Apply Your Knowledge
The 70-294 exam tests your knowledge of the various situations that you may encounter when installing and configuring Active Directory. You need to be aware of the implications involved in modifying the schema, creating and modifying trust relationships, and employing alternate UPN suffixes. You should also know how to create and configure sites and their associated subnets, site links, and site link bridges. Finally, you should know how to create and modify intersite replication. The exercises and exam questions presented here serve to reinforce these requirements.
Note that you may encounter drag-and-drop or hot-spot questions on the exam. Due to the limitations of the printed page, we are unable to include questions of these types in the exam questions section. However, the explanations suggest the possibility of these question types where appropriate.
Exercises
To perform these exercises, you should have at least three computers, on two of which you have installed the root domain of an Active Directory forest named domain1.com, and a third domain controller on which you have installed the root domain of a second forest named domain2.com.
If you have only two computers available, you can complete exercises 3.1–3.2 and 3.4–3.8 first and then demote the domain2.com domain controller and reinstall Active Directory on this computer as a second domain controller in the domain1.com domain. Then create a second site and place this domain controller in this site, according to the exercises in Chapter 2. You can then complete exercise 3.3.
3.1 Registering and Installing the Schema Snap-In
The first two exercises involve modifying the Active Directory Schema. This exercise shows you how to register and install the Active Directory Schema snap-in. You can do this from either forest root domain controller. By default, these computers hold the role of schema master for their respective forests.
Estimated Time: 5 minutes
1. Click Start, Command Prompt.
2. Type regsvr32 schmmgmt.dll and press Enter.
3. You should receive a message informing you that the registration succeeded. Click OK and close the Command Prompt window.
4. Click Start, Run, type mmc, and then click OK.
5. Click File, Add/Remove Snap-In.
6. In the Add/Remove Snap-In dialog box, click Add.
7. In the Add Standalone Snap-In dialog box, select Active Directory Schema and then click Add.
8. Click Close to return to the Add/Remove Snap-In dialog box.
9. Click OK to add the Active Directory Schema snap-in to the blank MMC.
10. Click File, Save, and on the Save As dialog box, type Schema.msc. Click Save to save the Active Directory Schema MMC in the Administrative Tools folder.
3.2 Creating Classes and Attributes
In this exercise, you create a new attribute named Salary Level. Then you create a new class named Human Resources and add the Salary Level attribute to the Human Resources class.
Estimated Time: 10 minutes
1. The Active Directory Schema snap-in should still be open from Exercise 3.1. If not, click Start, Administrative Tools, Schema.msc.
2. In the console tree, expand Active Directory Schema to reveal the Classes and Attributes folders.
3. Right-click Attributes and select Create Attribute.
4. The Schema Object Creation dialog box warns you that creating schema objects is a permanent operation. Click Continue to create the attribute.
5. In the Create New Attribute dialog box, type the information in the following table:

   In This Field              Type the Following
   Common Name                SalaryLevel
   LDAP Display Name          SalaryLevel
   Unique X.500 Object ID     1.2.840.113556.1.4.7000.141
   Description                Salary Level
   Syntax                     (Select Integer)
   Minimum and Maximum        (Leave blank)

6. Click OK.
7. Right-click Classes and select Create Class.
8. The Schema Object Creation dialog box warns you that creating schema objects is a permanent operation. Click Continue to create the class.
9. In the Create New Schema Class dialog box, type the information in the following table:

   In This Field              Type the Following
   Common Name                HumanResources
   LDAP Display Name          HumanResources
   Unique X.500 Object ID     1.2.840.113556.1.4.7000.17
   Description                Human Resources
   Parent Class               (Leave blank)
   Class Type                 (Select Auxiliary)

10. Click Next.
11. In the next page of the Create New Schema Class dialog box, click Add under Optional.
12. In the Select Schema Object dialog box, scroll down to the SalaryLevel attribute you just created and then click OK.
13. This attribute is displayed in the Optional field of the Create New Schema Object dialog box. Click Finish.
14. To verify creation of this class and attribute, expand Classes in the details pane of the Active Directory Schema console and scroll down to locate the HumanResources class. The SalaryLevel attribute should be displayed at the top of the details pane, along with several other attributes that were automatically assigned to this class when it was created.
15. Close the Active Directory Schema console.
3.3 Creating a Forest Trust
This exercise demonstrates how to create a two-way forest trust between the two domains. It assumes that both forests are operating at the Windows Server 2003 forest functional level. You should perform this exercise from the domain1.com root domain controller.
Estimated Time: 10 minutes
1. Click Start, Administrative Tools, Active Directory Domains and Trusts.
2. In the console tree of Active Directory Domains and Trusts, right-click domain1.com and choose Properties.
3. Select the Trusts tab of the Domain1.com Properties dialog box and then click New Trust to start the New Trust Wizard.
4. On the Welcome to the New Trust Wizard page, click Next.
5. On the Trust Name page, type domain2.com and then click Next.
6. On the Trust Type page, select Forest Trust and then click Next.
7. On the Direction of Trust page, select Two-Way and then click Next.
8. On the Sides of Trust page, select Both This Domain and the Specified Domain and then click Next.
9. On the User Name and Password page, type the name and password of an account that is a member of the Domain Admins group in the domain2.com forest. Unless you have changed it, this is the original administrator account created when installing Active Directory.
10. On the Outgoing Trust Authentication Level—Local Domain page, choose Selective Authentication and then click Next.
11. On the Outgoing Trust Authentication Level—Specified Domain page, choose Selective Authentication and then click Next.
12. On the Trust Selections Complete page, review the choices you have made to make sure they are correct. If necessary, click Back and make any needed corrections. When the choices are correct, click Next to create the trust.
13. On the Trust Creation Complete page, click Next.
14. On the Confirm Outgoing Trust page, click Yes, Confirm the Outgoing Trust and then click Next.
15. On the Confirm Incoming Trust page, click Yes, Confirm the Incoming Trust and then click Next.
16. When the Completing the New Trust Wizard page appears, click Finish to return to the Trusts tab of the domain1.com domain's Properties dialog box. The trust with the domain2.com domain should appear as both outgoing and incoming, with a trust type of External and a transitivity of No.
3.4 Validating a Forest Trust
In this exercise, you validate the trust you just completed in Exercise 3.3. You should perform this exercise from the domain2.com root domain controller.
Estimated Time: 5 minutes
1. Click Start, Administrative Tools, Active Directory Domains and Trusts.
2. In the console tree, right-click domain2.com and choose Properties.
3. Select the Trusts tab of the Domain2.com Properties dialog box. domain1.com should appear in the two fields of this dialog box.
4. Under Domains Trusted by This Domain (Outgoing Trusts), select domain1.com and click Properties.
5. On the Domain1.com Properties dialog box, click Validate.
6. You are asked whether you want to validate the incoming direction of trust. Click Yes, Validate the Incoming Trust, type the username and password of an account that is a member of the Domain Admins group for domain1.com, and then click OK.
7. You should receive a confirmation message. Click OK.
8. Click OK to close the Domain1.com Properties dialog box.
9. Back in the Domain2.com Properties dialog box, select domain1.com under Domains That Trust This Domain (Incoming Trusts).
10. Repeat steps 5–8 to validate the incoming trust.
3.5 Testing a Forest Trust
In this exercise, you attempt to access the domain2.com forest from the domain1.com forest. You should perform this exercise from the domain1.com root domain controller.
Estimated Time: 5 minutes
1. Click Start, Run, type \\server (where server is the name of the domain2.com domain controller), and press Enter.
2. Were you able to reach the other server? Why or why not?
   _____________________________________________________
   _____________________________________________________
   _____________________________________________________
3. Click OK to close the message box.
3.6 Changing the Authentication Scope
In this exercise, you change the authentication scope of the trust relationship you just created. You can perform this exercise from either domain controller.
Estimated Time: 5 minutes
1. If the Properties dialog box for your domain is not visible, right-click the domain name in the console tree of Active Directory Domains and Trusts and choose Properties.
2. In the Domains Trusted by This Domain (Outgoing Trusts) field, select the name of the other domain and click Properties.
3. Select the Authentication tab of the Properties dialog box.
4. Select Domain-Wide Authentication and then click OK.
5. Repeat steps 2 and 3 for the Domains That Trust This Domain (Incoming Trusts) field. Note that the authentication level has already changed to domainwide.
6. Click OK to close the domain's Properties dialog box.
3.7 Testing a Forest Trust
In this exercise, you repeat exercise 3.6 to attempt access to the other forest. You should perform this exercise from the domain1.com root domain controller.
Estimated Time: 5 minutes
1. Click Start, Run, type \\server (where server is the name of the domain2.com domain controller), and press Enter.
2. Were you able to reach the other server? Why or why not?
   _____________________________________________________
   _____________________________________________________
   _____________________________________________________
3. Click OK to close the message box.
3.8 Creating and Configuring Sites
In this exercise, you rename the default site and create a second site. You then move a domain controller and add subnets to the site.
Estimated Time: 15 minutes
1. Log on as an administrator.
2. Click Start, Administrative Tools, Active Directory Sites and Services.
3. In the console tree, expand the Sites folder.
4. Right-click Default-First-Site-Name and click Rename.
5. Type Head Office as the name of this site.
6. Right-click Sites and choose New Site.
7. Type Factory as the name of this site, select the default site link, and then click OK.
8. Repeat steps 6 and 7, specifying Branch Office as the name of this site.
9. Expand the Inter-Site Transports folder, right-click IP, and choose New Site Link.
10. Type Remote as the name of this site link, add Head Office and Branch Office to this link, and then click OK.
11. Expand the Head Office site and then expand the Servers folder.
12. Right-click the Server2 server and choose Move.
13. In the Move Server dialog box, select the Branch Office site and then click OK.
14. Right-click the Subnets folder and choose New Subnet.
15. In the New Object—Subnet dialog box, type 192.168.1.0 in the Address box and 255.255.255.0 in the Mask box. Select Head Office as the site object for the subnet and then click OK.
16. Repeat step 15, specifying an address and subnet mask of 192.168.2.0 and 255.255.255.0 for the Factory site.
17. Repeat step 15 again, this time specifying an address and mask of 192.168.3.0 and 255.255.255.0 for the Branch Office site.
18. In the Inter-Site Transports folder, right-click IP and choose Properties.
19. In the IP Properties dialog box, clear the Bridge All Site Links check box and then click OK.
20. Back in the Inter-Site Transports folder, right-click IP and choose New Site Link Bridge.
21. In the New Site Link Bridge dialog box, type Branch Office as the name of the site link bridge. Select the default link and the Remote link and then click OK.
22. In the console tree, right-click Server1 and choose Properties.
23. In the Server1 Properties dialog box, click IP, click Add, and then click OK. This makes Server1 a preferred bridgehead server for the IP transport protocol.
24. Repeat steps 22 and 23 with the Server2 server.
25. Close Active Directory Sites and Services.
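The subnet objects created in steps 14–17 are what lets a client be associated with a site: the client's IP address is matched against the subnet objects, and the most specific match decides which site the client belongs to. The following Python script is an added example written for this chapter, not code from the book or from Microsoft; it models that lookup with the three subnets from this exercise plus a constructed 192.168.0.0/16 catch-all (an assumption made only to show longest-prefix matching), and reports clients whose address falls in no subnet object at all, which is the case in which a client gets no site affinity.

```python
import ipaddress

# Subnet-to-site assignments from Exercise 3.8 (the three /24 networks).  The
# 192.168.0.0/16 entry is a constructed catch-all, added only to show that the
# most specific (longest-prefix) subnet wins when assignments overlap.
SUBNET_TO_SITE = {
    "192.168.1.0/24": "Head Office",
    "192.168.2.0/24": "Factory",
    "192.168.3.0/24": "Branch Office",
    "192.168.0.0/16": "Head Office",   # constructed for the example
}

def build_site_table(mapping):
    """Parse the subnet objects once and order them longest prefix first,
    so the first network that contains an address is the most specific one."""
    table = [(ipaddress.ip_network(net, strict=True), site)
             for net, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def site_for_client(ip, table):
    """Return the site a client address belongs to, or None when no subnet
    object covers it (the client then has no site affinity at all)."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:
            return site
    return None

def unassigned_clients(addresses, table):
    """List addresses that match no subnet object: each of these is a client
    that cannot be steered toward a domain controller in its own site."""
    return [ip for ip in addresses if site_for_client(ip, table) is None]

if __name__ == "__main__":
    table = build_site_table(SUBNET_TO_SITE)
    # Constructed sample clients: two inside the exercise subnets, one covered
    # only by the /16 catch-all, and one in a range that nobody assigned.
    for ip in ["192.168.1.10", "192.168.3.25", "192.168.9.7", "10.0.0.5"]:
        print(f"{ip:15} -> {site_for_client(ip, table)}")
    print("no site affinity:", unassigned_clients(["192.168.1.10", "10.0.0.5"], table))
```

Running the script shows 192.168.3.25 landing in Branch Office even though the /16 entry also contains it, and 10.0.0.5 returning None; a list of such unmatched addresses is the quickest check for a site whose subnets were never assigned.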
3.9 Configuring Intersite Replication Properties
Because intersite replication can take up a large fraction of bandwidth on a slow link, you can modify certain properties of intersite replication. In this exercise, you configure a two-hour interval for IP intersite replication and then specify that intersite replication will not take place during daytime (8 a.m. to 6 p.m.) hours. You also set the site link cost to 25.
Estimated Time: 5 minutes
1. Click Start, Administrative Tools, Active Directory Sites and Services.
2. If necessary, expand the Sites folder in the console tree to locate the Inter-Site Transports folder.
3. Expand this folder and click IP. The details pane displays a site link named DEFAULTIPSITELINK.
4. Right-click this link and choose Properties.
5. On the General tab of the site link's Properties dialog box, type 120 in the text box labeled Replicate Every and then click Apply.
6. Click Change Schedule to display the Schedule for DEFAULTIPSITELINK dialog box.
7. Select the time interval of Monday 8:00 a.m. to Friday 6:00 p.m., select Replication Not Available, and then click OK.
8. Back on the General tab of the site link's Properties dialog box, type 25 in the Cost text box and then click OK.
9. The cost and replication values you configured are displayed in the details pane of the Active Directory Sites and Services snap-in. Close this snap-in.
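The interval (step 5) and the schedule (step 7) act together: the interval says how often replication may start, and the schedule says in which hours it may start at all. The Python model below is an added example for this chapter, not code from the book or a reproduction of how Windows stores a site link schedule; it represents the week as 168 hourly slots, marks the Monday 8:00 a.m. to Friday 6:00 p.m. window unavailable exactly as this exercise does, and lists the replication start times a 120-minute interval produces over one week. The ignore_schedule flag models the Ignore Schedules setting on the IP transport (the option named in Exam Question 6), under which the hourly mask no longer matters. The 15-minute tick and the choice to start counting at Monday 00:00 are assumptions of the model.

```python
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MINUTES_PER_WEEK = 7 * 24 * 60

def slot(day, hour):
    """Index of an hourly slot in the week, Monday 00:00 being slot 0."""
    return DAYS.index(day) * 24 + hour

def availability_mask(blocked=()):
    """168 hourly slots; True means the site link is available in that hour.
    blocked holds half-open (start_slot, end_slot) ranges marked Replication Not Available."""
    mask = [True] * (7 * 24)
    for start, end in blocked:
        for s in range(start, end):
            mask[s] = False
    return mask

def replication_times(interval_minutes, mask, ignore_schedule=False, tick_minutes=15):
    """Model of one week (an assumption of this example, not the KCC's algorithm): walk the
    week in 15-minute ticks and replicate whenever the hour is available (or schedules are
    ignored) and at least interval_minutes have passed since the last replication.
    Returns the replication start times in minutes from Monday 00:00."""
    times, last = [], None
    for minute in range(0, MINUTES_PER_WEEK, tick_minutes):
        available = ignore_schedule or mask[minute // 60]
        due = last is None or minute - last >= interval_minutes
        if available and due:
            times.append(minute)
            last = minute
    return times

def fmt(minute):
    """Render minutes-from-Monday as 'Day HH:MM'."""
    return f"{DAYS[minute // 1440]} {(minute % 1440) // 60:02d}:{minute % 60:02d}"

# Exercise 3.9 settings: 120-minute interval, Replication Not Available from
# Monday 08:00 through Friday 18:00.
EXERCISE_MASK = availability_mask(blocked=[(slot("Mon", 8), slot("Fri", 18))])

if __name__ == "__main__":
    scheduled = replication_times(120, EXERCISE_MASK)
    print(len(scheduled), "replications per week;",
          "first:", fmt(scheduled[0]), "last:", fmt(scheduled[-1]))
    print("first replication after the weekday blackout:", fmt(scheduled[4]))
    print("with Ignore Schedules:",
          len(replication_times(120, EXERCISE_MASK, ignore_schedule=True)), "per week")
```

With the exercise settings the model yields four replications early Monday, nothing until Friday 6:00 p.m., and then one every two hours through the weekend (31 in all); with Ignore Schedules it yields 84. The gap from Monday 6:00 a.m. to Friday 6:00 p.m. is the cost of the blackout, and it is the kind of figure to check before approving a schedule like this on a link that also carries password changes and group membership updates.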
Exam Questions
1. Evan has upgraded his company's Windows NT 4.0 domains to Windows Server 2003 and has consolidated two previous domains into a single domain that contains all 900 users and their computers. The previous domains represented two offices that have an ISDN link between them.
   Evan sets up two sites, one for each office, and configures a site link to use SMTP for replicating between the offices. However, the domain controllers in the two offices are unable to replicate with each other. What does Evan need to do?
   A. Install Internet Information Services (IIS) on a domain controller at each site, and configure IIS as an SMTP server.
   B. Install an enterprise certification authority (CA).
   C. Install a faster link such as a T1.
   D. Use IP replication rather than SMTP replication.
2. Dorothy is a domain administrator for a large engineering company that operates a Windows Server 2003 forest with three domains. Her company has just acquired a Canadian subsidiary, which operates a single domain Windows 2000 forest. The two companies will be working together on future projects involving continentwide locations, so she recommended to management that a forest trust be created between the companies' forests. Working from a domain controller in her company, Dorothy accesses the New Trust Wizard and enters the name of the Canadian company's domain. She discovers that the option to create a forest trust is unavailable. What needs to be done so that she can create a forest trust?
   A. Ask an administrator of the Canadian company to provide her with a user account in that company's domain.
   B. Ask an administrator of the Canadian company to add her domain user account to that company's Enterprise Admins group.
   C. Ask an administrator of the Canadian company to upgrade its domain to the Windows Server 2003 functional level.
   D. Dorothy should create a shortcut trust instead.
3. John is creating a new site in his company's network; this site represents a branch office that the company is setting up. He opens the Active Directory Sites and Services console and accesses the New Object—Site dialog box. What additional piece of information does he need to specify?
   A. He needs to specify one or more subnets in the site.
   B. He needs to specify the name of a domain controller to be placed in the site.
   C. He needs to specify the licensing computer for the site.
   D. He needs to specify the site link to which the site will belong.
4. Peter is configuring replication for his company, which operates two offices, one in Dallas and the other in Atlanta. The company has a 1.5Mbps T1 link, a 128Kbps ISDN link, and a 56Kbps dial-up link between the two sites. Which of the following site link cost values should he configure for the three links?
   A. 50 for the T1 link, 100 for the ISDN link, and 200 for the dial-up link.
   B. 50 for the T1 link, 100 for the dial-up link, and 200 for the ISDN link.
   C. 50 for the dial-up link, 100 for the ISDN link, and 200 for the T1 link.
   D. 50 for the ISDN link, 100 for the dial-up link, and 200 for the T1 link.
5. Paul works for a state department of transportation that has just awarded a contract to a construction company to build a new highway linking the two largest cities in the state. The state government operates an Active Directory forest, within which the department of transportation operates a single child domain. The construction company operates a single domain Windows 2000 network. To build the highway, engineers at the construction company need access to resources at the department of transportation. What should Paul do to grant this access?
   A. Create a one-way external trust in which the department of transportation domain trusts the construction company domain.
   B. Create a one-way external trust in which the construction company domain trusts the department of transportation domain.
   C. Create a two-way external trust in which the two domains involved trust each other.
   D. Create a forest trust in which the construction company domain trusts the department of transportation domain.
6. Kristin is a domain administrator for a company that has a Manhattan head office and two upstate remote offices. Users in the remote offices are complaining that the links are slow, so she checks the utilization of the links and discovers that they are running at 100% capacity. Checking further, Kristin discovers that nearly all the traffic on the links is Active Directory replication.
   On checking the replication schedule, Kristin discovers that replication should be taking place only once every six hours. What else should she be checking?
   A. The Ignore Schedule option
   B. The Replication Not Available option
   C. The Force Replication option
   D. How many new users have been added at the various sites in the past few days
7. Mark is the senior network administrator of a high-tech company whose head office is in Boston. The company also operates branch offices in Dallas, Rio de Janeiro, Paris, and Winnipeg. Previously, the company operated five separate domains, one for each city in which it has an office. When Mark upgraded the network to Windows Server 2003, he consolidated the entire network into a single domain and created sites for each city. Each office has its own domain controllers and separate subnet configurations. After receiving several complaints about slow data transfer rates, Mark realized there was an extreme amount of replication traffic, so he checked Active Directory Sites and Services. Which of the following is the most likely reason for this amount of replication traffic?
   A. The branch office sites are missing bridgehead servers.
   B. All domain controllers are located in the Default-First-Site-Name site. Mark needs to move them to their respective sites.
   C. The site links are using RPC over IP for replication. Mark needs to reconfigure them to use SMTP.
   D. The replication topology is improperly configured. Mark needs to run the Knowledge Consistency Checker to alleviate this problem.
8. Fred is a network administrator for a large company that has just acquired a smaller company. Both companies have operated their own Active Directory domains. Senior management has decided that they want to combine the two domains into a single domain with a series of OUs and several sites. The Active Directory schema in the smaller company contains several definitions that are not present in the schema of the large company, and Fred needs to extend the schema to include attributes taken from the old schema.
   Which of the following needs must Fred define for attributes being added to the schema?
   A. He can add new attributes only at installation time. An attribute definition includes a name, a unique object identifier (OID), a unique security ID (SID), a syntax that defines the type of data the attribute can hold, and optional range limits.
   B. He can add new attributes only during replication. An attribute definition includes a name, a unique OID, a syntax that defines the type of data the attribute can hold, and optional range limits.
   C. He can add new attributes at any time. An attribute definition includes a name, a unique OID, a syntax that defines the type of data the attribute can hold, and optional range limits.
   D. He can add new attributes at any time. An attribute definition includes a name, a nonunique OID, a unique SID, a syntax that defines the type of data the attribute can hold, and optional range limits.
9. Maria is an enterprise administrator for an East Coast manufacturing company that has just merged with a similar company operating on the West Coast. She has configured external trusts between several domains in each forest, for which employees need access. These trusts all used domainwide authentication. Because management in her company wanted to keep the domain structure confidential, she had configured a UPN suffix of corp and configured all user accounts to use this suffix. An administrator in the other forest also configured a UPN suffix of corp for users in that forest.
   However, users were unable to access resources in the other forest, although they could access other domains in their own forest. Which two of the following would enable users to access resources in both forests?
   A. Maria needs to re-create the trust relationship as a forest trust.
   B. Maria needs to change the domainwide authentication scope to selective authentication.
   C. Users need to specify the domain in the other forest to which they want to log on.
   D. Maria should change the UPN suffix in use in her forest.
10. Gwen's company has just merged operations with a former competitor. Both companies operate Windows Server 2003 Active Directory forests, each of which has three domains in a single tree. Managers at the second company would like to keep their operations as separate as possible; however, employees whose user accounts are in various domains of both forests need access to resources in all domains. What should Gwen do to enable access to the other forest with the least amount of effort?
   A. She should create a shortcut trust between child domains of the two forests.
   B. She should create a forest trust between the two forests.
   C. She should create an external trust between child domains of the two forests.
   D. She should inform her manager that the other company's forest should be reconfigured as a second tree in her company's forest.
11. Roberta works for a company that has just opened a branch office in a neighboring city that is connected with a 128Kbps ISDN link. Her manager has requested that replication take place at least once a day during the daytime. However, the line is expected to be close to 90% utilized during the day, but only about 40% utilized during night hours.
   She needs to ensure that replication does not use too much bandwidth during the day, but that at night it will provide sufficient bandwidth to complete any synchronization. Which of the following should Roberta do to complete this request with the least amount of effort?
   A. Create two site links: one available only at night with the default replication interval and the other available only during the day with a replication interval of 6 hours.
   B. Create two site links: one available only at night with the default replication interval and the other available only from noon to 1 p.m. also with the default replication interval.
   C. Create two site links: one available only at night with the default cost and replication interval and one available only during the day with a site link cost of 500.
   D. Create one site link, available only at night with the default cost and replication interval. Once a day, force replication manually.
   E. Create one site link with the default cost and replication interval. Configure this link to be available from noon to 1 p.m. and also during the nighttime hours.
12. Nancy is the network administrator for a company that operates a single domain Active Directory network encompassing three sites located in Cleveland, Nashville, and Columbus. The Cleveland and Nashville sites have three domain controllers, and Columbus has one domain controller. If the domain controller at Columbus were to fail, Nancy would like Active Directory traffic from this site to be processed at the Cleveland site rather than the Nashville site.
   Which of the following is the best method for Nancy to accomplish this task?
   A. She should eliminate the site link between Columbus and Nashville.
   B. She should create a site link bridge between Columbus and Cleveland.
   C. She should place the domain controller at Columbus in the same site as the Cleveland domain controllers.
   D. She should configure the site link cost of the link between Columbus and Cleveland to be lower than that of the link between Columbus and Nashville.
13. A junior administrator in your company named Rick has just created a new one-way outgoing trust relationship between your company's domain and a supplier's domain. The purpose of this trust is to enable sales associates to place orders online with the suppliers so that they do not have to fax the orders. However, sales associates complain that they cannot access the supplier's domain. What should you do to enable access, while keeping resources in your company's domain secure?
   A. In the trust's Properties dialog box, change the authentication scope of the trust from selective authentication to domainwide.
   B. In the trust's Properties dialog box, change the direction of the trust from outgoing to incoming.
   C. Remove the trust relationship and create a new one-way incoming trust relationship.
   D. Remove the trust relationship and create a new two-way trust relationship.
14. Linda works for a company that operates an Active Directory forest consisting of a single domain named examcram.com. The domain contains four sites representing the cities in which the company does business.
   Linda is training a junior administrator named Julio, who will be responsible for ensuring that the site links are properly bridged. To which container in the Active Directory Sites and Services snap-in should Linda assign permissions for Julio?
   A. Sites
   B. Inter-Site Transports
   C. Subnets
   D. Each of the sites to be contained in the bridge
15. In the past few weeks, your company's help desk has been receiving complaints from users whose accounts are in the USA.marketing.quepublishing.com domain; they complain that it is difficult to remember the appropriate domain name when logging on. In response to this problem, you create a new UPN suffix named quepublishing so that users should be able to log on with a name like user@quepublishing. However, users complain that they are unable to log on with this type of name. What do you need to do?
   A. Enable name suffix routing for the USA.marketing.quepublishing.com domain.
   B. In the properties of each affected user account, specify quepublishing as the UPN suffix in use.
   C. In the properties of each affected user account, append @quepublishing to the user's logon name.
   D. Delete and re-create each user's account, specifying quepublishing as the UPN suffix to be used.
16. Phil's company has just merged with a competitor. Both companies operate Windows Server 2003 forests, each consisting of a single domain. Phil configures a two-way external trust relationship between the two domains so that users in each domain can access shared folders in the other domain, which is managed by Gertrude. He creates a group in his domain and adds users who need access to Gertrude's domain to this group. Gertrude also creates a group in her domain and adds users who need access to Phil's domain to this group. Both administrators configure the appropriate NTFS permissions for files and folders that need to be accessed.
   The next week, users in Phil's domain start calling the help desk, wondering why they cannot access the shared information in Gertrude's domain. Users in Gertrude's domain have no problems accessing resources in Phil's domain. Which of the following is the most likely reason for this access failure?
   A. The authentication scope of Phil's domain is set to domainwide authentication. Phil should set the scope to selective authentication.
   B. The authentication scope of Phil's domain is set to selective authentication. Phil should set the scope to domainwide authentication.
   C. The authentication scope of Gertrude's domain is set to domainwide authentication. Gertrude should set the scope to selective authentication.
   D. The authentication scope of Gertrude's domain is set to selective authentication. Gertrude should set the scope to domainwide authentication.
17. Barry's company is expanding its North American operations to Europe. To accommodate the new operations, he needs to add several objects and attributes to the schema. His manager has added his user account to the Schema Admins group for this purpose. Working from a branch office domain controller, Barry attempts to locate the Active Directory Schema snap-in. He calls the help desk and asks to be given the appropriate permission to access this snap-in, but is told that this is not a permissions issue. Which two of the following does Barry need to do to access this snap-in?
   A. He must first register the Schema snap-in by using the regsvr32 command from the Run dialog box.
   B. He should contact the help desk manager because he has received incorrect advice from the support technician. He needs to belong to both the Schema Admins and Enterprise Admins groups to access this snap-in.
   C. He needs to install the Active Directory Schema snap-in to a new MMC console.
   D. He needs to go to the schema master computer to modify the schema. Because the domain controller he is working from does not have this snap-in, it must not be the schema master.
18. In the process of upgrading their network from Windows NT 4.0 to Windows Server 2003, administrators at a western clothing outfitters company consolidated two domains representing office locations in Denver and Billings into a single domain. The two locations are connected with a dedicated ISDN line. Joanne, a junior administrator, created sites for both locations and assigned the domain controllers to their respective sites while working from the Denver location. The next week, users at Billings started complaining about slow logon and resource access. What should Joanne do to speed up access?
   A. Configure replication between Denver and Billings to take place only at off-peak times.
   B. Assign the subnet containing computers located in Billings to the Billings site.
   C. Add an explicit UPN suffix for the users in the Billings site.
   D. Obtain approval from management to upgrade the ISDN line to a T1 line.
Answers to Exercises
3.5 Testing a Forest Trust
- No. You cannot reach the other server because you configured the authentication scope as selective authentication. This setting requires a specific granting of access to the required server, which you did not configure.
3.7 Testing a Forest Trust
- Yes. You are now able to reach the other server because the authentication scope is now set to domainwide. This setting allows access to all resources according to NTFS permissions that may have been configured for specific files and folders.
Answers to Exam Questions
- D. The problem with SMTP replication in this instance is that SMTP cannot be used to replicate the domain partition between domain controllers in the same domain, only the schema, configuration, and application partitions. To replicate the domain partition, Evan must configure replication to use RPC over IP. It is true that SMTP replication requires an enterprise CA to work; however, just installing the CA would not allow replication of the domain partition. Therefore, answer B is incorrect (however, it would be correct if the two sites were in different domains). The SMTP packets can be sent directly between the domain controllers without the need for mail servers; therefore, answer A is incorrect. Installing a faster link such as a T1 will not help; therefore, answer C is incorrect. See the section "Configuring Replication Schedules."
- C. To create a forest trust, both forests must be at the Windows Server 2003 forest functional level, which in turn requires every domain in each forest to be at the Windows Server 2003 domain functional level. Therefore, the Canadian company needs to upgrade all its domain controllers to Windows Server 2003 and then raise the domain and forest functional levels. This is not an issue of domain accounts or membership in the Enterprise Admins group. Therefore, answers A and B are wrong. A shortcut trust connects two domains in the same forest, not domains in different forests. Therefore, answer D is wrong. Note that Dorothy could instead create external trusts between the individual domains involved; however, this option was not offered. See the section "Establishing Trust Relationships."
- D. The New Object—Site dialog box asks for the name of the site and the site link object. John should perform all the other tasks later; however, he cannot specify these tasks from this dialog box. Therefore, answers A, B, and C are wrong. See the section "Creating Sites."
- A. The site link cost is a value that determines which link will be given priority in replication. The KCC uses this information to determine the optimum link to be used during replication. When available, it uses the link with the lowest cost. Therefore, Peter should assign the lowest cost to the T1 line, the next higher cost to the ISDN line, and the highest cost to the dial-up link. Consequently answers, B, C, and D are incorrect. Note that a question similar to this may appear as a drag-and-drop question in which you must drag the correct costs to the various site links on a network diagram. See the section "Configuring Site Link Costs."
- A. In this scenario, engineers at the construction company need access to resources at the department of transportation domain. Therefore, the department of transportation domain needs to trust the construction company domain. Employees of the department of transportation do not need access to the construction company domain. Therefore, the construction company domain does not need to trust the department of transportation domain, and answers B and C are wrong. Other domains in the government do not need to participate in the trust relationship; therefore, answer D is wrong. See the section "Interforest Trust Relationships."
- A. If the Ignore Schedules check box is selected, replication can take place at any time of the day or night, and the configured schedule is ignored. Kristin needs to clear this check box so that the schedule is followed. She can use the Replication Not Available option if she does not want replication to take place at certain times. Because she does want replication to take place at six-hour intervals, she does not need this option, and answer B is incorrect. There is no Force Replication option. Therefore, answer C is incorrect. Even if a large number of users have been added recently, the replication traffic should not tie up the link to that extent. Therefore, answer D is incorrect. See the section "Configuring Replication Schedules."
- B. By default, all domain controllers are placed in the Default-First-Site-Name site, and Mark needs to move them to the proper sites; merely creating the sites and assigning the subnets to them does not relocate the domain controllers. When new sites are established, the Inter-Site Topology Generator (ISTG) selects bridgehead servers automatically, so answer A is wrong. SMTP can carry only the schema, configuration, and application partitions (plus global catalog updates); it cannot replicate the domain partition between domain controllers of the same domain, so answer C is wrong. The Knowledge Consistency Checker (KCC) automatically creates and manages the intersite replication topology and does not need to be run manually, so answer D is wrong. See the section "Active Directory Site Topology."
- C. After registering and installing the Schema snap-in, a member of the Schema Admins group can add new attributes to the schema at any time, not only while the snap-in is being installed or while replication is taking place. Therefore, answers A and B are wrong. Attributes define the properties of objects; for example, the "last name" property of a user object. An attribute definition requires a unique object identifier (OID), a common name and LDAP display name, a syntax that defines the type of data the attribute holds, and optional minimum and maximum range limits. Security principals have SIDs; attribute definitions do not. Therefore, answer D is wrong. See the section "Managing Schema Modifications."
- C and D. When more than one forest uses the same UPN suffix, users can use it only to log on to a domain in the same forest. Therefore, they were unable to log on to a domain in the other forest. As it stands, users can log on to the other forest if the domain name is selected in the Log On to Windows dialog box. Alternately, one of the administrators can change the UPN suffix in use. It does not matter whether an external or forest trust relationship is in use if the UPN suffix is the same; therefore, answer A is incorrect. This is not a matter of authentication scope; domainwide authentication should work here. Therefore, answer B is incorrect. See the section "Adding or Removing a UPN Suffix."
- B. The purpose of a forest trust is to create transitive trust relationships between all domains of the forests involved. In this scenario, because employees need access to more than one domain in the other company's forest, it is best to create a forest trust. Gwen could create external trusts between various child domains; however, this approach would take far more administrative effort. Therefore, answer C is wrong. A shortcut trust is a shortened path between two child domains in the same forest and is not used between domains in different forests. Therefore, answer A is wrong. There is no need to reconfigure the other company's forest as a second tree in her company's forest. Therefore, answer D is wrong. See the section "Interforest Trust Relationships."
- E. Roberta needs only to configure one site link. She should click the Change Schedule button on the Properties dialog box, and specify that replication be available from noon to 1 p.m. and also during nighttime hours. This enables her to meet both the requirement for at least one replication during the day and the need for complete overnight synchronization. By allowing the daytime link to replicate only between noon and 1 p.m., she has selected a time when traffic would likely be lower. If she were to set a six-hour daytime replication interval, replication would take place sometime during the day; however, she does not need more than one daytime replication. Therefore, answer A is wrong. Roberta could also configure two site links with two distinct replication schedules. However, this would take more effort than creating a single link, so answer B is wrong. Site link costs do not influence replication intervals; they only enable the KCC to select the optimum link. Therefore, answer C is wrong. Roberta could manually force replication once a day; however, doing so takes daily effort. Therefore, answer D is wrong. See the section "Configuring Replication Schedules."
- D. The site link cost determines the preferential replication path (in this case, Columbus to Cleveland). Replication traffic proceeds over this link if possible, and over the higher cost link (in this case, Nashville) if a server at the other link cannot satisfy the request that has been made. It is important for intersite replication traffic to have all possible links available so that any queries or other traffic can proceed optimally. Therefore, answer A is wrong. A site link bridge consists of two or more links with one site in common, across which intersite replication traffic can take place. The cost of the site link bridge is equal to the sum of the costs of the individual links in the bridge. This would not help with the current scenario. Therefore, answer B is wrong. Placing the Columbus domain controller in the same site as the Cleveland domain controller would direct preferential replication between these two cities, but unless a very high speed link were available, the high replication frequency could overwhelm the link. Therefore, answer C is wrong. See the section "Configuring Site Link Costs."
- C. In this scenario, Rick created a trust relationship in the wrong direction. You have to delete and re-create the trust because it is not possible to reverse the direction of the trust relationship from the Properties dialog box of the trust. Therefore, answer B is wrong. Changing the authentication scope of the trust does not help. Therefore, answer A is wrong. Creating a two-way trust is not necessary; doing so reduces security because employees of the supplier company could then access your domain. Therefore, answer D is wrong. For more information, see the section "Managing Trust Relationships."
- B. Linda needs to assign Julio permissions on the Inter-Site Transports container. This container is the location from which you can manage all aspects of intersite transport, including use of the IP and SMTP transport protocols, site links, site link bridges, replication schedules, and so on. None of the other locations provide an option for creating site link bridges, so answers A, C, and D are incorrect. Note that on the exam, a question similar to this might be presented in the form of a hot-spot graphic in which you must select the required location from the Active Directory Sites and Services snap-in. See the section "Site Link Bridges."
- B. By adding a UPN suffix, you can simplify logon procedures for all users in the forest. It is helpful for users with long child domain names, such as in this example. However, for the users to log on with the added UPN suffix, you need to specify the UPN suffix in the Account tab of the user's Properties dialog box in Active Directory Users and Computers. Name suffix routing is used in routing authentication requests between forests connected by a forest trust. Therefore, answer A is wrong. You cannot simply add the UPN suffix to the user's logon name; therefore, answer C is wrong. You do not need to delete and re-create any user accounts. Therefore, answer D is wrong. See the section "Adding or Removing a UPN Suffix."
- D. The authentication scope controls how users from the trusted domain are authenticated in the trusting domain. With domainwide authentication, users from the trusted domain are authenticated to every computer in the trusting domain and carry the Authenticated Users identity there, so they can reach any resource whose permissions admit them, including anything granted to Authenticated Users or Everyone. Selective authentication grants no access by default: you must grant the Allowed to Authenticate right on each server that users need to reach. In this case, Gertrude's domain is the trusting domain, and because its authentication scope was set to selective, users from Phil's domain were unable to reach her domain. She needs either to grant Allowed to Authenticate on the required servers or to change the authentication scope to domainwide. If Phil's domain were set to selective authentication, users in Gertrude's domain would be unable to access resources in Phil's domain. Therefore, answer B is incorrect. Because domainwide authentication allows users to access all resources to which they have been granted permissions, answers A and C are incorrect. See the section "Managing Trust Relationships."
- A and C. By default, the Active Directory Schema snap-in is not present when a domain controller is installed, so Barry has to install it. First, he needs to register the Schema snap-in by using the regsvr32 command from the Run dialog box. He cannot install this snap-in until he performs this step. This extra step is an additional security measure because of the importance of schema modifications. Barry does not need to belong to the Enterprise Admins group to access the Schema snap-in. Therefore, answer B is wrong. He does not need to be at the schema master because he can connect to it from another computer. Therefore, answer D is wrong. See the section "Managing Schema Modifications."
- B. When Joanne upgraded the domains to Windows Server 2003 and Active Directory, creating a single domain from the two domains that previously existed, initially all objects in the directory from both locations were assigned to the first site. When she created a site for the Billings location, by default no subnets were assigned to it; consequently, client computers and member servers in Billings thought they were in the Denver site, and all authentication and resource access traffic went across the ISDN link to Denver. If Joanne assigns the Billings subnet to its site, this traffic is handled locally for all resources in its site. This is not a replication issue; therefore, answer A is incorrect. Explicit UPNs are used to simplify logon procedures in a multidomain forest. They are not needed in a single-domain operation; therefore, answer C is incorrect. Because this is an issue of traffic unnecessarily routed over the slow link, there is no need for a faster link such as a T1. Therefore, answer D is incorrect. See the section "Configuring Site Boundaries."
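The following is an added worked example, not part of the original chapter, showing how the site, subnet, domain controller placement, site link cost and schedule tasks from the Joanne, Mark, Peter and Roberta answers above are carried out from PowerShell with the ActiveDirectory module replication cmdlets (Windows Server 2012 RSAT or later; the 70-294 exam itself expects the Active Directory Sites and Services snap-in on Windows Server 2003). The site names, subnets, domain controller name, costs and hours are assumptions.

```powershell
# Added example (not from the book). Assumed names: forest domain1.com, sites Denver and
# Billings, subnets 10.1.0.0/16 and 10.2.0.0/16, DC BIL-DC1. Run as a member of Enterprise
# Admins on a machine with the ActiveDirectory module (Windows Server 2012 RSAT or later).
Import-Module ActiveDirectory

# 1. Sites. The forest starts with every DC in Default-First-Site-Name; rename it to Denver
#    rather than creating a second site and moving the Denver DCs into it.
Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=com" `
    -NewName "Denver"
New-ADReplicationSite -Name "Billings"

# 2. Subnets. The DC locator maps a client to a site by the client's IP address, not by where
#    the DCs were placed, so a site with no subnet attached gets no clients: Billings users
#    keep authenticating over the ISDN line to Denver (the Joanne scenario).
New-ADReplicationSubnet -Name "10.1.0.0/16" -Site "Denver"
New-ADReplicationSubnet -Name "10.2.0.0/16" -Site "Billings"

# 3. Moving a DC into its site is a separate step from creating the site (the Mark scenario).
Move-ADDirectoryServer -Identity "BIL-DC1" -Site "Billings"

# 4. Site link. The cost ranks links for the KCC (lowest wins: T1 100, ISDN 200, dial-up 500
#    in the Peter scenario); the frequency is the replication interval in minutes inside the
#    hours the schedule makes available. RPC over IP is the transport, so the domain
#    partition replicates (SMTP could not carry it).
New-ADReplicationSiteLink -Name "Denver-Billings-ISDN" -SitesIncluded "Denver","Billings" `
    -Cost 200 -ReplicationFrequencyInMinutes 360 -InterSiteTransportProtocol IP

# 5. Schedule (the Roberta scenario): one link, available noon to 1 p.m. for a single daytime
#    pass and 22:00 to 06:00 for full overnight synchronization. ActiveDirectorySchedule is a
#    7-day x 24-hour grid of 15-minute cells that starts entirely unavailable; each
#    SetDailySchedule call marks one inclusive window on every day of the week.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule('Twelve', 'Zero', 'Twelve', 'FortyFive')      # 12:00-13:00
$schedule.SetDailySchedule('TwentyTwo', 'Zero', 'TwentyThree', 'FortyFive') # 22:00-24:00
$schedule.SetDailySchedule('Zero', 'Zero', 'Five', 'FortyFive')          # 00:00-06:00
Set-ADReplicationSiteLink -Identity "Denver-Billings-ISDN" -ReplicationSchedule $schedule

# 6. Checks. On a Billings workstation, nltest reports the site the locator assigned it to
#    (it should say Billings once the subnet exists); repadmin shows BIL-DC1's inbound
#    replication partners and whether the last attempt succeeded.
nltest /dsgetsite
repadmin /showrepl BIL-DC1
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

The nltest check is the one that settles the Joanne question: if a Billings client still reports the Denver site after the subnet is created, the client's address does not fall inside the subnet you attached, or the client has not yet refreshed its site cache.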
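The following is an added worked example, not part of the original chapter, for the Gertrude/Phil and Rick answers above: creating a one-way external trust in the correct direction, switching its authentication scope to selective, and granting the Allowed to Authenticate right on a single server. The domain names domain1.com (trusting) and partner.com (trusted), the server FS01 and the group Engineers are assumptions. netdom and dsacls are in the Windows Server 2003 Support Tools (built in from Windows Server 2008); Get-ADTrust needs the ActiveDirectory module (Windows Server 2008 R2 RSAT or later). Commands are typed at a PowerShell prompt on a domain1.com domain controller.

```powershell
# Added example (not from the book). Assumed: domain1.com is the trusting (resource) domain,
# partner.com the trusted (account) domain whose users need access to FS01.

# 1. Create the trust so that domain1.com trusts partner.com. Credentials for both domains
#    are needed; /PasswordD:* and /PasswordO:* prompt instead of leaving passwords in history.
netdom trust domain1.com /d:partner.com /add `
    /UserD:partner\Administrator /PasswordD:* `
    /UserO:domain1\Administrator /PasswordO:*

# 2. Tighten the authentication scope. With selective authentication, partner.com users no
#    longer become Authenticated Users in domain1.com, so nothing is reachable until the
#    Allowed to Authenticate right is granted on each server they need.
netdom trust domain1.com /d:partner.com /SelectiveAuth:yes

# 3. Grant that right on the one server the partner's engineers use. It is a control access
#    right on the computer object in Active Directory, not an NTFS permission on the share,
#    so it is set with dsacls (or the Security tab of the computer object).
dsacls "CN=FS01,OU=Servers,DC=domain1,DC=com" /G "PARTNER\Engineers:CA;Allowed to Authenticate"

# 4. Verify direction and scope as seen from domain1.com. Direction shows as Outbound, meaning
#    domain1.com trusts partner.com. Direction cannot be edited afterwards: a trust created
#    the wrong way round (the Rick scenario) must be removed and re-created.
Import-Module ActiveDirectory
Get-ADTrust -Identity partner.com |
    Select-Object Name, Direction, SelectiveAuthentication, ForestTransitive
netdom trust domain1.com /d:partner.com /verify
```

After step 2, a partner.com user who can still open a share on a server other than FS01 is the sign that selective authentication did not take effect on the intended trust; check the Direction column in step 4 before looking anywhere else.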
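The following is an added worked example, not part of the original chapter, for the two UPN suffix answers above: adding an alternate UPN suffix to the forest, assigning it to a user, and inspecting name suffix routing on a forest trust when the same suffix exists in both forests. The suffix widgets.com, the user jsmith, the forests domain1.com and domain2.com, and the suffix number in the last command are assumptions; Set-ADForest and Set-ADUser need the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), netdom is in the Windows Server 2003 Support Tools.

```powershell
# Added example (not from the book). Assumed: forest domain1.com, alternate suffix widgets.com,
# user jsmith, forest trust with domain2.com.
Import-Module ActiveDirectory

# 1. Register the suffix at the forest level. This is what the Properties dialog of
#    Active Directory Domains and Trusts does; it does not change any user yet.
Set-ADForest -Identity domain1.com -UPNSuffixes @{Add = "widgets.com"}

# 2. The suffix takes effect for a user only when it is written into that user's UPN
#    (the Account tab in Active Directory Users and Computers). Users in deep child domains
#    such as sales.east.domain1.com are the usual candidates.
Set-ADUser -Identity "jsmith" -UserPrincipalName "jsmith@widgets.com"
Get-ADUser -Identity "jsmith" | Select-Object SamAccountName, UserPrincipalName

# 3. Across a forest trust, name suffix routing decides which suffixes the other forest will
#    forward logons for. A suffix present in BOTH forests is a conflict and is not routed,
#    which is why users in the two-forest scenario could log on only by selecting a domain
#    name instead of typing user@suffix. List the suffixes and their routing status:
netdom trust domain1.com /d:domain2.com /NameSuffixes:domain2.com

# 4. Once the duplicate has been removed from one forest, re-enable routing for the suffix.
#    The number is the position in the /NameSuffixes listing (assumed here to be 2).
netdom trust domain1.com /d:domain2.com /ToggleSuffix:2
```

Step 3 is also the place to look before assuming a trust is broken: a suffix marked as disabled because of a conflict is an administrative decision to fix, not an authentication failure.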
Suggested Readings and Resources
- Microsoft Corporation. "Active Directory Collection." http://technet2.microsoft.com/WindowsServer/en/library/6f8a7c80-45fc-4916-80d9-16e6d46241f91033.mspx?mfr=true.
- Microsoft Corporation. "Active Directory Replication over Firewalls." http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx.
- Microsoft Corporation. "How Active Directory Replication Works." http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true.
- Microsoft Corporation. "Multiple Forest Considerations." http://download.microsoft.com/download/0/2/6/026ee2e2-e06d-4660-b9db-6926fd200ed9/Multiforest_White_Paper.doc.
- Microsoft Corporation. "Overview of Active Directory Federation Services in Windows Server 2003 R2." http://download.microsoft.com/download/d/8/2/d827e89e-760a-40e5-a69a-4e75723998c5/ADFS_Overview.doc.
- Microsoft Corporation. "Step-by-Step Guide to Using Active Directory Schema and Display Specifiers." http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx.
- Microsoft Corporation. "Trust Types." http://technet2.microsoft.com/WindowsServer/en/Library/116d34e5-5615-4fb8-a8ef-47b94c294b581033.mspx?mfr=true.