The ultimate dump for Microsoft 70-218

1. You are the administrator of your company's Windows 2000 file servers. Users on the network secure some of their files by using Encrypting File System (EFS). An employee named Marc leaves the company. An employee named Maria needs access to some of Marc’s files. The files are in a shared folder for which all users have permission to read these files. However, some of Marc’s files are protected by EFS. You need to allow Maria access to all of Marc’s files. What should you do?
A. Move the files to a partition that is formatted as either FAT or FAT32.
B. Use an EFS Recovery Agent to decrypt the files.
C. Take ownership of the files and assign Maria the Allow-Read permission for the files.
D. Assign Maria the Allow-Take Ownership permission for the files.
Answer: B
Explanation: An EFS recovery agent must be used to decrypt the files. After the files are decrypted Maria would be able to access them; she already has read access to them through the network share.
Incorrect Answers:
A: By moving encrypted files to a FAT or FAT32 partition the encryption would be lost and Maria would be able to read the files. However, in order to move the files you would have to take ownership of the files.
C: The files are encrypted. Even if Maria had read permission she wouldn’t be able to get access to the files. Maria already has read permission to the files.
D: The right Take Ownership cannot be assigned to a third party. Only you, as an administrator, could take ownership.

2. You are the administrator of a Windows 2000 Server computer named ServerA. ServerA has Internet Information Services (IIS) installed and is used to host your company's public Internet web site. The company is developing a new web site where business partners can exchange information about customer purchases, order history, and credit card information.
You are asked to ensure that all information transmitted between ServerA and each business partner’s computers is encrypted. What should you do?
A. Install a Web server certificate and enable Digest authentication.
B. Install a Web server certificate and enable SSL for the new Web site.
C. Configure the new web site to use Integrated Windows authentication.
D. Configure the new Web site folder to enable Encrypting File System (EFS).
Answer: B
Explanation: Secure Sockets Layer (SSL) encrypts the content and the data. Most popular browsers have built-in SSL support. Certificates are required for the server and client's browser to set up an SSL connection over which encrypted information can be sent. The certificate-based SSL features in IIS consist of a server certificate, an optional client certificate, and various digital keys.
Note: Certificates are digital identification documents that allow both servers and clients to authenticate each other. Server certificates usually contain information about your company and the organization that issued the certificate.
Incorrect Answers:
A: Digest authentication encrypts client-supplied passwords in compatible browsers (Internet Explorer), but it doesn't encrypt the content and data.
C: Integrated Windows authentication would not, by itself, secure the connections.
D: Encrypting the Web Site folder on the server would protect the information for anyone gaining access to that folder. However, it would not secure the data when it is sent out from the Web server to the clients. The data would be unencrypted when it left the server.

3. You are a network administrator for your company. The company has 10 branch offices and has plans to add at least 25 more branch offices during the next 12 months. The network is configured as shown in the exhibit. Each branch office has only one server. These servers are multifunction servers that are domain controllers and application-based Terminal servers.
The users of the remote client computers connect to these servers by using Terminal Services over the internet so that they can access a financial application. You need to ensure that remote users can log on to the Terminal servers and not to any other domain controllers at the main office. You must also ensure that remote users cannot log on to any other domain controller that is not an application-based Terminal Server. When new application-based Terminal servers are added to the domain, you want the servers to automatically configure settings to meet these requirements. You create a new group named Terminal Server-Users, and you make the user accounts of all the users who need access to these application-based terminal servers members of this group. What should you do next?
Exhibit
A. Create a new Group Policy Object and link it to the domain level. Configure this GPO by assigning the Terminal-Server-Users group the Log on locally right.
B. Create a new Group Policy Object and link it to the domain Controllers Organizational unit (OU). Configure this GPO by assigning the Terminal-Server-Users group the Log on locally right.
C. Create a new OU and move all terminal servers into this organizational unit (OU). Create a Group Policy Object and link it to this new OU. Configure this GPO by assigning the Terminal-Server-Users group the Log on locally right.
D. Modify the local security policy on all of the application-based Terminal servers by assigning the Terminal-Server-Users group the Log on locally right.
E. Modify the Domain Controller security policy on one of the application-based Terminal servers by assigning the Terminal-Server-Users group the Log on locally right.
Answer: C
Explanation: The Terminal Servers are also Domain Controllers, which is not the best security scenario. We must ensure that the remote users can only log on to the Terminal Servers and not to any other server.
In order to do that we must create a Group Policy Object and assign the Terminal-Server-Users group the right to Log on Locally. We must create an OU which contains all the Terminal Servers and link the new GPO to this OU. This way the remote users would only be allowed to log on to the Terminal Servers.
Note: Terminal Server clients use the Terminal Server remotely and need the right to log on locally in order to use it.
Incorrect Answers:
A: Linking the GPO, which allows the Terminal-Server-User group to log on locally, to the domain level would allow the remote users to log on to any computer in the domain.
B: If we link the GPO to the Domain Controllers OU the remote users would be allowed to log on to every domain controller. But we only want them to be able to log on to the Terminal Servers.
D: We want the configuration of the Terminal Servers to be automatic when they are joined to the domain. Modifying the local security policy would require a manual, not automatic, administration effort.
E: The application-based Terminal servers must not be domain controllers for security reasons. If the Terminal servers are not domain controllers the Domain Controller Security policy doesn’t apply to them.

4. You are the administrator of a Windows 2000 web server named ServerA. ServerA is a member of a Windows 2000 Domain. A folder on ServerA named I:\WebData\Public_Information is shared as a virtual directory named Public. You also want users to be able to access the virtual directory named Public. You also want users to be able to access the virtual directory by using the URLs http://serverA/PI and http://ServerA/Information. What should you do?
A. In the Web sharing properties for the folder, add the aliases PI and information.
B. Create two new shares for the folder and name PI and information.
C. Create two new folders name PI and Information. Copy the files from the existing folder to the new folders. Share each of the new folders with the default settings.
D.
Create two new Web sites named PI and Information. Configure I:\WebData\Public_Information to be the root directory for both web sites.
Answer: A
Explanation: Virtual directories are a mechanism that allows Web content to be stored in locations other than the default directory. This is done by mapping an alias to the physical location. In this scenario the alias Public is mapped to the folder I:\WebData\Public_Information. We just have to add another alias which maps the name PI to the I:\WebData\Public_Information folder.
Steps to configure a virtual directory (for a folder that already has a virtual directory):
1- Open Windows Explorer and browse to the appropriate folder (here I:\WebData\Public_Information).
2- Right click on the folder and choose Properties.
3- Select the Web sharing tab.
4- Click the Add button.
5- Enter the first virtual directory name of the alias (here PI) in the Alias field. Click OK.
6- Enter the second virtual directory name of the alias (here information) in the Alias field. Click OK.
7- Click OK.
After this procedure we have three virtual Directory aliases pointing to the same folder.
Reference: HOW TO: Reference Folders Stored on Other Computers from Your Web Site (Q308150).
Incorrect Answers:
B: There is no need to create new shares for the virtual directory just to make two new virtual directories.
C: There is no need to create new folders for the virtual directory just to make two new virtual directories.
D: There is no need to create any Web site. A virtual directory has already been set up so a web site must already exist.

5. You are the administrator of a Windows 2000 file and web server named ServerA. ServerA is a member of a Windows 2000 Domain. A folder on ServerA named I:\Data\Accounting_vacation_requests is shared as AcctVac with default NTFS and share permissions. Users in the domain local group named AcctGrp save vacation requests as Microsoft Word documents to AcctVac by using a mapped drive.
You want other users in the domain to be able to view the vacation requests by using the URL://ServerA/Vacation. What should you do?
A. Rename the folder to I:\Data\Vacation. Modify NTFS permissions for the folder to assign the Everyone group the Allow-Read permission and to assign the AcctGrp group the Allow-Full Control permission.
B. Create a new share named Vacation for the folder. Modify NTFS permissions for the folder to assign the Everyone group the Allow-Read permission and to assign the AcctGrp group the Allow-Full Control permission.
C. Configure the folder as virtual directory with the alias of Vacation. Assign the Read and the Directory browsing access permissions for the virtual directory.
D. Create a new Web site named Vacation on ServerA. Create a virtual directory with the default settings in the new Web site.
Answer: C
Explanation: We must set up a Virtual directory to the network share. The Virtual Directory should use the alias Vacation. We also need to configure the appropriate NTFS permission on the folder. Assigning Read and Directory browsing permissions would allow the users read-only access and they would also be able to see the contents of the folder.
Steps to configure a virtual directory:
1- Open Windows Explorer and browse to the appropriate folder (here I:\Data\Accounting_vacation_requests).
2- Right click on the folder and choose Properties.
3- Select the Web sharing tab.
4- Select Share this folder. Note: by default the Virtual Directory will be put in the Default Web site.
5- Click the Add button.
6- Enter the first virtual directory name of the alias (here Vacation) in the Alias field.
7- Click OK.
We have now created a Virtual Directory in the default Web site.
Reference: HOW TO: Reference Folders Stored on Other Computers from Your Web Site (Q308150).
Incorrect Answers:
A: A Virtual directory must be set up in order to map the alias Vacation to the folder.
B: A Virtual directory must be set up in order to map the alias Vacation to the folder.
D: There is no need to create a Web site. Just configure the folder as a Virtual Directory in the Default Web Site and assign appropriate permissions.

6. You are a network administrator for your company. The network consists of a single Windows 2000 Domain. All servers run Windows 2000 Server. All client computers run Windows 2000 Professional. The manager of the accounting department reports that files located in shared folders on a server named ServerA are being deleted and must continually be restored from backup. You are asked to configure the local security policy on ServerA to find out who is deleting the files. You enable auditing on the affected files and folders for all users in the domain. Which audit policy or security policy should you enable on ServerA?
A. Audit Access of Global System Objects security policy.
B. Account Logon Events-Success audit policy.
C. Logon Events-Success audit policy.
D. Object Access-Success audit policy.
E. Privilege Use-Success audit policy.
Answer: D
Explanation: Object Access will enable auditing of access to files, folders, and printers. We should audit for success since we want to find out who is successfully deleting the files.
Incorrect Answers:
A: We must use an audit policy, not a security policy, since we want to audit events.
B: Account Logon Events audits when a domain controller received a request to validate a user account. We are interested in auditing files that are deleted though.
C: Account Logon Events audits when a user logs on or logs off the domain. We are not interested in this kind of information in this scenario.
E: We are not interested in when a user uses a privilege right. Deleting a file is not a privileged right; it is an object access event.

7. You are the desktop administrator for your company. The client computers you administer are either Windows 95 or Windows 98 desktop computers.
The network consists of a single Windows 2000 Active Directory domain. The company is implementing a fault-tolerant distributed file system (DFS). You need to ensure that users on all of your client computers can access the resources on the fault-tolerant distributed file system. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Install the Active Directory client on all of the Windows 95 computers.
B. Install the standard DFS client on all of the Windows 95 computers.
C. Install the Windows 2000 Administration Pack on all of the Windows 95 computers.
D. Install the Active Directory client on all of the Windows 98 computers.
E. Install the standard DFS client on all of the Windows 98 computers.
F. Install the Windows 2000 Administration Pack on all of the Windows 98 computers.
Answer: A, D
Explanation: The Active Directory client for Windows 95, Windows 98 and Windows NT 4.0 includes a DFS component. This component is the DFS fault tolerance client which provides access to Windows 2000 distributed file system (DFS) fault tolerant and fail-over file shares specified in Active Directory.
Note: In order for Windows 95 clients to access Domain Based DFS folders the client for Dfs 4.x and 5.0 add-on can be installed. In order for Windows 98 clients to access Domain Based DFS folders the client for Dfs 5.0 add-on must be installed.
Reference: How to Install Distributed File System (DFS) on Windows 2000 (Q241452).
Incorrect Answers:
B: The standard DFS client, Dfs 4.x and 5.0 add-on, would allow Windows 95 clients to access DFS shares on the network. However, they would not be able to access fault-tolerant DFS shares since they are included in the Active Directory and Windows 95 isn’t Active Directory aware.
C: The Windows 2000 administration pack allows Windows 2000 to be administered from downlevel clients such as Windows 95. It wouldn’t, however, allow the clients to use DFS.
E: The standard DFS client, Dfs 5.0 add-on, would allow Windows 98 clients to access DFS shares on the network. However, they would not be able to access fault-tolerant DFS shares since they are included in the Active Directory and Windows 98 isn’t Active Directory aware.
F: The Windows 2000 administration pack allows Windows 2000 to be administered from downlevel clients such as Windows 98. It wouldn’t, however, allow the clients to use DFS.

