Help with 070-217

Hi
I am pursuing my MCSE exams, at present 217, could someone answer these
questions for me.

NO.1 You are the network administrator for the research department of your
company. The network contains 25,000 computers. The network contains a
single Windows 2000 domain named research.contoso.com. The research
department has three Windows 2000 Server computers that are configured as
domain controllers. The domain controllers are also configured as DNS
servers that that host an Active Directory-integrated zone for the domain.
There are 450 Windows 2000 Professional client computers. All of the
computers in the Research domain are configured to contact the domain
controllers in the Research domain for name resolution.
UNIX BIND servers resolve all addresses on the Internet and the company
intranet. The Internet domain name for the company is contoso.com.
The central DNS administrators do not allow iterative queries from internal
DNS servers on the network. You disable iterative queries on DNS servers in
the research department. After taking these steps, you notice that research
department computers no longer resolve Web addresses or domain names on the
Internet. You are able to successfully ping several Internet addresses by IP
address.
You need to ensure that the Research computers can resolve Web addresses on
the Internet by fully qualified domain name (FQDN). What should you do?
A.Configure the domain controllers to forward recursive queries to the UNIX
BIND servers.
B.Configure the research.contoso.com domain to notify the UNIX BIND servers
of DNS record changes.
C.Ask the UNIX BIND administrator to configure your DNS servers as secondary
name servers for the contoso.com domain.
D.Ask the UNIX BIND administrator to create NS records for the
research.contoso.com domain that point to the domain controllers of the
Research domain.

NO.2 You are the network administrator for your company. The network
consists of a Windows 2000 domain. The network contains three Windows 2000
Server computers that are configured as domain controllers. The network also
contains 400 Windows 2000 Professional client computers that are configured
as domain members and 100 Windows 2000 Professional client computers that
are configured in workgroups of between 5 and 10 systems. All IP addresses
are statically configured.
Each domain controller is configured as a DNS server that hosts an Active
Directory integrated zone. The Active Directory integrated zone allows
secure updates. The Active Directory Installation Wizard installed DNS
automatically.
A Windows 2000 client computer user reports that she cannot connect to the
share on one of the Windows 2000 Professional computers by computer name.
You examine the DNS server and discover that only the A (host) records of
the Windows 2000 Professional client computers that are domain members are
in the DNS zone.
You need to ensure that all client computers can connect to shares on other
computers by computer name. What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two.)
A.Configure the Active Directory integrated zone so that Yes is selected for
the Allow dynamic updates setting. Run the ipconfig/registerdns command on
all Windows 2000 Professional client computers.
B.Configure the Active Directory integrated zone so that No is selected for
the Allow dynamic updates settings. Run the ipconfig/registerdns command on
all Windows 2000 Professional client computer.
C.Add the IP addresses for each non-domain member Windows 2000 Professional
client computer to the Name Servers tab of the DNS zone Properties page.
D.Add the IP addresses for each non-domain member Windows 2000 Professional
client computer to the DNS zone for the domain.
E.Add the IP addresses for each non-domain member Windows 2000 Professional
client computer to the Zone Transfers tab of the DNS zone Properties page
Notify window.

NO.3 You are the network administrator for your company. The network
consists of a Windows NT 4.0 domain. The network contains Windows NT 4.0
Server computers and Windows 2000 Professional client computers. All
computers are members of the domain.
One Windows NT 4.0 Server computer named ServerA runs DNS, which supports
SRV (service) records. ServerA hosts only the contoso.com domain. ServerA is
the only DNS server that supports the contoso.com domain and cannot
supported by a different DNS server.
You are installing a Windows 2000 domain to perform a migration from your
Windows NT 4.0 domain. During the promotion, you specify ServerA to host the
new domain named nwtraders.com. When attempting to use ServerA as the DNS
server, you receive an error stating that the DNS server that handles
nwtraders.com could not be contacted.
You cancel the installation of Active Directory on this server. You verify
that ServerA is accessible from the server that is being promoted to support
the Active Directory domain.
At installation, you need to designate ServerA as the DNS server for the new
Windows 2000 domain. What should you do?
A.Install the Microsoft Directory Services client on ServerA.
B.Upgrade ServerA to Windows 2000 Server, and then reinstall DNS.
C.Add a new zone and resource records to ServerA for nwtraders.msft.
D.Configure ServerA to be a domain controller.

