CHAPTER ANSWERS: MANAGING AND MAINTAINING A MICROSOFT WINDOWS SERVER 2003 ENVIRONMENT LAB MANUAL CHAPTER ANSWERS: MANAGING AND MAINTAINING A MICROSOFT WINDOWS SERVER 2003 ENVIRONMENT LAB MANUAL 2 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM CHAPTER 1 INTRODUCING MICROSOFT WINDOWS SERVER 2003 CHAPTER EXERCISES Exercise 1-1: Selecting an Operating System For each of the Windows Server 2003 versions in the left column, specify which description (or descriptions) in the right column apply. ANSWER 1. d 2.
d, e 3. b, d, e 4. b, d, e 5.
a, b, c, d, e CHAPTER REVIEW QUESTIONS 1. You are planning the deployment of Windows Server 2003 computers for a department of 250 employees. The server will host the home directories and shared folders for the department, and it will serve several printers to which departmental documents are sent.
Which edition of Windows Server 2003 will provide the most cost-effective solution for the depart- ment? Explain your answer. ANSWER The Standard Edition.
It is a robust platform for file and print services in small to medium-sized enterprises or departments. 2. Which of the following versions of Windows Server 2003 require product activation?
(Select all that apply.) a. Standard Edition, retail version b. Enterprise Edition, evaluation version c.
Enterprise ... more. less.
Edition, Open License version d. Standard Edition, Volume License version 1. Web Editiona.<br><br> Supports 512 GB of memory 2. Standard Editionb. Supports eight-node server clusters 3.<br><br> Enterprise Editionc. Cannot run 16-bit Windows applications 4. Datacenter Editiond.<br><br> Supports 32-node NLB clusters 5. Datacenter Edition (64-bit)e. Supports computers with four processors CHAPTER 1INTRODUCING MICROSOFT WINDOWS SERVER 2003 3 ANSWER a and b 3.<br><br> What is the primary distinction between an Active Directory tree and an Active Directory forest? ANSWER An Active Directory tree is a group of domains that share a contiguous namespace; a forest contains domains that use different namespaces. 4.<br><br> Which of the following types of Active Directory objects are not container objects? a. User b.<br><br> Group c. Computer d. Organizational unit ANSWER a and c 5.<br><br> Which of the following is true about setup in Windows Server 2003? (Select all that apply.) a. Setup can be launched by booting from the CD.<br><br> b. Setup can be launched by booting from setup floppy disks. c.<br><br> Setup requires an Administrator password that is not blank to meet complexity requirements. d. Setup requires you to activate the product license before it installs the operating system.<br><br> ANSWER a and c CHAPTER CASE SCENARIOS Scenario 1-1: Windows Server 2003, Web Edition Capabilities You are a network administrator who has been assigned the task of deploying the Windows Server 2003 servers for your company 9s new e-commerce Web site, which is being designed by an outside consultant. The site will require four Web servers, configured as a four-node NLB cluster, and a single database server, run- ning SQL Server. The consultant 9s deployment plan calls for the use of Windows Server 2003 Web Edition on all five of the servers.<br><br> Which of the following state- ments regarding this proposed deployment is true? 1. The Web Edition is a suitable operating system for all five servers.<br><br> 4 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM 2. The Web Edition is a suitable operating system for the database server, but not for the Web servers, because it does not support NLB clusters. 3.<br><br> The Web Edition is a suitable operating system for the Web servers, but not for the database server, because it cannot run SQL Server. 4. The Web Edition is not a suitable operating system for either the database or the Web servers.<br><br> ANSWER 3 Scenario 1-2: Selecting a Windows Server 2003 Edition You are planning the deployment of Windows Server 2003 computers for a new Active Directory domain in a large corporation that includes multiple separate Active Directories maintained by each of the corporation 9s subsidiaries. The com- pany has decided to roll out Exchange Server 2003 as a unified messaging platform for all the subsidiaries and plans to use Microsoft Metadirectory Services (MMS) to synchronize appropriate properties of objects throughout the organization. Which edition of Windows Server 2003 will provide the most cost-effective solution for this deployment?<br><br> Explain your answer. ANSWER The Enterprise Edition is the most cost-effective solution that supports MMS. The Standard and Web Editions do not support MMS.<br><br> CHAPTER 2ADMINISTERING MICROSOFT WINDOWS SERVER 2003 5 CHAPTER 2 ADMINISTERING MICROSOFT WINDOWS SERVER 2003 CHAPTER REVIEW QUESTIONS 1. What is the default mode when you create a new MMC console? ANSWER The default mode for an MMC console is Author mode.<br><br> 2. Can a snap-in have focus on both the local computer and a remote com- puter simultaneously? ANSWER No.<br><br> Snap-ins can be configured to connect to the local computer or a remote com- puter, but not both simultaneously. 3. What credentials are required for administration of a remote computer using MMC?<br><br> ANSWER You must have administrative credentials on the remote computer to perform remote administration. 4. Can an existing MMC snap-in be changed from local to remote context, or must a snap-in of the same type be loaded into the console for a remote connection?<br><br> ANSWER You can change a snap-in 9s context by selecting Connect To Another Computer from the Action menu. A snap-in does not have to be reloaded to change its con- figuration. 5.