8. You are a domain administrator for your company. The network consists of a single Windows 2000 Domain. All client computers run Windows 2000 Professional. Each department has its own Organizational Unit (OU) structure. Each department has departmental administrators who are responsible for the administration of the OU structure. Top-level departmental OUs are created by the domain administrators, and the departmental administrators are delegated full control of these OUs. Child OUs are created by the departmental administrators as necessary. The departmental administrator for the finance department is out of the office. The manager of the finance department asks you to publish a shared folder named FinanceDocs on a server named ServerA to Active Directory so that users can easily find the folder. When you attempt to create the shared folder in the Finance OU, you receive the following error message:
Exhibit
You need to publish the shared folder. What should you do?
A. Assign the Domain Admins group the Allow-Full Control share permission for FinanceDocs.
B. Assign the Domain Admins group the Allow-Read & Executive NTFS permission for FinanceDocs.
C. Assign the Domain Admins group the Allow-Create Child Objects permission for Finance OU.
D. Assign the Domain Admins group the Allow-Modify Owner share permission for Finance OU and then take ownership.
Answer: C
Explanation: The exhibit indicates that this is an access problem on the Finance OU, not an NTFS problem.
You must be given access to the OU in order for you to be able to publish the folder. The Permission Create Child Objects would allow you to publish the share in the OU.
Incorrect Answers:
A: This is not an NTFS permission problem. You must be given access to the Finance OU.
B: This is not an NTFS permission problem. You must be given access to the Finance OU.
D: The Modify Owner permission allows the current owner, or any user with the Full Control permission, to give another user the right to take ownership of the object. You wouldn’t be able to use this permission since you are not the owner of the OU and you don’t have Full Access (we know this from the exhibit).

9. You are a network administrator for your company. The network contains 200 Windows 2000 Professional computers. One of the client computers is named Client1. Client1 contains a shared folder named Public that is configured with the default settings. The employee who uses Client1 wants all users on the network to map a persistent drive to Public. However, many users report that they cannot map a persistent drive to Public. What should you do to resolve the problem?
A. Enable the Guest account on Client1.
B. Modify the user limit for Public to allow 200 or more users.
C. Relocate the share and the folder to a Windows 2000 Server computer.
D. Assign the Authenticated Users group the Allow-Full Control permission for Public.
Answer: C
Explanation: The maximum number of concurrent connections to a share on a Windows 2000 Professional computer is 10. If more connections are needed, as in this scenario where up to 200 users could connect simultaneously, the share must reside on a Windows 2000 server which doesn’t have this kind of limit. In this scenario everything works when 10 or fewer users connect to the share, but when more than 10 users try to connect some will not be able to gain access.
Incorrect Answers:
A: The guest account is not required or already enabled, since users are able to connect to the share.
B: The maximum number of concurrent connections to a share on a Windows 2000 Professional computer is 10. 200 users cannot be simultaneously connected to a share on a Windows 2000 Professional computer.
D: This is not a permission problem. Users can connect to the share as long as no more than 10 users connect at a time.

10. You are a domain administrator for your company. You are installing a new Windows 2000 Server computer named ServerA, which has Internet Information Services (IIS) installed. You want to use ServerA to provide a corporate intrasite to your employees. You create a Web site on ServerA. You want to enable users to access the intrasite by using the URL http://CLInfo. You want to accomplish this task with the least amount of administrative effort. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Create a DNS entry for CLInfo that specifies the TCP/IP address of ServerA.
B. Create a WINS entry for CLInfo that specifies the TCP/IP address of ServerA.
C. Create a Hosts file entry for CLInfo that specifies the TCP/IP address of ServerA. Then copy the Hosts file to each network computer.
D. Create the CLInfo Web site as virtual directory.
E. Configure hosts headers on ServerA to include CLInfo.
Answer: D, E
Explanation: First we must create a Web Site and configure a Virtual Directory with the alias of CLInfo for the Web Site. We cannot directly map the CLInfo alias name to an IP address. The alias is just a mapping to a web site on the server. Instead we must use IIS to configure host headers on ServerA to include CLInfo.
Note: Each Web site has a unique, three-part identity it uses to receive and to respond to requests: a port number, an IP address, and a host header name.
Incorrect Answers:
A: We cannot use a host name to IP address mapping.
B: We cannot use a host name to IP address mapping. WINS is not used for host names.
C: We cannot use a host name to IP address mapping. Hosts files require manual administration.

11. You are the administrator of a Windows 2000 Server computer named ServerA. ServerA has Internet Information services (IIS) installed and is used to host your company's public internet web site. The company plans to create a secure web site where customers can access their account and billing information. Customers will access this web site by using a variety of web browsers. A new web site has been created and configured to use Basic authentication. You are asked to ensure that all information transmitted between ServerA and the customers’ computers is encrypted. How should you configure the new web site?
A. Enable the web site to use Integrated Windows Authentication.
B. Enable the web site to use Digest authentication for Windows domain servers.
C. Enable the web site to use a web server certificate and enable SSL for the web site.
D. Enable the web site to use a web server certificate and enable IPSec on ServerA.
Answer: C
Explanation: Secure Sockets Layer (SSL) encrypts the content and the data. Most popular browsers have built-in SSL support. Certificates are required for the server and client's browser to set up an SSL connection over which encrypted information can be sent. The certificate-based SSL features in IIS consist of a server certificate, an optional client certificate, and various digital keys.
Note: Certificates are digital identification documents that allow both servers and clients to authenticate each other. Server certificates usually contain information about your company and the organization that issued the certificate.
Incorrect Answers:
A: Integrated Windows authentication would not, by itself, secure the connections.
B: Digest authentication encrypts client-supplied passwords in compatible browsers (Internet Explorer), but it doesn't encrypt the content and data.
D: To be able to use IPSec both the server and the clients must be enabled for IPSec.

12. You are the administrator of your company's file servers. An employee named Maria is promoted to the new position of manager in the marketing department. Maria needs to be able to review all the documents that are used by other employees in the marketing department. However, she does not need to make changes to these documents. All the marketing documents are stored in subfolders in a single marketing folder, which is shared as Marketing. Each employee in the marketing department has a subfolder in the Marketing folder. Currently, only the employee, the Administrators group, and the Power Users group have permissions for each employee’s subfolder. Permissions inheritance is enabled on the Marketing folder. The resources and permissions are shown in the following table. You need to allow Maria to review the documents of all of the other marketing employees without giving her unnecessary permissions. What should you do?
A. Make Maria a member of the Power Users group.
B. Share each existing subfolder and assign Maria the Allow-Read permission for each of the new shares.
C. Assign Maria the Allow-Read NTFS permission for the Marketing folder.
D. Assign Maria the Allow-Read permission for the Marketing share.
Answer: C
Explanation: We need to allow read access for Maria. She must be able to read but must not be able to change the files. She already has full Share permission to the Marketing share. We must give Maria NTFS permissions as well. By giving Maria NTFS Read Permission on the share her permission on the folders would be read (NTFS:Read + Share:Full = Read).
Note: The calculation of effective permission on a share can be done by:
1. Calculate the NTFS permissions.
They are accumulative except for DENY that overrides all permissions.
2. Calculate the Share permission. They are accumulative.
3. Combine the calculated NTFS and Share permissions. The result is the most restrictive permission.
Incorrect Answers:
A: Adding Maria to the Power Users group would give her modify permission (NTFS: modify + Share: Full = Modify) on all the files and folders on the share.
B: Creating shares for each subfolder and giving Maria the read share permission would not give Maria access to the files, since she doesn’t have any NTFS permissions (NTFS: none + Share: read = none).
D: Giving Maria Read permissions on the share would not give Maria any more rights since she already has Full Control Share permission as a member of the Everyone group. Maria would have no permission to the folders (NTFS:none + Share:Full = none).

13. You are the administrator of a Windows 2000 file server named ServerA. ServerA is a member of a Windows 2000 Domain. On a volume that is formatted as NTFS, you create and share folders for the sales department. Managers in the sales department need to read and modify files in all of the department’s folders. Users named Peter, Maria, and Marc need to read files in the G:\Sales\Reports folder, and they need full control of files in their personal folders. You configure folder and share permissions as shown in the following table. A user in the Managers group informs you that she can read the files in Marc’s folder but cannot update them. You need to allow all users in the Managers group to update all of the files in the sales department’s folder. What should you do?
A. Instruct the users in the Managers group to access the files by using the Sales share.
B. Assign the Managers group the Allow-Full Control permission for the Marc$ share.
C. Re-create the Marc$ share as Marc.
D.
Ensure that the Managers group has the Allow-Full Control permission for the published share object in Active Directory that is associated with the Sales share.
Answer: A
Explanation: The Managers group has full Share permissions on the Sales share and full NTFS permissions on the Sales folders and all its subfolders. The combined permission is also full permission (Share:Full + NTFS:Full=Full).
Note: The calculation of effective permission on a share can be done by:
1. Calculate the NTFS permissions. They are accumulative except for DENY that overrides all permissions.
2. Calculate the Share permission. They are accumulative.
3. Combine the calculated NTFS and Share permissions. The result is the most restrictive permission.
Incorrect Answers:
B: Assigning Full Control permission to the Managers group on Marc$ share would solve the problem for this particular share. Managers would still be denied access if they connected to the Maria$ or the Peter$ share though.
C: A share that ends with a $ sign is a hidden share, which means it cannot be seen while browsing the network. A hidden share uses the Share permissions in exactly the same way as a non-hidden share. Recreating the Marc$ share as Marc wouldn’t change anything.
D: Access to a share is decided by NTFS and Share permissions, not by permissions assigned in the Active Directory. The Active Directory can be used to publish a share to users to make it more convenient for them to access the share.

14. You are a network administrator for your company. The network is configured as shown in the exhibit. You notice that connectivity from the New York office to the London office is inconsistent. You need to find out where the network packets are being dropped and what percentage of packets is being dropped. What should you do?
Exhibit
A. On NYDC01, run the tracert LONDCO01 command. View the results and find out where the results time out.
B. On LONDC01, run the tracert NYDCO01 command.
View the results and find out where the results time out.
C. On NYDC01, run the ping LONDC01 command. View the results.
D. On LONDC01, run the ping NYDC01 command. View the results.
E. On NYDC01, run the pathping LONDC01 command. View the results.
F. On TORDC01, run the pathping LONDC01 command. View the results.
Answer: E
Explanation: We must troubleshoot the connection from New York to London. We should issue any troubleshooting from the source location, New York. The pathping command combines features of the ping and tracert commands to identify which routers are on the path. It also provides additional information that neither of those commands provides. It sends pings periodically to all of the routers over a given time period, and computes statistics based on the number returned from each. Since pathping shows the degree of packet loss at any given router or link, you can determine which routers or links might be causing network problems.
Incorrect Answers:
A: Tracert doesn’t provide as much useful information as pathping.
B: Tracert doesn’t provide as much useful information as pathping. The command should be issued at New York, not at London.
C: The ping command only provides a result of either success or failure (and ping time). It will not provide any information on where the problem is located.
D: The ping command only provides a result of either success or failure (and ping time). It will not provide any information on where the problem is located. The command should be issued at New York, not at London.
F: The command should be issued at New York, not at London.

15. You are a network administrator for Fabrikam, Inc. The network consists of a Windows 2000 Domain named ad.fabrikam.com. The domain contains two DNS servers that host an Active Directory integrated zone for ad.fabrikam.com. A Windows 2000 web server named ServerA is a member of ad.fabrikam.com. An intranet web site was recently created on ServerA.
You want users to access the new Web site by using the URL home.portal.fabrikam.com. What should you do?
A. Create a new domain record named portal in the ad.fabrikam.com zone. In portal, create a CNAME (canonical name) record named home and specify ServerA.ad.fabrikam.com as the target host.
B. On one of the DNS servers, create a new zone named portal.fabrikam.com. In portal.fabrikam.com, create a CNAME (canonical name) record named home and specify ServerA.ad.fabrikam.com as the target host.
C. In ad.fabrikam.com, create a CNAME (canonical name) record named home and specify home.portal.fabrikam.com as the target host.
D. In ad.fabrikam.com, create a CNAME (canonical name) record named home.portal and specify ServerA.fabrikam.com as the target host.
Answer: B
Explanation: A DNS zone can only provide host to IP resolution within the namespace of the zone. It cannot provide name resolution for host names that are not included in the zone. In this scenario we have a zone ad.fabrikam.com and we want to use the name home.portal.fabrikam.com as an alias for the resource ServerA.ad.fabrikam.com. We do this by creating a new zone portal.fabrikam.com and adding a CNAME (alias) record which maps the host name home (which in the zone equals home.portal.fabrikam.com) to ServerA.ad.fabrikam.com.
Incorrect Answers:
A: Adding a CNAME record portal in the ad.fabrikam.zone with ServerA.ad.fabrikam.com target host would map portal.ad.fabrikam.zone to ServerA.ad.fabrikam.com, but we want to map home.portal.fabrikam.com to ServerA.ad.fabrikam.com.
C: Adding a CNAME record portal in the ad.fabrikam.zone with home.portal.fabrikam.com target host would map portal.ad.fabrikam.zone to home.portal.fabrikam.com. But no source with that name exists.
D: A CNAME record home.portal in the ad.fabrikam.com would map the home.portal.ad.fabrikam.com to the destination host, but we want to map home.portal.fabrikam.com.

