Certifiable Q&A for July 27, 2001

Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions weekly.

Questions (July 27, 2001)
Answers (July 27, 2001)

This week's questions cover topics for Exam 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure.

Questions (July 27, 2001)

Question 1
Active Directory (AD) uses primarily multiple-master replication, but certain roles lend themselves better to single-master replication. The machines that carry out these roles are known as Operations Masters. One Operations Master is responsible for updating the group-to-user references whenever you rename or change group members. What does Microsoft call this Operations Master?

  1. Domain naming master
  2. Infrastructure master
  3. PDC emulator
  4. RID master
  5. Schema master

Question 2
You're the administrator responsible for all the desktops and servers in your company's Detroit office, which has seven domain controllers (DCs). You have collected the following information about the DCs:

  • Four DCs are for sales.abccorp.com and are named SalesD1, SalesD2, SalesD3 and SalesD4
  • Two DCs are for the marketing.abccorp.com domain and are named MarketingD1 and MarketingD2
  • One DC is for the it.abccorp.com domain and is named ITD1

Using Replication Monitor, you notice that MarketingD1 and SalesD2 are direct replication partners. Which partitions replicate between MarketingD1 and SalesD2? (Choose all that apply.)

  1. Configuration partition
  2. Domain partition
  3. Infrastructure partition
  4. Schema partition
  5. Sysvol partition

Question 3
You're the administrator for a company that runs one mixed-mode domain named acme.com. Recently, you hired several dozen employees that work from home, accessing the company's network through dial-up connections. You're very concerned about an intruder breaching your network through one of these accounts. You'd like to configure a separate Lockout Policy for your remote users so that if they provide incorrect logon credentials more than twice, the system locks them out immediately and until an administrator intervenes. Under your current domain Lockout Policy, the system locks users out after five bad logon attempts and automatically unlocks the accounts after 30 minutes.

What's the best way to create a different Lockout Policy for your remote users?

  1. Create a new organizational unit (OU) called RemoteUsers, place all the remote user accounts in this OU, and configure the Lockout Policy at the OU level.
  2. Create a new site called RemoteUsers, create subnets for the site based on the IP addresses of the remote computers, and configure the Lockout Policy at the site level.
  3. Create a new domain called remote.acme.com, place all the remote user accounts in this domain, and configure the Lockout Policy at the domain level.
  4. Create a domain in a new forest and name it remote.com, place all the remote user accounts in this domain, and configure the Lockout Policy at the domain level. Create an external trust between the acme.com domain and the remote.com domain.

Answers (July 27, 2001)

Answer to Question 1
The correct answer is B—Infrastructure master. The infrastructure master is the machine that's responsible for updating group-to-user references whenever you change the members of groups. Such changes occur when you rename or move a group member that resides in a different domain. In this case, the group temporarily appears not to contain that member. The machine that holds the infrastructure master role is responsible for updating the group so that the group knows the new name or location of the member.

Each domain has just one infrastructure master, and it's important that you not assign that role to a machine that's serving as a Global Catalog (GC) server.

Answer to Question 2
The correct answers are A—Configuration partition and D—Schema partition. Each DC contains at least three full, writeable directory partition replicas:

  • Schema partition—Contains all class and attribute definitions for the forest.
  • Configuration partition—Contains replication configuration information (and other information) for the forest.
  • Domain partition—Contains all objects stored by one domain.

Each forest has one schema partition and one configuration partition. Each domain in the forest has one domain directory. A full replica of a domain's partition exists on all DCs of that domain, and a full replica of a forest's configuration and schema partitions exists on all DCs of that forest. Therefore, DCs that are replication partners but not members of the same domain replicate only their schema and configuration partitions.

Answer to Question 3
The correct answer is C—Create a new domain called remote.acme.com, place all the remote user accounts in this domain, and configure the Lockout Policy at the domain level. All DCs enforce the account policies that you have defined in the Default Domain Policy. DCs ignore password, lockout, and Kerberos policies that you define at an OU or local level. Therefore, if you want separate password, lockout, or Kerberos policies for users in your organization, you must create separate domains. Answer D lets you create separate lockout policies for the users, but it's not the best solution because administering trusts that you create manually is cumbersome.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.