<br><br> Are all of the functions in a snap-in always available for use when you are connected to a remote computer? ANSWER No, full functionality is not always available. For example, the Device Manager com- ponent in the Computer Management snap-in can be used only to view remote computer configurations, and you cannot make any changes to the remote com- puter 9s device configuration.<br><br> 6. How many simultaneous connections are possible to a terminal server running in Remote Administration mode? Why?<br><br> ANSWER Two, because the application-sharing components are not installed with Terminal Server configured in Remote Desktop mode for remote administration. 7. What tool is used to enable Remote Desktop on a server?<br><br> a. Terminal Services Manager b. Terminal Services Configuration c.<br><br> System Properties in Control Panel d. Terminal Services Licensing 6 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM ANSWER c. CHAPTER CASE SCENARIOS Scenario 2-1: Using Remote Assistance Your company has enabled Remote Assistance on each computer in the enterprise.<br><br> The company 9s sales representatives travel frequently and use laptops to perform their work while on the road. On your internal network, you use Windows Mes- senger for spontaneous communication with your clients and for Remote Assis- tance. However, you disallow Instant Messenger traffic across the Internet by closing port 1863 at the firewall.<br><br> You want to perform Remote Assistance for your remote users, but you cannot connect to them with Windows Messenger to deter- mine whether they are on line. Describe two alternative methods that traveling sales representatives can employ to send a Remote Assistance invitation to an expert in the home office. ANSWER The user can employ either of the following methods: Send an e-mail to the expert through Help And Support Tools.<br><br> When the expert accesses the link in the e-mail, the expert will be able to establish a Remote Assistance session. Create a Remote Assistance file through Help And Support Tools. E-mail the file to the expert, or have the expert access it through a file share.<br><br> When the expert accesses the link within the file, she can establish a Remote Assis- tance session. Scenario 2-2: Using Remote Desktop Connection You are trying to connect to a Windows Server 2003 server in your environment with Remote Desktop Connection, but you consistently get the following message when you attempt to connect: GT02cr14.bmp You have checked settings on the server and confirmed the following: You are a member of the Remote Desktop Users group. You are not a member of the Administrators group.<br><br> You are able to connect to share points on the Terminal Server computer, and the computer responds affirmatively to a ping. CHAPTER 2ADMINISTERING MICROSOFT WINDOWS SERVER 2003 7 What other settings should you check on the Terminal Server computer to trouble- shoot this problem? ANSWER It is likely that the Terminal Server in question is a domain controller and that the Default Domain Controllers Policy GPO has not been enabled to allow remote con- nections by the Remote Desktop Users group.<br><br> The local computer policy for domain controllers forbids nonadministrator remote connections and must be changed. The easiest way to change the local policy is to override it with a change to the Default Domain Controllers Policy GPO. 8 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM CHAPTER 3 MONITORING MICROSOFT WINDOWS SERVER 2003 CHAPTER REVIEW QUESTIONS 1.<br><br> You do not want data in the Security log to be overwritten, but you also do not want your Windows Server 2003 computer to stop serving the network at any time. What settings should you configure on your server? ANSWER In the Event Viewer snap-in, open the Security Properties dialog box and select the Do Not Overwrite Events (Clear Log Manually) option.<br><br> Do not enable the group pol- icy that defines the Audit: Shut Down System Immediately If Unable To Log Secu- rity Audits security option because this will shut the server down if the Security log reaches its maximum size, which will discontinue the server 9s availability to the network. You will still need to schedule a regular Security log analysis as good administrative practice, but you will not need to do so as frequently. 2.<br><br> Your goal is to monitor all your Windows Server 2003 servers so that they can be defragmented on a regular schedule, and as efficiently as possible. The disk defragmentation program that you use requires at least 20 per- cent free disk space on each volume to defragment properly. What should you do?<br><br> ANSWER Configure Performance Logs And Alerts on one computer to monitor the Logical- Disk: % Free Space counter for each computer on the network and generate an alert when the counter on any computer falls below 20 percent. Configure the alerts to send a message to the network administrator. 3.<br><br> The computer that you are using to monitor the other systems on your network is overburdened with the task, so you must lighten its monitor- ing load. What should you do to lighten the monitoring computer 9s load while maintaining as much monitored data as possible? ANSWER Decrease the sample rate at which data is recorded from the remote computers.<br><br> By decreasing the frequency of data sampling, and perhaps by staggering the log- ging times, you can maintain the greatest amount of monitoring data while reduc- ing the load on the monitoring computer. 4. You are running a database application on a computer with two proces- sors.<br><br> You want the database application to run on the second processor. How can you use Task Manager to do this? ANSWER Right-click the database application in the Applications tab, and then select Go To Process.