NO.4 You are the network administrator for your company. The network
consists of a Windows 2000 domain. The domain contains Windows 2000 Server
computers and Windows 2000 Professional client computers.
All of the client computer accounts the locaed in a top-level organizational
unit (OU) named Clients. You use a Group Policy object (GPO) named
SecureClient, which is linked to the Clients OU, to secure the Windows 2000
Professional client computers.
You place one of the client computers in the lobby for guests. You create a
top-level OU named Lobby and move the client computer account into it. You
create a GPO named LobbyGPO and link it to the Lobby OU. LobbyGPO restricts
the start menu, desktop, and Control Panel features.
You need to ensure that the restrictions in LobbyGPO are applied to all
users who log on to the client computer that is located in the lobby. What
should you do?
A.Configure LobbyGPO with the No override setting.
B.Configure SecureClient with the No override setting.
C.Configure LobbyGPO to enable User Group Policy loopback processing mode in
replace mode.
D.Configure SecureClient to enable User Group Policy loopback processing
mode in replace mode.

NO.5 You are the network administrator for your company. The network
consists of a Windows 2000 domain. The network contains two Windows 2000
Server computers that are configured as domain controllers named ServerA and
ServerB.
ServerA has two disk volumes named C and D. the operation system files and
all Active Directory files are located on the C volume, which is a 4GB
volume. Volume D is a 25GB volume.
Each company department is represented by a separate organizational unit
(OU). Each OU contains all user and group accounts for that department. The
marketing department has 500 users and computers.
While you are working at ServerA, your manager instructs you delete the
Marketing OU. Prior to deleting this OU, you need to ensure that the
Marketing OU and its accounts can be recovered if necessary.
What should you do?
A.Run the dcdiag/s:ServerA command.
B.Back up the System State data on ServerA.
C.Export the registry of either domain controller to backup media.
D.Start ServerA by using the Directory Service Restore Mode option and make
a backup copy of the ntds.dit file.
E.Start ServerA by using the Directory Service Restore Mode option and use
the Ntdsutil utility to move the database to the D volume.

NO.6 The domain administrator delegates full control to you for the
Accounting OU. You are also given the ability to create Group Policy. The
Block Policy inheritance setting is enabled on the Accounting OU.
You need to track local logon activities for all of the computers in the
department. You want to perform this task with the least amount of
administrative effort.
Which two actions should you take? (Each correct answer presents part of the
solution. Choose two)
A.Review the security log of each computer in the Accounting OU.
B.Review the system log of each computer in the Accounting OU.
C.Create a new Group Policy object (GPO) and configure the Audit logon
events setting by selecting both the Success and the failure check boxes.
Link the policy to the Accounting OU.
D.Create a new Group Policy object (GPO) and configure the Audit account
logon events setting by selecting both the Success and the Failure check
boxes. Ask the Domain Administrator to link the policy to the domain.
E.Create a new Group Policy object (GPO) and enable the Security policy
processing setting. Link the policy to the Accounting OU.
F.Create a new Group Policy object (GPO) and enable the Security policy
processing setting. Ask the domain Administrator to link the policy to the
domain.

NO.7 You are the network administrator for the research department of your
company. The network consists of a Windows 2000 domain. The research
department has a Windows 2000 file server named ServerA. All local storage
on ServerA uses NTFS. The research department also has 300 Windows
Professional computers.
All of the computer accounts for the research department are in an
organizational unit (OU) named Research. You have full control over the
Research OU and the ability to create Group Policy. The Research OU blocks
policy inheritance.
Confidential data is stored on ServerA in a folder named Focus1 and shared
as Focus1. You need to track all attempts to access the Focus1 folder on
ServerA.
Which two actions should you take? (Each correct answer presents part of the
solution. Choose two.)
A.Ask the domain administrator to enable the Audit object access setting on
the Domain Security Policy for the domain.
B.Create a new GPO that enables the Audit process tracking setting. Link
that policy to the Research OU.
C.Configure the Local Security Policy of ServerA to enable the Audit object
access setting.
D.Configure the Focus1 system access control list (SACL) so that the
Everyone group has Success: List Folder/Read Date and Failure: List
Folder/Read Data permission.
E.Configure the share permissions on Focus1 so that the Everyone group has
Allow: Change permission.