16. You are a network administrator for your company. The network contains a DNS server.
All client computers are configured to use the DNS server for name resolution. The network also includes four Windows 2000 Server computers, which function as file and print servers; 100 Windows 95 client computers; and 100 Windows 2000 Professional computers. The network is currently configured as a single logical subnet. The company adds two additional subnets, which are connected to the original subnet by routers. All client computers are distributed between the two new subnets. The servers remain on the original subnet. Users of the Windows 95 computers now report that they cannot access server-based files and printers. Users of the Windows 2000 Professional computers can successfully access the servers. You verify that the Windows 95 computers are configured with the correct DNS server address. You need to ensure that all users can access server-based files and printers. What should you do?
A. Create an Lmhosts file on each Windows 95 computer. In the file, include the name and IP address of the DNS server.
B. Install WINS on a Windows 2000 Server computer. Configure all computers to use the WINS server in addition to the DNS server for name resolution.
C. Configure the Windows 95 client computers to use b-node for NetBIOS name resolution.
D. Install a WINS Proxy Agent on each of the new subnets. Configure the WINS Proxy Agents to use the DNS server’s IP address for WINS name resolution.
Answer: B
Explanation: Downlevel clients, like Windows 95 and Windows NT 4.0, use WINS, not DNS, for name resolution. On the other hand Windows 2000 computers only use DNS for name resolution by default. We must provide the Windows 95 clients with a method of resolving NetBIOS names to IP addresses. The most practical solution with least administration would be to configure one Windows 2000 server as a WINS server.
Incorrect Answers:
A: Lmhosts files do provide host name to IP address resolution, and an appropriate Lmhosts file on each Windows 95 computer would allow the Windows 95 clients to use the DNS server. This would require a lot of administrative effort.
C: By default Windows 95 clients are configured for H-mode WINS resolution; first they use the WINS server and then they use broadcasts to resolve NetBIOS names. Changing the node type to b-node would make the clients only try broadcasts, so this is not an improvement.
Note: there are four WINS node types. They are:
• B-node, broadcast mode, only tries to resolve NetBIOS names with broadcasts.
• P-node, peer-peer node, only tries to resolve NetBIOS names through the WINS server.
• M-mode, mixed mode, first uses broadcasts, then the WINS server.
• H-mode, hybrid node, is the default WINS node type. H-mode first tries the WINS server, then it tries broadcast.
D: WINS Proxy agent is used to enable non-WINS clients to communicate with WINS clients. Windows 95 is a WINS client so a WINS proxy agent would not be any improvement. UNIX clients, for example, could benefit from a WINS proxy agent.

17. You are a domain administrator for your company. The network contains two TCP/IP subnets that are connected by a router. The router is configured to forward BOOTP packets. The two subnets contain a total of 180 Windows 2000 Professional computers. A Windows 2000 Server computer named ServerA provides DHCP services for the network. The DHCP scope on ServerA is configured as shown in the following table. You are adding a new Windows 2000 Server computer named ServerB. You install the DHCP service on ServerB. You want ServerB to provide load balancing and redundancy for ServerA. How should you configure DHCP on ServerB?
A. Configure one scope with an IP address range of 172.30.10.1 to 172.30.10.100. Configure a second scope with an IP address range of 172.30.11.1 to 172.30.11.100.
B. Configure one scope with an IP address range of 172.30.10.101 to 172.30.10.200. Configure a second scope with an IP address range of 172.30.11.101 to 172.30.11.200.
C. Configure one scope with an IP address range of 172.30.10.1 to 172.30.10.200. Configure an IP address exclusion of 172.30.10.1 to 172.30.10.100.
D. Configure one scope with an IP address range of 172.30.11.1 to 172.30.11.200. Configure an IP address exclusion of 172.30.11.1 to 172.30.11.100.
Answer: B
Explanation: For redundancy, two (or more) DHCP servers must split the DHCP scope into two non-overlapping IP address ranges. Typically they are split with the 75/25 rule (or 80/20 etc.) that specifies that the local DHCP server will use 75% of the DHCP scope and the remote DHCP server will use 25% of the DHCP scope. The other scope is split in the same fashion: the local DHCP server uses 75% of the scope and the remote DHCP server uses 25% of the scope. This provides redundancy and load balancing as required. In this scenario the solution would use a 50% split. This is not the optimal solution but it would provide redundancy and load balancing.
Incorrect Answers:
A: Two DHCP servers leasing IP addresses in the same range must not have overlapping scopes. ServerA already uses the 172.30.10.1 to 172.30.10.100 range so ServerB cannot lease IP addresses in this range.
C: Redundancy and load balancing must be provided for both scopes. ServerB must be configured to lease addresses in the 172.30.11.0/24 scope as well.
D: Redundancy and load balancing must be provided for both scopes. ServerB must be configured to lease addresses in the 172.30.10.0/24 scope as well.

18. You are a network administrator for your company. The network uses static IP addresses on servers and client computers.
Exhibit
You add a new client computer to subnet A of the network. Your router administrator informs you that the new client computer is incorrectly configured. The relevant portion of the network is shown in the exhibit.
You need to configure the client computer so that it can connect to all local and remote computers. What should you do?
A. Modify the IP address of the client computer so it is the same as the IP address of the file server.
B. Modify the IP address of the client computer so it is the same as the IP address of the router.
C. Modify the subnet mask of the client computer so it is the same as the subnet mask of the file server.
D. Modify the subnet mask of the file server so it is the same as the subnet mask of the client computer.
Answer: C
Explanation: In order to be able to communicate with other computers using the TCP/IP protocol a computer must have a unique address and an appropriate subnet mask. The new client must be given an IP address in the same subnet as the other clients on the subnet. By studying the exhibit we see that this is the case. The subnet mask of the new client is not correct, however. It must be configured with the same subnet mask as the file server.
Note: In order for the new client to connect to the remote servers the default gateway setting must be set to the IP address of the router.
Incorrect Answers:
A: All computers using the TCP/IP protocol must use a unique IP address. The new client cannot be configured with the same IP address as the file server.
B: All computers using the TCP/IP protocol must use a unique IP address. The new client cannot be configured with the same IP address as the router.
D: Changing the subnet mask of the file server to the same subnet mask as the new client would allow these two computers to communicate. However, they would not be able to communicate with other computers on the local subnet or with clients on the remote subnet.

19. You are a network administrator for your company. The network contains Windows 2000 Professional computers and Windows 2000 Server computers. A server named ServerA provides DNS, WINS, and DHCP services.
DHCP is configured to issue ServerA’s IP address for DNS and WINS name resolution. ServerA’s DNS zone is configured to use DNS dynamic update protocol. All other computers on the network are configured to use DHCP to obtain IP addressing information. Your company purchases another company and relocates the new employees to your company's main office. The new employees use Windows 98 client computers that are configured to use static IP addresses. You need to ensure that the Windows 98 computers obtain dynamic IP addresses, and that they register themselves with ServerA by using DNS dynamic update protocol. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Configure the Windows 98 client computers to use ServerA for DNS name resolution.
B. Configure the Windows 98 client computers to use ServerA for WINS name resolution.
C. Configure the Windows 98 client computers to use DHCP to obtain IP addressing information.
D. Configure the DNS server service on ServerA to perform lookups by using WINS.
E. Configure the DHCP service on ServerA to register clients by using DNS dynamic update protocol.
Answer: C, E
Explanation: We have downlevel Windows 98 clients that are not able to use DNS as the only way to resolve host names. However, by integrating WINS and DNS they would be able to use host names to connect to resources.
C: The Windows 98 clients are configured with static IP address configuration. We must change this configuration so that the clients use DHCP to obtain addressing information.
E: The downlevel Windows 98 clients don’t handle the dynamic registration in DNS the same way as the Windows 2000 clients. In order to allow them to register dynamically we must:
1. Enable the DNS zone to allow dynamic updates. This has already been done in this scenario.
2. Configure the DHCP server to Enable updates for DNS clients that do not support dynamic updates.
This setting is disabled by default and must be enabled to allow the Windows 98 clients to be registered in DNS dynamically.
Note: In a network with only Windows 2000 computers WINS would not be required.
Incorrect Answers:
A: Name resolution is not required in this scenario. We only want to be able to register the Windows 98 clients dynamically in the DNS zone.
B: Windows 98 computers are configured to be WINS clients by default. They do not have to be configured to be able to use the WINS server.
D: Integrating WINS and DNS is a good idea and would provide name resolution for the downlevel Windows 98 clients. However, the scenario only requires us to set up dynamic registrations of the Windows 98 clients in DNS. Integrating DNS and WINS will not accomplish this.

20. You are the network administrator for one of your company's branch offices. The network in your office consists of two subnets. One subnet contains client computers and one subnet contains servers. You are using standard, classful subnet masks on the subnets. The relevant portion of the network is shown in the exhibit.
Exhibit
You need to configure the client computer so that it can connect to the file server and the domain controller on the network. How should you configure the computer? To answer, click the Select and Place button, and then drag the appropriate configuration information to the client computer.
Select And Place
Answer: A
IP address: 192.168.12.12
Subnet mask: 255.255.255.0
Default gateway: 192.168.12.1
Explanation:
Subnet mask: A classful subnet mask uses a subnet mask in one of the address classes A, B, or C. We should not use a subnet of the class. The IP address of the local interface of the router is 192.168.12.1. This IP address belongs to a Class C network. Class C networks use a default subnet mask of 255.255.255.0 and have 192-223 as their first octet.
IP address: The IP address must be included in the same subnet as the local IP address of the router (192.168.12.1) so it must have the pattern 192.168.12.xx (the subnet mask is 255.255.255.0). The only available choice is 192.168.12.12 since we cannot choose the same address as the router.
Default gateway: The default gateway must be set to the IP address of the local router interface, which is 192.168.12.1.
Incorrect Answers: The subnet mask 255.255.0.0 is used for Class B networks. The first octet of an IP address in a Class B network must be in the 128-191 range. The IP address 192.168.12.1 cannot be used since all computers must have a unique IP address and the router is already using the 192.168.12.1 address. The IP addresses 192.168.13.1 and 192.168.13.12 cannot be used since they belong to another subnet than the router.

21. You are a network administrator for your company. The network is configured as shown in the exhibit.
Exhibit
Users in the London office report that they cannot connect to BOSFP01. You run the ping 10.1.4.253 command on NYROUTE1 and receive a reply. You run the tracert command on a client computer in the London office. The results are shown in the Tracert exhibit.
Tracert Exhibit
You need to ensure that users in the London office can connect to BOSFP01. What should you do?
A. On all client computers in the London office, run the following command: route add 10.1.5.0 mask 255.255.255.0 10.1.1.254 -p
B. On NYROUTE1, run the following command: route add 10.1.5.0 mask 255.255.255.0 10.1.4.253 -p
C. On LONROUTE1, run the following command: route add 10.1.5.0 mask 255.255.255.0 10.1.2.253 -p
D. On BOSROUTE1, run the following command: route add 10.1.1.0 mask 255.255.255.0 10.1.5.254 -p
Answer: C
Explanation: We know that BOSROUTE1 is reachable from NYROUTE1 since we were able to PING BOSROUTE1 from NYROUTE1. From the tracert command we know that NYFP01 is able to reach NYROUTE1 but not BOSROUTE1.
We must add a persistent route to BOSROUTE1 at the London office. We must use the NYROUTE1 as the default gateway in this route. The command route add 10.1.5.0 mask 255.255.255.0 10.1.2.253 -p would add a persistent route to BOSROUTE1 (10.1.5.0) through NYROUTE1 (10.1.2.253). This command doesn’t have to be issued on all clients in the London office, only on the router.
Note: The route command with the -p switch adds a persistent route to the routing table.
Syntax: route -p add [network] mask [netmask] [gateway]
Incorrect Answers:
A: We must specify a default gateway address of the NYROUTE1, not an address of LONROUTE1 (1.1.254). Adding a persistent route on all client computers in the London office would be a daunting administrative task. It would be better to add the persistent route at the LONROUTE1 server.
B: NYROUTE1 is already able to reach BOSROUTE1, it was able to ping BOSROUTE1, and so no further configuration on NYROUTE1 is required.
D: We must configure the source location, not the destination location BOSROUTE1, which is unreachable.