<br><br> Right-click the process, and set the processor affinity from the context menu. CHAPTER 3MONITORING MICROSOFT WINDOWS SERVER 2003 9 5. Which of the following statements is true if System Monitor shows a value greater than 2 for the PhysicalDisk: Current Disk Queue Length counter on a non-RAID system?<br><br> a. You need more disk space. b.<br><br> You need a faster disk drive. c. You need additional information to determine whether the disk is the problem.<br><br> d. You have a memory problem, not a disk problem. ANSWER c.<br><br> A Current Disk Queue Length value of more than 2 could be the result of insuffi- cient memory that causes excessive memory paging to disk, but there is not enough information to tell from this counter value alone. 6. Which of the following logs are available using Event Viewer on a member server functioning as an application server?<br><br> (Choose all correct answers.) a. Application b. Directory Service c.<br><br> System d. Security e. File Replication Service ANSWER a, c, and d.<br><br> The other two logs are found only on domain controllers. 7. Why do System Monitor performance counters sometimes have multiple instances?<br><br> ANSWER If the computer contains more than one of the same type of component, such astwo network interface adapters, instances enable you to monitor each one independently. 8. What are two possible remedies for a disk subsystem that is the bottleneck in a server 9s performance?<br><br> ANSWER Any two of the following: Install faster hard disk drives. Install additional hard disk drives and split your data among them, reducing the I/O burden on each drive. Replace standalone drives with a RAID (redundant array of independent disks) array.<br><br> Add more disk drives to an existing RAID array. 10 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM CHAPTER CASE SCENARIOS Scenario 3-1: Detecting a Bottleneck You are a network administrator for Fabrikam, Inc., a high-technology company that has recently landed a lucrative government contract. As a result of the contract, the company will be undergoing a dramatic expansion over the next 12 months.<br><br> The number of users accessing the company 9s client database is expected to dou- ble, and the IT director has instructed you to determine if the database server in itscurrent configuration can keep up with the increased load, and if not, what improvements need to be made. To accomplish this task, your first course of action is to implement a plan to monitor the server for performance bottlenecks. As the first step in the plan, you establish a baseline byusing the Performance Logs And Alerts snap-in to create a counter log that tracks the values for critical counters in the Processor, Memory, PhysicalDisk, and Network Interface performance objects.<br><br> After establishing the normal operational values for the counters, what should you do next to configure the Performance console to detect a bottleneck? a. Leave the counter log running at all times and check the values of the counters at regular intervals.<br><br> b. Using System Monitor, create a graph of the same counters and configure the snap-in to sound an alarm when any counter value exceeds the max- imum baseline value. c.<br><br> In the Performance Logs And Alerts snap-in, create a series of alerts that send a message to your workstation when any baseline counter exceeds a certain value. d. In the Performance Logs And Alerts snap-in, create a trace log using the same counters as the baseline.<br><br> ANSWER c. The Alerts feature in the Performance Logs And Alerts snap-in enables you to specify values for particular performance counters and configure the program to perform an action, such as generating a message on a computer, if any counter reaches its specified value. Answer a is incorrect because although leaving the counter log running will collect the data needed to detect a bottleneck, this prac- tice can generate a significant amount of system overhead.<br><br> Answer b is incorrect because although you can monitor the values of the performance counters in real time using System Monitor, you cannot configure the snap-in to sound alarms. Answer d is incorrect because trace logs do not monitor performance counters, soyou cannot use them to detect bottlenecks. Instead, trace logs record the particular system application events that you specify.<br><br> CHAPTER 3MONITORING MICROSOFT WINDOWS SERVER 2003 11 Scenario 3-2: Eliminating a Bottleneck You are a network administrator who has been given the task of determining why the Windows Server2003 file and print server on a particular LAN is performing poorly. You must also implement a remedy for the problem. After monitoring server performance counters using the Performance console, you have determined that the network itself is the bottleneck preventing peak performance.<br><br> Which of the following solutions would enable you to achieve the goal of increasing the per- formance level of the file and print server? (Choose all correct answers.) a. Install a second network interface adapter in the server, and connect it to the same network.<br><br> b. Increase the speed of the network by replacing the 10Base-T network interface adapters in the computers on the network and the hub to which the computers are connected with 100Base-TX equipment. c.<br><br> Split the network into two separate LANs with an equal number of com- puters on each. Then install a second network interface adapter in the file and print server and connect the server to both LANs. d.<br><br> Replace the network interface adapter in the file and print server with a model that has a larger memory buffer. ANSWER b and c. Speeding up the network would enable it to carry more traffic, eliminating the bottleneck.