NO.8 You are the network administrator for your company. The network
consists of a Windows 2000 domain. The domain contains Windows 2000 Server
computers and Windows 2000 Professional client computers. All domain
controllers are in the default Domain Controllers organizational unit (OU).
The company written security policy requires that all domain users¡¯
passwords meet the following minimum requirements:
At least six characters in length
20-day minimum age
35-day maximum age
12-password memory
One of the branch offices has two Windows 2000 domain controllers. All users
located in the branch office must be forced to use a 10-character password.
What should you do?
A.Modify the Default Domain Policy Group Policy object (GPO) so that the
minimum password length is 10
B.Modify the Default Domain Controllers Policy Group Policy object (GPO) so
that the minimum password length is 10.
C.Create a new OU named SecureDCs under the domain. Create a new Group
Policy object (GPO) and link it to the SecureDCs OU. Change the minimum
password length to 10 in the new GPO. Move both domain controller computer
objects into the SecureDCs OU.
D.Create a new OU named SecureDCs under the Domain Controllers OU. Create a
new GPO and link it to the SecureDCs OU. Change the minimum password length
to 10 in the new GPO. Move both domain controller computer objects in to the
SecureDCs OU.

NO.9 You are the network administrator for your company. The network
consists of a Windows 2000 domain. The domain contains Windows 2000 Server
computers and windows 2000 Professional client computers. All of the user
accounts are in an organizational unit (OU) named Employees and all of the
computer accounts are in an OU named Workstations.
You have a new software application that needs to be installed on demand
from users. You do not want to give users administrative privilege on their
computers. You create a Microsoft Installation (MSI) package for the
software application.
What should you do next?
A.Create a new Group Policy object (GPO) and link it to the Workstations OU.
Configure the computer configuration portion of the GPO to assign the MSI
package.
B.Create a new Group Policy object (GPO) and link it to the Employees OU.
Configure the user configuration portion of the GPO to assign the MSI
package.
C.Create a share on a NTFS 5.0 volume and configure it for automatic
caching. Place the MSI package in the shared folder. Grant users Allow: Full
Control permission to the shared folder. Map a drive to the shared folder
for each user.
D.Create a share on a NTFS 5.0 volume and configure the share as a
Distributed File System (DFS) link. Place the MSI package in the shared
folder. Grant users Allow: Full Control permission to the shared folder. Map
a drive to the DFS share for each user.

NO.10 You add a new domain controller named GC01 to your network to take the
place of the existing global catalog server. You also enable GC01 as a
global catalog. You want to use GC00, the original server, as a domain
controller, but not as a global catalog server for the domain. You want to
increase disk space on GC00.
What should you do? (Choose all that apply.)
A.Use Active Directory Sites and Services.
Select the NTDS Settings object for the GC00 server to clear the Global
Catalog check box.
B.On the GC00 server, run the Ntdsutil utility to defragment Active
Directory.
C.On the GC00 server, reinstall Windows 2000.
D.On the GC01 server, run the Ntdsutil utility to enable the global catalog
server option.

NO.11 You are the network administrator for your company. The network
consists of a Windows 2000 domain. The network contains Windows 2000 Server
computers and Windows 2000 Professional client computers. All of the servers
and client computers are domain members.
The domain has three top-level organizational units (OUs) named Sales_users,
Groups, and Client_computers. All non-default user, group, and computer
accounts are located in their respective OUs.
During a review of the security log for one of the domain controllers, you
discover that a user named Bruno has modified multiple groups. Bruno should
not have the ability to modify any non-default group.
What should you do?
A.Modify the Groups OU to give Bruno¡¯s user account Denny: Write properties
permission to all group accounts.
B.Modify the Sales_users OU to give Bruno¡¯s user account Deny: Write
properties permission to all group accounts.
C.Run the delegation wizard for the Groups OU and give Bruno¡¯s user account
Allow: Read permission to all group accounts.
D.Run the delegation wizard for the Sales_users OU and give Bruno¡¯s user
account Allow: Read permission to all group accounts.


