. After you have resolved the performance issue, use the Performance Logs And Alerts to log performance activity. These logs serve as your baseline for future performance monitoring. So that you are not caught off-guard by poor performance or a potential hardware failure, create alerts to track the activity of the server. If you think poor performance might be related to network activity, run the Network Monitor to analyze network activity.

  9. You want to filter out all network traffic except for traffic between two computers, and you also want to locate specific data within the packets. Which Network Monitor filter features should you specify?
  10. Filter for Address Pairs where you specify the media access control address of each computer, and then specify Pattern Matches where you filter for specific patterns in Hex or ASCII contained in the frames.

  11. Your goal is to make sure that only two network management stations in your organization are able to communicate with the SNMP agents. What measures can you take when configuring the SNMP service to enhance security?
  12. Using the Security tab of the SNMP Service Properties dialog box, make the following configuration changes:

Chapter 14

  1. With the Web Site tab active, record the TCP Port value appearing in the TCP Port text box.
  2. The port value will vary but should be between 2000 and 9999.

Review

  1. Compare a virtual directory to a Dfs root.
  2. A virtual directory is a term used to describe Web server directories that appear to be located below a Web server's home directory but could be located in any location accessible to the Web server. An alias is used to describe the virtual directory so that Web browser users are unaware of the virtual directories' physical location or path.

    A Dfs root is also a symbolic share that provides centralized access to shares located throughout the network. The user is unaware of the physical location of the shares but is able to reach them by starting from the Dfs root. The Dfs root is similar to an Internet Information Services (IIS) home directory and the shares below the Dfs root are similar to virtual directories in IIS.

  3. You are accessing the IIS 5.0 documentation from Internet Services Manager (HTML). All of the documentation appears and you are able to access information via the Index tab. Under the Index tab, you find the phrase Process Accounting. However, when you perform a search on this phrase, the Web browser reports that your search phrase cannot be found. What is the most likely reason that this is happening?
  4. The Indexing Service has been started, since the Web browser did not report the inability to perform a search. Because the phrase was not found, it could be that you have not configured the Indexing Service to catalog the iisHelp folder or the Indexing Service has not completed the task of indexing this folder's contents.

  5. You have created a virtual directory for the purpose of WebDAV publishing. The home directory of the Web site is accessible from Internet Explorer 5, but when you attempt to access the virtual directory for WebDAV publishing, access is denied. Name two reasons why this may happen and how you can solve this access problem.
  6. WebDAV security is managed by the file system and Internet Services. Therefore, access could be denied because the physical directory for WebDAV has an ACL that does not allow the browser client to access the folder. If access is allowed at the file system level, verify that Read, Write, and Directory Browsing on the WebDAV virtual directory are enabled. For ASP support, also make sure to enable Script source access.

  7. Why is it important that the Microsoft Telnet Client and the Microsoft Telnet service support NTLM authentication?
  8. NTLM authentication protects authentication information from being transmitted across a network from the Telnet client to the Telnet server. A user is authenticated in the context of the current logon. If authentication is necessary, NTLM challenge/response authentication protects logon information. This is an important security feature of Windows 2000 Telnet.

  9. If Terminal Services is not licensed, what features of Terminal Services will work and for how long?
  10. Remote Administration mode allows for two remote control sessions with the computer running Terminal Services. No Terminal Service client license is necessary for this function. In Application Server mode, a Terminal Service client license is required for each session. The Terminal Service will continue to function for 90 days without Terminal Service client licenses installed on the Terminal Services License server.