<br><br> Alternatively, creating two LANs out of one reduces the amount of traffic on each network by half, and connecting the server to each of those net- works enables more traffic to reach the server. Answer a is incorrect because if the network itself is the bottleneck, a second connection to the same network would not enable any more traffic to reach the server, and therefore would not eliminate the bottleneck. Answer d is incorrect because when the network itself is the bottleneck, the amount of traffic actually reaching the server is limited, and buffering a larger amount of data would not eliminate the bottleneck.<br><br> 12 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM CHAPTER 4 BACKING UP AND RESTORINGDATA CHAPTER EXERCISE Exercise 4-2: Incremental and Differential Backups 1. If you back up your network by performing a full backup every Wednes- day at 6 p.m. and differential backups in the evening on the other six days of the week, how many jobs would be needed to completely restore a computer with a hard drive that failed on a Tuesday at noon?<br><br> ANSWER Two: the previous Wednesday 9s full backup and yesterday 9s (Monday 9s) differential. 2. If you back up your network by performing a full backup every Wednes- day at 6 p.m., how many jobs would be needed if you performed incre- mental backups in the evening of the other six days of the week and a hard drive failed on a Tuesday at noon?<br><br> ANSWER Six: the previous Wednesday 9s full backup and the incremental backups from the previous Thursday, Friday, Saturday, Sunday, and Monday, in that order. 3. For a complete restore of a computer that failed at noon on Tuesday, how many jobs would be needed if you performed full backups at 6 a.m.<br><br> every Wednesday and Saturday and incremental backups at 6 a.m. every other day? ANSWER Four: the previous Saturday 9s full backup, the incremental backups from the previ- ous Sunday and Monday, and that morning 9s incremental, in that order.<br><br> CHAPTER REVIEW QUESTIONS 1. Why is it best to perform backups when the organization is closed? ANSWER Because files are less likely to be locked open and the network is not affected by the amount of traffic that backups generate.<br><br> 2. Which of the following backup job types does not reset the archive bits on the files that it copies to the backup medium? (Choose all correct answers.) a.<br><br> Full b. Incremental c. Differential d.<br><br> Copy CHAPTER 4BACKING UP AND RESTORINGDATA 13 ANSWER c and d. 3. Which of the following tape drive devices has the greatest capacity?<br><br> a. LTO b. QIC c.<br><br> DAT d. DLT ANSWER a. 4.<br><br> Which of the following is the criterion most commonly used to filter files for backup jobs? a. Filename b.<br><br> File extension c. File attributes d. File size ANSWER c.<br><br> 5. How does an autochanger increase the overall storage capacity of a backup solution? ANSWER It increases capacity by automatically inserting and removing media from adrive.<br><br> 6. What are the three elements of the Grandfather-Father-Son media rotation system? a.<br><br> Hard disk drives, CD-ROM drives, and magnetic tape drives b. Incremental, differential, and full backup jobs c. Monthly, weekly, and daily backup jobs d.<br><br> QIC, DAT, and DLT tape drives ANSWER c. 7. Network backup devices most commonly use which drive interface?<br><br> a. IDE b. SCSI c.<br><br> USB d. Parallel port 14 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM ANSWER b. 8.<br><br> How does Windows Backup verify the data written to the backup medium? ANSWER By performing a bit-by-bit comparison of the backup medium with the original source data. 9.<br><br> When you restart the computer in Directory Services Restore Mode, what logon must you use? Why? ANSWER When you restart the computer in Directory Services Restore Mode, you must logon as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator 9s name and password.<br><br> This is because Active Directory is offline and account verification cannot occur. The SAM accounts database is used to control access to Active Directory while Active Directory is offline. You specified this password when you set up Active Directory.<br><br> CHAPTER CASE SCENARIO You are designing a backup solution for your company network. To make it easier to back up valuable company data, you have supplied each of the network 9s 125 users with a home folder on a shared server drive and have instructed the users to store all their data files in their home folder. You have also created disk quotas granting each user a maximum of 1 GB of storage space.<br><br> Because of this arrangement, you will be backing up only the network servers, not user workstations. In addition to the file servers hosting the users 9 home folders, there are also six Web servers, each with a 40-GB drive containing the home page files, a database server with an 80-GB drive hosting approximately 10 GB of database files, and an e-mail server with 25 GB of mail archives. Based on this information, answer the following questions: 1.<br><br> What is the approximate total amount of regularly changing data that you might have to back up each day? a. 60 GB b.<br><br> 160 GB c. 360 GB d. 480 GB ANSWER b.<br><br> One GB each for 125 users plus 10 GB of database files plus 25 GB of e-mail files equals 160 GB. The Web server home page files are not included because they typically do not change. CHAPTER 4BACKING UP AND RESTORINGDATA 15 2.<br><br> Assuming that you decide to perform a weekly full backup and daily incremental backups, approximately how much data from the six Web servers can you expect to find on each incremental backup tape? Explain your answer. ANSWER Almost none, because the data used to host Internet sites on Web servers typi- cally does not change.