Windows 2000 Implementation & Administration
Directory Services


1. Your IT Department decided it would no longer buy the licenses for XYZ software, nor support it. You are responsible for removing the package from client computers. You remove the Group Policy Object (GPO), which was used to deploy only the XYZ software from the domain level of Active Directory. Several days later, none of the clients have done the uninstall. What did you forget to do?

A. Run secedit /refreshpolicy user_policy /enforce and secedit /refreshpolicy machine_policy /enforce after you removed the GPO from the domain.
B. Before you removed the GPO, you forgot to set the Deployment option in Properties of the Software Installation node to Uninstall this application when this GPO no longer applies to users or computers.
C. Turn off the Deployment option in Properties of the Software Installation node to Auto-Install this application by file extension activation.
D. Use the software modification file (.mst) to remove the software from client computers.

Answer: B

You can set the software deployment options at any time after the software is deployed. In this case, you are ready to remove the software, so the option can be set as part of the uninstall process. Note that while deployment options can be set at any time, modifications using .mst files must be applied at the time of assignment or publication. Failure to deploy modifications correctly can mean having to remove and reinstall the software. Auto-Install this application by file extension activation controls document activation, but turning it off will not remove the software from a client. Software modification files (.mst) do not offer an uninstall option. The secedit /refreshpolicy command only refreshes security policy.


2. You have analyzed, checked, modified, and imported a custom security template to an existing Group Policy Object (GPO). You look on the local policies and notice that Effective policy is blank. Local policy shows the changes you made. What should you do?

A. Run secedit /refreshpolicy machine_policy.
B. Import the new template to a new database in Security Configuration and Analysis. Make corrections. Export to get new template. Apply the exported template to the GPO.
C. Import the basic template for a domain controller (DC) first. Then, import the new template you created. Apply it to the GPO.
D. Put the settings all in the domain level GPO. When effective settings don't appear it means you should apply the policy at a higher level.

Answer: A

It sometimes takes a while for policy changes in the directory to show up on the computer. You can run secedit to move things along. You can also recheck policies from the domain; you may have one overriding your local policy. Remember, policy is applied first to local, then site, then domain, then organizational unit: LSDOU. Importing the new template to a new database will not correct the blank effective policy. It will allow you to create a fresh start and analyze it against your existing security policy on the computer. The basic templates are for bringing a computer up to the level of a clean-install operating system. Upgraded computers don't get the full security settings of a clean install. Once basic is on the computer, you can add the modifications your network requires. This answer does not correct the blank effective settings. Putting the settings all in the domain level GPO is totally incorrect. Ignore this solution. Effective settings will appear when you no longer have conflicts with the policy above or when policy refresh is completed.


3. Your boss brought in a large consulting company to evaluate your network for compliance with their published standards. You try to tell your boss to quit believing everything he reads in the trade rags, but it's to no avail. They come in, commandeer a couple of days of your life, charge ten times your annual salary, and produce a thirty-page report that your boss is just giddy over. One of their recommendations pertains to the connections between your sites. You currently have two site links connecting your company's three sites. The report recommended adding a new domain controller at each site that would be used for replication between the sites. The same boss who wouldn't approve a couple of hundred bucks for a RAM upgrade insists that you do this, now. How do you implement it?

A. Install the new domain controllers. Set each one up to be the preferred IP bridgehead server in its site.
B. Install the new domain controllers. Set each one up to be the preferred IP Master Replication server in its site.
C. Configure the connection object in each site to use the new Domain Controller as the Master Replication server for the site.
D. Configure the subnet object in each site to use the new Domain Controller as the Master Replication server for the site.

Answer: A

A site link is a logical link between two or more different Active Directory sites. By establishing a bridgehead server, you are telling Active Directory which domain controllers are to be used as the contact points at each site. Active Directory then uses only those servers to distribute its information. The bridgehead server is responsible for taking the information it receives from other sites and distributing it to the other domain controllers within its site. Windows 2000 Help: search for the article entitled "Using preferred bridgehead servers".


4. You want to set the password policy for your corporation using a Group Policy Object (GPO). How should you do this?

A. Set password policy in the Local Policies area of the Computer Configuration node at each organizational unit (OU) that contains user accounts.
B. Set password policy in the Security Settings, Local Policies area, of the User Configuration node at the domain level.
C. Set password policy in the security template you create for your database and in Security Configuration and Analysis in MMC, choose Analyze Computer Now.
D. Set password policy in the Account Policy area of the Computer Configuration node at domain level.

Answer: D

You will set password policy at the domain level. Password policies are part of the Computer Configuration. Domain Controllers ignore password policies defined at the OU level. Local Policy is where Group Policy is set for Auditing, User Rights, and an assortment of Security Options such as CD-ROM access, and logon prompts. These settings are based on the computer you or an application is using. The User Configuration node does not have a place to set password policy. If you choose to apply security templates with Group Policy settings using Security Configuration and Analysis in MMC, you will choose Configure Computer Now. The Analyze Computer Now option will produce a log showing the difference between your current system settings and the template you have in the database, but it will not configure your system with security settings.


5. You want the users to find published folders in the directory the simplest way. What should you do?

A. Show them how to type a Universal Naming Convention (UNC) path in the Run dialog box.
B. Use the net use \\server\share command in a logon script file for them.
C. Show them how to use the Start, Search, Files, and Folders.
D. Create a shortcut to the Directory on their desktop.

Answer: D

To create the shortcut, use this path: My Network Places/Entire Network/Entire Contents/Directory/. Users will right-click and select Find. The search feature on the Start menu does not display the shared folder objects. The net use \\server\share command is possible, but not very flexible, and it requires administrative support. You can always access shares from a UNC typed in the Run dialog box. This is not the easy way for users, however.


6. You want to delegate administrative control of all aspects of a site linked Group Policy Object (GPO) to a junior administrator. How do you create the GPO and the management tool for the delegated junior administrator?

A. Import your configured security template into your Security Configuration and Analysis database. Right-click Security Configuration and Analysis from the console tree and choose Configure Computer Now. Give the junior administrator permission to Apply Group Policy to the GPO.
B. Create an unlinked GPO using the Group Policy snap-in. Link it to the site you want managed by the junior administrator. Use the built-in Active Directory Sites and Services console and give the Apply Group Policy permission to the junior administrator.
C. Right-click on the site name in Active Directory Sites and Services. From the Group Policy tab of the Properties sheet, create a new group policy. Create a stand-alone console for this new Group Policy and delegate Read and Write permissions for the junior administrator.
D. Expand the Active Directory Sites and Services node and highlight the Site you want to delegate. In the details pane, choose the NTDS Settings and delegate Read and Write permissions to the junior administrator on the Security tab. Create the new GPO as an unlinked object. Link it to the target site.

Answer: C

You must give the delegated administrator Read and Write permissions to the GPO. A new policy is created by right-clicking on the selected site in the console tree, selecting the Group Policy tab and choosing to create a new GPO. The Security Configuration and Analysis tool is not used for creating GPOs and you must give the Read and Write permissions, not Apply Group Policy. The recommended way to create a new GPO is from the Active Directory object itself, rather than creating unlinked GPO objects. Unlinked GPOs are created by right-clicking in the details pane of the All tab when browsing for Group Policy objects. You do not delegate using the NTDS Settings.


7. Despite your continual begging, management has ignored your experience yet again and brought in a bunch of high priced consultants. One of their more bizarre recommendations was to create different classes of users in the Active Directory schema for each department in the company. Needless to say, this is the only suggestion that your boss decides to implement for his $150,000 investment in the report. You create the necessary classes as the report details. How will you convert the current user accounts so that each person's account is from the correct class?

A. You will use classmgt.exe from the command line.
B. You will use cmigrate.exe from the command line.
C. You will use Active Directory Users and Computers by right-clicking on each user, selecting migrate, and choosing the correct class.
D. You will delete the user accounts and recreate them using the correct class.

Answer: D

Every object that is stored in the Active Directory database is an instance of an object class. Object classes are collections of attributes. Attributes are items in the schema such as a Note field or the First Name field. An attribute can be used in more than one object class. A subclass can be created from an object class. Subclasses inherit their attributes from their parent object class and can have additional attributes added to them. For instance, a class could be created for the consultants within a company that contained an additional entry field in the user account for a regional ID. The consultants class would be a subset of the user class and would contain all of the fields normally found in the user class, plus the additional regional ID. There is no way to migrate an existing account from one class to another. If a user needs to have an account from a different class than the one they currently have, their account must be recreated using the other object class. Windows 2000 Help: search for the article entitled "Class definitions".


8. You have slow WAN links in your network topology, and you want to implement Active Directory replication with schedules and data compression. Which one of these options for replication transport is not available for managing replication in your corporation?

A. SMTP, inter-site, one domain
B. SMTP, inter-site, two separate domains
C. RPC, inter-site, one domain
D. RPC, inter-site, two separate domains

Answer: A

It is not possible to use the SMTP transport if the domain controllers (DCs) are in the same domain but in separate sites. When DCs belong to the same domain, all the objects are replicated. Since Group Policy, for example, requires the File Replication Service (FRS), which does not support SMTP, you cannot do inter-site replication over SMTP within the same domain. If the two sites contain two different domains, SMTP is possible, since a full domain naming context replication is not required between separate domains. RPC transport is not restricted by the site-domain relationship, since the File Replication Service (FRS) supports RPC.


9. It's not so much that you hate the redundancy of spending hour after hour installing one identical system after another. It's more that you feel the call of doing a good deed, like helping Microsoft test out one of its latest technologies. With that in mind, you decide to use Remote Installation Services (RIS) to deploy Windows 2000 Professional to all of your client systems. You have installed and configured the server properly. Your network cards are older and are not PXE compliant. When you boot up, you cannot seem to get the system to give you the Client Installation wizard. What can you do to resolve this issue?

A. Run Rbfg.exe from the command prompt to create a RIS boot disk.
B. Run RISBoot from the command prompt to create the RIS boot disk.
C. Prestage the computers in the RIS console, then boot the client computers.
D. Prestage each system in Active Directory, then boot the client computers.

Answer: A

Remote Installation Services (RIS) is used to set up new client computers remotely. When using RIS there is no need to physically visit each computer. You can install operating systems simply by connecting the computer to a network, starting the client computer, and logging on with a valid user account. In order to work properly, the computer must meet the Net PC or PXE standards. These standards allow a computer to boot up on the network, often from a special ROM chip on the NIC, obtain addressing information, and then contact a RIS server to begin the operating system installation. For computers that do not support the Net PC or PXE standards, a remote boot disk can be used to connect to a RIS server. The boot disk is used to simulate a PXE environment on the computer. Rbfg.exe is used to create this boot disk. Windows 2000 Help: search for the article entitled "Remote Installation Services boot disk".


10. You are going to deploy a new software package using Group Policy and Windows Installer. There are several modifications to make to the software with .mst files. You already have a software distribution point (SDP) prepared. How are these .mst files integrated with your software package file?

A. The Windows Installer service looks for the .mst files in the SDP. They should be installed according to the software vendor's folder requirements.
B. The Windows Installer package contains the .mst files along with product files and a reference to an installation point. File dates of the .mst files dictate the order in which they are installed.
C. In the Properties of the Windows Installer package in the Group Policy Object (GPO), use the Modifications tab to add .mst files.
D. The .mst files are deployed based on the setup interface displayed to the user. The maximum interface must be used if there are .mst files.

Answer: C

You can add multiple .mst files on the Modifications tab. The order of the list indicates the order they are applied at the software installation. Modifications are made at deployment time, not when the client activates the published or assigned software. If you get the order of the .mst files wrong, you may have to uninstall the package. The .mst files are not installed by the Windows Installer based on the software vendor's folder requirements. The Windows Installer package does not contain the .mst files. The Windows Installer package does offer a choice of default and a maximum interface displayed to the user upon software installation. The administrator makes the choice in Group Policy by accessing the property sheet of the software's deployed package. This is only a display; the order is determined by the list on the Modifications tab.


11. You are having a problem with the intersite replication between domain controllers (DC) B1 of SiteB and A1 of SiteA. Both sites are part of the same domain. You want to make new connection objects going both directions between these two DCs. Where will these new connection objects get their schedule by default?

A. From changes to Active Directory objects, not a schedule
B. From the site link object(s)
C. From the NTDS Site Settings object
D. From the default ADSI script

Answer: B

The schedule for connection objects is dependent upon the schedule of the site link object(s). The site link schedule determines how often the link is active. The NTDS Site Settings object is the source of the default schedule for intra-site replication. It is possible for administrators to use a script to manage connection object schedules to the granularity of 15 minutes. And they can turn it off from day-to-day. There is no default ADSI script. Scripting is an option for administrators who want more refinement than the schedule offers. Changes to Active Directory objects initiate replication between domain controllers using notify and pull for intra-site topology. For inter-site topology, changes occur with schedule and pull.


12. As usual you have been excluded from important decisions that relate directly to your job. This morning you were introduced to your new junior administrator. He tries to impress you by telling you that he has worked with Microsoft NetWare for the last several years and even had some experience with Citrus and Termination Server. You decide to start him out as the administrator of a very small, very insignificant organizational unit (OU) and in an office on the other side of the building. How will you configure Active Directory to give him administrative control of the OU?

A. Add him to the administrators group in the OU.
B. Assign him the Read, Write, and Create Child Object permissions to the OU.
C. Use the Delegation of Control Wizard to grant him Full Control permission to the domain.
D. Assign him the Full Control permission to the OU.

Answer: D

Objects in Active Directory have permissions assigned to them. You can allow a user to have administrative control over an object by granting them the Full Control permission. Windows 2000 Help: search for the articles entitled "Delegating administrative control" and "Delegating administration".


13. You are the master of your domain. Ah, the sweet scent of power. Through some brilliant corporate infighting you've just taken over the IT support for yet another division of the company. Like most divisions, it has its own subdomain (victems.thebestests.com) within the business. You want to get rid of this subdomain and integrate it into your domain to complete your conquest, er, I mean consolidation. The subdomain has 123 users and you want to move them to your domain (thebestests.com) all at the same time. How can you accomplish this?

A. In Active Directory Users and Computers, right-click on the organizational unit (OU) that contains the accounts and select Move. Move the OU to the appropriate location in your domain.
B. Go to the command prompt and type: Movetree /start /s dc.victems.thebestests.com /d dc.thebestests.com /sdn cn=users,dc=victems,dc=thebestests,dc=com /ddn cn=users,dc=thebestests,dc=com.
C. In Active Directory Users and Computers, highlight all of the user accounts at one time. From the action menu select Move. Move each account to the appropriate location in your domain.
D. In Active Directory Users and Computers, right-click each of the user accounts and select Move. Move each account to the appropriate location in your domain.

Answer: B

The MOVETREE.EXE command is used to move objects, such as user accounts, between domains. You cannot use Active Directory Users and Computers or any other Microsoft-provided snap-in to move or copy objects between domains. Windows 2000 Help: search for the article entitled "Active Directory support tools".


14. You are going to use a server for applications in the Chicago site. You have to move the server from its current location in the Urbana site. The sites are well connected in this single domain. What should you do?

A. Delete the server object in the Urbana site in Active Directory Sites and Services. Recreate it in the Chicago site.
B. Use DCMover in The Phoenix Resource Kit, after you make a full backup of the applications server.
C. Right-click the server object in Active Directory Sites and Services. On the Properties sheet change the site attribute to the Chicago site name.
D. Move the server object to the Chicago site using Active Directory Sites and Services.

Answer: D

Between sites, you can easily move a server object just by right-clicking on the server object in AD Sites and Services. If you physically move the server to a new site, you must also move its object. Only delete a server object if you do not plan on using the server again. A server object should be moved if the server is moved physically. The Phoenix Resource Kit is part of FastLane Technologies' Domain Reconfiguration Tool. It is used for moving domain controllers to another domain. You cannot move server objects in Active Directory by changing their attributes.


15. You create a CD-based image using Remote Installation Services (RIS). All client computers have network adapter cards that meet the Preboot Execution Environment (PXE) specification. The RIS server is configured to generate a computer name that is the same as the user logon name of the user who performs the remote installation. Most users will initiate the RIS Setup for their own computers. However, a technician will be doing the installation for all ten of the users in the sales department. Those users are defined in the Sales organizational unit (OU). You grant the technician the right to create computer accounts in the Sales OU. What other steps should you take to enable the technician to use RIS and designate the correct name for each user's computer?

A. Create a new Group Policy Object (GPO) and link it to the Sales OU. Edit the GPO and configure the Choice Options of Remote Installation Services to allow a Custom Setup. Associate an answer file with the image. Ensure that the technician has Read and Execute permissions for the answer file that you have associated with the image. Instruct the technician to select Custom Setup from the Installation menu.
B. Create a new Group Policy Object (GPO) and link it to the Sales OU. Edit the GPO and configure the Choice Options of RIS to deny an Automatic Setup. Ensure that the technician has only Read permission for the answer file that you have associated with the image.
C. Use Setup Manager to create a new answer file that prompts for a computer name. Ensure that the technician has only Read permission for the answer file. Instruct the technician to select Automatic Setup from the RIS main menu and the correct answer file on the Choices page.
D. Create a custom RIS startup disk. Instruct the technician to initiate Setup by using the new startup disk and pressing F12.

Answer: A

You should create a new GPO, link it to the Sales OU, and then edit the GPO to allow a Custom Setup. You should then associate an answer file with the image and ensure that the technician has both Read and Execute permissions for the answer file. You should instruct the technician to select Custom Setup from the Installation menu, which will allow the technician to define a computer name during installation. Using a custom RIS startup disk will not allow the technician to define a computer name during installation. The technician needs both Read and Execute permissions for the answer file.


16. You create a comma-separated values (CSV) file for importing multiple user accounts. You test it in a lab. The import failed. Look at the file sample of the first user's account:

    dn, cn, firstName, surname, description, objectClass, sAMAccountname
    "cn=Jill Jones,dc=DomainA,dc=contoso,dc=msft",Jill Jones,Jill,Jones,Administrator,user,jjones

What do you need to do?

A. Add the organizational unit to the distinguished name field.
B. Put the description field in order.
C. Put the distinguished name last.
D. Put the objectClass first.

Answer: A

The attribute line determines the order of attribute values in each user account line. You have the order correct on Jill Jones' user account line, based on the order of the attribute line. For some reason, you failed to include the cn=Users value in the distinguished name value on each user account line. This value names the destination container of the user accounts. The correct DN looks like this: "cn=Jill Jones,cn=Users,dc=DomainA,dc=contoso,dc=msft". You must also list each account's values in the order specified in the attribute line. The description, distinguished name, and objectClass are all in the correct order; therefore these answers are incorrect.


17. You create a Group Policy Object (GPO) to audit all failed logon attempts. To which default organizational unit (OU) or container can you apply the GPO?

A. Domain Controllers (DCs)
B. Builtin
C. Computers
D. Users

Answer: A

You can only link a GPO to an OU, not to a container. The only OU in the list is Domain Controllers. Builtin, Computers, and Users are built-in containers.


18. You are working with a small domain. You have the relative identifier (RID) master, the primary domain controller (PDC) emulator, and the infrastructure master on a domain controller (DC) named DC1. The global catalog (GC) is on DC2. All other DCs are in this same site. DC1 fails on a Friday afternoon. Your supplier promises to have a replacement to you by Tuesday mid-morning. This is a 24-hour, 7-day, highly secure operation. What should you do?

A. Seize the infrastructure master role to a non-global catalog DC.
B. Seize the PDC emulator role, the RID master role, and the infrastructure master role.
C. Seize the PDC emulator role.
D. Seize the RID master role.

Answer: C

The PDC emulator is the only operations master that can be brought back online after a seizure. Since it is the most critical of the role holders to keep up and running, you can seize the role and still bring the failed DC back online later. The other two role holders can remain offline for two days without serious network implications. When you return the DC to operation, it can have all three operations master roles reinstated. Seizing the role means the target DC must do the directory replica construction itself, rather than receiving a copy of the naming context from the previous role holder during a transfer of role. The infrastructure master and the global catalog should not be on the same DC unless all DCs in the domain are global catalogs, which is not the usual case.


19. You create a Group Policy Object (GPO) to manage software distribution for an organizational unit (OU). You create two new software categories on the Categories tab of the Properties dialog box of Software Installation. For what GPO or GPOs are those categories valid?

A. For all GPOs in the domain in which the GPO is defined.
B. Only for the GPO you created.
C. For all GPOs in your forest.
D. For all GPOs linked to the OU.

Answer: A

When you define software categories, the categories can be used in any GPO created in the same domain. The categories are not available in other domains. You use software categories to organize the way in which available programs are displayed in Add/Remove Programs.


20. You belong to the Enterprise Admins and Schema Admins groups in your company's Windows 2000 forest. You need to configure the Department attribute of user objects to be replicated to the global catalog (GC). What will be replicated to GC servers initially when you enable replication of this attribute?

A. Just the Department attribute of user objects
B. Only objects for which a value is defined in the Department field
C. Only user objects
D. All objects in the global catalog

Answer: D

When you enable replication of an additional attribute to the global catalog, all objects in the global catalog must be replicated again to each global catalog server. Enabling replication of the attribute forces a full synchronization.


21. You edit the Default Domain Policy to redirect each user's Application Data folder and My Documents folder to a shared folder on a member server. You accept the default options on the Setting tab of each folder's properties in the Default Domain Policy. When will the contents of these folders be moved to the new locations?

A. The next time each user logs on.
B. The next time the Group Policy Object (GPO) settings are refreshed on a user's computer.
C. The next time each user logs off.
D. The current contents will not be moved.

Answer: A

Folder redirection policies are only applied when a user logs on, so the contents of the folder will not be moved until the next time the user logs on. Folder redirection policies allow you to define a different storage location for folders that are usually stored in a user's profile. Folders that can be managed using Folder Redirection include Application Data, My Documents, My Pictures, the Start menu, and the Desktop.


22. You create three new sites in your Active Directory forest. You assign subnets to the sites as follows:

    Default-First-Site-Name: 172.17.8.0/22, 172.17.16.0/22
    Southeastsite: 172.17.24.0/22, 172.17.32.0/22
    Southsite: 172.17.40.0/22
    Westsite: 172.17.52.0/22, 172.17.60.0/22, 172.17.68.0/22

Next, you install a domain controller (DC) that is assigned the Internet Protocol (IP) address 172.17.29.54 and the subnet mask 255.255.252.0. In which site will the server object for this domain controller be created?

A. Southeastsite
B. Southsite
C. Default-First-Site-Name
D. Westsite

Answer: C

Each domain controller is represented by a server object in Active Directory. The server object is a child of a site object. If the subnet on which a domain controller resides is assigned to a site, the server object will be created in that site when a computer is promoted to a domain controller. If the subnet is not assigned to a site, the server object will be assigned to the site created by default, Default-First-Site-Name. Since the subnet of the domain controller has not been assigned to any site, the server object for the domain controller will be assigned to the site Default-First-Site-Name. (This site can be renamed.) In this configuration, 22 bits are reserved for the subnet identifier (ID). The six bits in the third octet allow you to have subnet IDs of 172.17.4.0, 172.17.8.0, etc. (with the third octet being a multiple of 4). The address assigned to the domain controller is in the subnet 172.17.28.0, which has not been assigned to a site.
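The subnet-to-site matching described above, worked as an added example in Python (not part of the original study guide). The site table is constructed from question 22; the lookup uses the most specific matching subnet object and falls back to Default-First-Site-Name, as the explanation describes.

```python
import ipaddress

# Site-to-subnet assignments, constructed from question 22.
SITE_SUBNETS = {
    "Default-First-Site-Name": ["172.17.8.0/22", "172.17.16.0/22"],
    "Southeastsite": ["172.17.24.0/22", "172.17.32.0/22"],
    "Southsite": ["172.17.40.0/22"],
    "Westsite": ["172.17.52.0/22", "172.17.60.0/22", "172.17.68.0/22"],
}

# Site that receives server objects whose address matches no subnet object.
DEFAULT_SITE = "Default-First-Site-Name"


def subnet_for(ip, mask):
    """Return the subnet ID an address belongs to, e.g. '172.17.28.0/22'.

    The mask may be dotted (255.255.252.0) or a prefix length (22).
    With a /22 mask only the top six bits of the third octet are network
    bits, so the third octet of the subnet ID is always a multiple of 4.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return str(iface.network)


def site_for(ip, site_subnets=SITE_SUBNETS, default_site=DEFAULT_SITE):
    """Return (site, matching subnet) for a DC address.

    Only the address matters for site placement: it is compared against
    the subnet objects defined in Sites and Services, and when several
    overlap the most specific (longest prefix) one wins. A DC whose
    address matches no subnet object lands in the default site.
    """
    addr = ipaddress.IPv4Address(ip)
    best = None  # (prefix length, site, subnet)
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.IPv4Network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, site, cidr)
    if best is None:
        return default_site, None
    return best[1], best[2]


def unassigned_subnets(site_subnets=SITE_SUBNETS, prefixlen=22):
    """List the /22 gaps between the lowest and highest assigned subnets.

    Useful as a sanity check before promoting a DC: any address in one of
    these ranges will silently end up in the default site.
    """
    assigned = sorted(
        ipaddress.IPv4Network(c) for subs in site_subnets.values() for c in subs
    )
    gaps = []
    net = assigned[0]
    while net < assigned[-1]:
        if net not in assigned:
            gaps.append(str(net))
        # Step to the next adjacent /22 block.
        net = ipaddress.IPv4Network((int(net.network_address) + net.num_addresses, prefixlen))
    return gaps


if __name__ == "__main__":
    dc_ip, dc_mask = "172.17.29.54", "255.255.252.0"
    print("DC subnet:", subnet_for(dc_ip, dc_mask))
    print("DC site:", site_for(dc_ip))
    print("Unassigned /22 blocks:", unassigned_subnets())
```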


23. You create a new Group Policy Object (GPO) for an organizational unit (OU) that you manage. By default, on which computer is Group Policy focused when you create the GPO?

A. The global catalog server
B. The infrastructure master
C. The nearest domain controller in the domain in which your computer object exists
D. The primary domain controller (PDC) emulator
E. The nearest domain controller in the OU

Answer: D

By default, the Group Policy console focuses on the copy of the GPO stored on the PDC emulator. This helps to ensure that changes to GPO are made in the same location and then replicated to all domain controllers. If the PDC emulator is not available, Group Policy does allow you to focus on a different domain controller.


24. You decide to delegate full administrative control of the Sales organizational unit (OU) to a user named Julia. When you use the Delegation of Control wizard, to what will delegation be applied by default?

A. Only to existing objects in the Sales OU
B. Only to new objects that Julia creates in the Sales OU
C. Only to new objects that Julia creates in the Sales OU and any child OUs of Sales
D. To existing objects and new objects that Julia creates in the OU and any child OUs

>> !
Answer: D

By default, delegation will be applied to existing objects in the OU and any child OUs and to new objects that she creates in the OU and any child OUs. You can choose to limit the scope of delegation by selecting any one of a number of different subsets of the default.


25. You are recovering from a failure of the primary hard disk on one of the domain controllers (DCs) in your domain. In what order should you perform the recovery tasks to return the system to its role as a DC?

A. Partition the new disk for installation only. Install Windows 2000 Advanced Server. Restore volumes.
B. Partition disk and format. Restore volumes. Restore distributed services.
C. On the new disk, recreate the partitions as they were before. Install Windows 2000 Advanced Server. Restore data files; restore distributed services, including Active Directory.
D. Partition the new disk for installation only. Install Windows 2000 Advanced Server. Partition remainder of disk. Restore volumes.

>> !
Answer: C

A failed hard disk means the Active Directory is healthy and intact on the other domain controllers. The replication from them will restore this recovered DC to the current state of the domain. It is very important that the disk be partitioned exactly as before. Next, you will install Windows 2000 Advanced Server. Using the Backup tool, you should recover from backup media the data files you had on the primary disk. Finally, restore from backup media the distributed services. Using the Backup tool to restore distributed services is a nonauthoritative restoration. Distributed services include Active Directory, File Replication Service, Certificate Services, Distributed File System (Dfs), and system registry. They must be restored from the same backup media because they depend upon each other and you cannot allow any discrepancies in their relationship to each other. File servers, which are not replicated throughout the forest, do not have these distributed services dependencies.
If you are only restoring, for example, the system volume, it is recommended that you back up and restore the whole volume rather than selected files. It goes faster and avoids the chance that some files will be missed in the recovery. Restoring a volume is not an option when you must replace the primary hard disk of a DC, however. All wrong answers either have steps that are out of order or use incorrect restore options such as restoring volumes (see the description of restoring volumes in the previous paragraph). "Steps out of order" means they are not in the required order listed in the correct answer.


26. You delegated a new namespace in your directory-integrated DNS topology. You did this because the very large zone was causing performance problems with the dynamic DNS (DDNS) server. Specifically, the host server of the large zone did not have the memory to support the growing zone. Now, clients are reporting a need to manually register for IP addresses. Their Windows 2000 Professional System logs show DnsApi source errors. Which one of the following causes should you attempt to resolve?

A. The interfaces specified for the added DDNS do not allow these clients access.
B. The DNS server holding the new zone is not configured to accept dynamic updates.
C. The zone is not transferring.
D. The added domain controller running DDNS has a network connection problem.

>> !
Answer: B

Even if the DNS server is on a domain controller and supports dynamic updates, it must be configured to accept them. If the clients are getting DnsApi source errors, you need to check the new zone's configuration. If you suspect the zone is not transferring, you can monitor IXFR counters. Monitoring the incremental counters will take a while. You can also check Zone transfer counters. If you monitor either of these counters, you will be ignoring the DnsApi errors on the client that will lead you straight to the problem. If the added domain controller (DC) running DDNS has a network connection problem, you could use PING to confirm your suspicions. You will confirm connectivity for the new DC before you leave the data center to visit the client. But once you see the DnsApi source errors at the client's location, then you should attempt to resolve the zone configuration problem. If you specified interfaces for the added DDNS, perhaps you shut out some of your clients. This is highly unlikely, however, since multihomed adapters in a DDNS server are usually specified for down-level clients, not Windows 2000 clients. Or, interfaces may be specified when many IP addresses are used by the server and you don't want to bind to all of them. Since this configuration is planned and executed when it is needed, and since it wasn't mentioned in the scenario, it would be a very long shot to start your troubleshooting from this point.


27. You create a Group Policy Object (GPO) to configure these settings: A minimum password length of six characters. An account lockout threshold of three. To what object should you link this GPO to ensure that these settings are processed by Windows 2000?

A. Domain
B. Site
C. Organizational unit (OU)
D. Users

>> !
Answer: A

Password and account policies are only applied to a domain, so you should link the GPO to a domain. You can configure these settings in a GPO linked to a site or OU, but the settings will only be applied to user objects in the local Security Accounts Manager (SAM) database of computers that belong to the site or OU, not to domain level user account objects. You cannot link a GPO to a built-in container such as Users.


28. You have a DHCP server in your Active Directory network that you want to dynamically update the dynamic Domain Name Service (DDNS). What configuration steps should you take to coordinate the DHCP server and DDNS?

A. Configure the DHCP server to point to the DDNS server. On the DDNS server, configure both the forward and reverse zones to allow dynamic updates.
B. On the DDNS server, configure both the forward and reverse zones to allow dynamic updates.
C. Use nslookup to modify the service (SRV) resource records to find the DDNS server.
D. On the DDNS server, configure both the forward and reverse zones to allow only secure dynamic updates. This allows DHCP to locate the DDNS service in an Active Directory network.

>> !
Answer: A

You can allow or not allow dynamic updates and you can also specify only secure updates on Active Directory integrated zones. Both the DHCP and DDNS must be configured for dynamic updates. You must configure the DHCP server to point to the DDNS server(s), as well as configure the zones on DDNS. You can configure the server options of the DHCP server using its console. Indicate that you want to list DNS servers, and then enter their names and addresses. The SRV resource records are not the correct place to point to the DDNS server. They are on the DDNS server. NSlookup is a diagnostic command-line tool for DNS. You cannot configure DDNS to allow DHCP to find it in the Active Directory network.


29. You have a group of laptop users who dial-in to the RAS server. Their slower connections are causing problems with the synchronous logon/logoff and startup/shutdown scripts. How can you solve this problem?

A. Initiate a Group Policy for them that allows more than the default ten minutes to process. Apply the Group Policy to the organizational unit (OU) that contains their user accounts.
B. Add the laptop users accounts to the WANUsers security group that already exists in an organizational unit (OU) created for a branch office on a slow link.
C. Open the User and Computer Configuration nodes of Group Policy. For the properties of each area (shutdown, startup, logon, and logoff), adjust the position of the scripts to optimize their execution.
D. Modify the non-Group Policy logon scripts as Group Policy scripts for the user accounts.

>> !
Answer: A

You can change the script processing time if you have lengthy scripts or slow connections that cause timeouts. You cannot apply Group Policy to security groups, such as WANUsers, even if the security groups are contained in an organizational unit. You can adjust the sequencing of multiple scripts to change their execution order, but this does not help with scripts that time out. If your users have non-Group Policy logon scripts for user accounts, those run after Group Policy logon scripts, so converting them saves no time.


30. You are ready to upgrade the published corporate shipping software for all users. However, the Accounting Department will need to keep the old application until the income taxes are finished at year end. The Accounting Department user and computer accounts are in the Accounting organizational unit (OU). How will you control the upgrade in your corporation once you have deployed the software upgrade?

A. Remove the Read and Execute permission from the Accounting users and groups in the Group Policy Object (GPO) linked to the Accounting OU.
B. Use the Uninstall this application when this GPO no longer applies to users or computers setting under the Deployment option in the GPO for the Accounting OU. Leave the default in the other GPOs linked to user and computer OUs.
C. Use the Mandatory Upgrade type when you configure the Group Policy Object (GPO) for all user and computer OUs except the Accounting OU. Associate the software upgrade with the existing software in the Software Installation node of the GPO.
D. Remove the Auto-Install this application by file extension activation setting under the Deployment option in the Group Policy Object (GPO) for the Accounting OU. Leave the default in the other GPOs linked to user and computer OUs.

>> !
Answer: C

You want a mandatory upgrade because this is core business software. You will hold off on the Accounting Department by leaving their GPO that controls software applications as it stands until after year end. If you publish software, you have the option to disable the document activation feature with the Auto-Install this application by file extension activation setting. This is not a way to control upgrades, however. The Uninstall this application when this GPO no longer applies to users or computers setting under the Deployment option is applied so that when users and computers move to another OU, the software will be automatically removed from their system. If you remove the Read and Execute permission it will affect other settings of the GPO as well.


31. You are planning the file system configuration for a server. The server will be a Windows 2000 domain controller and a Remote Installation Services (RIS) server. It will also maintain the master copies of offline folders for users. Encrypting File System (EFS) will be used to protect confidential files. What must you store on NTFS partitions or volumes on this server? (Choose all that apply)

A. EFS folders
B. The Windows 2000 System folder (Systemroot)
C. Offline folder master copies
D. The Active Directory database
E. The RIS images
F. The shared system volume (sysvol)

>> !
Answer: A, E & F

You must store EFS folders, RIS images, and sysvol on a partition or volume that is formatted with NTFS. The Active Directory database, master copies of offline folders, and the Windows 2000 system folder can be stored on partitions or volumes formatted with FAT, FAT32, or NTFS.


32. You have assigned a new software package. You edited an existing Group Policy Object (GPO) to deploy this application. A user reports that he cannot see the program in Add/Remove Programs. You visit the computer and log on as the user. You cannot see it either. What is the first troubleshooting action you should take?

A. Restart the computer.
B. Add the user to the organizational unit (OU) where the GPO was applied.
C. Remove the user from the security group that has Deny Apply Group Policy permission set on the GPO deploying the software application.
D. Give the user Read permission to the software distribution point (SDP) (a share folder on the server).

>> !
Answer: A

The new application was assigned to the computer rather than the user. Group Policy will be applied when the computer is restarted. The user account or the computer account must belong to an organizational unit (OU) where the policy is applied or inherited from a parent. Since this policy applies to the computer, not the user, the computer account must be in the OU. A Deny set on the user's Access Control Entry (ACE) for the GPO will definitely keep him from getting the software, if it was assigned to users. Checking permissions is not the first troubleshooting action, however. If the software was assigned to a user, the user should log on to see the software in Add/Remove Programs. Since you already logged on as the user, you now try restarting the computer to see if the policy is applied. A user must have both Read and Execute permissions to the software distribution point. Incidentally, you cannot use the secedit /RefreshPolicy command; it is ignored by Software Installation. The Group Policy refresh period is also ignored by Software Installation.


33. You have a training team in your company that will spend the next year traveling around the United States to other company locations. The team's accounts are part of the namespace company.com, which is headquarters. All company DNS zones are Active Directory-integrated. As the trainers move from one location to another with their laptops, they will be in a company namespace other than company.com. How can you improve network service to them at each new location?

A. Create a secondary copy of their own zone on a portable DNS server.
B. Give them a Global Catalog on a portable DNS server.
C. Give them a portable domain controller.
D. Create folder redirection for them.

>> !
Answer: A

A secondary copy of an Active Directory-integrated zone is possible and prevents the network traffic that a domain controller or global catalog would create. Note the terminology: this is not a secondary server; there are no secondary servers in a multimaster replication topology. Giving them a Global Catalog on a portable DNS server will create too much network traffic. Giving them a portable domain controller will create too much network traffic. Folder redirection would be slow to synchronize several times a day. The trainers are not using local computers at each of their stops; they are using their own laptops.


34. The network has several application servers that no one should access from the network. Only interactive access is acceptable. How should you set this up?

A. Use the Local Computer Policy on each of these application servers to Deny Access To This Computer From the Network.
B. Use the application servers in any part of the Active Directory that they are needed. Set the Local Policy for the Local Computer Policy on each server to Deny Access To This Computer From the Network.
C. Put the servers in a separate organizational unit (OU). Set a Local Policy in a Group Policy Object (GPO) on this OU that enables Deny Access To This Computer From the Network.
D. Create a security group and populate it with the Authenticated Users group. Add the security group to each Application Server's object. Apply the Deny Access To This Computer From the Network to this security group.

>> !
Answer: C

User rights are part of the Local Policy. To avoid a GPO at a higher level affecting the special User Rights you want for these application servers, you can set a Local Policy at OU level. Even though local policies are local to a computer, they can be set by GPOs in Active Directory. They will affect the computer accounts of any container to which the GPO is applied. Using Local Computer Policy on each server to Deny Access To This Computer From the Network is incorrect because it can be overwritten by any other policy at the Site, Domain or Organizational Unit level. Setting the Local Policy for the Local Computer Policy on each server could easily be overwritten because an OU is the last policy applied. Creating a security group for applying permissions such as Deny is wrong. User Rights are not defined with permissions. Permissions are applied to objects.


35. You have a security consultant who is preparing the Group Policy Objects (GPOs) for your Active Directory, and you want her to manage group policy links. What should you do?

A. At the domain level, create a GPO to give this user's account read and write permissions with the No Override option.
B. Give her user account administrative privileges in all the domains of the Active Directory.
C. From the Active Directory objects she is working on, right-click and choose Delegate Control to start the wizard. You will be prompted to select her user account, then you'll give the Manage Group Policy Links right.
D. From the Security tab of each Active Directory object she is using, add the user's account and give her Apply Group Policy.

>> !
Answer: C

The Manage Group Policy Links is a predefined task that you can delegate to a non-administrative user. There are other tasks you can choose to delegate also from this same wizard. Apply Group Policy will not give her enough permission to manage the GPO links. Administrative privilege is more power than her assignment requires. The read and write permissions can be used for administrators delegated to GPO management. Non-administrators need the Manage Group Policy Links right, which is just access to the gPLink and gPOptions attributes.


36. You created three sites in Active Directory Sites and Services for your network. One site is the Default-First-Site-Name, which you renamed; two sites are new. The subnets are defined for each site. Next, you install Windows 2000 Server on five new computers, which are to be your domain controllers, and configure TCP/IP addresses and gateways on all five. You want to verify that these server objects are in the correct sites using Active Directory Sites and Services. You do not see the server objects for these five new servers in the sites you created. What should you do next?

A. Run dcpromo.exe on each new server.
B. Associate each site with a new site link.
C. Move the server objects from the computer container to the target sites.
D. Define a bridgehead server in each site.

>> !
Answer: A

Only servers that have been promoted to domain controllers, and therefore have a directory partition requiring replication, will show up in the Servers containers of the sites as server objects. Server objects are not to be confused with computer objects that represent the computers as security principals. You do not have to create new site links when you create new sites. You create site links when you are ready to define the site topology. You do not have to move server objects into the site objects if you defined sites and subnets before you add a server as a domain controller in your Active Directory. The server objects would not be found in the computer container under any circumstance. Only computer objects would be in a computer container. If you don't make your sites before promoting the domain controllers, all server objects will by default show up in the Default-First-Site-Name. Inter-site replication can be improved if you have a complex network by adding bridgehead servers. This is a new, simple network and defining bridgehead servers will not cause the server objects to appear in the sites.


37. You have given only the Sales group permission to their printer object. Other ACL entries were removed. The printer is shared by default because it was installed on a Windows 2000 print server. John is a member of the Executive group, but not the Sales group. He cannot use the printer. How is he denied access?

A. By explicit deny
B. By filtering
C. By implicit deny
D. By Deny permission

>> !
Answer: C

Implicit deny means the printer is accessible to only those mentioned in the security descriptor of the object. If no administrator had modified the security descriptor of the printer object, then by default John would have access as a member of Everyone. Filtering is a technique that uses the Deny permission. It refines the access to an object by explicitly denying someone access. Deny permission, filtering, and explicit deny are three different ways to describe the opposite of implicit deny. Therefore, they are all three wrong.


38. You created a Group Policy Object (GPO) for the organizational unit (OU) representing corporate structure for Marketing named MktSoftware to implement the Software Installation extension. You would like to use the GPO for Sales now that the Sales Division also uses the software. How do you get this done for two departments in one domain?

A. Make use of security groups for software deployment and maintenance and unlink the MktSoftware from the Marketing OU.
B. Link the MktSoftware GPO at domain level instead of at OU level. Filter out all OUs except Sales and Marketing.
C. Copy the GPO named MktSoftware to SalSoftware and link it to the Sales OU.
D. Link the MktSoftware GPO to the Sales OU representing corporate structure for Sales.

>> !
Answer: D

Since both OUs are in the same domain and there is no WAN link involved, you can safely link an existing GPO to another OU. Crossing a domain or a WAN both create network traffic and problems at the client when group policy is applied at log on. Copy to a new name is not an option for GPOs. While you can move the GPO's link to domain level, and allow both Marketing and Sales to be affected by it, it is not practical to "filter out OUs." Filtering is done by security group, and security groups can be in both OUs, so this method is an administrative nightmare. Software is a special use of Group Policy. The Software Installation provided in Windows 2000 has many advantages such as lower administrative costs and automatic repair of damaged files, so you do not want to use security groups to manage software deployment. It is possible to use security groups instead of OUs and GPOs to allow access to software installation files, but not if you are using Software Installation.


39. You create a Group Policy Object (GPO) to configure logoff scripts for users and shutdown scripts for computers. The scripts listed from top to bottom on the Properties dialog box for the shutdown scripts are:
shutdowncache.bat
shutdownconnection.bat
The scripts listed from top to bottom on the Properties dialog box for the logoff scripts are:
logoffapps.bat
logoffdb.bat
In what order will these scripts run?

A. logoffdb.bat, logoffapps.bat, shutdownconnection.bat, shutdowncache.bat
B. shutdownconnection.bat, shutdowncache.bat, logoffdb.bat, logoffapps.bat
C. logoffapps.bat, logoffdb.bat, shutdowncache.bat, shutdownconnection.bat
D. shutdowncache.bat, shutdownconnection.bat, logoffapps.bat, logoffdb.bat

>> !
Answer: C

When a user shuts down a computer, the user's logoff scripts are run first and then the shutdown scripts are run. The scripts are run in the order in which they are listed in the Properties dialog box for the logoff and shutdown scripts.


40. You have a corporate campus in a metropolitan area using an ATM backbone. A is one site, and B is another site. There is a site link between them with a cost of three. You want to link the C site to them. What should you do?

A. Create an SMTP link between C and B because it is asynchronous and will perform without schedules. This will avoid multiple IP site links.
B. Create a site link between C and B. Create a site link between C and A. Set the cost between C and B to two. Set the cost between C and A to three.
C. Add the C site to the existing site link. The cost will be the same between each connected site.
D. Create a site link between C and B. Set the cost between C and B to two. Create a site link bridge between A and C.

>> !
Answer: C

You can add more than one site to a site link if all are connected by an ATM backbone or leased lines where the sites are physically close, such as in an urban area. All sites on one site link share the same cost. When the costs of site links differ, a site link bridge makes sense because it creates a smaller network definition. It is easier to maintain because you do not have site links between all points. A site link bridge is what you would typically configure for a WAN. In this scenario, however, there is a specialized provider in an urban environment, and adding more than one site to a site link makes an easier configuration. Creating three site links is not the recommended way to configure the network. Two site links and a bridge are easier to maintain because you do not have site links between all points. Creating a third link using SMTP is just as cumbersome as three site links using IP.


41. You have one domain using Active Directory and dynamic Domain Name Service (DDNS). The other domains still use Windows NT 4.0 servers, which host the secondary DNS servers. How do you manage the replication of zones between the DDNS and the secondary DNS servers?

A. Change the Start of Authority (SOA) record on the primary DNS server to implement the push notification process.
B. Change the Start of Authority (SOA) records on the secondary DNS servers to identify the primary DNS server.
C. On the properties sheet for the zone in the DNS console, you can use the Notify dialog box to specify which secondary servers will get zone changes as a push operation.
D. In the DNS console, select the zone's Property sheet. Specify the servers that will participate in the zone transfers on the Zone Transfers tab.

>> !
Answer: C

If your DNS servers are directory-integrated, configuring notification on the primary DNS server is not necessary; zone transfer is automatic. In a multimaster replication system, all DNS servers are primary. When you use Windows NT servers to host the secondary DNS servers, you must specify which servers get zone changes. SOA records do not point to secondary DNS servers, and you do not use SOA records on the secondary DNS servers to point to the primary DNS server. Configuring is done on the zone using the Zone Transfers tab on the dynamic DNS server. There, you list the secondary servers that you want notified. Additionally, you must configure the secondary name servers for a zone to contact a specific master name server when requesting updates. You can select the servers that will participate in zone transfers, but that alone will not implement the DNS notification required for NT 4.0 servers.


42. You have carved another site out of a very large site because the WAN link for the new site is proving to be too slow to incorporate the area as part of the larger site. You have three domain controllers (DCs) at the new site with one global catalog. One of your DCs becomes inoperative. A user trying to log on gets an error that "The system could not log you on because a domain controller could not be contacted." What actions should you take? (Choose all that apply.)

A. Ask the user to reboot, press F8, and choose the cached credentials option from the boot menu.
B. Enable Global Catalog on one of the other DCs in the site.
C. Check the WAN link.
D. Disable the global catalog on the NTDS Settings object from Active Directory so the client will look remotely.
E. Remove the inoperative server object from the Sites node since it hosts the global catalog.

>> !
Answer: B & C

When the domain controller in a site looks for the global catalog and cannot find one, the error message that a DC could not be found is displayed. This is because the LSA requires a global catalog check during a user's log on to learn if the user belongs to universal groups. Replicating a new global catalog across the slow WAN is one way to get a copy. You could also transport the DC to a better connection to get a copy of the global catalog. The WAN link may be down. The client should have looked remotely for a global catalog. If a domain controller cannot find a site global catalog (GC), it will look remotely. The GC does not have to be in the same domain since all contain partial partitions. You do not have to disable the global catalog on the NTDS Settings object. If you remove the server object, you will have to recreate it. If you plan to reinstate it later, you should simply remove the NTDS Settings object, which Active Directory will automatically recreate when a domain controller is brought online. It is not possible to reboot and choose cached credentials. They are managed by the system.


43. You have Group Policy Objects (GPOs) linked at the site level that were created as unlinked GPOs. You are going to create a new GPO just for the site and control access to it. How do you prevent the unwanted GPOs from setting policy for the site and also maintain security for your Active Directory objects?

A. Filter the GPO with the Read permission denied for the Everyone group.
B. Use the Properties sheet for the target site. Select the GPO you want to remove. Click the Delete button, then select Remove the link from the list.
C. From the site object's Property sheet, you need to select Remove the link and delete the Group Policy Object permanently.
D. Edit the GPO that is linked to the site and on the Security tab, remove all permissions for all security principals.

>> !
Answer: B

GPOs are linked to Active Directory objects. They can be unlinked without being deleted from Active Directory as objects. Microsoft recommends that you control GPOs at the site level and not link existing GPOs to the site. Those who have control of these linked GPOs can influence policy at this level. While it is possible to remove the GPOs permanently, it is not a good procedure in this scenario. Since the GPOs that you do not want at site level were created as unlinked GPOs, they are corporate property. Unlinked GPOs generally are created in enterprise environments with broader use than one Active Directory object. They may be currently linked to other objects in the Active Directory, or they may be requested at a later time for another object. These GPOs can remain as objects of Active Directory, and they will not set policy at site level as long as they are unlinked from any sites. You should not manage existing GPOs linked at the site by permissions only. They should be unlinked from the site. The danger of site-linked GPOs is that anyone with the proper permissions gets unintended power throughout the site. Since these GPOs were created as unlinked, they could get their security principals and permissions set elsewhere and still affect the site; it is not a controlled environment. Your goal is to have only a GPO linked to the site that you can properly restrict, since one at site level is so powerful. Security principals are users and groups (also computers and services, but not for GPO permissions).
The Everyone group applies to anyone who can reach a resource, not just those authenticated by your Active Directory. You filter with security groups by putting the Deny permission on Apply Group Policy. Since the filtering and permissions answers both rely on permissions instead of unlinking the unwanted GPOs, they fail for the reasons given in the previous paragraph.


44. You have a site link on a slow connection (56 Kbps) between City1 and City2. The administrator at City2 reports that its domain controller does not see changes from City1 for half a day. You decide to manually set the schedule for the connection object rather than create one of your own. It appears to be working. Two days later, City2 reports the same problem. What should you do?

A. Create a site link bridge so the routing will be transitive.
B. Change the Intersite replication transport from IP to SMTP.
C. Create bridgehead servers for both the City1 site and the City2 site.
D. Create your own connection object for City2's domain controller. Set the schedule on this connection object for replication to one hour instead of the default three hours.

>> !
Answer: D

When you change the schedule on a connection object that is owned by (created by) the Knowledge Consistency Checker, it will let you make the change, but it will revert to its own schedule the next time the KCC runs. To make the desired schedule change last, you must create your own connection object, which will be owned by you, the administrator. If you have high-performance servers at each site, you can leverage their bandwidth to improve the exchange of directory information by making them bridgehead servers. This will not, however, modify the schedule. Since the default schedule is every 3 hours (which is effectively half a workday), you need to reduce the interval between replications by hours, not improve speed. While it is true that the SMTP transport basically ignores schedules because it is asynchronous, you cannot use SMTP within the same domain for site replication; it is supported only between domain controllers of different domains. Transitive routing with a site link bridge will not shorten the interval between replications of Active Directory.


45. You have three Remote Installation Services (RIS) servers for your domain. The users themselves will do the installations. How can you assure each client will access the correct RIS server?

A. Use the Custom Setup option on the RIS servers to identify which network service boot requests the server is to respond to.
B. Create each computer object in the correct container in Active Directory and type in the name of the RIS server that the computer object is going to use.
C. Use a VBScript to list the RIS servers available when the client's network service boot request is initiated.
D. In the Host Server dialog box, you can list the subnet addresses that the server will respond to when the client makes a request. The client's network service boot request sends the IP address in the request packet.

>> !
Answer: B

Typing in the name of the RIS server that the computer object is to use in the Host Server dialog box is how you restrict a client's access to remote installation. When the network service boot request starts, the prestaged computer information in Active Directory is used to route the client. The network service boot request is initiated by the PXE boot. Using a VBScript to list the available RIS servers will not correctly route the client to the intended RIS server. Instead, clients are routed to the RIS server based on their prestaged computer account information in Active Directory. Listing the subnet addresses that the server will answer in the Host Server dialog box is not a correct solution. Clients will be identified only if their prestaged computer account is in Active Directory. Custom setup is primarily used for prestaged computers that will be installed by a technician rather than the end user. A user's available setup options are set in the RIS Group Policy settings. Custom setup will not provide the correct RIS server for the client's request.


46. You have delegated control of the laboratory organizational units (OUs) for users and computers to a junior administrator. You created the console for her to use and showed her how to install it on her Windows 2000 Professional computer. What other task is necessary before she can administer the OUs delegated to her on the computers that have these snap-ins installed?

A. The Adminpak.msi must be installed on her Windows 2000 Professional computer.
B. The junior administrator must have a taskpad set up on her machine.
C. You must install the integrated local management interface (ILMI) on the junior administrator's computer.
D. You must set up audit tracking through local policy on the junior administrator's computer.

>> !
Answer: A

The Administration Tools can be installed on a Windows 2000 Professional computer that will use the MMC console. You can install the tools using the adminpak.msi file distributed on the Server or Advanced Server CD-ROM. Delegation of Active Directory objects is possible once the console administrator has at least Read permission for the console file you created for her. A taskpad is used for nonadministrative users to do simple tasks like change passwords. Your junior administrator has three OUs to manage; for this she needs a console. The integrated local management interface (ILMI) is a set of functions in ATM technology that allows exchange of configuration data. It is not necessary for remote administration of Active Directory objects. Audit tracking through local policy on the administrator's machine is desirable but not necessary.


47. You have several domain controllers (DCs) in your Active Directory domain. Yesterday you added many new users. You also accidentally deleted some Active Directory objects late yesterday afternoon. How should you restore?

A. Authoritative restore.
B. Non-authoritative restore.
C. Run Ntdsutil in DS Repair Mode and enter "integrity" to do a soft recovery.
D. Authoritative restore to an alternate location.

>> !
Answer: A

By doing an authoritative restore on the DC, you will recover the Active Directory objects you deleted from the backup media. (The other DCs no longer have the objects either, because of replication.) You will not recover the user accounts you added yesterday, because your backup media from last night won't have a copy of them. When you do an authoritative restore, the Update Sequence Numbers on the objects to be restored are increased by one hundred thousand so they will not be overwritten during replication. A non-authoritative restore will not preserve the Active Directory objects that you deleted yesterday: when the DCs replicate after the restore, they will once again update the DC's copy of the partition with the newer information, deletions included. Doing a soft recovery using Ntdsutil will perhaps recover transactions if you experience a system failure or a power outage. The correct command to use with Ntdsutil for a soft recovery is "Recover," not "Integrity." The Recover command in Ntdsutil invokes esentutl.exe, which ensures that all committed transactions in the log file are written to the data file. An authoritative restore to an alternate location only restores boot files and registry keys.


48. You want to assign one outside consultant rights to create the Group Policy Objects (GPOs) as a non-administrator. How would you set this up for your enterprise?

A. Make the consultant a member of the Group Policy Creator Owners group.
B. Make the consultant a member of the Group Policy Creator Owners group. At each organizational unit (OU), in Active Directory Users and Computers, delegate control to the consultant to specifically Manage Group Policy links.
C. Make the consultant a member of the Group Policy Creator Owners group, but remove the consultant from all GPO management groups.
D. Make the consultant a member of the Group Policy Admins group.

>> !
Answer: A

The consultant will create the independent GPOs, so make him a member of the Group Policy Creator Owners group. Since the consultant is not required to link GPOs, you would not delegate that permission. You can use local administrators to do this task based on the GPOs they require. Creating independent GPOs is usually only done in large corporations, as in this example. The recommended way for most companies to apply policy is to create GPOs directly on the site, domain or OU object in Active Directory. It is useless to remove the consultant from all groups that manage GPOs because the Creator Owners group allows it regardless of other group denials. The Group Policy Admins group does not give the proper level of authority; Group Policy Creator Owners group does.


49. You have published an application, and it has been installed on your client computers. If you redeploy the application to apply a software patch, when will the software patch be applied?

A. The next time that a user logs on.
B. The next time that a user updates the application through the Add/Remove Programs dialog box.
C. The next time that a user logs on and invokes the application.
D. The next time that the computer is started.

>> !
Answer: C

The software patch will be applied the next time that a user logs on and invokes the application. An application cannot be published to a computer, so the patch will not be applied when the computer is started.


50. You have a Group Policy Object (GPO) that works very well for DomainA. You have decided to link it to the Site so that the GPO will have broader coverage. What else should you do to protect this site once it has the GPO applied?

A. Change the fault-tolerant path of the policy using ADSI Editor.
B. Change the NTFS file access settings on the \%systemroot%\Sysvol\ folder to permit only the Enterprise Admins group to manage the container.
C. Use the Replication Monitor tool to force replication.
D. Control the number of users with Read and Write permissions to the GPO.

>> !
Answer: D

If users can make changes to the policy, their influence is now at the site level instead of the domain level. Note: You don't have to physically change the link. The GPLink attribute contains the distinguished name of the group policy container object that is linked to the directory container. This is a one-to-many construct, which is why you can link one GPO to many sites, domains, or organizational units. The ADSI Editor lets you view and edit the group policy container attributes. ADSI stands for Active Directory Service Interfaces, a programming feature. The Group Policy Container object has an attribute GPC-File-Sys-Path, which lists the UNC path of the policy. It is also called the fault-tolerant path. The individual policy is identified by its GUID in the UNC. Of course, this in no way protects the policy attached to a site from users who have read and write privileges. You do not have to manage the NTFS settings on the folder that replicates to all domain controllers. This is not related at all to managing access to GPOs at site level. The \%systemroot%\Sysvol\ folder is replicated to other domain controllers by the File Replication Service. The group policy container objects are replicated by the Directory Replication Agent (DRA). The two do not always synchronize exactly, and so you can force replication with Replication Monitor. However, this option is unrelated to protecting the policy from users who have read and write permissions to the GPO.


51. You have a domain controller (DC) fail early in the morning. You know that the Knowledge Consistency Checker (KCC) may take a few hours to rework the replication topology with a temporary connection. The business will be impacted by this delay. What other option is open to you, as the administrator, if you want to manage the replication?

A. Delete the NTDS Settings object for the failed DC's server object. Move the server object to a temporary site. Force replication with the Replication Monitor.
B. Manually repair the replication ring using the command line tool Repadmin.exe with the /unreplicated switch.
C. Force replication for all connections with the Netdiag.exe tool to avoid manual connection object creation.
D. Select two DCs that can form an alternate channel while the failed DC is offline. Create two connection objects between the DC partners, one for each direction, under the NTDS Settings. Force replication between the new replication partners by right-clicking the connection objects and choosing Replicate Now.

>> !
Answer: D

Manual connections can upset the KCC environment, so choose carefully before you decide to step into the KCC's territory. Be sure to configure the connection object from the source DC to the target DC (a pull). Be sure that the partner DCs hold the same naming contexts. When the failed DC is put back online, you will want to remove this manual channel and let the KCC restore the original topology. The Netdiag.exe tool is for troubleshooting network problems. While you can connect to a DC with this tool, you cannot create a replication channel with it. You do not move the server object to trigger a new replication topology; instead, you create connection objects if you want manual management. The Replication Administrator (Repadmin.exe) is much like the MMC's Active Directory Sites and Services. The /unreplicated switch will show you just the failed DCs, but it won't fix them.


52. You are preparing to install Active Directory on a computer. Before you install Active Directory, what step must you take?

A. You must format a partition or volume with NTFS to be used for the Active Directory database and log files and the shared system volume.
B. You must format a partition or volume with NTFS to be used for the shared system volume.
C. You must format a partition or volume with NTFS to be used for the Active Directory database and log files.
D. You must install the DNS (Domain Name System) Server service on that computer.

>> !
Answer: B

You must format a partition or volume with NTFS to be used for the shared system volume (sysvol). By default, the shared system volume is located in the folder, but it can be stored in a separate location. Information in sysvol is replicated to all domain controllers by the File Replication Service (FRS). The Active Directory database and log files do not need to be stored on an NTFS partition or volume, but Microsoft recommends that you do store them on an NTFS partition or volume. You do not have to install the DNS service on that computer, but you must have a DNS server that supports service (SRV) records available on the network.


53. You have installed Windows 2000 Server and DNS on a computer that is to become the DNS server in an Active Directory network. You want to make it a dynamic DNS (DDNS) server. What should you do next?

A. Promote this server to a domain controller with dcpromo and allow the default installation of DNS on this server. When prompted, choose the dynamic option.
B. Import your company's forward and reverse zones databases from their non-Windows server to your new DNS server using nslookup. In the DNS console tree, right-click the new forward and reverse zones and choose the dynamic zone type.
C. Use the DNS console. In both the forward and reverse lookup zones, modify the resource record for Start of Authority (SOA) to change the zone type to dynamic.
D. Create forward and reverse lookup zones. In the DNS console tree, under both forward and reverse, you need to change the zone type to dynamic on the properties sheet of each zone, on the General tab.

>> !
Answer: D

It is best to set up your zone and configure it as a dynamic zone on a Windows 2000 server other than the one destined to become the first domain controller of your Active Directory domain. Then, when you do run dcpromo on the first domain controller configured, it will not prompt you to install DNS. You can set up your dynamic DNS server on a Windows 2000 member server. It does not have to be on a domain controller. This answer is wrong because it will put DNS on the domain controller created with dcpromo. The first domain controller of your domain has operations masters roles to process. It is better to put the dynamic DNS server on another computer. Nslookup is a troubleshooting tool for DNS. It cannot be used to import zones from non-Windows servers. Instead, it allows you to examine the status of the DNS service and perform zone transfers, among other things. You can view and add resource records to the zone and you can change the zone type to dynamic using the DNS console. However, you do not change the zone type to dynamic by modifying the Start of Authority record.


54. You have some shared folders in a published shared folder. You want the Photo shared folder in the published shared folder to be available to only two photographers. How should you limit control of this folder to these two photographers?

A. Hide the Photo shared folder by using a share name that ends with the $ so no one can view it. Only the two photographers know it exists.
B. Move the Photo folder to a new organizational unit (OU). Set the permissions on the new OU to reflect the two photographers’ requirements.
C. Clear the Allow inheritable permissions box on the Photo shared folder's security tab. Choose to copy the permissions. Proceed to restrict access settings.
D. Set the Block Inheritance on the organizational unit (OU) where the published shared folder exists. Manually configure the photographers' permissions on the Photo shared folder.

>> !
Answer: C

Clearing the Allow inheritable permissions box on the Photo shared folder's security tab is correct. By choosing to copy the permissions, you can see (and use) what access was available before you started modifying. Only your modified settings apply to the Photo shared folder once you clear the box. If you don't clear Allow inheritable permissions, you will not be able to restrict access as you wish. Renaming the Photo shared folder with the $ keeps users from seeing it, but if they ever learn the share name, it is no longer limited to the two photographers. You cannot move the Photo folder to a new organizational unit (OU). The Photo shared folder does not become a published shared folder just because the parent folder is published.
Since the Photo shared folder is not a published shared folder, there is no object for it in Active Directory to move. You cannot set the Block Inheritance on the organizational unit (OU) where the published shared folder exists to limit access to the Photo shared folder. As mentioned earlier, shared folders in a parent published folder do not acquire published status in Active Directory. The inheritance concept does not apply. When Block Inheritance is used properly, it is applied to an OU so that settings from above do not flow down. In this wrong answer, the block was placed on the OU that contains the published shared folder, as though inheritance flowed up instead of down.


55. You install Windows 2000 Server on a computer and then promote the computer to a domain controller (DC) in an existing domain. You need to allow a project manager to log on to that computer locally. There is a Group Policy Object (GPO) linked to the site to which the DC is assigned. What policy or GPO should you edit?

A. The Local Security Policy
B. The Default Domain Controllers Policy
C. The GPO linked to the site
D. The Default Domain Policy

>> !
Answer: B

You should edit the default Domain Controllers policy, since the project manager must log on locally to the computer you promoted to a domain controller. If multiple GPOs apply to an object in Active Directory, the order in which the GPOs are applied is: the local policy, the GPO linked to the site, the GPO linked to the domain, and then the GPO linked to an OU. If an OU is a child of another OU, the GPO linked to the parent is applied first and then the GPO linked to the child OU is applied.


56. You can implement auditing on a computer by using the Group Policy snap-in and choosing the Local Computer as the Group Policy object. What are you auditing if you implement it on a Group Policy Object (GPO) set on the domain?

A. Auditing each domain controller (DC) in the domain.
B. Auditing only the domain controller (DC) where you are interactively working.
C. Auditing only the PDC emulator, where Group Policy is created by default.
D. Auditing cannot be implemented from a domain-level Group Policy object.

>> !
Answer: A

You are auditing each domain controller in the domain when you enable auditing in the domain-level GPO. For member servers, stand-alone servers, or Windows 2000 Professional computers, you must enable auditing locally as described in the scenario for Group Policy. Or, you can use the Computer Management locally. Auditing only the domain controller where you are interactively working is incorrect. Use the Local Policy, Audit settings in the GPO applied at domain level. Auditing only the PDC emulator is much like auditing on the domain controller interactively because the PDC emulator is a domain controller. So, this answer is wrong. Auditing can indeed be implemented from a domain-level GPO, but only for domain controllers of that domain.


57. You have two sites in the Active Directory network. One department moves to the other site. Their domain controller (DC) moves with them. You change the subnet address for the moved DC to one of the new site's subnet addresses. What is the replication topology status at this point?

A. Service (SRV) records in dynamic DNS (DDNS) define the DC as a replication partner of the new site.
B. Knowledge Consistency Checker (KCC) detects the DC in the new site and reworks the new site's topology.
C. NTDS Settings object in Active Directory defines the DC as a member of the first site.
D. New subnet address on the DC defines the DC as a member of the second site.

>> !
Answer: C

If you do not change the NTDS Settings object to reflect the new site, the Knowledge Consistency Checker (KCC) continues to use the information about the original site. Until you fix this, replication will go across the slow links that sites normally prevent. The new subnet address in the TCP/IP configuration will not define the DC as belonging to the new site. The Knowledge Consistency Checker (KCC) gets its information from the Active Directory's NTDS Settings object. It does not detect sites by physical location. The dynamic DNS plays no role at all in the replication topology of Active Directory.


58. You have the promotion to domain controller (DC) task completed. Before you put this DC in production, you are working through a checklist of verifications and notice there is only one connection object for it. How should you get another connection for this DC?

A. Use the Addiag.exe tool.
B. Use the DOMMAP tool.
C. Wait until tomorrow and see if it shows up.
D. Use the Netcons tool.

>> !
Answer: C

Sometimes it takes the Knowledge Consistency Checker a while (overnight) to build all the necessary connection objects. The DOMMAP tool checks replication topology, and also site and domain relationships. The Application Deployment Diagnosis tool, or addiag.exe, provides information on software installed on a computer enabled with IntelliMirror Software Installation and Maintenance. The Netcons tool is a GUI tool that works like the command-line net use command. It monitors and displays network connections. It does not create new connection objects for Active Directory.


59. You want engineers to recover from any hard drive loss themselves. You want them to initiate the operating system installation from a Remote Installation Services (RIS) server. All their workstations are Windows 2000 Professional computers. The engineers should also be able to recover their data and settings as much as possible without resorting to IT support. What system configurations are required? (Choose all that apply.)

A. The user needs permission to reset and change the password on the computer object.
B. If the user requires applications that are not on the RIPrep image for his computer, the applications can be reinstalled because a Group Policy for software installation is configured.
C. The user needs a roaming profile.
D. The user needs Folder Redirection for the My Documents folder.
E. The user needs offline files enabled.
F. The user needs logon rights to Log On As A Service.
G. The user needs Read and Write permissions for all properties on the prestaged computer object.

>> !
Answer: A, B, C, D & G

The computer is prestaged for the reinstallation because the computer account already existed. The user can install an image on a prestaged client if they have both read and write permissions for all properties of their computer object. It is important that the permissions are set for the computer object itself and not for its container. Basic applications may be part of the RIPrep image. If the user requires other applications, it will be necessary to have software installation Group Policy in place for that user. This may be published or assigned software policy. The roaming profile means there is a network copy of the user's profile that can be downloaded when disaster takes the local copy. Folder Redirection for the My Documents folder is the minimum. You could also include the Start Menu, Desktop, and Application Data folders.
Application Data may be required if the user's software requires special data, such as special dictionaries, to run. Offline files are not part of the configuration because you need to use a roaming profile for the user. Using both offline folders and roaming profile is not recommended. The user does not need rights to Log On As A Service. In fact, this is a security risk you should never take. This right is granted to services that run under an account other than the LocalSystem account. By default, this right is granted to no one.


60. You install Windows 2000 Server on a computer. You install the Domain Name System (DNS) service on that computer and create a primary zone. You configure the computer to use this DNS service. You use the Active Directory Installation wizard to install Active Directory on that computer and create the first Windows 2000 domain for your company. However, the Lightweight Directory Access Protocol (LDAP) service (SRV) resource records are not created. What should you do to ensure that the SRV resource records are created?

A. Convert the primary zone to an Active Directory-integrated zone.
B. Configure the computer as a DHCP client. Configure a DHCP reservation for the computer.
C. Configure the primary zone to allow dynamic updates.
D. Execute the command ipconfig /registerdns.

>> !
Answer: C

You should configure the primary DNS zone to allow dynamic updates. A zone is not configured by default to accept dynamic updates. You do not need to convert the primary zone to an Active Directory-integrated zone. An Active Directory-integrated zone is stored in Active Directory and replicated to all domain controllers. Once a zone is configured to accept dynamic updates, you can force the records to be registered by using the command ipconfig /registerdns. The computer can be a DHCP client, but it does not have to be.


61. You want to deploy the XYZ application software for your company by controlled procedure. You already have the software installation files and the package file loaded onto the software distribution point (SDP). How can you use Group Policy to control the number of users who have access to the software?

A. On a Group Policy Object (GPO) that is linked to the SDP, configure the GPO to deploy the software for either assign or publish, in addition to other configuration settings depending on your needs.
B. On the Group Policy Object (GPO) that is linked to the user or computer organizational unit (OU) that is to receive the software, select the security tab. Remove the Apply Group Policy permission from the Authenticated User group. Create a security group of users who can access the software distribution. Add the group as an access control entry for the GPO and grant them the Apply Group Policy permission.
C. Set the software's license file to limit the number of users who may actually install the software.
D. Control software installation by giving a security group access to the shared folder, which is the SDP.

>> !
Answer: B

Only the security group which can apply the GPO for software distribution will see it on their desktop, Start/Programs, document activation, or in their Add/Remove Programs, depending on your configuration for distribution type. Now administrators can monitor how deployment is going without a burden of support overwhelming them. Not all software can meter the number of users who have accessed the software from a distribution point. While it is true that the SDP is a shared folder, you cannot control the number of users who install it by controlling the shared folder. Administrators' permissions for an SDP folder are Read and Write. For users who will install the software the permission is Read and Execute. You should also hide the share using $. The GPO is linked to the user or computer accounts OUs, not to the SDP.


62. You have to restore the Active Directory on a domain controller (DC) because of manual deletions. Select all conditions that are required, or allowed, for the Active Directory restoration, and distinct from other system state restorations. (Choose all that apply.)

A. Log on with Domain Admins group privileges.
B. Use the Advanced Restore option of Ntbackup.
C. Restore to a different location.
D. Log on with Local Administrators group privileges.
E. Restore from a tape more recent than the Active Directory Tombstone Lifetime.
F. Restore to the same location.
G. Log on with Backup Operators group privileges.

>> !
Answer: D, E & F

Restoring to the same location is required only when you are restoring system state data other than boot files or registry keys. In this scenario, you are restoring Active Directory, so the same location is required. If the tape is older than the tombstone lifetime of Active Directory objects, the APIs will reject the data as out of date. You cannot restore to a different location because you are restoring Active Directory; only boot files or registry keys can be restored to a different location. The logon must be by a member of the Local Administrators group for system state data, and it must be interactive at the DC receiving the restoration. System state data includes the Registry, Active Directory (if it is a DC), Sysvol (if it is a DC), the COM+ Class Registration Database, and boot files. Because the logon must be by a member of the Local Administrators group, neither the Domain Admins group nor the Backup Operators group qualifies. The Advanced Restore option of Ntbackup is used for replicated data sets such as Sysvol.


63. You want to install several configurations of Microsoft Access. When should you configure the modifications? (Choose all that apply.)

A. While you add the application to a Group Policy Object (GPO)
B. Before the software has been deployed
C. After the software has been installed on the client computer
D. When you assign the software to different categories using Properties, Categories tab
E. During the file name extension prioritization on the File Extensions tab in the Group Policy Object (GPO) that deploys applications

>> !
Answer: A & B

While you add the application to a GPO, from the Properties dialog box, choose the Modifications tab and add one or more .mst files. Transform files is another name for .mst files. Before the software has been deployed, you can modify the GPO. You may not make changes (for example, on the client computer) using the GPO after deployment. If changes are necessary, you will have to visit each client computer.
Category assignment is for classifying software into categories that help users find the application they want to install from Add/Remove Programs. The Categories tab can be seen from within any organizational unit (OU). The file name extension prioritization on the File Extensions tab in the GPO is a place for listing the order of applications that will be called during document activation. While you are prioritizing the extensions, you do not configure software modifications.


64. You want to audit a member server's system events. You set the local security policy to log Success and Failure from the member server's Administrative Tools, Local Policy Setting. Next you run secedit /refreshpolicy machine_policy. When you check the policy settings at the member server, Local Policy is auditing Success and Failure. The Effective Setting says Failure. What should you do?

A. Find the domain-level policy setting that is overriding the member server setting.
B. Implement the member server policy with a domain level Group Policy Object (GPO) in the Local Policy area under Security Settings node rather than in the member server's local policy.
C. Enable the Object access event category in the Local Policy area under Security Settings node.
D. Enable the Privilege use event category of the Group Policy Object (GPO) at domain level and run secedit /refreshpolicy MACHINE_POLICY.

>> !
Answer: A

In an Active Directory network, the audit policy is set with a Group Policy object (GPO) on the organizational unit (OU) that contains the member servers and computers running Windows 2000 Professional. A member server's or workstation's audit policy is implemented using local group policy on each computer. Domain Controller auditing is set using the domain controllers OU. Even though a local group policy is the proper place to implement the auditing for this member server, a domain policy in the GPO may override the local implementation. Either it will have to be changed, or you will be unable to implement the policy as you wish.
Implementing the member server's (or Windows 2000 Professional computer's) policy is done for the individual computer; the audit policy is set using the domain level GPO. Setting the Object access or the Directory service access event category is only required when you want to audit files, folders, printers, or specific Active Directory objects, respectively. The Privilege use event category is for user rights on the system, not for monitoring a member server's system events.


65. You are installing the first server in your domain. You want the Active Directory database file on a separate hard disk from the log file. When during the installation should you specify these file locations?

A. After you indicate that you wish to join a forest, on the New Domain Name page.
B. After the installation wizard is complete, during the File Locations verification process.
C. Before the actual installation of Active Directory begins, during the User Interface verification.
D. After you indicate that you wish to join a forest, on the Database and Log Locations page.

>> !
Answer: D

After you join a forest, specify file locations on the Database and Log Locations page. Microsoft recommends that you put the Active Directory database, NTDS.dit, on a separate hard drive than the Active Directory log file for performance benefits. Both files, by default, are installed in the systemroot\NTDS folder unless you specify a new location. The New Domain Name page is where you specify the full DNS name for a new domain, which is specified during the first server installation.
The File Locations verification is one of the checks that the Active Directory installation wizard automatically makes before files are actually installed. It checks to see that the database, log file and SYSVOL will be on an NTFS volume and that there is enough room. The User Interface verification is one of the checks that the Active Directory installation wizard automatically makes before files are actually installed. It assures that someone with administrative privileges is doing the installation. At this time it also checks the status of the current installation: first time, previous, or removal.


66. You want to create subnets for a new site. Your network identifier is 192.110.248.0/24. You will use 26 bits for each subnet. Which IP addresses are valid for the subnets you can define for the new site? (Choose all that apply.)

A. *192.110.248.155, mask 255.255.255.192
B. 192.110.248.191, mask 255.255.255.192
C. 192.110.248.127, mask 255.255.255.192
D. *192.110.248.65, mask 255.255.255.192
E. *192.110.248.90, mask 255.255.255.192

>> !
Answer: A, D & E

Any host IP address in the subnet range can be used when defining a new subnet for a site because the address plus the bits masked identify the subnet. Your subnet identifiers are 192.110.248.64/26 and 192.110.248.128/26. To calculate which IP addresses will work: 192 in the first octet tells you it is a Class C address (192-223). The /26 bits-masked notation tells you that two bits were borrowed from the last octet for the subnet (8+8+8+2=26). The value of the least significant of the borrowed bits is 64. The value of the most significant borrowed bit is 128. Since there are six bits left for host addresses, calculate 2^6-2=62.
In a Class C address, the host range of addresses for a subnet is calculated by adding one to the least significant bit value (64+1=65) and by adding the total number of hosts possible to the least significant bit value (64+62=126). Continue doing this for each bit borrowed to identify all possible host addresses. In this case, one more was borrowed with a value of 128 (128+1=129) and (128+62=190). Therefore, all host addresses must be in the range 65-126 and 129-190. 127 and 191 are not valid entries to identify the site subnet.
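The following added example (not part of the original question bank) carries the bit arithmetic above through in code: it derives the prefix length from the dotted mask, finds which /26 each candidate address falls in, and flags network and broadcast addresses as unusable. The classic_rules flag reproduces the explanation's convention of dropping the all-zeros and all-ones subnets; the function names are this example's own.

```python
import ipaddress
from typing import Dict, List

ALL_ONES = 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """Convert a dotted mask such as 255.255.255.192 to a prefix length (26).
    ipaddress rejects non-contiguous masks, so a bad mask raises ValueError."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def classify(address: str, prefix: int) -> Dict[str, str]:
    """Locate an address inside its subnet and say whether it is the subnet
    identifier, the directed broadcast, or a usable host address.
    The host range is computed the way the explanation does it:
    first host = subnet id + 1, last host = subnet id + (2^host_bits - 2)."""
    addr = int(ipaddress.IPv4Address(address))
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    host_bits = 32 - prefix
    subnet_id = addr & mask
    hosts_possible = 2 ** host_bits - 2          # e.g. 2^6 - 2 = 62 for a /26
    first_host = subnet_id + 1
    last_host = subnet_id + hosts_possible
    broadcast = subnet_id | (~mask & ALL_ONES)   # same as last_host + 1

    if addr == subnet_id:
        kind = "network"
    elif addr == broadcast:
        kind = "broadcast"
    else:
        kind = "host"

    return {
        "subnet": f"{ipaddress.IPv4Address(subnet_id)}/{prefix}",
        "kind": kind,
        "first_host": str(ipaddress.IPv4Address(first_host)),
        "last_host": str(ipaddress.IPv4Address(last_host)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
    }


def usable_subnets(network_cidr: str, new_prefix: int,
                   classic_rules: bool = True) -> List[str]:
    """List the subnets carved from network_cidr at new_prefix. With
    classic_rules the all-zeros and all-ones subnets are dropped, which is
    the convention the explanation follows (.64/26 and .128/26 only)."""
    net = ipaddress.ip_network(network_cidr, strict=True)
    subs = [str(s) for s in net.subnets(new_prefix=new_prefix)]
    if classic_rules and len(subs) > 2:
        subs = subs[1:-1]
    return subs


def valid_site_subnet_entry(address: str, mask: str, network_cidr: str,
                            classic_rules: bool = True) -> bool:
    """True when address/mask is a host address (not network id, not
    broadcast) inside one of the subnets allowed for the site."""
    prefix = prefix_from_mask(mask)
    info = classify(address, prefix)
    return (info["kind"] == "host"
            and info["subnet"] in usable_subnets(network_cidr, prefix, classic_rules))


if __name__ == "__main__":
    # Constructed input: the five candidate entries from the question.
    candidates = ["192.110.248.155", "192.110.248.191", "192.110.248.127",
                  "192.110.248.65", "192.110.248.90"]
    for c in candidates:
        info = classify(c, 26)
        ok = valid_site_subnet_entry(c, "255.255.255.192", "192.110.248.0/24")
        print(f"{c:16} {info['subnet']:19} {info['kind']:9} "
              f"hosts {info['first_host']}-{info['last_host']} valid={ok}")
```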


67. There are sensitive files on the Design Department's computers. How should you implement auditing of their files on the NTFS partitions?

A. Set audit policy to Audit Object Access. In Windows Explorer, select the files, choose all events relating to their files, and audit both Successful and Failed events.
B. Set audit policy to Audit Object Access; enable auditing on specific files in Windows Explorer; select users and events to audit.
C. In the Group Policy Object (GPO) linked to the site, domain, or organizational unit (OU) where these computer objects are located, enable auditing on each computer account object. Enable auditing on specific files in Windows Explorer.
D. Enable auditing policy in Computer Management on each computer by setting the Audit Directory Service Access event category. Enable auditing on specific files in Windows Explorer.

>> !
Answer: B

When you are auditing files, you must first set the Audit Object Access. The files are selected from Windows Explorer, and the DACL and SACL are specified for each. DACL is the Discretionary Access Control List. SACL is the Security Access Control List. Auditing is not enabled in the GPO by setting it on each computer account object in the Active Directory Users and Computers snap-in. Auditing of files can be enabled by using Computer Management. It is not set with the Audit Directory Service Access event category, however. Instead it is set with Audit Object Access. Selecting the files, choosing all events relating to their files, and auditing both Successful and Failed events is incorrect. Such broad selection will create an enormous security log. You must prudently select the users and events to audit and log.


68. When should you use Deny permissions in an Active Directory object's security descriptor?

A. To limit membership to a Universal group
B. To remove a permission that a user otherwise gained by membership in a group
C. To block access to resources such as printers
D. To limit access to sensitive areas such as system files

>> !
Answer: B

Use the Deny permission to remove a permission that a user otherwise gained by membership in a group. This technique is called a filter. For example, a user should not have a permission that his group membership grants him, yet he needs to remain in the group, and the group does need that permission. Your correct alternative is to deny that one user the permission. You do not block permissions with a Deny. You block Group Policy at the organizational unit, domain, or site object. The Deny is used as a filter, not as a block to resources. System files are protected with NTFS, not with Active Directory objects' security descriptors. You cannot limit membership to a Universal group with Deny. For example, if a user is a member of a Global Group that is nested in a Universal group, you don't limit his membership. What you do is Deny him access where the Universal group membership allows him access.


69. Why should you perform an authoritative restore?

A. To restore Windows 2000 system files.
B. To restore a deleted Active Directory object.
C. To restore encrypted files.
D. To restore the Domain Name System (DNS) zone database file on a primary DNS server.

>> !
Answer: B

You perform an authoritative restore to restore a deleted Active Directory object. You can use the Recovery Console to restore Windows 2000 system files. You can use the Restore utility to restore encrypted files if they have been saved using the Backup utility in Windows 2000. Whether DNS is standard or directory-integrated, it has more than one copy of its zones. Authoritative restores are not done on DNS zones.


70. You are going to configure a group policy setting in a child organizational unit (OU). Your setting for this OU is in conflict with the policy set on the parent OU. What outcome can you expect from a setting in the child OU so you can decide if Block Inheritance is necessary?

A. The child setting is disabled if the parent setting is disabled.
B. The child setting is not configured because the parent setting is not configured.
C. The parent setting is inherited by the child, nullifying the child setting.
D. The child setting takes precedence over the parent setting.
E. The parent setting is aggregate to the child setting.

>> !
Answer: D

A parent configuration will not be inherited by the child if the child setting is conflicting. A parent setting never nullifies a child setting. If the child setting is configured, but not in conflict with the parent setting, then both are used. A child setting is disabled only if the child has no setting and the parent setting is disabled. If a child setting is configured, but the parent is not configured, the child setting stands.


71. You are going to modify user accounts with the LDIFDE command line utility. This command allows you to use the LDAP Data Interchange Format (LDIF) (file). The modifications will only involve four entries on each user account. Where should you look to verify the correct names for the attributes?

A. Active Directory schema.
B. LDIF file's line beginning with a #.
C. LDIF file's first line.
D. Use the enumprop command line utility with your object's UNC path as the command's parameter.

>> !
Answer: A

The source of all attribute names is the Active Directory schema. Make sure you are using the correct names and spellings before you build the LDIF file for account modifications. If an LDIF file's line begins with a #, it is merely a comment line. The LDIF file's first line specifies the sequence of lines for each user account in the LDIF file. In other words, it defines the order you are going to list the attributes and their values for each user account. That's what you are going to verify by examining the schema. The enumprop command dumps all properties set on any directory service object. In this incorrect answer, the UNC path is improperly used. The enumprop requires the LDAP-PATH. Here is the correct syntax: enumprop [options] LDAP-PATH. The LDAP-PATH is contained in double quotes.


72. You are going to set group policy so users cannot add jobs to the Task Scheduler. The environment for the policy you are creating is LDAP://CN=Admins2, CN=ITDept, dc=red2, dc=red, dc=com. The network administrators have some non-administrative students in the Admins2 organizational unit (OU) who need to add jobs to the Task Scheduler. Which policy settings will you need?

A. Only the Computer Configuration Group Policy should be set at domain level to Enable the Disable New Task Creation. Filter out the administrators' built-in groups and the students' security group from the group policy.
B. Create a group policy to Enable the Disable New Task Creation. Set the group policy on the domain controllers OU and on the computers container. Filter out all administrators with their built-in security groups and non-administrative students with the security group you created for them.
C. At the domain level, the group policy should Enable the Disable New Task Creation. A security group for non-administrative students should be set to Deny the Apply Group Policy.
D. At the domain level, the group policy should Enable the Disable New Task Creation. A security group for non-administrative students should be set to Deny the Apply Group Policy. All administrator built-in groups should be set to Deny the Apply Group Policy.

>> !
Answer: C

You can keep everyone but administrators from adding jobs to the Task Scheduler by setting it at domain level. Since your non-administrative students need to add jobs, exempt them from the policy by filtering it with a security group that only contains the students as members. The Disable New Task Creation policy, when enabled, does not prevent administrators from creating new tasks, either remotely or with the At.exe command. Therefore, you don't have to filter the built-in administrators' groups from the policy. Since there is the same policy in both User and Computer Configurations, you can set both, or only one. Just be aware that Computer Configuration takes precedence if you have two different policies set. Creating the policy to Enable the Disable New Task Creation and setting it on the domain controllers OU and the computers container is wrong. Policies cannot be set on containers. They are set on domain, site or organizational units.


73. You are having performance problems with the network replication load as your domain gets larger. You decide to transfer the primary domain controller (PDC) emulator role to another domain controller (DC). From what location do you start the transfer?

A. From the Active Directory Users and Computers console, target domain node
B. From the Active Directory Domains and Trusts console, target domain controller node
C. From the Active Directory Schema snap-in console
D. From the Active Directory Users and Computers, target domain node, Domain Controllers area

>> !
Answer: A

The role of an Operations Master is transferred by starting with the target domain if you are moving the relative ID master or the PDC emulator or the infrastructure master. All three are transferred from the Active Directory Users and Computers console, target domain node. The domain naming master is transferred using the Active Directory Domains and Trusts console, target domain controller node. The schema master role is transferred by using the Active Directory Schema snap-in console. No roles are transferred from the Domain Controllers area of the Active Directory Users and Computers.


74. You want only the corporate photographers to see their shared folders, which are published in DomainA and DomainB of your company's Active Directory forest. In DomainA, photographers are in the Sales department. In DomainB, photographers are in the Marketing department. How will you, as Enterprise Administrator, structure the organizational units (OUs) so that corporate photographers can view all of their shared folders?

A. Create a site for DomainA and DomainB. Create a Group Policy Object (GPO) at the site level giving photographers from both domains access to the shared folders in both domains.
B. In DomainA, create an OU for the Sales department with a child OU for the photographers. In DomainB, create an OU for the Marketing department with a child OU for the photographers. Give the photographers permissions to the published shared folders located in these two child OUs.
C. Create an organizational unit (OU) at DomainA's root for the photographers. Publish the folders there. Give the photographers permissions to the published shared folders using a universal group.
D. Create a universal group for the photographers. Place the shared folders in OUs at the roots of DomainA and DomainB and give the photographers permissions to both using the universal group.

>> !
Answer: B

You are using the OUs to make the folders visible only to photographers, which is why the folders are in a child OU under both the Sales OU of DomainA and the Marketing OU of DomainB. You can manage the shared folders on these two domains with OUs that are different in each domain. Yet you still provide access to the resources to a functional group such as photographers, which are in both domains. You must be a member of Enterprise Admins to structure OUs across the forest. If you create an organizational unit (OU) at DomainA's root for the photographers, all files would be in DomainA instead of both domains. Most of the time the photographers use the folders in their own domain. You can create a universal group for the photographers, but it isn't necessary. Instead, you can nest the global groups in the domain local groups on each domain. Placing the shared folders in OUs at the roots of DomainA and DomainB does not complement how the photographers' accounts are managed. Sites are physical topologies created to manage replication on the network, not as containers for administratively managing resources. They can be used as containers for Group Policy, however, if they exist already. A Group Policy for specific users, such as photographers, is not appropriate at site level.


75. You want to add a Remote Installation Services (RIS) server for a second domain in the same broadcast segment. Before you authorize the second server, what should you do to keep it from servicing clients of the first domain?

A. Prestage the computers that will request an image from a RIS server.
B. Run Verify Server.
C. Use the DHCP scopes to distinguish between the two RIS server's response requirements.
D. Manage the image directories of each RIS server with permissions and security groups.

>> !
Answer: A

When a client broadcasts a request for service, you want only the RIS server that knows about this computer account through prestaging to respond. When you are prestaging a computer, you can also select a specific RIS server. This will provide load-balancing and better management of network traffic. Verify Server will check out your RIS services and settings. It will not detect that another domain is being serviced by another RIS server within the same broadcast segment. To use the DHCP scopes to distinguish between the two RIS servers' response requirements is incorrect because the DHCP server has no means for mapping its scopes to two RIS servers. You do not separate RIS servers by domain by using permissions and security groups. Very close to that concept, however, is managing the various images on a single RIS server with permissions. Setting up permissions on the image subfolders will limit the number of images a user or security group can select from.


76. You want to assure that the domain-level group policies linked at DomainB are not modified lower in the hierarchy. Administrators of the various organizational units (OUs) within DomainB have permission to create, edit and link group policy objects within their OUs. You have three Group Policy Objects (GPOs) linked at DomainB in a two-domain forest. DomainB is the child of DomainA. How can you assure the DomainB policies are in effect throughout the domain?

A. Set the No Override on the three DomainB GPO links.
B. Set the No Override on the three DomainB GPOs.
C. Mark Block Policy Inheritance on DomainB.
D. Mark Block Policy Inheritance on the second and third GPOs in precedence in the Group Policy Objects linked to this container list.
E. Set the No Override on the first GPO in precedence in the Group Policy Objects linked to this container list.

>> !
Answer: A

Setting No Override on the three DomainB GPO links is correct. In order to prevent other group policies from modifying the domain level policies, remember the processing order SDOU (or LSDOU if you have local policy on your computers). No Override is applied to a GPO link and is used to assure the flow of inheritance. Administrators in OUs below could otherwise block inheritance or modify the policy from above by putting a Deny on it. No Override is not applied to GPOs. Block Policy Inheritance is applied to the site, domain, or OU. Block stops the flow of inheritance. Since domains do not have a parent/child hierarchy in the inheritance flow, you do not need to protect a child domain in the Active Directory tree from a parent's policy. A domain is a boundary. OUs do have a parent/child hierarchy in the inheritance flow: the parent OU policy influences the child OU policy. You do not Block Policy Inheritance at the GPO. You block at SDOU (Site, Domain, Organizational Unit). You do not set No Override on GPOs, so it would be wrong to set it on the first GPO in precedence linked to this container list.


77. You want to deploy a software package using Group Policy to all computers that are already in production. You do not want other software that is running to interfere with the new installation. Which deployment option should you choose?

A. Publish to the computer
B. Assign to the user
C. Assign to the computer
D. Publish to the user

>> !
Answer: C

You should assign the software to the computer so that it will install when the computer starts up, or it will wait until it is safe to do so. If you assign to the user, the software will install when the user initiates it from the Start menu or desktop icon. The software installation can also be initiated if the user double-clicks a file that has been associated with the software by its extension type. This software installation is called document activation. Memory tip: assigned software is advertised. Remember the two As. Publish to the computer is not an option. Software is only published to users. Memory tip: software is published to people using Add/Remove Programs. Remember the three Ps. If you publish to the user, the software is available to the user from the Add/Remove Programs utility in Control Panel. The user has the option of when to initiate the installation. Document activation is also possible. The user may initiate the upgrade with other software running that will interfere. Even though no local registry changes are made on the user's computer, the file extensions that the software associates with are registered with Active Directory.


78. You want to check on why the user cannot access the published shared folders that you gave him permission to yesterday. Which tool will tell you if the inheritance and the replication of Access Control Lists (ACLs) are working properly?

A. DSACLS.EXE
B. GPRESULT.EXE
C. Event Viewer, File Replication Service log
D. SDCHECK.EXE

>> !
Answer: D

Use the SDCHECK.EXE to check on an Active Directory object such as a published shared folder. It will report on both the inheritance of ACLs and on their replication between domains. Use Event Viewer, File Replication Service log if you want to know when the directory partitions are replicated. Use GPRESULT.EXE to report on the Group Policy for the current user and computer. It will tell you which GPOs are in effect. It will not give you granular information on them, however. DSACLS.EXE is the equivalent to the Security tab on Active Directory snap-in tools. Therefore, it does not give you the results of such settings; instead, it helps you manage ACL settings.


79. You want to manage user data on your company's network with Folder Redirection. You want the special folders to be located by group membership. Which option for the target location should you choose to specify the files based on a user's security group membership?

A. On the setting drop-down menu of the Folder Redirection Group Policy's Target tab, select Advanced.
B. On the target folder location, on the Target tab, select Basic and type in \\server\share\%username%.
C. On the Setting tab.
D. On the share's subfolder, in Explorer, indicate by access control entry the option to store files for a security group membership.

>> !
Answer: A

To enable a target folder location for a security group, you must choose the Advanced option on the Target tab's setting drop-down menu. Selecting the Basic option on the Target tab's setting allows you to put everyone's redirected folders in the same location. The Setting tab has options for the behavior of folder redirection, such as permissions, but it has no options for storing redirected folders by security group. The share's subfolder in Explorer will not allow you the option to store Redirected Folders.


80. You want to move 50 user accounts in the corporate domain from one organizational unit to another. You need to report the security results of such a change to the corporate security officer. What will be the results of the move on permissions and identities? (Choose all that apply)

A. Permissions inherited from the original organizational unit (OU) are retained.
B. The GUID will reflect the new Lightweight Directory Access Protocol (LDAP) path.
C. Explicitly defined permissions are removed.
D. Permissions inherited from the original organizational unit (OU) are replaced by permissions inherited from the new parent.
E. Explicitly defined permissions will be retained.

>> !
Answer: D & E

Permissions set explicitly on the object itself will stay with the object. A moved object drops the inherited permissions from its old organizational unit and inherits those of its new parent. The GUID is unique in the forest, so it will not change for an object moved to a new organizational unit.


81. You want to move 50 computer accounts to another domain in the forest. You want to retain all their permissions. You are going to use the netdom command line utility in a batch file for this job. What criteria must you follow so this operation will work?

A. The computers have to be online.
B. The computers have to be in the same organizational unit (OU).
C. The computers have to have prestaged computer accounts in the new domain.
D. The target domain must be a Windows 2000 domain; the source domain can be down-level.

>> !
Answer: A

The computers have to be online; the operation is over the network. The computers are identified in the command line by domain name and computer name. OU containers have no bearing on the move. Netdom builds the new account in the target directory for you, so prestaging isn't necessary. The GUID goes with the computer anyway. Prestaging is setting up computer accounts in Active Directory before Remote Installation Service installs the computer's operating system. Netdom will handle domains or trusts. The target domain can be an NT domain as well as Windows 2000.


82. You want to use the Remote Installation Services (RIS) for installing Windows 2000 Professional to a computer that does not have a Preboot Execution Environment (PXE)-based remote boot-enabled ROM. It does have a supported network adapter for RIS installation. When you boot the client with the RIS boot disk, the computer never gets past the BootP display. Which of the following components of RIS installation should you examine first as potential problems? (Choose all that apply)

A. RIS detects a slow link.
B. DHCP is not authorized in Active Directory.
C. RIS server is not authorized in Active Directory.
D. There is no DHCP proxy on a router located between the client and DHCP server.
E. The rbfg.exe utility is the wrong version.
F. The Trivial File Transfer Protocol (TFTP) daemon is not present on the client.

>> !
Answer: B, C, D & E

You must authorize the DHCP server and the RIS server in Active Directory before their services can start. You must have a DHCP proxy on a router if there is indeed one between the RIS server and the client. The rbfg.exe utility is probably the current version since it comes on the Windows 2000 CD-ROM. Updates will be available in the future through http://www.microsoft.com/windows, Windows Update and Service and Feature Pack updates. "Probably" is a valid measure when you are troubleshooting. You should focus on the more likely component problems before you investigate the unlikely but possible components. TFTPD resides on the RIS server, not the client, and it downloads Startrom.com, which is a small bootstrap program. RIS times out if it does not get a packet from DHCP, but RIS will not detect a slow link.


83. Your company will rollout 50 new Windows 2000 Professional computers. You are now in the planning stages. The computer accounts are to be prestaged in Active Directory. Which one of the following initiatives will expedite this rollout?

A. Obtain from the OEM a spreadsheet or CSV file of the GUID/UUIDs mapped to the system serial numbers for the new computers. A VBScript uses the spreadsheet for prestaging.
B. On each Remote Installation Services (RIS) server, use the Custom Setup Option.
C. Contract the hardware vendor to preinstall the operating system and applications.
D. Use the riprep.sif to copy the GUID/UUIDs, serial numbers, and computer names. The RIS service references this answer file when a client computer requests services.
E. Use the Preboot Execution Environment (PXE)-based remote-boot technology option that reads the GUID/UUIDs from the computer's BIOS because these computers will be PC98 compliant.

>> !
Answer: A

While the GUID is usually in the BIOS and/or on the outside case, it is not necessary for IT staff to type these into Active Directory. Microsoft is encouraging OEMs to provide the file to customers. A VB script and a spreadsheet will do the operation. The Custom Setup Option lets an IT professional override the automatic computer naming in Active Directory and also place the new installed computer in the container of choice. The Custom Setup Option is part of pre-install, not prestage operations. Contracting a hardware vendor to preinstall the operating system and applications will not expedite the prestaging of computer accounts in Active Directory. It is an alternate method to prestaging and RIS installation. While the riprep.sif is a part of the remote installation services, it does not handle the GUIDs. The .sif files are unattended setup answer files created to provide custom answers during deployment. Both CD-based images and RIPrep images use .sif files. A CD-based image can have multiple answer files; a RIPrep image can have one. The PXE-based remote-boot technology cannot read the BIOS. Even if it could, it would not be prestaged in Active Directory before the client requested services.


84. Your company's headquarters office is in Dallas, Texas. You manage the Windows 2000 forest for your company. The forest currently consists of one native mode domain. The company recently purchased a manufacturing facility in Japan from another company. The computers at this facility run the Japanese version of Windows 2000 and are currently configured in a workgroup. The computers will continue to be managed by administrators who work at that facility. Management at the facility in Japan requires the use of a password scheme that is more restrictive than the one your company currently uses, but you want to keep your existing password scheme. What Active Directory architecture should you implement?

A. Create a new domain in a new tree in the same forest.
B. Create a new organizational unit (OU) in the existing domain. Assign all computers and users at the manufacturing facility to that OU.
C. Create a new domain that is a child of the existing domain.
D. Create a new site. Add the computers at the manufacturing facility to the existing domain. Assign the computers to the new site.

>> !
Answer: C

Password rules can only be applied at the domain level, so you should create a new domain that is a child of the existing domain. Since the password schemes differ, you need a separate domain rather than a new site or an OU in the existing domain. Another reason to create a separate domain is that the computers at the manufacturing facility run the Japanese version of Windows 2000 and are managed by local administrators. You do not need to create a new domain in a new tree in the same forest because there is no need to maintain a separate Internet presence for the new facility.


85. Your company's Windows 2000 forest consists of three domains in one tree, all running in native mode: contoso.msft, namerica.contoso.msft, and europe.contoso.msft. You belong to the Enterprise Admins group. A different set of administrators is responsible for each domain. Sylvia, one of the administrators for namerica.contoso.msft, has been asked to help support the domain controllers (DCs) and a member server named Paris in europe.contoso.msft while one of the administrators is on vacation. You want to make her a member of as few groups as possible while limiting the extent of her authority to the server Paris and the domain controllers in europe.contoso.msft. Of which group or groups should you make her a member? (Choose all that apply)

A. contoso.msft\Domain Admins
B. europe.contoso.msft\Domain Admins
C. europe.contoso.msft\Administrators
D. paris.europe.contoso.msft\Administrators
E. contoso.msft\Enterprise Admins

>> !
Answer: C & D

You must make her a member of europe.contoso.msft\Administrators so she can administer the domain controllers in that domain. Since the group Administrators is a local group rather than a domain local group, you must also make her a member of paris.europe.contoso.msft\Administrators so she can manage the server Paris. You should not make her a member of europe.contoso.msft\Domain Admins or contoso.msft\Enterprise Admins because being a member of these groups would give her administrative authority more extensive than required. You should not make her a member of contoso.msft\Domain Admins because this group does not by default have any administrative authority in the domain europe.contoso.msft.


86. Your company's Windows 2000-based network contains one native-mode domain and four sites. The site names are West, Central, South, and East. You create three site links: one between West and Central, one between South and Central, and the other between East and Central. The first global catalog server is in West. How many additional global catalog servers should you configure to optimize logons?

A. One in each site - Central, South, and East
B. One in South and one in East
C. One in Central
D. None

>> !
Answer: A

You should have a global catalog server in each site to optimize logons and Active Directory searches. In a single native-mode domain, each domain controller has a full copy of the domain partition, so it is able to verify membership in universal groups. In a multiple domain environment, it is especially important to have a Global Catalog server in each site, because only Global Catalog servers are able to verify the universal groups to which an account belongs.


87. Your customer has four sites, A, B, C, and D, in one city to manage the replication traffic of a single domain. Site B uses a slow leased line (56K) for connecting to the main office, C, by dial-up. Sites A and C are connected with a T1 line. Sites C and D are also connected with a T1 line. The transitive site link feature is turned off. How should you model the network topology? (Choose all that apply)

A. Create links between A-C and C-D, and assign a low cost to each link.
B. Give the BC link an interval setting of 180.
C. Create site link bridges, ACB and ACD.
D. Create a link between the dial-up site, B, and the main office, C, and assign a high cost.
E. Turn on the transitive site link feature for IP transport and create site link costs to direct the Knowledge Consistency Checker (KCC) to the links you wish it to take.

>> !
Answer: A, D & E

All you need to do is create site links with costs based on link speed (A-C, C-D, and B-C), turn on the transitive site link feature for IP transport, and let the KCC manage the topology. There is no compelling reason given in this scenario for creating site link bridges. Site link bridges are created when a network is not fully routed or when certain paths must be avoided. The interval setting of 180 for the BC link is the default. This action does not create a network topology. Raising the interval reduces how often replication crosses a slow WAN link.


88. Your enterprise already has remote boot and installation servers from other vendors on the network. You want to use the Windows 2000 Remote Installation Services (RIS) for new Windows 2000 installations. How should you configure the RIS installation environment so it won't interfere with the current state of the network? (Choose all that apply)

A. Use the Available operating system images option on the Advanced settings button of the Properties sheet of the RIS server.
B. Use Discretionary Access Control Lists (DACLS) to restrict users who may use the services of the RIS server. Create a security group of users who can use the RIS server.
C. Enable the option on the RIS server to support coexistence of multiple-vendor installation servers.
D. Prestage the computer accounts in Active Directory and specify that the RIS server is to ignore all unknown clients.
E. Set the default Active Directory location for the creation of new client computer accounts on the Properties of the RIS server.

>> !
Answer: C & D

You can set the RIS servers to respond only to clients that are prestaged in Active Directory. By using this setting, other types of remote installation servers can continue working while you begin a Windows 2000 Active Directory remote installation service. This setting also increases the security of your network. If you use the Do Not Respond To Unknown Client Computers setting, you must also enable the Respond to Client Computers Requesting Service setting for it to take effect. The RIS server should support coexistence of multiple-vendor installation servers along with the option to respond only to clients that are known. This ensures the RIS server's protocols are not in conflict with other remote-boot protocols. You may have to segment off the other vendors' servers on the network if the two software settings (the right answers) on your RIS server do not isolate them successfully. The administrator can set the default Active Directory location where computer accounts will be created during installation. However, this setting will not allow RIS to work side-by-side with remote installation servers from other vendors. The Available operating system images option lets the RIS server offer a variety of installation options to the client. It will not enable the RIS server to work seamlessly with other vendors' remote installation servers. Restricting by security group the users who can remotely install from the RIS server helps guide users to the appropriate image for their installation. It is not a means of running RIS installations alongside other vendors' remote installation services.


89. "I'll take user desktop configuration for 100," you say. Alex replies, "It allows users to logon to a computer anywhere in the domain, receive their own desktop, change their desktop settings while they are logged in, but not save those changes between sessions." You buzz in and say:

A. What is a Group Policy Object (GPO) that is used to automatically configure the desktop and is configured to automatically copy the default user profile over to the user's profile folder each time they log off?
B. What is a Group Policy Object (GPO) that is used to automatically configure the desktop and is configured to automatically copy the default user profile over to the user's profile folder each time they log on?
C. What is a mandatory roaming profile that is configured for each user in the domain by specifying a network share such as \\server\profiles\username and renaming the ntuser.dat file to ntuser.man in each user's profile?
D. What is a mandatory roaming profile that is configured for each user in the domain by specifying a network share such as \\server\profiles\username and renaming the ntuser.man file to ntuser.dat in each user's profile?

>> !
Answer: C

A user's profile contains their environmental information such as their desktop settings, mapped drives, etc. By default this is stored on their local workstation. In order for them to receive the same desktop settings regardless of the computer they log in at, they must have a roaming user profile configured in their user account properties. When a user with a roaming user profile logs on to a computer, Windows 2000 will download the user's profile information and apply it to the machine they are logging in at. When the user logs out, any changes made by the user to their profile will be copied back and saved on the server that holds the user's roaming profile. The next time the user logs in, their profile will download and they will receive the same desktop and environment they had the last time they logged off. A mandatory roaming user profile does not save any changes made to it by the user. Mandatory profiles are often used to enforce company policies when users log on. Mandatory profiles are created by changing the ntuser file's extension from .dat to .man in the user's profile. Windows 2000 Help, Search for the article entitled: User profiles overview.


90. You belong to a local system administrator support and networking social group. Several of the members are pretty clueless and you're starting to consider charging a consulting fee for keeping these clowns' networks up and running. At tonight's meeting, Jim Bob presents the following problem. He is installing Windows 2000 Professional on his computers using RIS but has run into some issues because each computer requires a custom configuration. You ask him if he needs to install custom applications and he states that he will be using Systems Management Server for that. What do you tell Jim Bob to do?

A. You tell him to use the CD-based RIS image and to use a different answer file for each custom configuration that is needed.
B. You tell him to use a RIPrep image and to use a different answer file for each custom configuration that is needed.
C. You tell him to use RIP's sysprep tool to automate the installation.
D. You tell him to use VBS to script all client installations.
E. You tell him it will be $250/hr. to answer his question, with a minimum of 4 hours.

>> !
Answer: A

Remote Installation Services (RIS) uses images and answer files to install Windows 2000 Professional remotely. The Client Installation wizard supports two types of operating system images: the Compact Disc (CD)-based install and the Remote Installation Preparation (RIPrep) image based install. You use RIPrep when you need to install additional applications on the computer during installation by using RIS. The RIPrep option can also be used to configure client settings such as mapped network drives and printers. You do not have to use RIS to push out images with applications already installed. You can use a default image (such as the CD-based image covered below) and another product that is designed to push out application installation such as Microsoft's Systems Management Server (SMS) product. You could also use Group Policy to push out or make applications available to users after the operating system has been installed. The CD-based option is the equivalent of setting up a client from the Windows 2000 Professional CD. All of the source files from the CD reside on and are used from a share on the RIS server.
The unattended installation process uses Setup Information Files (.sif files) to store the configuration settings for the installation image. These are basically unattended installation answer files that are used by RIS. By using .sif files, you can create multiple installation options that are associated with an image, including the CD-based image. By using this file you can customize which components and options are installed and how they are configured during installation just as you would be able to do if you were performing the setup manually and selecting items from a list on the screen. For instance you can use this file to specify which protocols to install. You can also use it to set options such as the display. Finally, you can provide users with a description of the image that will help them when they are trying to decide which image to download and install onto their system. When users boot their computers, log on and choose the automatic setup option, they will see a list of operating system installations that they can choose from. Windows 2000 Help, Search for the articles entitled: Installation options; and Advanced settings for installation images.


91. You are sitting at home, sick from work, when the CIO of your company calls you interrupting your favorite daytime soap. He is sitting in the Server room and reports that one of your domain controllers has died. Died is actually being kind, the term he uses is "Smoking". You know the machine he is describing. Fortunately, it does not hold any operations master roles, and it was totally backed up a few weeks ago including the System State Data. From his description of the flames, you feel that it is probably best to replace the system entirely. What steps do you take, besides getting the CIO out of the Server room, to solve the problem?

A. Install the new server and perform a full restore from tape.
B. Install the new server and restore only the System State Data from tape.
C. Install the new server and use the Active Directory Installation Wizard to make the computer a replica in the existing domain.
D. Boot to Directory Services Restore Mode. Use ntdsutil.exe to restore the Active Directory database authoritatively from backup.

>> !
Answer: C

You are replacing a failed domain controller with a new one. Because of this there is no reason to do any fancy backup or restore operations. You are not trying to make the new computer into an exact copy of the failed domain controller, just install a new domain controller as a replacement. Because the failed computer did not hold any operation master roles, you simply need to install Windows 2000 Server on the new computer and run dcpromo.exe. This will launch the Active Directory Installation Wizard. In the wizard, make this new computer an additional domain controller for an existing domain. When you do this it will initiate a transfer of all Active Directory objects from an existing domain controller. When it is finished, it will hold a full Active Directory replica for the domain. Windows 2000 Help, Search for the article entitled: To install a domain controller.


92. After a late night on the town with your latest date from IRC, you find you have overslept and are waking to the phone ringing. It seems that there is a DNS problem and your boss needs it fixed, now. Your network consists of four sites. The corporate site has the Primary DNS Zone for the domain. Each of the other sites has a Secondary Zone for the domain. You suspect that the problem relates to some bad DNS records, so you order your junior administrator to correct them on the server hosting the Primary Zone. It is very important that the records be replicated immediately to the Secondary Zone server in one of the branch offices. What do you tell your junior administrator to do?

A. On the Primary server, select Transfer to secondary and select the server you wish to transfer the new records to.
B. On the Secondary server in the branch office, select Transfer from master for the zone with the updated records.
C. On the Secondary server, select Transfer to master and select the server you wish to transfer the new records to.
D. On the Primary server, lower the Index Record Count value in the SOA record for the zone.
E. There is nothing you can do when using Standard zones. You must wait until the zone transfer interval has elapsed.

>> !
Answer: B

Zone transfers can be forced to happen immediately from a Secondary DNS server. Select Start => Programs => Administrative Tools => DNS. From the DNS management console, expand your server object and Forward Lookup Zones. Select the Secondary zone and then click "Transfer from master" on the Action menu. Windows 2000 Help, Search for the article entitled: To initiate a zone transfer at a secondary server.


93. Your small company has been bought out by a larger corporation seeking a tax shelter. The new owners are slave drivers! They expect you to show up on time and even have policies about personal hygiene. In what seems like one of hundreds of corporate meetings you must now sit through each day, you are informed by yet another in a stream of very boring men in suits that you need to reconfigure all of your DNS servers as Windows 2000 domain controllers. You do so only to have your Windows 2000 clients inform every user that a domain controller cannot be found. The Active Directory database is functioning properly. What should be the next step in your troubleshooting?

A. Verify that the service (SRV) records are in the DNS zone.
B. Verify that the SYSVOL folder hierarchy was successfully created.
C. Verify that the Windows 2000 clients are configured to use the correct DNS server.
D. Verify that Active Directory replication is functioning by using the replmon tool.

>> !
Answer: A

By default, Windows 2000 clients use DNS to locate Domain Controllers. The first thing to check in this case is to see if the appropriate service records were added to DNS. Among other things, service (SRV) records help Windows 2000 computers locate Domain Controllers and Active Directory. Windows 2000 Help, Search for the article entitled: Active Directory clients.


94. While working for your current company you've discovered that most of the sales guys have low golf handicaps and are complete idiots when it comes to anything that requires electric current to function. This, of course doesn't stop them from thinking they know everything there is to know about computers, and needless to say they love to tinker. Wisely, you have clamped down on what they can and can't do. However, you want all users in the sales organizational unit (OU) to have a drive mapping applied by a logon script when they log on from their Windows 2000 Professional computers. What do you do?

A. Configure a Group Policy Object (GPO) that requires the script to execute as a logon script, and assign it to the Domain.
B. Configure a Group Policy Object (GPO) that requires the script to execute as a logon script, and assign it to the Domain Controllers OU.
C. Configure a Group Policy Object (GPO) that requires the script to execute as a logon script, and assign it to the OU the users are located in.
D. Configure a Group Policy Object (GPO) that requires the script to execute as a startup script, and assign it to the OU the users are located in.

>> !
Answer: C

Group policy is commonly applied at the site, domain, organizational unit (OU), or local computer level. There are several different types of scripts available with Windows 2000. Computers and users can both have scripts. Computers have a startup script that is applied when they start up and applies to all users of the computer. Users have a logon script that is applied when they log in and applies only to them. The best way to apply logon scripts to users in a specific OU is to create a GPO, associate the logon script with it, and assign it to the OU where the user accounts reside. Windows 2000 Help, Search for the articles entitled: Scripts; and Local Group Policy.


95. Active Directory is brand new to your company. A junior administrator calls because he cannot locate in Active Directory the network printer he just installed. What should you tell the user?

A. From Active Directory Users and Computers, highlight the domain. From the View menu, select Filter Options and be sure that all objects can be viewed or that Printers are one of the objects that can be viewed.
B. The printer must be published in Active Directory for it to appear with the Find option.
C. The permissions for the organizational unit (OU) that contains the printer must be set for Authenticated Users to have Read and Execute permissions.
D. The Block Inheritance is set on the organizational unit (OU) where printer objects are contained. Clear the check mark so that domain Group Policy Object (GPO) permissions are inherited.

>> !
Answer: A

It is possible that the filter for the Find is set to exclude printers. From Active Directory Users and Computers, highlight the domain. From the View menu, select Filter Options and be sure that all objects can be viewed or that Printers are one of the objects that can be viewed. Printers that are installed on networks are automatically published to the Active Directory. Printer permissions by default allow Everyone to print. Administrators do not have to set permissions on the OU. Clearing the box on Block Inheritance so group policies are inherited will not resolve a Viewing problem.


96. Graduate school library services provides catalog search kiosk accounts for all graduate school personnel and students, but it restricts use of the kiosks from the university and public in general. Professors can read and write the research papers stored in published shared Research Publication folders on domain controllers, but graduate students can only access their own research papers. Librarians can read and write to the books catalog database, but graduate school individuals can only search the database. How should you structure the organizational units (OUs) for the Graduate school domain to provide resources to graduate school personnel and students?

A. Kiosks OU, Research OU, and LibraryStacks OU
B. Research OU and LibraryStacks OU
C. Database OU, Graduate Computers OU, Kiosks OU, Shared Folders OU
D. Professors OU, Librarians OU, Research Students OU

>> !
Answer: A

The OUs for administering resources are based on related function. The Research OU can hold objects representing graduate students, professors, groups of professors and graduate students, their shared directories, their computers and printers. The LibraryStacks OU can hold objects representing librarians, assistants, groups of librarians and assistants, their computers and printers. The Kiosks OU can hold the books catalog database, the kiosk hardware, and nested groups populated with the LibraryStacks OU groups and Research OU groups. You want the Kiosks OU to have the books catalog database resource because all users are in the other two OUs and all users will have some level of access to the database. The kiosk hardware, which is shared by all individuals of the Graduate school, should be in the Kiosks OU. The LibraryStacks OU and the Research OU have resources available only to their own OU. If you had only a Research OU and a LibraryStacks OU, you could put the books catalog database in the LibraryStacks OU. Group populations would not reflect how these resources are actually being shared, however. In other words, it would be confusing. For example, if the horticulture department was later given access to the kiosks, this unrelated department would have groups nested in the LibraryStacks Domain Local groups instead of directly in the Kiosks Domain Local groups, which relate to the function they are given permission to do. A domain's high level OU structure based on resources, such as Databases OU or Shared Folders OU, is not conventional, nor is one based on individuals' jobs, such as Librarians OU and Professors OU. It is acceptable to have an OU for common printers, however.


97. How is a software upgrade applied, after you mark the package file for redeployment in Group Policy, if the user was assigned the software?

A. A user's start menu, desktop shortcuts, and registry settings for the software are changed the next time the user logs on. The upgrade will not occur until the user attempts to load the software or access a file associated with the software.
B. A user's software is upgraded the next time the user logs on, regardless of the computer hosting the log on. The start menu, desktop shortcuts and registry settings for the software are changed at the same time.
C. If a computer has the software installed, the upgrade will take place after the startup scripts run. The start menu, desktop shortcuts and registry settings for the software are changed at the same time.
D. Every computer the user logs on to will get the upgrade, including all the desktop changes, after startup scripts run. This happens because the user has been assigned the software.

>> !
Answer: A

A user's environment, such as the start menu, shortcuts, and registry settings, are all readied without the software actually getting upgraded until the user initiates it by loading the software or by clicking on a file with that software's extension. The user's software does not start an automatic upgrade upon a user log on. A computer with the software installed does not necessarily get an upgrade. The upgrade occurs only if the user it was assigned to triggers the upgrade by accessing the software on his desktop or his start menu, or by clicking on a file with an associated extension. If every computer the user logs onto will get the upgrade, the user could see a lot of upgrades.


98. How should you configure Remote Installation Services (RIS) to improve security of the entire remote installation environment?

A. Put the images in a share folder accessible only to the users who are going to remotely install operating systems from the RIS servers. Also use security groups in Group Policy to limit who can access the share folder.
B. Use Group Policy to limit access to the template subdirectory under each image subdirectory on a RIS server with security groups.
C. Use Group Policy to limit access to each image subdirectory on a RIS server with security groups.
D. Use prestaging of computer accounts and limit the number of administrators who can install and configure RIS servers. Make sure RIS servers are authorized.

>> !
Answer: D

Using prestaging of computer accounts and limiting the administrators and authorizing the RIS servers is all you can do. The PXE-based remote boot ROM sequence and the transmission of packets are not secured. The prestaged computer accounts are created in Active Directory and the RIS server is configured to only service known clients. Using Group Policy to limit access to each image subdirectory is not a way to improve security of the remote installation environment. It is not even the correct way to set permissions for the images on the RIS server. Using Group Policy to limit access to the template subdirectory under each image subdirectory with permissions is the proper way to manage the choice of images a user may select from when performing the remote installation. It is not the way to manage security for the installation process. That is done with prestaged computer accounts. Putting the operating system images in a share folder is not the correct way to manage access of the images. Instead, use prestaged computer accounts on the RIS servers.


99. Internet Explorer is a business tool in your corporation. You do not want users to modify corporate settings for cache size, proxy settings, and default home page. Which Group Policy Administrative Templates settings for Internet Explorer in User Configuration do you need to set? (Choose all that apply)

A. Internet Control Panel, Disable the Advanced Page
B. Disable caching of Auto-Proxy scripts
C. Internet Control Panel, Disable the Connections Page
D. Browser menu, Tools Menu: Disable Internet Options...menu option
E. Disable changing Proxy Settings

>> !
Answer: A & D

If you set Tools Menu: Disable Internet Options... menu option, users cannot modify cache size, proxy settings and default home page from inside Internet Explorer. However, you must also set Internet Control Panel, Disable the Advanced Page, or users can make changes from the Control Panel. The Internet Control Panel, Disable the Connections Page policy setting removes the Connections tab and prevents users from seeing or changing the connections and proxy settings. This will not prevent users from modifying corporate settings for cache size, proxy settings and default home page. Disabling the changing of Proxy Settings and disabling caching of Auto-Proxy scripts do not modify policy as described for your corporate goals.


100. John is an outside consultant who is setting up the Distributed file system in Active Directory. He was added to the Domain Admins group so he can edit Group Policy Objects (GPOs). John is also a member of the Consultants group which has Read and Apply Group Policy for a GPO. The GPO, which is linked to the domain, requires password changes once a month. The GPO also manages published software. Because Administrators do not want to change their passwords monthly, the Apply Group Policy was set to Deny for Domain and Enterprise Administrators. What is the most likely reason John is unable to see PeopleSoft in Add/Remove Programs in the Control Panel?

A. Another GPO at the organizational unit (OU) where John's user account object is located does not offer published software.
B. Published software is applied to computer policy, not to user policy.
C. John is a member of Domain Admins.
D. The Authenticated Users group was removed from the DACL of the GPO.

>> !
Answer: C

When John was denied Apply Group Policy as a member of Domain Admins, he was also denied Apply Group Policy for the published software. His membership in the Consultants group will not override the Deny set on the Domain Admins access control entry (ACE). Administrators can remove the Authenticated Users group instead of denying Apply Group Policy so that Administrators can avoid the password change rule. But they must at the same time create a new group that includes everyone but administrators. If the Authenticated Users group had been removed with no replacement, many users would be calling, not just John! Published software is, to the contrary, applied to users, not computers. If the GPO at the domain level did not deny John Apply Group Policy, he would get the published software. A GPO at the OU level will not cut off the inherited GPO settings from the domain level unless Block Inheritance is applied.


101. Marc is a member of the global group Sales. Sales is a member of two domain local groups: MFG and SUPPLIES. MFG has Read permission for the Manufacturing organizational unit (OU). SUPPLIES has Write permission for the Manufacturing OU. The Administrator denied Marc the Create All Child Objects permission for the Manufacturing OU. Which two actions can Marc perform on Manufacturing? (Choose all that apply)

A. He can view the Active Directory permissions for the OU.
B. He can change attributes of the OU.
C. He can change permissions of the OU.
D. He can delegate access to the OU.

>> !
Answer: A & B

Even though Marc has been denied the ability to Create All Child Objects, he can still view the permissions for the OU and change the attributes of the OU. He can view the permissions because MFG has Read permission. He can change the attributes because SUPPLIES has Write permission. When a user or a group to which a user belongs is denied a specific permission, the permissions other than that permission are still effective. The standard Read and Write permissions do not provide the ability to change permissions or delegate access to an object.


102. One of the domain controllers on your Active Directory network is showing unusual latency with updates for Active Directory objects. You know that user accounts are being imported daily with the ldifde (LDAP Data Interchange Format (LDIF)) command. You confirm this observation by monitoring the NTDS performance object. Which counter can you watch to see if it is the new user accounts that are overloading the replication?

A. DRA Inbound Values (DN Only)/Sec
B. DRA Inbound Properties Applied/Sec
C. DRA Inbound Objects Filtered/Sec
D. DRA Inbound Bytes Total/Sec

>> !
Answer: A

The DRA Inbound Values (DN Only)/Sec counter shows how many of the object property values received from inbound replication partners per second are distinguished names (DNs). The new user accounts all have distinguished name values that reference other objects, such as groups. This can be a lot of replication for the domain controllers, and it may be the cause of the latency. DRA Inbound Properties Applied/Sec refers to inbound replication as a result of reconciliation logic; we are only looking for those updates that apply to distinguished names. DRA Inbound Objects Filtered/Sec is the number of objects received by a domain controller that did not have to be applied (this DC already knows about them); our problem is to find updates that must be applied to the database. DRA Inbound Bytes Total/Sec is the total of inbound bytes received per second. It does not look at distinguished name values specifically.


103. Preparing for software installation by Group Policy requires a few steps beyond just installing the installation files on the network. What basic steps are always required before the Windows Installer can respond to a client request for service? (Choose all that apply)

A. Create a shared folder and the application folders in the shared folder.
B. Copy the Windows Installer packages and software installation files to the shared folder prepared for it.
C. Assign Read and Execute permissions on the folders to anyone who will get the software assigned or published to them.
D. Copy all .mst files to the associated folders for that application.
E. Configure the Uninstall options on the properties sheet of the software package in Group Policy.

>> !
Answer: A, B & C

A shared folder where all software distribution points are located is required for Group Policy software installation. A Windows Installer package includes the .msi file and the software installation files, along with associated product files about the software. When users are assigned or published the software, they cannot install it without the Read and Execute permissions. Copying .mst files may not be necessary if no modifications are required for this application, so this step is not always required. Deployment options, such as configuring the Uninstall, can be done after the deployment. It is not necessary before clients can access the installation, so this step is not always required.


104. Site1 has two subnet names, 192.10.248.0/26 and 192.10.125.0/26. The server you are installing will be assigned the IP host address 192.10.125.126. What is the subnet mask you will enter when you set up the TCP/IP Properties for this server that is to become a domain controller in Site1?

A. 255.255.125.192
B. 255.255.255.128
C. 255.255.125.0
D. 255.255.255.192

>> !
Answer: D

The /26 symbol in the subnet names indicates how many bits are masked. In this case 8+8+8+2=26, so two bits of the final octet have been masked for the subnet. Starting with the most significant masked bit, with a value of 128, add the second most significant masked bit, 64, to get a sum of 192 for the final octet. In the first octet, all eight bits are masked for a value of 255. The second and third octets are also 8 bits, thus 255 for each.


105. The branch office has a slow WAN link for IP connections, and users have roaming user profiles. You modified group policy for their site to Disable the administrative template setting Do not detect slow network connections. You also Enabled Slow network connection time-out for user profiles. After the WAN link service is upgraded to a T1 line, how should you reverse the current policy?

A. Enable the Do not detect slow network connections setting. Disable or clear configuration for Slow network connection time-out for user profiles.
B. Reverse the branch office computers' registry settings for slow network connections individually.
C. Change the Group Policy Slow Link Detection for IP connections default setting to 500 kbps.
D. Unlink the Group Policy Object (GPO) at the branch office's site.

>> !
Answer: A

The correct answer is Enable the "Do not detect slow network connections" setting and Disable or clear configuration for "Slow network connection time-out for user profiles." The next Group Policy refresh will make the correction on the branch office computers. Client refreshes by default are every 90 minutes, with random adjustments to prevent everyone hitting the domain controllers at the same time. In Windows 2000, editing the branch office computers' registry settings is no longer necessary to recover from registry tattoos that were caused by System Policy in the NT and Windows 9.x systems. The default threshold is already 500 kbps for IP connections in the Slow Link Detection policy. You don't need to change it based on actions taken in the scenario details. Unlinking the GPO at the branch office's site is an incorrect choice because it is unclear whether the GPO is strictly for managing slow link detection. Probably the GPO for the branch office linked at site level has other policies prescribed.


106. The corporation has three large buildings in Orlando. The network connections between each of these locations are at least 512 Kb. The Springs branch office has a link to one of the Orlando locations at 56 Kb. The company is converting to a TCP/IP environment with a single Windows 2000 domain. You have enough servers to put a domain controller (DC) in each of the four locations if necessary. You will place one DC in the Springs branch office by corporate decision. You have plenty of host IP addresses available. How should you configure the subnets and sites for these four locations?

A. Make the Springs branch office and the three Orlando locations one site and use all subnets for that site.
B. Make the three Orlando locations separate sites because of the very slow connection speeds. Make the Springs branch office the fourth site. Associate different subnets to each of the sites.
C. Make the Springs branch office a separate site with its own subnet. Make the Orlando locations either one site or three separate sites, based on criteria other than connection speed. Distribute the Orlando subnets according to how you set up the Orlando site(s), allowing one or more subnets per site.
D. Make the three Orlando locations one site, based on link speed alone. Use as many subnets as necessary. Make the Springs branch office a separate site based on link speed with a separate subnet.

>> !
Answer: C

You have the option of configuring the Orlando locations as one site or three separate ones. The link speed of 512 Kb is the lowest allowable network connection speed for combining subnets, which means including them in the same site. You can use other criteria to help you decide how to allocate subnets and sites. Since this is a medium to small network, based on the fact it has only four locations, the network bandwidth is adequate for making one or three sites. Other criteria that may impact the bandwidth are replication traffic, user logon, and client directory queries. You will definitely make the Springs branch office a separate site with its own subnet because of the slow WAN link and its domain controller. You are not required to separate the three Orlando locations based on the link speed. Since it is a borderline speed, however, you should look at other criteria to help you decide how to allocate subnets and sites. Do not make all locations one site: the WAN link speed is a problem. You are not required to make all Orlando locations separate sites; refer to the discussion of Orlando's options above.


107. The Group Policy Template (GPT) for a Group Policy Object (GPO) on one domain controller is not synchronized with the templates on other domain controllers in your domain. What should you do to determine the reason that the domain controller is not synchronized?

A. Check if the primary domain controller (PDC) emulator is accessible.
B. Check if the infrastructure master is accessible.
C. Check if the schema master is accessible.
D. Use Replication Monitor.

>> !
Answer: A

By default, the Group Policy console focuses on the copy of the GPO stored on the PDC emulator. This helps to ensure that changes to the Group Policy Template (GPT) portion of a GPO, which resides in Sysvol, are made in the same location and then replicated to all domain controllers. If the PDC emulator is not available, Group Policy does allow you to focus on a different domain controller.


108. The outside consultant has created all the unlinked Group Policy Objects (GPOs) for the enterprise. You are the administrator and are tasked with managing the security of the GPOs. At this transfer point when you assume responsibility, who can edit the enterprise GPOs? (Choose all that apply)

A. Users delegated control to manage group policy links at the site level
B. The consultant
C. Members of the Enterprise Admins group
D. All domain administrators
E. Users who have been delegated control to manage group policy links at the domain level

>> !
Answer: B & C

The consultant is the Creator Owner of the GPOs, and as such, has Full Control. Only the members of the Domain Admins of the domain where GPOs are linked have edit permissions. A domain is a security boundary. At this transfer of responsibility from the consultant to you, the administrator, no GPOs have been linked. Enterprise Admins can edit the GPOs. Users who have been delegated control to manage group policy links at the domain or the site level do not have edit permissions on the GPOs, even if the GPOs are later linked to these domains or sites.


109. The printers organizational unit (OU) was deleted, and you want to restore Active Directory. You power up the domain controller (DC), press F8, choose the Directory Services Restore Mode, and restore the System State data. After the computer restarts, you do not see the printers OU. What step did you miss?

A. Type dsastat when prompted to restart the computer.
B. Run ntdsutil instead of letting the computer restart when prompted.
C. Restore Active Directory to its original location after the computer restarts.
D. Type authoritative restore when prompted to restart the computer.

>> !
Answer: B

Ntdsutil should be run instead of allowing the computer to restart. When you restore a missing OU, you should restore Active Directory to its original location; this is a true statement, but it is not the step you missed. You will not get an opportunity to type authoritative restore unless you use ntdsutil; there is no opportunity to type it at the prompt to restart the computer. You can run dsastat if you need diagnostics run on Active Directory, but this is not the step you should take here.


110. The user is attempting to use the Remote Installation Services (RIS). He reports the No Bootfile received from DHCP, BINL, or Bootp error. Others on the segment are receiving the Client Installation Wizard (CIW). What does that message indicate to you as you begin troubleshooting?

A. The RIS server is not responding to the client who has received an IP address from DHCP and is trying to contact the RIS server.
B. The DHCP-based packets cannot get through a router between the RIS server and the client.
C. The client is not receiving an IP address from DHCP.
D. The Trivial File Transfer Protocol (TFTP) daemon failed to download startrom.com.

>> !
Answer: A

When the RIS server does not respond, the client computer will time out and display the error message referenced in the scenario. Since other clients are receiving the CIW, you can look for client problems: the version of the PXE ROM or RIS service support. Look at Active Directory to see if the prestaging was done on a RIS server that is offline, is not yet authorized, or has no BINL service started. If the DHCP-based packets cannot get through a router located between the RIS server and the client, then the RIS server cannot respond to the client. The RIS server initially uses DHCP-based packets to communicate with the client. The failure to get packets through the router is not causing the error message that the client received. The client did receive an IP address from the DHCP server. The client then attempted to contact the RIS server, and the error occurred at this point. The TFTP daemon will not act until the RIS server and client are communicating, which is the point of failure in this scenario. Startrom.com is the bootstrap program that displays the F12 prompt to the user.


111. There are now two sites, Chicago and Urbana, in your Illinois.contoso.com domain. The domain was created at the Urbana location. You want to improve user logon performance at the new Chicago site, where most of the users are now located. How do you improve user logon performance?

A. Move the global catalog from the Urbana site to the Chicago site, where most of the users are located.
B. Add the global catalog to each domain controller in the Chicago site for load balance.
C. Add the global catalog to a domain controller in the Chicago site by using the Services icon in the Control Panel. Set the service to run automatically.
D. Enable a global catalog for the Chicago site on the domain controller's server object using the NTDS Settings Properties sheet.

>> !
Answer: D

You add a global catalog server by enabling it using the NTDS Settings Properties sheet for the targeted domain controller. You put global catalogs near the user accounts to improve logon performance. You do not add global catalogs from the Services icon in the Control Panel. Avoid putting a global catalog on every domain controller. One per site is recommended. Load balance is not a justification for putting them on every domain controller. Moving the global catalog to the Chicago site is ineffective because you need one in both sites.


112. To authorize a RIS server, which program or policy will you use?

A. Administrative Tools, DHCP
B. Administrative Tools, Domain Security Policy
C. Administrative Tools, Routing and Remote Access
D. Administrative Tools, Server Extensions Administrator

>> !
Answer: A

The DHCP Management console, also an MMC snap-in, is where you Manage Authorized Servers. The Domain Security Policy, in Administrative Tools, is not available as a snap-in for MMC. But from Administrative Tools, the utility allows you to make the same Security Settings, such as Public Key Policies, Account Policies, and Local Policies, as you are accustomed to using for other computer accounts with the snap-in for MMC. Routing and Remote Access, also an MMC snap-in, manages multiprotocol routing, remote access, and virtual private networks. For individual servers it manages remote access policies, ports, logs, etc. The Server Extensions Administrator is not an MMC snap-in. It contains, for example, FrontPage Extensions.


113. When you assign an administrator assistant the task of modifying many user accounts in the enterprise for employees who have received stock options based on length of service, how should you instruct him to locate and edit the accounts?

A. Use Find on the Action menu of Active Directory Users and Computers. Be sure the domain is selected. Administer the account by double-clicking its listing.
B. Use Start, Search, For people.... Be sure to select Active Directory from the pull-down menu.
C. Use the organizational units (OUs) that contain the user accounts for an organized management of user accounts.
D. Execute a batch file to modify user accounts.

>> !
Answer: A

Using Find in Active Directory Users and Computers after selecting the domain makes administering the account easy because you can modify the object's properties once you find it. If you select the Entire Directory option, you will be searching the Global Catalog. Start, Search, For people... does not lead to the user account properties. It displays contact-type information that can be edited. Using the organizational units (OUs) that contain the user accounts usually does facilitate administration. The number of accounts and the reason you are modifying them, however, may span many OUs. This could become labor intensive if the OU is not the defining organizer for the accounts that need modification. In this scenario, length of service is the definer. You can use an import file, such as LDIF format, to modify or delete objects' attribute values in Active Directory. Therefore, you can automate such modifications with a batch file. The scenario, however, has an administrator's assistant doing the job, and a correct answer must account for the task difficulty. Setting up an LDIF format import file assumes programming skills.


114. While you verify the different components of an Active Directory installation, how should you check for installation errors?

A. Use the Event Viewer.
B. Use the DNS snap-in to check the SRV records.
C. Use Explorer to watch for creation of files and folders pertinent to a domain controller.
D. Use net share for existence of shared resources.
E. Use the DSAStat command.

>> !
Answer: A

Keep an eye on Event Viewer as you verify the promotion of a server to a domain controller. It will reveal such things as misconfigured subnets, a failed site link, or the inability to find the SRV records that should be registered with the DNS. Checking the DNS snap-in for SRV records is a necessary part of verification, but will not show installation errors. Checking Explorer for domain controller-related files will not indicate installation errors. Net share is good for verifying that clients can use shared resources, but will not display errors of the installation. DSAStat is a good tool for showing the differences of directory information on DCs.


115. You are an administrator. You set the Audit Policy in the Group Policy Object (GPO) at domain level to log system events and logon events for both success and failure. You run secedit /refreshpolicy MACHINE_POLICY. When you look at the log in the MMC Event Viewer console from the domain controller, you do not see the events. What should you do to correct this problem?

A. In the Event Viewer console, in the View menu, select View All Records.
B. In the domain level GPO, set policy in the Security Settings for Event Logs.
C. Set the Audit Policy for system events and logon events in the Local Computer Policy, not at the domain level GPO.
D. Set the Registry key for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Event Log\log_name to value 1 to open up access to local administrators, as well as Domain Admins.

>> !
Answer: A

You should set View All Records in the Event Viewer console because the View, Filter... option may be set. If it is, you will not see the system and logon events. Once you have set policy with a GPO and you have enabled logging, the events should be viewable. The Security Settings for Event Logs will control your event logs but not change how you view them in the Event Viewer. Once you turn off the View, Filter in the Event Viewer console, you will see that the logon events were being recorded all along. Audit Policy for all domain controllers is set at the domain level with a GPO, not in the Local Computer Policy. You do not have to be a member of Domain Admins to view the logs. You only have to have an account in the Administrators group. No registry settings are necessary for viewing the security logs; however, the Event Viewer is the only way to view them.


116. You are configuring new security for the domain controllers (DCs). You have modified a template with the changes. You want to check how it looks with a production computer. What should you do?

A. In the Security Configuration and Analysis snap-in, create a new database and import the template you prepared. Click on Analyze Computer Now.
B. In the Security Configuration and Analysis snap-in, create a new database and import the template you prepared.
C. Import the template into the Group Policy on the target container. From the Security Configuration and Analysis snap-in, click on Analyze Computer Now.
D. Export the Group Policy Object (GPO) for the target computer to a security template. Import the new template into the Group Policy on the target container. From the Security Configuration and Analysis snap-in, click on Analyze Computer Now.

>> !
Answer: A

You can analyze the results of applying new policy changes by loading the new template into a database using the Security Configuration and Analysis snap-in. When you analyze the template against the computer's current security settings, you can later see in text output what will happen if you go live with the new settings. Use the red flags to show you where policy conflicts. In the Security Configuration and Analysis snap-in, creating a new database and importing the template you prepared is only step one. You should also Analyze Computer Now to get a comparison of the two. If you import the template into the Group Policy on the target container, you will be taking the security changes live, rather than analyzing them against current security settings. Exporting the Group Policy Object for the target computer to a security template saves the current security settings of the computer. Later, if you want to return to original settings, you can easily apply the template to a basic configuration. This answer is wrong in the second sentence: importing the new template into a production computer is too risky. You should use the Security Configuration and Analysis tool for comparing actual with planned.


117. You are configuring secure dynamic updates for all your Active Directory integrated DNS zones. All zones will accept secure dynamic updates only. All client computers are configured to always attempt secure dynamic update. DHCP will handle the registration for down-level clients. What other configuration task is required if the zones only allow secure dynamic updates?

A. Each DHCP server that updates records in the zones must be on a server, not a domain controller.
B. The Authenticated users group must have the ACL set for the dnsZone object to Create.
C. Each DHCP server must have a registry addition to set the UpdateSecurityLevel entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey with a value of 16.
D. The Authenticated users group must have the ACL set for the dnsNode object to Create.

>> !
Answer: A

DHCP, running on a domain controller and registering A (Host) records on behalf of down-level clients, can take ownership of the computer names of any clients who are registering their own records. If later the DHCP server is down, an alternate DHCP server would be unable to update the record because it is owned by the first DHCP server. A default setting for secure updates could cause stale records in this situation. To get around the problem of ownership, a new group named DNS Update Proxy allows members to create objects with no security. When every DHCP server is a member of this group, the A records they register for down-level clients no longer have ownership problems. This solution does allow security holes, however. The clients, who are configured to always attempt secure dynamic update, received an additional registry setting that sets the UpdateSecurityLevel entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey with a value of 256. DHCP servers do not require a registry setting in order to accept secure dynamic updates only. The Authenticated Users group has Create permission by default for zone objects such as dnsNode and dnsZone. The dnsZone is the container object in Active Directory when a zone is directory-integrated. It has a dnsNode object for every unique name in the zone, and a value for every record mapped to that name. The dnsNode is a leaf. An administrator is not required to set permissions on these for the users to have secure dynamic updates.


118. You are creating your sites, five of them, after all servers are promoted to domain controllers (DCs). How much time should you allot for the Knowledge Consistency Checker (KCC) to build the replication topology after you have the server objects moved to their new sites?

A. 12 hours
B. 24 hours
C. 6 hours
D. 30 minutes

>> !
Answer: C

As a rule of thumb, give the KCC 6 hours to create the replication topology. Use the Event Viewer to watch its progress. If you move the server objects at the end of the day, all should be well by the next workday. If possible, create the sites before you promote the servers to DCs. They will get their server objects located in the correct site as they are promoted.


119. You are deploying Active Directory for your company. When configuring your Active Directory sites, what step must you take?

A. Ensure that the server object for each domain controller is a child of the correct site.
B. Assign each IP subnet to only one site.
C. Assign only one IP subnet to each site.
D. Create IP connection objects from each site to the site where the forest root server is located.

>> !
Answer: B

You must assign each IP subnet to only one site. You can assign multiple IP subnets to a site. You define a site based on the type of connectivity between subnets. If the communication between two subnets is over a reliable, high-speed link, such as a Local Area Network (LAN) connection, those subnets can be assigned to a single site. A connection object is the representation of a replication path from one domain controller to another. Connection objects are created and managed by the Knowledge Consistency Checker (KCC). You can create connection objects manually, but you generally do not need to do so. Each domain controller is represented by a server object in Active Directory. The server object is a child of a site object. If the subnet on which a domain controller resides is assigned to a site, the server object will be created in that site when a computer is promoted to a domain controller. If the subnet is not assigned to a site, the server object will be assigned to the site created by default, Default-First-Site-Name. You can move a server object from one site to another. It is a good practice to ensure that the server object is in the correct site, but this is not a mandatory step.


120. You are designing an Active Directory structure for your company. You plan to define password rules that will apply to everyone in the company. You plan to create a Group Policy Object (GPO) to implement the rules. You want to link the GPO to a single Active Directory object. Administrators in each department may also need to define software installation policies for their departments. What Active Directory structure should you implement?

A. A separate tree for each department.
B. A single domain with an organizational unit (OU) for each department.
C. An empty root domain with one child domain for each department. Define all user, group, and computer accounts in the child domains.
D. A root domain with one child domain for each department. Define user and group accounts in the root domain and computer accounts in the child domains.

>> !
Answer: B

Password rules are only applied at the domain level, so you should implement a single domain with an OU for each department. The administrator in each department can then create a GPO to implement software installation policies and link the GPO to the department's OU. A GPO is not inherited from a parent domain by child domains, so you should not create a child domain for each department. You should not create a separate tree for each department, since you want to link the GPO that defines password rules to one Active Directory object.


121. You are discussing the differences between replication within a site and replication between sites in Active Directory. Which two statements describe replication between sites? (Choose all that apply)

A. Changing the schedule for replication between sites can be done by modifying the schedule on site link objects.
B. A site link can connect more than two sites for replication between sites.
C. The Simple Mail Transfer Protocol (SMTP) can be used for replication between domain controllers (DCs) for a single domain in multiple sites.
D. All domain controllers (DCs) for a domain replicate data directly to DCs in other sites.

>> !
Answer: A & B

You set the schedule for replication between sites by configuring the schedule defined for the site link objects. A single site link can connect more than two sites. SMTP can only be used between sites to replicate information from one domain to another domain, not between domain controllers in the same domain. In each site, a bridgehead server is responsible for replicating data to another site. The bridgehead server is a domain controller. If there is more than one domain in a site from which data must be replicated, there must be a bridgehead server for each domain.


122. You are going to administer a domain-based message queuing network on the company's Windows 2000 network. Where are you required to set up this service publication?

A. On a Global Catalog server's Active Directory Sites and Services snap-in, MsmqServices node
B. On a Message Queuing server's Active Directory Sites and Services snap-in, MsmqServices node
C. On an Application server's Active Directory Sites and Services snap-in, MsmqServices node
D. On any domain controller's Active Directory Sites and Services snap-in, Services, MsmqServices node

>> !
Answer: D

A domain-based message queuing network that publishes network services in a Windows 2000 network is administered with the Active Directory Sites and Services snap-in in the MsmqServices node. A Global Catalog server is required for each site in the message queuing network. You do not have to publish network services for a message queuing network from the Global Catalog server, though. You are not required to administer the publication from a Message Queuing server. You are not required to administer the publication from an Application server.


123. You are going to implement a group policy so no one can use Microsoft Management Console (MMC) snap-ins except administrators. The policy will affect everyone in this path: LDAP://CN=Admins2, CN=ITDept, dc=domainctr, dc=red, dc=com. The network administrators are in the ITDept organizational unit (OU), and their student helpers, who are not administrators, are in the Admins2 OU. Which steps are necessary for you to exclude everyone but administrators and student helpers from using MMC? (Choose all that apply)

A. At the domain level Group Policy Object (GPO), enable Restrict users to the explicitly permitted list of snap-ins.
B. In the domain level Group Policy Object's (GPO's) ACL, Deny Domain Admins and Enterprise Admins the Apply Group Policy.
C. Create a group for student helpers in Admins2 named AAdmins and add them to the group. At the domain-level Group Policy Object (GPO), add Admins2 to the ACL and set Apply Group Policy to Deny for Admins2.
D. Create a group for student helpers in Admins2 named AAdmins and add them to the group. Link the domain-level Group Policy Object (GPO) at Admins2 level and add AAdmins to the ACL. Set the Read and Write permissions to the AAdmins for the GPO.
E. Add student helpers to a group named AAdmins at domain level and set the Read and Write permissions to the AAdmins for the domain-level Group Policy Object (GPO).

>> !
Answer: A, B & C

The domain-level GPO to "Restrict users..." will exclude everyone. This is the first step. In the domain-level GPO's ACL, you can exempt Domain Admins and Enterprise Admins from the policy by setting Deny permission on Apply Group Policy. Now everyone but administrators is excluded. This is the second step. You can create a group for student helpers in the Admins2 OU. Down in the child OU named Admins2 are some student helpers who will be using the MMC snap-ins. Your third step is to filter them out of the domain-level policy with a security group named AAdmins and set Deny on the Apply Group Policy. This work is necessary because they do not have Domain Admins privileges. If you don't filter the AAdmins security group, they will inherit the policy "Restrict users to the explicitly permitted list of snap-ins." Giving the student helpers who are in the AAdmins group Read and Write permissions to the GPO will not give them the filter (Deny on Apply Group Policy) that is required. The filter exempts them from the domain-level GPO setting "Restrict users to the explicitly permitted list of snap-ins." Linking the domain-level GPO at the Admins2 level is duplicating policy instead of using security groups to filter. Adding the student helpers to a group named AAdmins at the domain level is inappropriate grouping. The members belong in an OU, so create the group at that level.


124. You are going to move some Active Directory objects to a new domain in your forest using the MOVETREE utility. Which objects will end up in an orphan container in the LostandFound container of Active Directory Users and Computers console because you used the MOVETREE utility to move them? (Choose all that apply)

A. Domain Local groups with members
B. Universal group with members
C. Organizational unit (OU) containing printer objects
D. Empty Domain Local groups
E. Global groups with members
F. Join information on moved computer objects

>> !
Answer: A, E & F

Domain Local groups and Global groups must be empty to move. If they contain members, they will go to the LostandFound container. When you move a computer object to another domain, its join information stays behind. You should use NETDOM to move computer objects so that join information won't remain in the LostandFound container. It is valid to move empty Domain Local groups. It is valid to move an OU containing objects, such as printers. Universal groups with members can be moved to another domain within the same forest.


125. You are going to prepare a custom console for System Monitor and distribute it to administrators throughout your Active Directory network. They are going to collect data on their own servers. Which of the following configurations must you make in order for this console to work throughout the network?

A. You must select the option Use Local Computer Counters on the Select Counters dialog box.
B. You must select the Use Local Computer Counters on the Select Counters dialog box.
C. You must set the Trace Logs to a nonsystem provider.
D. You must set the logging to start manually on demand.

>> !
Answer: B

Use Local Computer Counters is the setting that allows the console to work on other computers instead of only the one you were on when you created it. Setting the Trace Logs to a nonsystem provider for activities external to the system is required when you want Performance Logs and Alerts to record events from the nonsystem provider when they occur, not continuously. This is not a required setting for a System Monitor console used by many domain controllers. Examples of nonsystem providers are Kerberos or NetLogon. Both counter and trace logs can log manually on demand or by a schedule for Performance Logs and Alerts; the administrator defines which. This is not a required setting for a System Monitor console used by many domain controllers. A limited list of counters to select from in the console is not a valid configuration. The administrator can only use Select Counters From List interactively.


126. You are going to use organizational unit (OU) structures to decentralize administrative tasks for a furniture company, which has locations in four states. Each state has all five business lines, which are each treated as separate cost centers: upholstered, wood, metal, glass, and plastic. Each business line has identical functional roles: production, sales, marketing, accounting, and so forth. How should you implement the top level of the OU structure?

A. An OU for each functional role which incorporates each location
B. An OU for each line of business
C. An OU for each geographical location
D. An OU for each business line across every geographical area

>> !
Answer: C

For decentralizing the administrative tasks, the geographic OUs will align personnel in a given locality. To organize OUs by business line would be cumbersome. While it is possible to put all glass operations under one administrative structure, their workload would be spread across four states. The point of this scenario is that IT administrative tasks can be delegated through OUs, and this structure does not impact the business hierarchy; users do not have to know about the OU structure. Therefore, create the OU structure to make it easier on IT administration. To organize by functional role is also cumbersome. It is appropriate to create OUs by function at a lower level of the OU hierarchy. In other words, first by geographical location, then by business line, then by function.


127. You are preparing to add ten servers to your new Active Directory domain. The servers will be in different sites. What should you configure if you want each domain controller automatically added to its intended site?

A. After the first domain controller is installed, you should rename the Default-First-Site-Name to your initial site's name. Then, define the remaining sites and their subnets before adding any more domain controllers.
B. Configure nothing. During installation of all servers after the first, the DNS server automatically manages the site assignment during TCP/IP configuration verification based on defined subnets.
C. Create a new _Service field for site records in DNS and create a SRV record for each site before you add the remaining domain controllers.
D. Create a SRV record in DNS for each new site using the ldap.tcp.._sites.dc._msdcs syntax before adding any new domain controllers that will reside in the new site.

>> !
Answer: A

You should rename the Default-First-Site-Name and add the remaining sites. When all remaining domain controllers are added to the domain, each new server's IP address will cause it to be added to the proper site because of the defined subnet. DNS does not manage site assignment. TCP/IP configuration verification is checking for the presence of the TCP/IP protocol, the availability of the DHCP service or an installed IP address. It is also checking the validity of the server's DNS resolver configuration if this is the first server of the domain. The SRV records exist in the DNS server for each service, but sites are not one of the services. When you are adding SRV records, you do not have to create a new _Service field. Instead, you put a value in the _Service field for each new SRV record. The SRV record using ldap.tcp.._sites.dc._msdcs allows a client to find a domain controller in the specified site and domain. This is a required registration for domain controllers.


128. You choose not to implement a Distributed file system (Dfs) in the Active Directory at this time. You would like the users to find shared files, folders, and printers easily using the Find dialog box of Active Directory Users and Computers. Which of the following Active Directory objects need to be published, because they are not automatically included?

A. Network printers
B. Shared folders
C. User accounts
D. Computer accounts

>> !
Answer: B

Shared folders must be published in a domain or OU. Right-click the domain or OU, select New, then Shared Folder. The dialog box will ask you for the UNC name. User accounts and computer accounts can only be added in Active Directory Users and Computers if you are adding them to a domain. They don't need to be published if you are working in a domain. Network printers are also automatically published when they are installed.


129. You created the first Windows 2000 domain in the new tree in the new forest. You also have a Windows NT 4.0 primary domain controller (PDC) in a resource domain that should be upgraded to Windows 2000 as a domain controller of the newly created Windows 2000 domain. If you upgrade the resource domain's PDC, what will be the result?

A. Active Directory will not install on an upgraded PDC if the installation wizard detects a root domain during the installation verification period.
B. You can choose to make the NT 4.0 domain controller a member server.
C. Active Directory is an installation option for a domain controller in your new domain.
D. Active Directory will install as a new domain.

>> !
Answer: D

Active Directory will install as a new domain. If you do not want the PDC of your resource domain to create a new domain, either as a new tree in an existing forest or as a child domain of your first domain, then you must begin by demoting the PDC to a backup domain controller (BDC). Active Directory is not an option if you are upgrading a PDC. Once the PDC is demoted, you can upgrade the BDC to Windows 2000 with the option of installing Active Directory and making the server an additional domain controller in your new domain. You also have the option of making a BDC a member server, in which case you do not install Active Directory. Member server is only an option if you demote the PDC, however. The Active Directory installation wizard will check for a unique NetBIOS domain name during the verification. The wizard will indeed let you install Active Directory on an upgraded PDC because you may wish to create a new child domain or the first domain in a new tree in your existing forest.