22. You are a domain administrator for your company. The network contains 75 Windows 2000 Server computers and 1,000 Windows 2000 Professional computers. The network also contains 50 UNIX client computers. The UNIX computers run applications with hard-coded IP addresses for each of the servers. One of the servers is configured to provide DHCP services for the network. All of the Windows 2000 computers are configured to use DHCP. Users of the UNIX client computers report that on some days they cannot connect to various servers. You want to ensure that users of the UNIX client computers can successfully connect to the servers. What should you do?
A. Create a DHCP client reservation for each UNIX client computer.
B. Create a DHCP client reservation for each server.
C. Create a DHCP scope for the servers that specifies a six-month lease time-out.
D. Create a DHCP scope for the servers that includes a vendor option for the UNIX client computers.
Answer: B
Explanation: The UNIX computers are not always able to connect to the servers. We must make sure that the servers always use the same IP address in order for the UNIX application to be able to reach the servers. We do this by creating a DHCP client reservation for each of these servers.
Note: A good solution, not listed here, would be to use static addresses on the servers.
Incorrect Answers:
A: Creating client reservations for the UNIX client computers would ensure that these clients would use the same IP address. But the problem is the hardcoded IP addresses of the servers. The servers, not the UNIX clients, must have client reservations in DHCP.
C: Creating a separate DHCP scope for the servers would require a lot of administrative effort. A six-month lease time would not solve the problem; it would only make it happen less often.
D: The servers, not the clients, must use the same IP addresses.

23. You are the server and network administrator for a computer lab. The computer lab contains two multiple-subnet networks that do not have routing between them. The computer lab also contains a multihomed Windows 2000 Server computer that provides the DNS server service for both networks. Each network also contains a DHCP server. The initial network adapter configuration of the DNS server is shown in the following table: At any given time, the client computers in the computer lab might be running Windows 2000 Professional, Windows NT workstation 4.0, or a third-party operating system. All of the DNS clients in the computer lab receive their IP configurations from DHCP servers. After functioning successfully for several months, the DNS clients on the 10.10.6.0/24 network can no longer resolve host names. You want all computers in the computer lab to be able to resolve DNS names. What should you do?
A. Configure the DHCP servers to dynamically update DNS for DHCP clients.
B. Configure the DNS server service to listen only on LAN1.
C. Enable DHCP on LAN1.
D. Manually configure the IP address for LAN2 as 10.10.6.1.
Answer: D
Explanation: The DNS name resolution on LAN2 stopped working. The most probable cause is that the IP address on the LAN2 interface has changed. The LAN2 interface is DHCP enabled, which means that it is assigned DHCP configuration settings dynamically from the DHCP server on LAN2. It would be better to use a static IP address on LAN2 in order to avoid any changes of the IP address on the LAN2 interface.
Incorrect Answers:
A: DNS has been working flawlessly for a while. There should be no reason to reconfigure the DNS server.
B: The LAN2 clients must have access to the DNS server as well.
C: Enabling dynamic IP configuration, DHCP, on LAN1 would only make matters worse. LAN2 could eventually be hit by the same problem as LAN1, if the IP address of the LAN1 interface would change.

24. You are a network administrator for your company. The network consists of a single Active Directory domain. The network contains one Windows 2000 Server computer, which runs the DNS server service, and 200 Windows 2000 Professional computers. All of the Windows 2000 Professional computers use DHCP to obtain IP addressing information. The network is connected to the internet through an internet service provider. On Monday, the ISP informs you that its network will be unavailable on Tuesday evening because of maintenance and changes. On Wednesday morning, all of your company's network users report that they cannot access internet web sites. When they attempt to access internet web sites, they receive the following error message: “Server not found or DNS error.” Users can successfully log on to the domain and access resources on the company's network, including the intranet web site. You contact the ISP and are informed that it has changed the IP address of its primary DNS server. The ISP informs you that the new IP address is 192.168.167.100.
You need to reconfigure your company's network so that users can access internet web sites. What should you do?
A. Configure your company's DHCP server to configure client computers to use 192.168.167.100 for DNS name resolution.
B. Configure your company's DNS server to forward requests to 192.168.167.100.
C. Configure your company's Windows 2000 Professional computers to use 192.168.167.100 for DNS name resolution.
D. Configure your company's DNS server to use 192.168.167.100 for DNS name resolution.
Answer: B
Explanation: The local DNS server must be configured to forward name resolution requests to the DNS server of the ISP. Then the clients would be able to access both local and external resources such as the internet web sites.
Incorrect Answers:
A: The clients must still use the local DNS server for name resolution on the local network. If the clients would be configured to use the DNS server at the ISP for name resolution they would, theoretically, be able to access the internet web site but they wouldn’t be able to access local resources.
C: The clients must still use the local DNS server for name resolution on the local network. If the clients would be configured to use the DNS server at the ISP for name resolution they would, theoretically, be able to access the internet web site but they wouldn’t be able to access local resources. It would require a lot of administration to configure each client manually.
D: The DNS server must be configured to forward requests to the external DNS server, but it must still provide the local name resolution itself.

25. You are a network administrator for your company. Until recently, the network consisted of one subnet. However, because of recent growth, all of the company's servers, the domain controller, and the DNS server are now on a second subnet. A server named Server1 separates the two subnets. Server1 has two network interfaces.
Because of the addition of the new subnet you configure all servers and client computers with appropriate new IP addresses, class C subnet masks, and default gateway addresses. The relevant portion of the network is shown in the exhibit. You test the configuration from one of the client computers. You can ping other client computers and the nearside interface of Server1. However, you cannot ping any of the other servers by IP address or host name. You need to ensure that the client computers can connect to all of the servers. What should you do?
Exhibit
A. Change the subnet mask on all computers to 255.255.255.128.
B. Enable IP routing on Server1.
C. Configure a DNS server address on each client computer and on each server.
D. Configure the IP addresses to be the same on both interfaces on Server1.
Answer: B
Explanation: In order for the computers on the different subnets to be able to communicate, communication must be routed between the subnets. You can use a Windows 2000 server as a software router simply by enabling routing on it. This is not a name resolution problem since pinging the IP addresses doesn’t work.
Incorrect Answers:
A: All computers have already been configured with an appropriate Class C subnet mask (255.255.255.0). There is no need to change the subnet mask.
C: This is not a name resolution problem since pinging with IP addresses doesn’t work. No data would be passed between the subnets until routing is enabled on the server.
D: All network devices, including LAN interfaces, must use unique IP addresses. We cannot use the same IP address on the different interfaces.

26. You are a network administrator for your company. The network consists of a single Windows 2000 Domain. The domain contains Windows 2000 Server computers, Windows 2000 Professional computers, and Windows NT workstation 4.0 computers. You administer two Windows 2000 DNS servers, two Windows 2000 WINS servers, and two Windows 2000 DHCP servers.
All of the servers have static IP addresses and all of the client computers are DHCP clients. All servers and client computers are configured as WINS clients. You want all client computers in the domain to be dynamically registered in DNS. What should you do?
A. For all computers in the domain, manually configure DNS parameters and run the ipconfig/registerdns command.
B. Configure an Active Directory integrated zone for the domain.
C. Configure the DHCP servers to register DHCP clients in DNS.
D. Configure the DNS zone for the domain to use WINS forward lookup, and ensure that the Do not replicate this record check box is cleared.
Answer: C
Explanation: We must enable dynamic registrations of all client computers in the domain. This can be done by configuring the DHCP server to automatically update client information in DNS both for Windows 2000 clients and for downlevel clients.
Steps:
1. Open the DHCP console.
2. Right-click on the DHCP server and choose Properties.
3. Select the DNS tab.
4. Select Automatically update DHCP client information in DNS. This allows the DHCP server to register Windows 2000 computers in the DNS zone.
5. Select Enable updates for DNS clients that do not support dynamic updates. This allows the DHCP server to register downlevel clients like Windows NT 4.0 in the DNS zone.
6. Click OK.
Incorrect Answers:
A: The ipconfig/registerdns command is used to manually force a refresh of the client name registration in DNS. This is a manual update, not a dynamic update as was required.
B: An Active Directory integrated zone is not required for dynamic registration of clients in DNS.
D: By configuring the DNS zone to use WINS forward lookup the DNS service would be able to use WINS servers to look up names not found in the DNS domain namespace by checking the NetBIOS namespace managed by WINS. Clearing the Do not replicate this record check box would prevent the records retrieved from WINS from being replicated to other servers during zone transfers.
Neither of these two settings would enable clients to register dynamically in DNS.

27. You are a network administrator for your company. You are installing Windows 2000 Advanced Server on a new computer. The server contains two PCI network adapters and a PCI video adapter. The server’s motherboard has a built-in dual-channel SCSI adapter that hosts several devices, as shown in the following table: The installation process begins normally. However, prior to copying files, Windows 2000 Setup informs you that it cannot detect any mass storage devices on your computer. The installation will not resume. You need to correct this problem and complete the installation. What should you do?
A. Reconfigure the second SCSI adapter to have a SCSI device ID of 7.
B. Reconfigure the removable disk cartridge drive to have a SCSI device ID of 4.
C. Reserve an IRQ for each SCSI adapter in the system BIOS.
D. Restart setup and install the driver for the SCSI adapter during the initial file copy.
E. Configure the system BIOS boot device option to boot from the SCSI hard drive.
Answer: D
Explanation: Apparently Windows 2000 doesn’t contain an appropriate device driver for the SCSI adapter; instead, a device driver must be provided during the installation process. The SCSI device driver must be installed during the text phase of the installation process. The F6 button should be clicked when the system prompts you to click “F6” to install SCSI or RAID devices.
Incorrect Answers:
A: This is not the most likely problem. The SCSI adapter device could very well be the same on the two adapters.
B: The removable Tape backup device is physically installed on SCSI adapter 1 while the hard disks are installed on SCSI adapter 0. There should be no conflict between the devices. The removable disk drive doesn’t need to be reconfigured.
C: IRQs must only be reserved for legacy devices. A dual-channel SCSI adapter is most likely not a legacy device.
E: The SCSI hard drive is not accessible.
Windows 2000 Setup cannot find any mass storage devices. Changing the BIOS boot device option will not help.

28. You are the administrator of a Windows 2000 server computer that is used for software development and testing. The server contains two hard disks, which are configured as drive C and drive D. Both are formatted as NTFS. The server is configured with two installations of Windows 2000 Server. The server’s Boot.ini file is as follows: You want the server to start the Windows 2000 Server installation that is located on drive D, unless an administrator selects the other installation during startup. Which Boot.ini file should you use?
A.
[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows 2000 Server I" /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows 2000 Server II" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
B.
[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows 2000 Server I" /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows 2000 Server II" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
C.
[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows 2000 Server I" /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows 2000 Server II" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
D.
[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(1)partition(0)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows 2000 Server I" /fastdetect
multi(0)disk(0)rdisk(1)partition(0)\WINDOWS="Microsoft Windows 2000 Server II" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Answer: A
Explanation: We want to change the default boot partition. The line beginning with multi=0 defines the default boot partition. We should use the first partition on the second disk. The first partition is denoted partition(1) since partitions are numbered starting from 1. The second disk is denoted rdisk(1) since disks are numbered starting from 0. We should use the default line of:
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
Incorrect Answers:
B: We should use the partition(1) parameter since the scenario doesn’t mention that the D hard drive is partitioned. We must use the first and only partition on drive D.
C: The rdisk parameter on the default= line should be rdisk(1), not rdisk(0), since D is the second hard disk.
D: The partition parameter on the default= line should be partition(1), not partition(0). There is no partition 0.