<br><br> 3. Based on the information shown earlier in Table 4-1, which type of mag- netic tape drive would best be suited for this network, assuming that you want to use only a single tape for your daily incremental backups? a.<br><br> DLT b. 8 mm c. QIC d.<br><br> DAT ANSWER a, because DLT drives can hold up to 160 GB on a single tape. 16 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM CHAPTER 5 MAINTAINING THE OPERATING SYSTEM CHAPTER REVIEW QUESTIONS 1. You are configuring a Software Update Services infrastructure using the loose parent/child topology.<br><br> One server is synchronizing metadata and con- tent from Windows Update. Other servers (one in each site) are synchroniz- ing content from the parent SUS server. Which of the following steps is required to complete the SUS infrastructure?<br><br> (Choose all correct answers.) a. Configure Automatic Updates clients using Control Panel on each system. b.<br><br> Configure GPOs to direct clients to the SUS server in their sites. c. Configure a manual content distribution point.<br><br> d. Approve updates using the SUS administration page on the child servers. ANSWER b and d.<br><br> Answer a is incorrect because you cannot configure Automatic Updates to use an alternative server from Control Panel. Answer c is incorrect because a manual content distribution point is not necessary for this topology. 2.<br><br> You are configuring SUS for a group of Web servers. You want the Web serv- ers to update themselves nightly based on a list of approved updates on your SUS server. However, once in a while an administrator is logged on, performing late-night maintenance on a Web server, and you do not want the update installation and potential restart to interfere with those tasks.<br><br> What Windows Update policy configuration should you use in this scenario? a. Notify For Download And Notify For Install b.<br><br> Auto Download And Notify For Install c. Auto Download And Schedule The Install d. Auto Download And Install Immediately ANSWER c.<br><br> You want the Web servers to update themselves, so you must schedule the installation of updates. However, an administrator always has the option to can- cel the installation. 3.<br><br> You want all network clients to download and install updates automati- cally during night hours, and you have configured scheduled installation behavior for Automatic Updates. However, you discover that some users are turning off their machines at night and updates are not being applied. Which group policy enables you to correct this situation without chang- ing the installation schedule?<br><br> CHAPTER 5MAINTAINING THE OPERATING SYSTEM 17 a. Specify Intranet Microsoft Update Service Location b. No Auto-Restart For Scheduled Automatic Updates Installations c.<br><br> Reschedule Automatic Updates Scheduled Installations d. Configure Automatic Updates ANSWER c. Updates are automatically downloaded using background processes and idle bandwidth, but the installation is triggered by the specified schedule.<br><br> If a com- puter is turned off at the installation time, it waits until the next scheduled date and time. Enabling this policy causes Automatic Updates to start update instal- lation 1 to 60 minutes after system startup. 4.<br><br> What command should you use to unpack the single-file download of a service pack? a. Setup.exe -u b.<br><br> Update.exe -x c. Update.msi d. Servicepackname .exe 3x ANSWER d.<br><br> 5. What are the valid licensing modes in Windows Server 2003? (Choose all correct answers.) a.<br><br> Per User b. Per Server c. Per Seat d.<br><br> Per Device or Per User ANSWER b and d. 6. You are hiring a team to tackle a software development project.<br><br> There will be three shifts of six programmers. Each programmer uses four computers to develop and test the software, which authenticate against a Windows Server 2003 computer. What is the minimum number of CALs required if the servers involved are in Per Device or Per User licensing mode?<br><br> a. 6 b. 4 c.<br><br> 18 d. 24 ANSWER c. If you were to license based on devices, there are six times four devices, or 24 devices.<br><br> It will be more cost effective to license based on the number of users, which is 18. 18 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM 7. What tool enables you to identify the site license server for your site?<br><br> a. Active Directory Domains And Trusts b. Licensing tool in Control Panel c.<br><br> Active Directory Sites And Services d. DNS ANSWER c. 8.<br><br> You manage the network for a team of 500 telephone sales representa- tives. You have 550 licenses configured in Per Device or Per User licens- ing mode. A new campaign is launched, and you will hire another shift of 500 reps.<br><br> What do you need to do to most effectively manage license tracking and compliance? a. Revoke the licenses from the existing clients.<br><br> b. Delete the existing licenses, and then add 500 licenses. c.<br><br> Create license groups. d. Convert to Per Server licensing.<br><br> ANSWER c. License groups enable users working at different times to share a single CAL. If you do not use license groups, you must purchase a separate CAL for each user.<br><br> CHAPTER CASE SCENARIOS Scenario 5-1: Deploying Microsoft SUS You are the systems administrator for a medium-sized organization that is consid- ering implementing SUS on all WindowsXP Professional workstations and Win- dows Server 2003 systems companywide. Before the companywide rollout can proceed, a pilot program will be implemented. You have been assigned a lab with 10 WindowsXP Professional workstations, a Windows Server 2003 member server running SUS, a Windows Server 2003 domain controller, and a standalone Win- dows Server 2003 system.