NO.12 You are the network administrator for your company. The network
consists of a Windows 2000 Active Directory domain named contoso.com. The
network contains two Windows 2000 Server computers that are configured as
domain controllers. The network also contains 400 Windows 2000 Professional
client computers.
The research and marketing departments each have a separate top-level
organizational unit (OU) that contains all user and group accounts for that
department. These OUs named Research and Marketing, respectively.
A group named Research_Users has all of the research user accounts as
members. The Marketing_Users group as all of the marketing user accounts as
members. The Research_Users group is a member of the local Administrators
group of each research computer.
During a security audit, you notice that a few marketing user accounts are
members of the local Administrators group on research department computer.
You want to prevent research users from giving permanent administrative
permissions for their computers to users from other departments. You want to
ensure that only Domain Administrators and research users are the permanent
administrators of research department computer.
What should you do?
A.Delete the Research_Users group. Add each research user account to the
local Administrators group of each computer in the Research OU.
B.Create a new Group Policy object (GPO) and link it to the Research OU.
Configure the policy to add a group named Administrators in the Restricted
Groups policy. Add Marketing_Users as members of this group.
C.Create a new Group Policy object (GPO) and link it to the Research OU.
Configure the policy to add a group named Administrators in the Restricted
Groups policy. Add Domain Administrators and Research_Users as members of
this group.
D.Create a new local group on each research department computer named
Research_local. Add Research_Users to the Research_Local group. Add the
localdefault Administrator account to the Research_Local group.
E.Crete a new local group on each research department computer named
Research_local. Add the local default Administrator account to the
Research_local group. Tell research users to log on as the local default
Administrator.


NO.13 You are the network administrator for your company. The network
consists of a Windows 2000 domain named nwtraders.com. The network contains
Windows 2000 Server computers, Windows NT 4.0 Server computers and Windows
NT 4.0 Workstation client computers. All computers are members of the
domain.
All domain controllers run Windows 2000 Server. One Windows 2000 Server
computer named ServerA runs DNS and hosts the nwtraders.com domain as a
standard primary zone. The nwtraders.com zone on ServerA does not support
dynamic updates.
You discover that your DNS server has been compromised. Users report that
they cannot gain access to all network resources. You investigate DNS and
discover that some of the records were removed and that the DNS backup files
were deleted. The DNS structure is shown in the following graphic. (Click
the Exhibit button.)
You need to fix DNS and allow users to access network resources again. What
should you do?
A.Run the ipconfig/registerdns command on all domain controllers.
B.Run the net stop dns command. Then run the net start dns command.
C.Copy the netlogon.dns file from one of the domain controllers to ServerA.
D.Create the _msdcs folder, structure, and SRV (service) records in DNS on
ServerA.

NO.14 You are the network administrator for your company. The network
consists of a Windows 2000 domain named contoso.com. The network contains
Windows 2000 Server computers and Windows 2000 Professional client
computers. One of the servers is named ServerA and is domain controller.
ServerA runs DNS and contains the Active Directory integrated zone for
contoso.com. An application needs to resolve fully qualified domain names
(FQDNs) from an IP address by using DNS.
You want to ensure that records are automatically configured in DNS.
Want should you do?
A.Run the netdiag/fix command on ServerA.
B.Run the dcdiag/fix command on ServerA.
C.Configure the contoso.com zone to allow dynamic updates.
D.Create a reverse lookup zone that allows dynamic updates.

NO.15 You are a network administrator for your company. The network consists
of a Windows 2000 domain. There are three departments in your company:
research, marketing, and production.
Each department has a separate organizational unit (OU) in the domain. Each
OU contains all user and group accounts for that department. The marketing
department has two subordinate offices named Telemarketing and Sales.
The Telemarketing and the Sales offices have different administrative needs.
Telemarketing users and computers must inherit all of the Group Policy
settings that apply to the Marketing OU. Sales users and computers must not
inherit Group Policy settings that apply to the marketing OU.
All of the users and computers assigned to Telemarketing and Sales must
inherit all Group Policy settings for the domain. Your manager does not want
you to configure an administrative structure that requires the use of the
Block Policy inheritance setting.
You need to configure Active Directory to support the administrative needs o
f the Telemarketing and Sales offices. Which two actions should you take?
A.Create a child domain named Sales that is subordinate to contoso.com.
B.Create a child domain named Telemarketing that is subordinate to
contoso.com.
C.Create an OU named Sales that is subordinate to the Marketing OU.
D.Create an OU named Telemarketing that is subordinate to the Marketing OU.
E.Create a top-level OU named Sales in the contoso.com domain.
F.Create a top-level OU named Telemarketing in the contoso.com domain.


.