29. You are a network administrator for your company. The network contains 50 Windows 2000 Server computers, which are in the Servers Organizational Unit (OU) in Active Directory. The network also contains 1,500 Windows 2000 Professional computers, which are in the Computers container in Active Directory. You need to deploy the most recent Windows 2000 service pack. The service pack must update only the servers. You download the service pack and extract the file into a newly created shared folder named SPFiles. You need to install the service pack on all of the servers, and you want the installation to occur with no user interaction. What should you do?
A. Create a Group Policy Object and link it to the Servers OU. Under the computer configuration, configure the GPO to assign the Update.msi file from the SPFiles folder. Restart each server.
B. Create a Group Policy Object and link it to the Servers OU. Under the computer configuration startup script, configure the GPO to assign the Update.msi file from the SPFiles folder. Restart each server.
C. Create a Group Policy Object and link it to the Domain level. Under the user configuration logon script, configure the GPO to assign the Update.msi file from the SPFiles folder. Log on to each server as Administrator.
D. Create a script that runs the Update.exe file from the SPFiles folder. Create a Group Policy Object and link it to the Servers OU. Modify the computer configuration of the GPO to run the script on startup. Restart each server.
Answer: D
Explanation: To apply a service pack we use the utility update.exe. Update.exe replaces the existing Windows 2000 files with the appropriate new files from the service pack. We use a script that is configured to run at startup to initiate the upgrade.
Incorrect Answers:
A: Update.exe, not update.msi, is used. Service packs are not assigned. Scripts are used to install service packs.
B: Update.exe, not update.msi, is used to apply service packs.
C: A GPO linked to domain level would be applied to all computers in the domain. We are only interested in updating the servers. Update.exe, not update.msi, is used to apply a service pack.

30. You are the administrator of a Windows 2000 Server computer in your company's accounting department. The server runs Terminal Services in application mode. All users in the accounting department run their business applications in Terminal Service sessions. A manager in the accounting department runs an application on the server. The application requires three hours to process financial and accounting data.
This application must be run every Friday morning so that the data will be available to the director of accounting. You want the application to run with the least amount of performance impact on the other business applications. What should you do? A. Configure all other business applications to have High priority. B. Configure all other business applications to have RealTime priority. C. Configure the accounting application to have AboveNormal priority. D. Configure the accounting application to have BelowNormal priority. Answer: D Explanation: The application should be run at a low priority level in order to have the least performance impact on the other applications. Either the Low or the BelowNormal priority could be considered. Note: There are 5 priority levels in Windows 2000: Realtime: the highest level, which is used by some system processes but should almost never be used for user processes. High: the highest recommended priority level for user processes. Above Normal. Normal: the default priority setting. Belownormal. Low: the lowest priority setting. Incorrect Answers: A: Running at a high priority would increase the load of the server. B: Running the application in Realtime would be the worst possible choice. The performance of the server would suffer. C: Running at a high priority would increase the load of the server.

31. You are a network administrator for your company. All servers run Windows 2000 Server. Users report that a file server named ServerA has very slow response time. It takes several seconds to open small files that are located on the server’s hard disk, and it can take several minutes to open large files. Users report that no problems occur when they access files that are stored on other servers. You monitor ServerA by using System Monitor. You discover that the values for Disk Queue Length and Split I/O are consistently high, even when users attempt to read small files. You also discover that the server has more than 40 GB of free space available.
You need to optimize disk read performance for ServerA. What should you do? A. Use Disk Defragmenter to optimize the file structure on ServerA. B. Use Disk Cleanup to remove unused files and folders from ServerA. C. Disable write caching on the hard disk to optimize file access. D. Configure the performance options on ServerA to optimize performance for background services. Answer: A Explanation: A fragmented hard disk would slow down the disk performance considerably. Microsoft recommends a defragmentation a month. Incorrect answers: B: The server has 40GB of free space. On a file this would slow down the disk performance. C: Disabling write caching would decrease, not increase, disk performance. D: Optimizing performance for background services could improve performance of a domain controller or a SQL Server computer. It would not, however, improve the performance of a file server.

32. You are a network administrator for your company. Company executives plan to deploy 25 new Windows 2000 member servers and 25 new Windows 2000 Domain controllers. All Active Directory server accounts are in the default locations. You need to install 290 hot fixes as part of the operating system installation on the new computers. The hot fixes must not be installed on any current Windows 2000 Server computers. You create a distribution folder for the hot fixes. What should you do next? A. Use Setup Manager to create an answer file that will run a script to install the hot fixes from the distribution folder during setup. B. Use Setup Manager to create an answer file. Add lines in the Cmdlines.txt file to install the hot fixes from the distribution folder during setup. C. Create a script that will install all of the hot fixes automatically. Configure a Group Policy Object and link it to the domain level to run the script on startup. D. Create a Group Policy Object and link it to the Domain Controllers OU and to the Computers container.
Configure the GPO to assign the hot fixes as assigned applications. Answer: B Explanation: Hot Fixes are minor patches, usually limited to a few files covering a specific aspect of the product, which repair, replace, or enhance a function. Hot fixes are packaged as auto-extracting files that include a file called hotfix.exe that runs the install. The Cmdlines.txt file contains the commands that GUI mode runs when installing optional components, such as hot fixes that must be installed immediately after the installation of Windows 2000. Incorrect answers: A: The answer file cannot run installation scripts. Instead cmdlines.txt must be used. C: After creating a script that installs the hot fixes, configuring a GPO to run the script at startup, and linking the GPO at domain level would install the hot fixes on the existing Windows computers (except the Domain Controllers). But the hot fixes should not be installed on any current server. D: The hot fixes must not be installed on any current server. Assigning the hot fixes with a GPO linked to the Domain Controllers OU would, if it were successful, install the hot fixes on all domain controllers.

33. You are the network administrator for your company's branch office. You receive a memo from the main office indicating that a new custom software application will be deployed to the Windows 2000 Professional computers in your office that evening. The following morning, the users in your office report that their computers will not start. Each computer stops responding at the Windows 2000 Professional logon screen. You contact the main office and the application’s developers inform you that the new application includes a service named Data Listener. They discovered a problem with the service that is preventing the client computers in your office from starting. The programmers at the main office will attempt to correct the problem.
Until the problem is corrected, you need to allow your users to start their client computers normally and to access network resources. You need to accomplish this task as quickly as possible. What should you do on each client computer? A. Restart the computer by using safe mode. B. Restart the computer by using a startup floppy disk, and run the fixmbr command. C. Restart the computer by using the Recovery Console. Run the disable “Data Listener” command. D. Restart the computer by using the Windows 2000 Professional CD-ROM, and select the option to repair the installation. Answer: C Explanation: The Recovery Console can be used to disable a network service that prevents the computer from starting. Note: The Recovery Console is a command-line interface that can be used to access a hard disk of a Windows 2000 computer system. It can be accessed from the Windows 2000 Professional installation CD-ROM and can be used to repair an installation of Windows 2000 Professional by repairing the registry or by disabling a device driver or service. To repair an installation of Windows 2000 Professional by disabling a device driver, boot the computer from the Windows 2000 Professional installation CD-ROM. On the Welcome to Setup screen, click R to open the Repair Options screen, and click C to activate the Recovery Console. If we are unsure of the name of the service or driver that is causing the problem we can type ‘listsvc’ to obtain a list of the device drivers and services that are currently installed on the computer. Then use the disable “Data Listener” command to disable the faulty service. Incorrect answers: A: The computer would probably not start in safe mode due to the faulty service. B: You cannot start the computer with a startup floppy disk. In Recovery Console the fixmbr command would replace the master boot record. D: Repairing the installation is unnecessary and would require more effort. Only the service must be disabled.
34. You are a network administrator for your company. All servers run Windows 2000 Server. Users in the finance department report significantly slow performance when they access a database application that is hosted on a multiprocessor server named ServerA. The application was designed for symmetric multiprocessing (SMP) and for use with Windows NT Server 4.0 computers. The application runs constantly as a background application. Users do not report problems when they access the same database application running on a server named ServerB. Both servers have identical hardware. You start Task Manager on ServerA. You view the information that is shown in the exhibit. You need to optimize performance for users in the finance department when they access the database application. What should you do? Exhibit A. Configure the application to run in a separate memory space. B. Configure the application’s process to run with high priority and with affinity for the second processor only. C. Increase the amount of physical memory and increase the size of the paging file on ServerA. D. Set processor affinity for the application to allow the application to use all available processors. Answer: D Explanation: By examining the exhibit we see that the 1st processor is heavily used (on the left), but the 2nd processor is far from its capacity (on the right). The likely cause of this is that the application is only using the 1st processor. We must enable it to use all available processors. Incorrect answers: A: Windows 2000 applications run in separate memory spaces by default. Only legacy 16-bit applications would sometimes need to be configured to run in a separate memory space. B: The application supports symmetric multiprocessing and would run faster on all available processors. C: The memory is not the problem. According to the exhibit there is a lot of memory available.

35. You are a network administrator for your company. A user named Marc reports a problem with his Windows 2000 Professional computer.
You examine the computer and discover that it is displaying a STOP message. The documentation for Marc’s computer indicates that the computer contains a single hard disk, which is configured as a single NTFS logical volume. Marc reports that the computer was working normally until he connected a new USB digital camera to the computer. The computer installed the camera’s software drivers, and then restarted. After the computer restarted, it displayed the STOP message and Marc was not able to log on to the computer. You need to return Marc’s computer to normal operation as quickly as possible. What should you do? A. Restart the computer by using safe mode. B. Restart the computer by using the last known good configuration. C. Restart the computer by using the Windows 2000 Professional CD-ROM, and select the option to repair the installation. D. Restart the computer by using the Windows 2000 Professional CD-ROM, and select the option for Recovery Console. Answer: B Explanation: We have installed a bad driver. The last known good configuration can be used since we have not had a successful logon after the bad driver was installed. The last known good configuration requires the least administrative effort and is therefore the preferred method. It will return the computer to the state it was in when the last successful logon took place. Incorrect answers: A: Safe mode could possibly be used. It would require more effort though. C: It is unnecessary to repair the installation. This would involve a lot of work and some configuration might be lost. D: The Recovery Console could be used to disable the device driver. It would, however, not be the quickest method to recover.

36. You are a network administrator for your company. The network consists of a single Windows 2000 Domain. All servers run Windows 2000 Server. All client computers run Windows 2000 Professional. A server in the sales department has a tape backup device installed.
The device functions normally by using the driver from the Windows 2000 Server CD-ROM. You install an updated driver for the device that is supplied by the manufacturer. When you restart the server, you receive the following error message: “STOP: IRQL_NOT_LESS_OR_EQUAL.” You restart the server, and you receive the same error message. You need to correct the problem and return the server to normal operation. What should you do? A. Restart the server in safe mode. Create a local computer policy to enable Windows File Protection. B. Restart the server in safe mode. Log on as an administrator. In the Driver Signing Options dialog box, set File Signature Verification to Ignore. C. Restart the server by using the last known good configuration. D. Restart the server by using the Recovery Console. Enable the new device driver by using the Service_system_start parameter. Answer: C Explanation: We have installed a bad driver. The last known good configuration can be used since we have not had a successful logon after the bad driver was installed. The last known good configuration requires the least administrative effort and is therefore the preferred method. It will return the computer to the state it was in when the last successful logon took place. Incorrect answers: A: Windows File Protection checks the integrity of the system files. In this scenario we have a device driver problem. Windows File Protection is of no use in fixing this problem. B: We must remove the faulty driver. It is too late to configure Driver Signing now. The harm has already been done. D:

37. You are a domain administrator for A. Datum Corporation. The company's network consists of three domains, as shown in the exhibit. You are responsible for the sandiego.adatum.com domain. The sandiego.adatum.com domain contains user accounts for 50 of the employees in the finance department. Recently, a shared folder named FinanceA was created in the sandiego.adatum.com domain.
FinanceA can be accessed by only those 50 employees. FinanceA contains forms that are used by the 50 employees. You are instructed to create a group on your domain controllers that will allow finance users whose user accounts are in global groups from the other domains to access FinanceA. You must accomplish this goal while minimizing replication overhead. What should you do? Exhibit A. Create a global group. Add the appropriate groups from the other domains to the global group. Assign the global group permissions for FinanceA. B. Create a domain local group. Add the appropriate groups from the other domains to the domain local group. Assign the domain local group permissions to FinanceA. C. Create a universal group. Add the appropriate groups from the other domains to the universal group. Assign the universal group permissions for FinanceA. D. Create a distribution group. Add the appropriate groups from the other domains to the distribution group. Assign the distribution group permissions for FinanceA. Answer: B Explanation: The preferred Microsoft solution is: 1. Assign appropriate permissions to a domain local group. In this scenario the domain local group is assigned permissions to the FinanceA share. 2. Add the appropriate groups from the other domain (and the current domain) to the domain local group. Incorrect answers: A: A global group can only contain user accounts, computer accounts, and global groups from the same domain. A global group cannot contain global groups from other domains. C: Creating a universal group, assigning the appropriate permission to the universal group, and adding the appropriate global groups from the other domains would work. This would not be the best solution though, since changes in the universal group would have to be replicated between the domains. A domain local group is local in scope and would not have to be replicated to the other domains. D: A distribution group is only used by applications, not by Windows 2000.
A distribution group cannot be used to configure permissions.