<br><br> You want to configure all of the computers except the SUS server to automatically connect to the SUS server each morning at 7 A . M . to download and install new updates.<br><br> Which of the following steps should you take to accomplish this goal? (Choose all correct answers.) a. Use the Automatic Updates tab in the System Properties dialog box on every WindowsXP Professional workstation computer to set the update server to the address of the SUS server.<br><br> Set the WindowsXP workstations to automatically download and install updates at 7 A . M . each day.<br><br> b. Use the Automatic Updates tab in the System Properties dialog box on each Windows Server 2003 system except the SUS server to set the update server to the address of the SUS server. Set these servers to automatically download and install updates at 7 A .<br><br> M . each day. CHAPTER 5MAINTAINING THE OPERATING SYSTEM 19 c.<br><br> Place the Windows XP Professional workstations and the Windows Server 2003 domain controller in a separate OU named SUStest. Edit a GPO 9s Windows Update properties for the SUStest OU, specifying the address ofthe update server as the SUS server in the Specify Intranet Microsoft Update Service Location policy. Set Configure Automatic Updates Policy to Automatic Download And Schedule The Install, and set the scheduled install day to Every Day and the time to 7 A .<br><br> M . Apply this GPO to the SUStest OU. d.<br><br> On the standalone Windows Server 2003 system, edit the local GPO 9s Windows Update properties, specifying the address of the update server as the SUS server in the Specify Intranet Microsoft Update Service Loca- tion policy. Set Configure Automatic Updates Policy to Automatic Down- load And Schedule The Install, and set the scheduled install day to Every Day and the time to 7 A . M .<br><br> Apply this GPO to the SUStest OU. e. On the SUS server, edit the local GPO 9s Windows Update properties, specifying the address of the update server as the SUS server in the Spec- ify Intranet Microsoft Update Service Location policy.<br><br> Set Configure Auto- matic Updates Policy to Automatic Download And Schedule The Install, and set the scheduled install day to Every Day and the time to 7 A . M . Applythis GPO to the SUStest OU.<br><br> ANSWER c and d. Answers a and b are incorrect because Windows XP and Windows Server 2003 computers cannot be configured to contact an alternate update server using the System console. Answer e is incorrect because the SUS server cannot be configured to update from itself; it must still download updates from Microsoft 9s Web site.<br><br> Scenario 5-2: Deploying a Service Pack Fred is the systems administrator for an academic department at the local uni- versity. The department has 40 Windows XP Professional workstations and 2 Windows Server 2003 servers. One of these servers is configured as a domain controller, the other as a file and print server.<br><br> All department computers are mem- bers of a single Windows Server 2003 domain. Microsoft has recently released a service pack for Windows XP and, after testing it, Fred feels confident enough to deploy it to the Windows XP Professional workstations in his department. He extracts the service pack to a directory on the file server called \\Fileshare\ newsrvpk.<br><br> Which of the following methods can he use to install the service pack on all Windows XP Professional workstations? (Choose all correct answers.) a. He can visit each Windows XP Professional workstation and manually install the service pack from the file share.<br><br> b. He can create a group called Xpwkstn and put all the Windows XP Profes- sional workstation computer accounts in this group. He can then create a GPO in which he sets up a new package in the Computer Configuration\ Software Settings node using the location of the service pack .msi file on the \\Fileshare\newsrvpk share.<br><br> In the Deploy Software dialog box, he should select Assign, and then apply this GPO to the Xpwkstn group. 20 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM c. He can create a group called Xpusrs and put all who use Windows XP Professional workstations in this group.<br><br> He can then create a GPO in which he sets up a new package in the Computer Configuration\Software Settings node using the location of the service pack .msi file on the \\Fileshare\newsrvpk share. In the Deploy Software dialog box, he should select Assign, and then apply this GPO to the Xpusrs group. d.<br><br> He can create an OU called Xpwkstn and put all the Windows XP Profes- sional workstation computer accounts in this OU. He can then create a GPO in which he sets up a new package in the Computer Configuration\ Software Settings node using the location of the service pack .msi file on the \\Fileshare\newsrvpk share. In the Deploy Software dialog box, he should select Assign, and then apply this GPO to the Xpwkstn OU.<br><br> ANSWER a and d. Although answer a is correct, it is a slow and inefficient solution. Answer d is better because the installation package added to the GPO will be inherited by all of the computers in the OU to which the GPO is applied.<br><br> Answers b and c are incorrect because you cannot apply a GPO to a group object and because service packs must be applied to computers, not users. CHAPTER 6WORKING WITH USER ACCOUNTS 21 CHAPTER 6 WORKING WITH USER ACCOUNTS CHAPTER REVIEW QUESTIONS 1. You are using the Active Directory Users And Computers console to configure user objects in your domain, and you are able to change the address and telephone number properties of the user object representing yourself.<br><br> However, the New User command is unavailable to you. What is the most likely explanation? ANSWER You do not have sufficient permissions to create a user object in the container.