Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions weekly.

Questions (August 24, 2001)
Answers (August 24, 2001)

This week's questions cover topics for Exam 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure.

Questions (August 24, 2001)

Question 1
Windows 2000 includes a set of text-based security template files that you can use to apply uniform security settings on computers within an enterprise. Which of the following represents the order of the workstation security templates from least secure to most secure? (Choose the best answer.)

  1. basicwk.inf, compatws.inf, securews.inf, hisecws.inf
  2. basicwk.inf, securews.inf, hisecws.inf, compatws.inf
  3. compatws.inf, basicwk.inf, securews.inf, hisecws.inf
  4. hisecws.inf, basicwk.inf, securews.inf, compatws.inf
  5. securews.inf, hisecws.inf, basicwk.inf, compatws.inf

Question 2
Your company's Active Directory (AD) infrastructure consists of three native mode domains: The forest root domain, xyzcorp.comand, and two child domains, us.xyzcorp.comand and europe.xyzcorp.com. Recently, your company partnered with a supplier, and you want to let the two parties share certain resources. However, the supplier is running one Windows NT 4.0 domain and doesn't have any plans to migrate to Windows 2000. What solution would let share resources between the supplier's domain and your company's domains? (Choose the best answer.)

  1. You can add the NT 4.0 domain as a new tree within your existing AD forest.
  2. You can convert the NT 4.0 domain to native mode.
  3. You can manually create external trusts between your domains and the NT 4.0 domain.
  4. You can manually create a transitive trust between your forest root domain and the NT 4.0 domain.
  5. You can manually create a shortcut trust between the child domains in your company and the NT 4.0 domain.

Question 3
Your company's Active Directory (AD) network consists of a single-forest environment with seven domains. You have migrated from a Windows NT 4.0 multiple-master domain model. In the previous model, you had two master domains and four resource domains. When you migrated to Windows 2000, you created a new forest root domain named acmecorp.com. You installed two domain controllers (DCs) into the acmecorp.com domain. You upgraded the two NT 4.0 master domains to Win2K and named them us.acmecorp.com and ww.acmecorp.com.

One day, you arrive at the office to discover that there has been a fire. Both DCs for the forest root domain have been lost, along with all tape backups for these computers. What should you do to recover your forest root domain? (Choose the best answer.)

  1. Change the name of either the us.acmecorp.com domain or the ww.acmecorp.com domain to acmecorp.com.
  2. Use the dcpromo utility to create a new DC for the acmecorp.com domain using the dcpromo utility.
  3. Use the dcpromo utility to promote either the us.acmecorp.com domain or the ww.acmecorp.com domain to the new forest root domain.
  4. Seize the Operations Master roles from the non-functioning DCs and distribute them to other DCs.
  5. No procedure exists for recovering a forest root domain if all the DCs are lost.

Answers (August 24, 2001)

Answer to Question 1
The correct answer is C¾compatws.inf, basicwk.inf, securews.inf, hisecws.inf. The Compatible template, compatws.inf, opens the default permissions for the Local Users group so that legacy programs are more likely to run. The Compatible template doesn't create a secure environment.

The Basic template, basicwk.inf, specifies default security settings for all security areas, with the exception of user rights and group membership.

The Secure template, securews.inf, provides increased security for areas of the OS that aren't covered by permissions, including increased security settings for the account policy, increased settings for auditing, and increased security settings for some well-known security-relevant registry keys. This template doesn't modify Access Control Lists (ACLs) because the default Windows 2000 security settings are in effect.

Microsoft provides the Highly Secure template, hisecws.inf, for Win2K-based computers that operate only in native Win2K environments. Hisecws.inf requires that all network communications be digitally signed and encrypted at a level that can only Win2K can provide. Computers configured with this template can't communicate with Windows NT or Windows 9x clients.

For more information, see Microsoft article Q234926. http://support.microsoft.com/support/kb/articles/Q234/9/26.ASP

Answer to Question 2
The correct answer is C¾You can manually create external trusts between your domains and the NT 4.0 domain. Explicit trusts are trust relationships that you create yourself, as opposed to trusts that the system creates automatically during the installation of a domain controller (DC). Explicit trusts include external trusts and shortcut trusts. External trusts enable user authentication to a domain outside of a forest. Shortcut trusts shorten the trust path in a complex forest.

Using the Active Directory Domains and Trusts utility, you can establish a one-way external trust between a Win2K domain and NT 4.0 domains.

For more information, see "Explicit domain trusts" and "Understanding domain trusts" at the Microsoft Web site.

Answer to Question 3
The correct answer is E¾No procedure exists for recovering a forest root domain if all the DCs are lost. If you lose the forest root domain in a catastrophic event and you can't restore one or more DCs from a backup, your enterprise administrators and schema administrators groups are lost for good. Therefore, you should take the following precautions to protect the forest root domain:

  • Install at least two DCs in the forest root domain, regardless of the number of accounts that exist in that domain.
  • Place some of the forest root domain's DCs in separate locations to provide protection against geographically-centered catastrophes.
  • Keep three copies of backup tapes for DCs.
  • Keep at least one copy of the your backup tapes offsite to provide protection against location-specific catastrophes.

For more information, see Chapter 9 of Microsoft's Deployment Planning Guide.