38. You are a network administrator for your company. The network consists of a single Windows 2000 Domain. The domain contains four Windows 2000 Domain controllers. The relevant portion of your network is configured as shown in the exhibit. The domain controller named DC01 is a multihomed computer that provides DNS and DHCP services for the company intranet and only DHCP services for a secure network used by the software development department. DC01 does not route between the two networks. The computers in the software development department are not members of the domain. Exhibit DC01 hosts an Active Directory integrated DNS zone. DC01 is configured as shown in the following table: You discover that Active Directory replication intermittently fails between DC01 and the other domain controllers. When this occurs, you receive the following error message: “RPC server is unavailable.” There is no consistent pattern to the replication failures. The other domain controllers do not experience this problem when replicating to each other. You need to ensure that replication occurs normally between all domain controllers. What should you do? A. In the TCP/IP properties for NIC1 on DC01, disable dynamic DNS registration. Remove all A (host) records from the DNS zone for DC01 for the address 172.30.23.1. Remove the address 172.30.23.1 from the Interfaces tab in the properties for DC01 in the DNS console. B. In the TCP/IP properties for NIC2 on DC01, disable dynamic DNS registration. Remove all A (host) records from the DNS zone for DC01 for the address 192.168.1.1. Remove the address 192.168.1.1 from the Interfaces tab in the properties for DC01 in the DNS console. C. In the TCP/IP properties for NIC1 on DC01, disable dynamic DNS registration. Remove all A (host) records from the DNS zone for DC01 for the address 192.168.1.1. Disable round robin functionality on DC01. Disable recursive queries on DC01. D.
In the TCP/IP properties for NIC2 on DC01, disable dynamic DNS registration. Remove all A (host) records from the DNS zone for DC01 for the address 172.30.23.1. Disable round robin functionality on DC01. Disable recursive queries on DC01. Answer: B Explanation: The DNS server should only be configured for NIC1, which is connected to the domain. DC01 should not provide DNS services for the development subnet on NIC2. We must remove all host records for DC01 for the address 192.168.1.1. Then we have to remove the address 192.168.1.1 from the interfaces. This will disable DNS on NIC2, or in other words make DC01 only listen for DNS on NIC1. Note: The error RPC Server is Unavailable can occur when: • The RPC service may not be started. • You are unable to resolve a DNS or NetBIOS name. This is the problem in this scenario. We are sometimes unable to resolve a DNS name. This occurs because there are incorrect host records in the DNS zone where DC01 has the IP address 192.168.1.1. Computers that try to connect to DC01 with the IP address 192.168.1.1 will not be able to connect to DC01. • An RPC channel cannot be established. Reference: Troubleshooting "RPC Server is Unavailable" in Windows (Q224370) Incorrect answers: A: Removing NIC1 as a DNS interface would disable DNS on NIC1, the domain interface. We must disable DNS on NIC2 instead. C: NIC2 must be removed from the interfaces, not NIC1. D: We must remove the address 192.168.1.1 from the Interfaces. Disabling round robin would not disable DNS on NIC2.

39. You are the desktop administrator for your company. The company is migrating from a Windows NT 4.0 domain to a new Windows 2000 Domain. As part of the migration, you are removing Windows NT Workstation 4.0 computer accounts from the Windows NT domain and adding them to a Windows 2000 Active Directory domain. You add 10 Windows NT Workstation computer accounts to the Active Directory domain.
When you attempt to add another Windows NT Workstation computer account to the Active Directory domain, you receive the following error message: “The machine account for this computer either does not exist or is unavailable.” You need to be able to add Windows NT Workstation computer accounts to the Windows 2000 Active Directory domain. What should you do? A. Configure a DNS server for the Windows NT Workstation computers that have not been added to the Active Directory domain. B. Delete from the Windows NT domain the computer accounts for the Windows NT Workstation computers that have not been added to the Active Directory domain. C. Ask the domain administrator to assign you the Allow-Create Computer objects permission for the Computers container. D. Ask the domain administrator to assign you the Allow-Create Computer objects permission for the Domain Controllers container. Answer: C Explanation: This error message occurs after you have joined 10 computers to the domain from a Windows NT 4.0 computer. In order to work around this problem you could either pre-create computer accounts in the Active Directory, or (as in this answer) assign Create Computer objects permissions on the Computers container for the user. Reference: Domain Users Cannot Join Workstation or Server to a Domain (Q251335) Incorrect answers: A: This is not a name resolution problem. B: Deleting the computer accounts in the old Windows NT domain will not help. D: The permission must be assigned to the Computers container, not the Domain Controllers container.

40. You are the administrator of an Organizational Unit (OU) named New York. The New York OU contains OUs named Operations, Accounting, and Executive. You create a software deployment Group Policy Object that assigns an application named CorpFinance. You link the GPO to the New York OU. Users in the Operations OU report that the CorpFinance application shortcut does not appear on their Start menus.
Users in the Accounting and Executive OUs report that the shortcut appears on their Start menus. You need to ensure that the CorpFinance application shortcut appears on the Start menu for every user in the New York OU. What should you do? A. Modify the GPO so that CorpFinance is published instead of assigned. B. Modify the permissions on the CorpFinance installation package so that members of the Operations OU have the Change permission. C. Configure the Operations OU to not block policy inheritance. D. Configure the GPO to use the basic installation user interface. Answer: C Explanation: The GPO is not applied to the Operations OU. Apparently the Operations OU blocks policy inheritance. Incorrect answers: A: The application has correctly been chosen to be assigned, not published. Assigned applications appear in the Start menu, while published applications must be manually installed. B: The users should only have Read permission, not Change permissions, on the installation package. Only administrators should have change permission on the distribution folder. If this were a file permission problem the users in the Operations OU would get an error message indicating this problem when they started their computers. D: The installation user interface worked for users in the Accounting and the Executive OUs so there is nothing wrong with the installation user interface or the installation package.

41. You are a network administrator for your company. You need to create a Group Policy Object that requires user accounts to have a minimum password length of seven characters. All of the Active Directory user accounts are in the MN Organizational Unit (OU). Under the computer configuration, you create a GPO named PasswordGPO that requires a minimum of seven characters, and you link this GPO to the MN OU. After you link the GPO, you find out that users can create passwords that are only one character in length.
You need to ensure that all users in the MN OU are required to have a minimum password length of seven characters. What should you do? A. Remove the GPO link on the MN OU for PasswordGPO. At the domain level, add a link to the PasswordGPO, and ensure that the GPO has the highest priority. B. Create a new GPO and link it to the MN OU. Configure the password requirement for this GPO to be a minimum of seven characters, and make the GPO the highest priority. C. Run the Secedit /refreshpolicy machine_policy /enforce command on the domain controller on which you created the GPO. D. Run the Secedit /refreshpolicy user_policy /enforce command on the domain controller on which you created the GPO. Answer: A Explanation: Password policies can only be applied at domain level. They cannot be applied to an OU. We must link the PasswordGPO at the Domain level. Incorrect answers: B: Password policies can only be applied at domain level. They cannot be applied to an OU. C: Password policies can only be applied at domain level. The GPO must be linked at the domain level. D: Password policies can only be applied at domain level. The GPO must be linked at the domain level.

42. You are a network administrator for your company. All user accounts and groups are in the New York organizational unit (OU). The user accounts of the help desk personnel are members of the Helpdesk group. You need to allow the Helpdesk group to manage group memberships, including creating and managing new groups. However, you need to ensure that help desk personnel cannot create or modify user objects. What should you do? A. Under the New York OU, create two new OUs and name them NY Users and NY Groups. Move all user accounts to the NY Users OU, and move all groups to the NY Groups OU. Modify the Active Directory permissions for the New York OU by assigning the Helpdesk group the Allow-Full Control permission. B. Under the New York OU, create two new OUs and name them NY Users and NY Groups.
Move all user accounts to the NY Users OU, and move all groups to the NY Groups OU. Modify the Active Directory permissions for the NY Groups OU by assigning the Helpdesk group the Allow-Full Control permission. C. Run the Delegation of Control wizard on the New York OU. Delegate the Modify the membership of a group task to the Helpdesk group. D. Run the Delegation of Control wizard on the New York OU. Delegate the Create, delete, and manage groups task to the Helpdesk group. Answer: D Explanation: The Create, delete, and manage groups right would allow the Helpdesk group to manage groups in the OU. They would be able to create new groups. Incorrect answers: A: Giving the Helpdesk group Full Control permission to the New York OU would allow them to create and modify user objects in the New York OU and in the child OUs. B: Assigning Full Control permission on an OU to the Helpdesk group would allow them to create and modify user objects in this OU. C: The Helpdesk group must be able to create new groups. The Modify the membership of a group right is not enough.

43. You are an administrator of your company's single Windows 2000 Domain. The domain contains 10 departmental organizational units (OUs). Each OU is controlled by a separate administrative group. During a routine security audit, you discover that the local Administrators groups on member servers contain users who are not administrators. You want to ensure that the local Administrators group on every server contains only valid administrator accounts from the appropriate department. What should you do? A. Configure Group Policy for each OU to specify the appropriate membership for the local Administrators group on the servers in that OU. B. Configure Group Policy for the domain to specify the appropriate membership for the local Administrators group on the servers in that OU. C.
Configure Group Policy for the default Domain Controller OU to specify the appropriate membership for the local Administrators group on the servers in that OU. D. In each OU, create a new child OU that contains all of the appropriate Administrator user accounts for that OU. Configure Group Policy for each new child OU to specify the appropriate membership for the local Administrators group on the servers in that OU. Answer: D Explanation: We must make the configuration at OU level, since we have to specify the appropriate local administrators for each OU. We do it by: 1. Create a new child OU for each departmental OU. 2. Add all the user accounts that should be members of the local Administrators group of the department to the new child OU. 3. Create a GPO for each new child OU that restricts the membership of the local Administrators group to the members of the child OU. Note: Domain controllers don’t have any local Administrators group. Only member servers or stand-alone servers have local Administrators groups. Incorrect answers: A: We must collect the users that are allowed to be local Administrators in some way. We could put them in a group or in an OU and then let the GPO use this group or OU to restrict the membership of the local Administrators group. B: We cannot create a GPO at domain level that restricts membership to the local Administrators group for administrators of the corresponding OU. C: We are interested in the member servers, not the domain controllers, since the domain controllers don’t have a local Administrators group. We cannot use the default Domain Controller OU.

44. You are a network administrator for your company. The network consists of a single Windows 2000 Domain. The domain has an Organizational Unit (OU) structure, as shown in the exhibit. All user accounts are created in the Corp OU. All user accounts are members of a CorpUsers group that is located in the Corp OU.
All user accounts are also members of department-specific groups that are located in the departmental OUs. Each department has its own administrative staff, which is responsible for creating computer accounts, troubleshooting user and computer problems, and performing general system maintenance. Departmental administrators are members of groups named Admins located in the departmental OUs. Departmental administrators have been delegated full control of their OUs. All computer accounts are located in their appropriate departmental OUs. Group Policy Objects are configured as shown in the following table: The departmental administrators report that they cannot access Control Panel or the Run command on their own computers or when they attempt to correct problems on users’ computers. The departmental administrators require access to the restricted tools. What should you do? Exhibit A. Disable the No Override option for the Users GPO. B. Enable the No Override option for the Department Admins GPO. C. Select Block Policy inheritance in the Group Policy properties for each child OU. D. Change the Group Policy processing order to ensure that the Department Admins GPO is processed last. E. Assign the Deny-Apply Group Policy permissions to the various Admins groups for the Users GPO. Answer: E Explanation: The departmental administrators are also users. The Users GPO will be applied to them as well. This is the reason for the problem. By denying the Apply Group Policy permissions on the Users GPO for the departmental administrators, the Users GPO would not be applied to them. Incorrect answers: A: Disabling the No Override option for the Users GPO would be a bad idea. Then the departmental administrators could override these settings for the local users. B: The No Override option applied to the Department Admins GPO would have no effect since no settings are configured for this GPO.
C: The No Override option at the Corp OU will override the Block Policy inheritance at the departmental OUs. D: Changing the order in which the GPOs are applied would not change matters. The Users GPO would still be applied to the departmental administrators.