<br><br> The snap-in 9s commands adjust to reflect your administrative capabilities. If you do not have the right to create an object, the New command is unavailable. 2.<br><br> Which of the following properties can be configured simultaneously on more than one user object? a. Password Never Expires b.<br><br> Direct Reports c. User Must Change Password At Next Logon d. Last Name e.<br><br> Logon Hours f. Computer Restrictions (Logon Workstations) g. User Logon Name h.<br><br> Title ANSWER a, c, e, f, h. 3. Of the three methods for creating multiple user objects discussed in this chapter, which method would be most efficient for generating 100 new user objects, all with identical Profile Path, Home Folder, Title, WebPage, Company, Department, and Manager settings?<br><br> ANSWER Dsadd.exe is the most efficient method because you can enter one command line that includes all the parameters. By leaving the UserDN parameter empty, you canenter the users 9 distinguished names one at a time in the command console. A user object template does not enable you to configure options including Title, Telephone Number, and Web Page.<br><br> Generating a comma-delimited text file for usewith Csvde.exe would be time-consuming, by comparison, and would be overkill, particularly when so many parameters are identical. 4. What variable can be used with the Dsadd.exe and Dsmod.exe program commands to create user-specific home folders and profile folders?<br><br> 22 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM a. %Username% b. $Username$ c.<br><br> CN=Username d. <Username> ANSWER b. 5.<br><br> How do you make a roaming profile mandatory? a. Configure the permissions on the folder 9s Security property sheet to deny write permission.<br><br> b. Configure the permissions on the folders Sharing property sheet to allow only read permission. c.<br><br> Modify the attributes of the profile folder to specify the Read Only attribute. d. Rename Ntuser.dat to Ntuser.man.<br><br> ANSWER d. 6. What is the difference between a local user profile and a roaming user profile?<br><br> ANSWER A local user profile is stored on the computer to which the user logs on. A roaming user profile is stored on a domain server and is copied to the client computer to which the user logs on. 7.<br><br> What do you do to ensure that a user on a computer running Windows Server 2003 has a roaming user profile? ANSWER Create a shared folder on a network server. Then, on the Profile tab in the user object 9s Properties dialog box, specify a path to the shared folder on the server.<br><br> The next time the user logs on, the roaming user profile is created. 8. You have enabled the Password Must Meet Complexity Requirements in your domain.<br><br> Describe the requirements for passwords and when those requirements will take effect. ANSWER The password must not be based on the user 9s account name and must contain at least six characters, with at least one character from three of these four cat- egories: uppercase, lowercase, Arabic numerals, and nonalphanumeric characters. The requirements will take effect immediately for all new accounts.<br><br> Existing accounts will be affected when they next change their passwords. CHAPTER 6WORKING WITH USER ACCOUNTS 23 CHAPTER CASE SCENARIOS Scenario 6-1: Configuring User Object Properties You are creating a number of user objects for a team of your organization 9s temporary workers. They will work daily from 9 a.m.<br><br> to 5 p.m. on a contract that is scheduled to begin in one month and end two months later. They will not work outside of that schedule.<br><br> Which of the following properties should you configure initially to ensure maximum security for the objects? 1. Password 2.<br><br> Logon Hours 3. Account Expires 4. Store Password Using Reversible Encryption 5.<br><br> Account Is Trusted For Delegation 6. User Must Change Password At Next Logon 7. Account Is Disabled 8.<br><br> Password Never Expires ANSWER a, b, c, f, g. Scenario 6-2: Managing Account Lockouts A user has forgotten his or her password and attempts to log on several times withan incorrect password. Eventually, the user receives a logon message indicat- ing that the account is either disabled or locked out.<br><br> The message suggests that theuser contact an administrator. What must the administrator do? 1.<br><br> Delete the user object and recreate it. 2. Rename the user object.<br><br> 3. Enable the user object. 4.<br><br> Unlock the user object. 5. Reset the password for the user object.<br><br> ANSWER d and e. Although the logon message text in Windows 2000 and other previous operating system versions indicates that the account is disabled, the account is actually locked. Windows Server 2003 displays an accurate message that the account is, in fact, locked out.<br><br> However, you can recognize the problem by examin- ing what caused the message: a user forgot his or her password. You must unlock the account and reset the password. 24 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM CHAPTER 7 WORKING WITH GROUPS CHAPTER REVIEW QUESTIONS 1.<br><br> What type of domain group is most like the local group on a member server? How are they alike? ANSWER Domain local groups in a Windows Server 2003 mixed or interim domain are limited to the domain controller on which they reside.<br><br> This is very similar to the way local groups on a member server are limited to the computers on which they reside. Unless the domain functional level is raised to Windows 2000 native or Windows Server 2003, the domain local groups cannot be used for permission assignment on any servers in the domain other than the domain controllers. 