Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions biweekly.

Questions (October 20, 2000) \[links to questions\]
Answers (October 20, 2000) \[links to answers\]

Questions (October 20, 2000)
This week's questions test your understanding of basic Active Directory (AD) administration and planning. If you've already upgraded your Windows NT domains to Windows 2000 domains, you'll find these questions straightforward. However, if you have yet to upgrade, these questions will help prepare you to face some common pitfalls.

AD's most significant pitfalls result from its flexible architecture. As many of us transition to Win2K next year, I believe we'll find that the rule of thumb is to spend at least as much time assessing requirements and planning as we spend implementing the plan. Use the following questions to start thinking about your transition.

Question 1
As the network administrator, you're in the process of migrating your organization's network to Windows 2000. The network consists of both Windows NT and Win2K domain controllers. After successfully migrating your users and groups to the Users container, you decide to reengineer the organization's existing groups to take advantage of Win2K's new features. As you begin to make changes to the groups, you find that you can't nest global groups within other global groups. What prevents you from doing this?

  1. You aren't a member of the enterprise administrators group, and only members of the enterprise administrators group can nest groups.
  2. Group nesting is a special right that an administrator must assign to you before you can perform that task.
  3. The domain must be in native mode before you can nest groups.
  4. You must perform group nesting on the Global Catalog (GC) server, not on just any domain controller.

Question 2
You are one of five administrators on your organization's Windows 2000 system administration team. You initially migrated your five Windows NT 4.0 domains to Win2K domains but have since collapsed all five into one of the Win2K domains. However, when you removed the other four domains, you didn't choose the option that specifies the remaining domain controller as the last domain controller in the domain, so the system failed to delete the other four domains. How can you delete the domains?

  1. Use Active Directory Domains and Trusts to remove the domains.
  2. Use eseutil to remove the domains.
  3. Use ntdsutil to remove the domains.
  4. Use Active Directory Users and Computers to remove the domains.

Question 3
As your organization's senior Windows 2000 administrator, you're responsible for planning and implementing the Active Directory (AD) site, domain, and organizational unit (OU) structures. You have created a root domain, mcsejobs.net, and two child domains, America and Europe. You have also created a second tree, techjobs.com, with child domains America and Europe. Your organization has just merged with another company, and the merged company will become mcsejobs.com. How can you rename the root domain?

  1. Install a new domain controller in the new root domain mcsejobs.com and then reinstall all the other domain controllers in both the root and child domains and the second tree.
  2. Rename the existing root domain controller as the new root domain mcsejobs.com. Next, rename all the other domain controllers in the root domain, rename all the domain controllers in the child domains, and rename the second tree.
  3. Create a new DNS zone for the new AD root named mcsejobs.com. Next, rename the existing root domain controller as the new root domain mcsejobs.com. Finally, rename all the other domain controllers in the root domain, rename all the domain controllers in the child domains, and rename the second tree.
  4. Create a new DNS zone for the new AD root named mcsejobs.com. Next, demote the domain controller acting as the Global Catalog (GC) server in the root domain and re-promote it to the new root domain.

Answers (October 20, 2000)

Answer to Question 1
The correct answer is C—the domain must be in native mode before you can nest groups. Neither NT 4.0 nor Win2K mixed mode supports nested global groups. Answer A is incorrect because you don't have to be a member of the enterprise administrators group to nest groups. You don't need any special rights to nest groups, so answer B is incorrect. Finally, answer D is incorrect because you can perform group nesting on any domain controller or even remotely with the administrative tools you can find on a Win2K Professional machine.

Answer to Question 2
The correct answer is C—use ntdsutil to remove the domains. Ntdsutil is a command-line utility that lets you add and remove domains. You can't remove domains with Active Directory Domains and Trusts or Active Directory Users and Computers, so answers A and D are incorrect. Answer B is incorrect because eseutil is a command-line utility that lets you repair, check, move, compact, and dump the directory database files (in fact, ntdsutil often calls eseutil to perform these various operations).

The scenario this question presents illustrates the fact that to use Win2K's GUI tools, you must perform some tasks in the proper order. If you forget or neglect the proper order or if you want to automate a particular process, you should become familiar with the command-line utilities that come with Win2K and the Win2K Server Resource Kit.

Answer to Question 3
The correct answer is A—install a new domain controller in the new root domain called mcsejobs.com and then reinstall all the other domain controllers in both the root and child domains and the second tree. If you rename your root domain controller, you must recreate your entire AD structure. Unfortunately, there's currently no way to rename the root domain controller without reinstalling all domain controllers in your forest.