45. You are a network administrator for your company. The help desk manager reports that the help desk is receiving a large number of requests from sales representatives who need to have their passwords reset. The help desk manager asks you to delegate this task to someone other than help desk personnel. The user accounts of all sales representatives are in the Sales Users organizational unit. The user accounts of all sales managers are in the Sales Manager OU and are members of the Sales Managers group. You decide to allow the sales managers to reset the passwords for their sales representatives when necessary. You need to configure Active Directory without compromising overall network security. What should you do to allow the members of the Sales Managers group to reset passwords for the sales representatives? A. Run the Delegation of Control wizard at the domain level and delegate the Create, Delete, and manage user accounts task to the Sales Managers group. B. Run the Delegation of Control wizard on the Sales Users OU and delegate the Create, Delete, and manage user accounts task to the Sales Managers group. C. Run the Delegation of Control wizard on the Sales Users OU and delegate the Reset passwords on user accounts task to the Sales Managers group. D. Run the Delegation of Control wizard at the domain level and delegate the Reset passwords on user accounts task to the Sales Managers group. Answer: C Explanation: The managers must be given the Reset passwords on user accounts right on the Sales OU. This will allow the managers to reset passwords only for the sales representatives. Incorrect answers: A: The managers should not be allowed to create and delete user accounts.
B: The managers should not be allowed to create and delete user accounts.
D: The managers don’t need to be able to reset passwords throughout the domain. They only need to reset passwords of the user accounts in the Sales OU.

46. You are a domain administrator for your company. You are installing a Windows 2000 Server computer named ServerA and 25 Windows 2000 Professional computers in a new branch office. You want to enable the client computers in the branch office to access the Internet as needed. You have a dial-up account with a local Internet service provider (ISP). You want to reduce connection charges from your ISP. Therefore, you want the connection to be active only when Internet resources are requested. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)
A. Attach a modem to ServerA and create a dial-up connection to the ISP.
B. Attach a modem to one of the Windows 2000 Professional computers and create a dial-up connection to the ISP.
C. Configure the modem to use software handshaking.
D. Configure the modem to use hardware handshaking.
E. Configure the dial-up connection to enable on-demand dialing.
F. Configure the dial-up connection to enable Internet Connection Sharing.
G. Configure the client computers in the branch office to enable Internet Connection Sharing.
Answer: A, E, F
Explanation: It is easy to configure ICS:
1. Attach a modem to the computer which will be used as the ICS computer. Use a Windows 2000 server to support more than 10 simultaneous users.
2. Create a dial-up connection to ISP.
3. Enable on-demand dialing if you only want to stay online when there is activity on the connection.
4. Enable Internet Connection Sharing on the dial-up connection. This is just a checkbox that must be selected.
5. Make sure that the (ICS) clients on the local network are enabled for DHCP. This is the default in all Windows versions since Windows 95.
Incorrect answers:
B: Only a maximum of 10 computers can simultaneously be connected to a specific shared source on a Windows 2000 Professional computer. There are 25 client computers and one server on the network so this could restrict the number of users that access the Internet.
C: As long as the modem is able to communicate with the ISP the ICS would function with or without software handshaking.
D: As long as the modem is able to communicate with the ISP the ICS would function with or without hardware handshaking.
G: Internet sharing should be enabled on the ICS server computer not at the client computers. The client computers just have to be enabled as DHCP clients.

47. You are a domain administrator for your company. The network consists of a single Active Directory domain and contains a Windows 2000 Server computer named ServerA. ServerA has Routing and Remote Access installed. Employees use ServerA to connect to the corporate network by using a dial-up connection. The remote access policy for ServerA changes frequently. The company is hiring 200 new employees who will work remotely. You need to add four Windows 2000 Server computers with Routing and Remote Access installed so that the new employees can dial in to the network. You want to configure all of these Routing and Remote Access servers to use the same remote access policies. You want to configure and maintain the remote access policies with the least amount of administrative effort. What should you do?
A. Add the new Routing and Remote Access server to the domain. Place the remote access policies on ServerA.
B. Promote ServerA to a domain controller in the domain. Add the new Routing and Remote Access Server as members of the domain.
C. Install the Internet Authentication Service (IAS) on ServerA. Configure the new Routing and Remote Access servers to use ServerA for authentication requests.
D. Create a new domain controller named ServerB. Install the Internet Authentication Service (IAS) on ServerB.
Configure the new Routing and Remote Access servers to use ServerB for authentication requests.
Answer: C
Explanation: IAS provides connection authentication, authorization, and accounting for dial-up and virtual private network (VPN) remote access and for router-to-router connections. We want to configure IAS with the least administrative effort. Setting up IAS in this scenario is not hard:
1. Install the Internet Authentication service on ServerA.
2. Configure the other four RRAS computers to use RADIUS authentication and specify that ServerA should be used for authentication.
Incorrect answers:
A: To centralize the administration of several RRAS servers an IAS server is needed.
B: To centralize the administration of several RRAS servers an IAS server is needed.
D: Installing a new domain controller with IAS would provide redundancy for the Active Directory and would offload some work from the Domain Controller. However it would require more administrative effort than simply installing IAS on the existing domain controller ServerA. In this scenario the requirement is to accomplish the goal with the least amount of administrative effort.

48. You are a domain administrator for your company. You are installing a network in a new branch office. The network contains two Windows 2000 Server computers and 10 Windows 2000 Professional computers. A Windows 2000 Server computer named ServerA provides DHCP service for the network. You are installing a new Windows 2000 Server computer named ServerC. You have a dial-up account with a local Internet service provider (ISP). You connect a 56-Kbps modem to ServerC. You want to use ServerC to provide shared access to the Internet. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)
A. Install the WinSock proxy client on ServerC.
B. Install the WinSock proxy client on all of the client computers.
C. Install the DNS service on ServerC.
D.
Install Internet Connection Sharing on ServerC.
E. Uninstall the DHCP service on ServerA.
F. Create a dial-up connection on ServerC and configure the connection with the ISP account information.
Answer: D, E, F
Explanation: We configure the network for ICS with the following steps:
1. Uninstall the DHCP service on ServerA. (E) ICS includes a DHCP allocator which functions as a mini-DHCP server. ICS cannot function on a network which has a DHCP server running.
2. Create a dial-up connection on ServerC. Configure the connection with the ISP account information.
3. Enable ICS on ServerC. This step is accomplished by a simple click in a checkbox.
Incorrect answers:
A: The WinSock proxy client is not required for setting up ICS.
B: The WinSock proxy client is not required for setting up ICS.
C: ICS doesn’t require DNS. In fact ICS would not function on a network where a DNS server is running.

49. You are a domain administrator for your company. The network consists of a single Active Directory domain. The network contains 15 Windows 2000 Server computers and 150 Windows 2000 Professional computers. A server named ServerA has Routing and Remote Access installed and is configured for incoming dial-up connections. You install Windows 2000 Professional on a home computer named Home1. You create a new PPP dial-up connection to connect to ServerA. You configure the connection to use both of the external modems on Home1 and to use Multilink. You start the dial-up connection and connect to ServerA. You notice that only one of the modems is connected to ServerA. What should you do?
A. Configure the dial-up connection on Home1 to use SLIP.
B. Configure ServerA to accept Multilink dial-up connections.
C. Replace the modems on ServerA with new modems that support SLIP.
D. Replace the modems on Home1 with new modems that support Multilink.
Answer: B
Explanation: Multilink must be enabled both at the dial-up client and at the RRAS server.
Incorrect answers:
A: SLIP is an old legacy protocol mostly used to connect to UNIX remote access servers. Windows 2000 Server doesn’t allow SLIP for incoming connections.
C: SLIP is a communication protocol. Modems transmit electronic signals and they don’t have to be compatible in any way with high-level communication protocols like SLIP.
D: Multilink is supported in the operating system. The modems function as usual and don’t have to meet any special requirements to be used in multilink connections.

50. You are the administrator of a Windows 2000 Server computer that runs Terminal Services. A user named Marc uses Terminal Services to connect to the server in order to run a custom Windows-based application that is installed on the server. The application takes two hours to generate a sales report. Marc reports that he can connect to the server and log on, run the application, and start the report. However, his Terminal Services client disconnects from the server before the report is complete. When Marc attempts to reconnect to the server, he discovers that the application is no longer running. You need to ensure that Marc’s computer can remain connected to the server long enough for the application to complete the sales report. You do not want to affect how other users use the server. What should you do?
A. In Terminal Services Manager, shadow Marc’s session after Marc has been connected to the server for 20 minutes, and troubleshoot the problem.
B. In Active Directory Users and Computers, modify Marc’s user account by specifying a maximum Terminal Services disconnect time of three hours.
C. In Active Directory Users and Computers, modify Marc’s user account by specifying a maximum Terminal Services idle time of three hours.
D. In Terminal Services Configuration, modify the RDP-TCP connections by setting the maximum idle time to three hours.
Answer: C
Explanation: Many Terminal server settings can be set on the Sessions tab of the Account Properties Dialog box in Active Directory Users and Computers. The Idle session limit can be set to three hours. This would allow Marc’s session to finish the report before the Terminal Services connection disconnects. The Idle session limit setting specifies the maximum time a session can remain idle.
Incorrect answers:
A: Shadowing allows you to remotely control an active session of another user. You can either view or actively control the session. If you choose to actively control a user's session, you will be able to input keyboard and mouse actions to the session. This would not keep the computer connected to the terminal server though.
B: The Maximum Disconnection Time option specifies the maximum time a session can remain disconnected. But we want Marc’s computer to be connected to the computer so that the report can be produced.
D: The RDP-connections cannot be used to configure the duration of a connection for a specific user.
Note: The Remote Desktop Protocol (RDP) is designed to provide remote display and input capabilities over network connections for Windows-based applications running on a server.
Reference: Explanation of RDP-TCP Permissions in Windows 2000 (Q243554)

51. You are a network administrator for Contoso Pharmaceuticals. The network contains three Windows 2000 Server computers, which run the DNS server service, and two UNIX BIND-based DNS servers. The Windows 2000 DNS servers are domain controllers for a single domain named ad.contoso.com. The DNS zone type for ad.contoso.com is Active Directory integrated. The zone is configured with default refresh and expire intervals and default zone transfer properties. Windows 2000 Server computers in the domain are configured to dynamically register with the Windows 2000 DNS servers.
However, all Windows 2000 Professional and UNIX computers are configured to use the BIND-based DNS servers for name resolution. You create secondary zones for ad.contoso.com on each of the BIND-based DNS servers, and you configure the ad.contoso.com domain controllers as the master DNS servers. When you inspect the secondary zone on the BIND-based DNS servers the next day, there are no records in the zone. You need to ensure that the secondary zones on the BIND-based DNS servers include up-to-date DNS records. What should you do?
A. On one of the domain controllers, select the Allow zone transfers check box in the properties for the zone.
B. On one of the domain controllers, increase the expire interval for the ad.contoso.com zone to two days.
C. On one of the domain controllers, change the zone type for ad.contoso.com to standard primary. On the remainder of the domain controllers, change the zone type to standard secondary.
D. On each of the domain controllers, assign the Pre-Windows 2000 Compatible Access group the Allow-Read permission for the ad.contoso.com zone.
Answer: C
Explanation: BIND DNS servers do not support Active Directory integrated zones. They are limited to primary and secondary zones. We must change zone types from the Active Directory integrated zones to standard secondary on all Windows 2000 DNS servers except one, and to standard primary on one of the Windows 2000 DNS servers.
Incorrect answers:
A: The default zone transfer setting is to allow zone transfers to any DNS server. BIND DNS servers cannot be integrated with Windows 2000 DNS servers that use Active Directory integrated zones.
B: The expire interval is used by other DNS servers configured to load and host the zone to determine when zone data expires if not renewed. But the BIND DNS servers are not able to receive DNS zones from the Active Directory DNS zones on the Windows 2000 DNS servers.
D: The Pre-Windows 2000 Compatible Access is mainly used to integrate Windows NT 4.0 RAS with Windows 2000 RRAS. The UNIX BIND DNS servers would not gain access to the Active Directory DNS zones as members of this group.
Reference: HOW TO: Add Users to the Pre-Windows 2000 Compatible Access Group (Q303973)

52. You are a network administrator for your company. The network consists of a single Windows 2000 Domain. All client computers run Windows 2000 Professional and are members of the domain. Client computers in the research department and the graphics department are new and have clean installs of Windows 2000 Professional. Client computers in the other departments have been upgraded from Windows NT Workstation 4.0 to Windows 2000 Professional. The domain contains an organizational unit (OU) hierarchy, as shown in the exhibit. You want to ensure that all upgraded computers have the same security configuration as the computers that have the clean installs. You also want to ensure that all client computers have strong password policies applied, and that an administrator is required to unlock locked user accounts for the research department and the human resources (HR) department. You create a Group Policy Object named DefaultSec, which applies security settings that are required for all users and computers. You create a second GPO named HiSec, which has the security settings that are required by the HR and the Research departments. Both GPOs use custom security templates. You import the Basicwk.inf security template into the Default Domain GPO. How should you link the GPOs to the OUs?
Exhibit
To answer, click the Select and Place button, and then drag the appropriate Group Policy Object to the appropriate department OU. Note that GPOs can be used more than once.
SELECT AND PLACE
A. Click to see Answer
Answer: A
Comments: The Default Domain Policy GPO is applied to the domain by definition and will not have to be applied to any OU.
The DefaultSec GPO should be applied to all users and computers, so we apply it at the highest possible OU: we link it to the Corp OU. The HiSec GPO should only be applied to the Research and HR departments, so we link it to the Research OU and to the HR OU.

53. You are the administrator for your company's intranet web site. The web site is hosted on a Windows 2000 Server computer. You need to install a new web server component that will be used with a new web site that is in development. The new component is an ISAPI-based application. You install the component in a virtual directory named COMMON and configure the Read, Script, and Execute permissions. When the developers test their applications by using the new component, they receive an error message stating that the component could not be started. You want to ensure that the new component functions properly on the web site. What should you do?
A. Configure the intranet web site to remove the default application.
B. Configure the COMMON virtual directory to run with low application protection.
C. Configure the COMMON virtual directory to run with high application protection.
D. Configure the Execute permission on the intranet web site to enable Scripts only.
E. Configure the Execute permission on the intranet web site to enable Scripts and Executables.
Answer: E
Explanation: ISAPI applications are executables, not scripts. The Execute permission on the intranet web site must be configured to enable Scripts and Executables, not Scripts only.
Steps:
1. Open the Internet Services Manager.
2. Right-click on the Virtual Directory and select Properties.
3. Change the Execute Permissions option to Scripts and Executables.
Note: ISAPI (Internet Server Application Programming Interface) is an API for writing extensions to web servers. It was originally developed by Process Software, and adopted by Microsoft as its standard server API.
It complements or replaces the Common Gateway Interface (CGI), the standard interprocess protocol for writing extensions to web servers.
Incorrect answers:
A: If you remove the default you must specify a new application. The Execute permission must be changed to Scripts and Executables.
B: When a virtual directory is running in the IIS Process (Low Application Protection) IIS runs as SYSTEM and then impersonates the Anonymous User. This wouldn’t allow the ISAPI application to be run.
C: High application protection prevents impersonation. It wouldn’t allow the ISAPI-based application to run.
D: The Execute permission on the intranet web site must be configured to enable Scripts and Executables, not Scripts only. ISAPI applications are executables, not scripts.

54. You are a network administrator for your company. To meet the requirement of the company's new password policy, you must configure a minimum length of eight characters for new network passwords. On a domain controller named DC01, you modify the Default Domain Group Policy Object (GPO). You test the new configuration on your Windows 2000 Professional computer. You can still create a two-character password. You need to ensure that the password policy changes are immediately enforced for all users in the domain. What should you do?
A. On DC01, run the Secedit /refreshpolicy machine_policy /enforce command.
B. On DC01, run the Secedit /refreshpolicy user_policy /enforce command.
C. Create a new GPO and configure the password policy. Link the new GPO to the organizational unit (OU) that contains all user accounts.
D. Create a new GPO and configure the password policy. Link the new GPO to the organizational unit (OU) that contains all computer accounts.
Answer: B
Explanation: The secedit /refreshpolicy user_policy /enforce command immediately applies the GPO for all the appropriate users. Here it applies to all users in the domain, since the GPO is the Default Domain Group Policy object.
Note: Windows 2000 Domain Controllers refresh to other Windows 2000 Domain Controllers at 5 minute intervals. Non-DC Windows 2000 computers are refreshed every 90 minutes.
Reference: Using SECEDIT to Force a Group Policy Refresh Immediately (Q227302)
Incorrect answers:
A: The requirement is to apply the password policy for all users.
C: Password policies must be applied at the Domain level, not at OU level.
D: Password policies must be applied at the Domain level, not at OU level.

55. You are an enterprise administrator for Trey Research, a company that is based in Los Angeles. The network consists of three Windows 2000 domains in two sites, as shown in the exhibit.
Exhibit
Trey Research anticipates company growth of up to 200 percent during the next 12 months, and plans to add as many as three new sites and four new child domains to the network during that time. Company IT policy dictates that user account and password security policy settings must be applied consistently to all users throughout the company. You configure the Group Policy Object to the treyresearch.com domain as shown in the following table:
Accounts locked out after three bad logon attempts.
Administrator must unlock locked user accounts.
Minimum password length is eight characters.
Passwords must meet complexity requirements.
Minimum password age is 27 days.
Maximum password age is 30 days.
Remember last 12 passwords.
(None selected)
You later discover that the settings that are defined in the Enterprise Security GPO are being applied to users located in only the treyresearch.com domain. You need to ensure that these settings are applied to all users in the company. What should you do?
A. Delete the Default Domain GPO in the child domains.
B. Enable the No Override option for the Enterprise Security GPO.
C. Create a new site that contains all domains, and link the Enterprise Security GPO to the site.
D. Create and link new GPOs in the child domains with the same settings as in the root domain.
Answer: B
Explanation: The Enterprise Security GPO is an Account policy. Domain User Account policies can only be applied at domain level. Active Directory only allows one domain account policy and that account policy must be applied to the root domain of the domain tree. Apparently the child domains have some policy that is preventing the Enterprise Security GPO from being applied. We must override these settings to enforce the Enterprise Security Account policy throughout the child domains.
Note 1: Account policy contains Password policy, Account policy, and Kerberos policy.
Note 2: A domain tree exists when one domain is the child of another domain. A domain tree must have a contiguous namespace: a child domain name always includes the complete parent domain name. The exhibit of this scenario is an example of a domain tree.
Reference: Configuring Account Policies in Active Directory (Q255550). Domain Security Policy in Windows 2000 (Q221930)
Incorrect answers:
A: It is possible to delete the Default Domain GPO in the child domains. This would not, however, solve the problem.
C: For domain accounts there can only be one account policy in a domain: the Default Domain Policy. Domain account policies cannot be applied to sites.
D: Active Directory only allows one domain account policy and that account policy must be applied to the root domain of the domain tree.

56. You are the administrator of a Windows 2000 Server computer named ServerA. You install Terminal Services on ServerA in remote administration mode. You use Terminal Services to administer ServerA for four months. After four months, you reinstall Terminal Services in application server mode. You install and configure eight user applications on ServerA, and the users in your company begin connecting to ServerA by using Terminal Services client software. Three months later, users report that they cannot connect to ServerA. You discover that you cannot connect to ServerA by using an administrator user account.
You verify that ServerA is running properly and is connected to the network. You need to ensure that users and administrators can connect to ServerA. What should you do?
A. Modify the default Terminal Services user properties so that all domain user accounts have permission to connect to Terminal Services.
B. In Terminal Services Configuration, delete and re-create the default RDP-TCP connection.
C. Install and configure a Terminal Services Licensing server on your network. Configure ServerA to use the new licensing server.
D. Ask a domain administrator to relocate ServerA’s computer account into an Organizational Unit (OU) named AuthorizedTerminalServer.
Answer: C
Explanation: Terminal Services administration mode doesn’t require any licensing. Terminal Services application server mode requires licensing. You are allowed to run Terminal Services in application server mode for 90 days without using any license. If you have not enabled the license service when this period ends, your Windows 2000 Terminal Services will fail to operate. This is what happened in the scenario. After a Terminal Services Licensing server has been set up and you have obtained a new license the Terminal Server would start to run again.
Incorrect answers:
A: This is a licensing problem, not a permissions problem. The server has been running for 3 months without any permission problems.
B: This is a licensing problem, not a Remote Desktop Protocol (RDP) protocol problem. The server has been running for 3 months without any problems.
D: To make the Terminal Server run you must set up a license for it. The 90 day trial period is over.

57. You are the administrator of four Windows 2000 Server computers in the sales department. Each server has a single Pentium III-600 processor, 192 MB of RAM, and a single 30-GB hard disk. All computers have 100-Mbps network adapter cards.
Users in the sales department report that when they attempt to access files or submit print jobs to a server named ServerA, performance becomes very slow. You use System Monitor to monitor ServerA and discover the information that is shown in the following table: You need to improve the performance of ServerA for the users in the sales department. What should you do?
A. Upgrade or replace the RAM in the server.
B. Upgrade or replace the hard disk in the server.
C. Upgrade or replace the processor in the server.
D. Upgrade or replace the network adapter card in the server.
Answer: B
Explanation: The single counter that indicates a performance problem is the Avg. Disk sec/Transfer counter. The value of this counter indicates that average disk transfer time is 2.231 seconds. A value below 0.3 would indicate normal behavior. There might be some physical problem with the hard disk and it should be replaced.
Incorrect answers:
A: An average Pages/Sec with 20 or above (here 5.657) would indicate that the system would require more memory.
C: The processor is not overloaded. The processor would be overloaded if the average % Processor Time counter is over 85% (here 20%) or when the Processor Queue Length consistently has a value of 4 or above.
D: There is no indication of any problems with the Network Interface card. The Server:Bytes Total/sec counter shows the number of bytes the server has sent to and received from the network. An average value of 12.787 is normal. The Network Interface:Bytes Total/sec shows how busy the network interface card is. An average value of 241 is normal.

58. You are a network administrator for your company. The network consists of a single network subnet. The network contains a Windows 2000 Server computer named ServerA, which runs the DNS server service. All client computers run Windows 2000 Professional, and they are configured with static IP addresses. The client computers are configured to use ServerA for DNS name resolution.
Another administrator, named Peter, installs Windows 2000 Server on a new computer named ServerB. He installs the DNS server service and the DHCP server service on ServerB. Peter configures the DHCP server to issue dynamic IP addresses to client computers. He also configured the DHCP server to configure client computers to use ServerB for DNS name resolution. You reconfigure all client computers to use DHCP to obtain IP addressing information, and you uninstall the DNS server service from ServerA. All users now report that they cannot access any network resources by name. You need to ensure that users can access network resources by name. What should you do?
A. Configure the DNS server on ServerB to include a static A (host) record that contains the name and IP address of ServerA.
B. Run the ipconfig /registerdns command on each client computer.
C. Delete the Hosts file on each client computer.
D. Reconfigure each client computer to remove ServerA’s IP address from the list of DNS servers and to obtain a list of DNS servers automatically.
Answer: D
Explanation: On the clients we have changed the TCP/IP configuration so that the IP address and network mask are to be received dynamically instead of a static configuration as earlier. We must also change TCP/IP configuration on the clients to Obtain DNS server address automatically. The clients are still configured to use the old DNS server at ServerA.
Incorrect answers:
A: There would be no point in adding a host record for ServerA at the DNS server ServerB. The DNS service has been uninstalled on ServerA.
B: The clients are still set to use the now nonexistent DNS server, ServerA. The clients would try to register at ServerA when they run the ipconfig /registerdns command.
C: Deleting the hosts file, which doesn’t seem to be used, would not change the basic problem: the clients must be configured to use ServerB as DNS server.

59. You are a network administrator for your company.
The network is configured as shown in the Network exhibit. You view the system log of FP01 and notice a large number of identical warning messages that state the following: “The redirector was unable to initialize security context or query context attributes.” The IP properties for FP01 are shown in the IP Properties exhibit.
Exhibit
Exhibit
You need to prevent these warning messages from occurring. What should you do?
A. Configure the default gateway for FP01 to 192.168.1.254
B. Configure the default gateway for FP01 to 192.168.2.1
C. Configure the primary DNS server for FP01 to 192.168.1.15
D. Configure the primary DNS server for FP01 to 192.168.3.15
Answer: A
Explanation: The error message indicates a security problem. FP01 cannot connect to a Domain Controller. FP01 is not able to communicate with the domain controller (or the remote DNS server), which is located in the remote network in London. In order for computers to access resources outside their local segment the Default Gateway setting must be configured. The Default Gateway IP address should be set to the IP address of the local interface of the Router; in this scenario it should be set to 192.168.1.254 on FP01.
Incorrect answers:
B: The IP address 192.168.2.1 corresponds to the external interface on the Rout