2.<br><br> In a domain running in Windows Server 2003 domain functional level, what security principals can be a member of a global group? (Choose all correct answers.) a. Users b.<br><br> Computers c. Universal groups d. Global groups ANSWER a, b, and d.<br><br> 3. In the properties of a group, which tab do you access to add users to thegroup? ANSWER You use the Members tab to add members to the group.<br><br> 4. You want to nest the IT Administrators group responsible for the Sales group inside the Sales group so that its members will have access to the same resources (set by permissions in an ACL) as the Sales group. From the Properties page of the IT Administrators group, what tab do you access to make this setting?<br><br> ANSWER You use the Member Of tab to add the IT Administrators group to the Sales group. 5. If your environment consists of two domains, one Windows Server 2003 and one Windows NT 4, what group scopes can you use for assigning permissions on any resource on any domain member computer?<br><br> ANSWER In a Windows Server 2003 interim domain functional level domain, which is what you must be running to support a Windows NT 4 domain, you can use only global groups as security principals. Domain local groups are useful only on the domain controllers in the Windows Server 2003 domain, and you cannot use universal groups as secu- rity groups in a Windows Server 2003 interim domain functional level domain. CHAPTER 7WORKING WITH GROUPS 25 6.<br><br> Which of the following group scope modifications are not permitted? (Choose all correct answers.) a. Global to universal b.<br><br> Domain local to universal c. Universal to global d. Domain local to local e.<br><br> Global to domain local ANSWER d and e. 7. What tool do you use to create local groups on a Windows 2000 com- puter that is not a domain controller?<br><br> ANSWER The Local Users And Groups snap-in for MMC. 8. You are attempting to delete a global security group in the Active Direc- tory Users And Computers console, and the console will not let you com- plete the task.<br><br> Which of the following could be causes of the failure? (Choose all correct answers.) a. There are still members in the group.<br><br> b. One of the group 9s members has the group set as its primary group. c.<br><br> You do not have the proper permissions for the container in which the group is located. d. You cannot delete global groups from the Active Directory Users And Computers console.<br><br> ANSWER b and c. 9. Why shouldn 9t you use local groups on a computer after it becomes a member of a domain?<br><br> ANSWER Local groups do not appear in Active Directory, and you must administer local groups separately for each computer. CHAPTER CASE SCENARIOS Scenario 7-1: Using Group Scopes You are the administrator of a Windows Server 2003 domain that is currently running at the Windows 2000 mixed domain functional level. Your Windows 2003 domain, contoso.com, has an external trust established with a Windows NT 4 domain, contoso_north, which makes contoso_north a trusted domain.<br><br> You are planning the use of groups in your domain and need to determine what group 26 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM scopescan be used in any domain in your forest. What group scope can be used in this context as a security principal? a.<br><br> Domain local b. Global c. Universal d.<br><br> Domain local with a nested global group ANSWER b. Global groups are available for permission assignment in any ACL in the forest. Answer a is incorrect because domain local groups are available for use only as security principals on domain controllers in the Windows Server 2003 domain, contoso.com.<br><br> Answer c is incorrect because universal groups are available only as distribution groups, not security groups, in the Windows 2000 mixed functional level. Answer d is incorrect because domain local groups, at this functional level, are available only on domain controllers in the contoso.com domain, regardless of other groups that they might contain. The nested global group, however, is available for permission assignment.<br><br> Scenario 7-2: Creating Groups Using Dsadd.exe You are a network administrator who is building an Active Directory on a new network for a company called Fabrikam, Inc., and you have to create user objects for the 75 users in the Inside Sales department. You have already created the fabrikam.com domain and an OU called Inside Sales for this purpose. The human resources department has provided you with a list of the users 9 names and has instructed you to create the account names by using the first initial and the last name.<br><br> Each user object must also have the value Inside Sales in the Department property and Fabrikam, Inc. in the Company property. Using the first name in the list, Mark Lee, as an example, which of the following command-line formats would enable you to create the 75 user objects, with the required property values?<br><br> a. dsadd "Mark Lee" 3company "Fabrikam, Inc." 3dept "Inside Sales" b. dsadd user CN=Mark Lee,CN=Inside Sales,DC=fabrikam,DC=com 3company Fabrikam, Inc.<br><br> 3dept Inside Sales c. dsadd 3company "Fabrikam, Inc." 3dept "Inside Sales" "CN=Mark Lee,CN=Inside Sales,DC=fabrikam,DC=com" d. dsadd user "CN=Mark Lee,CN=Inside Sales,DC=fabrikam,DC=com" 3company "Fabrikam, Inc." 3dept "Inside Sales" ANSWER d.<br><br> Answer a is incorrect because the user command is missing and because theuser 9s name is not expressed in distinguished name (DN) format. Answer b is incorrect because the command-line variables containing spaces are not surrounded by quotation marks. Answer c is incorrect because the user command is missing and because the -company and -dept parameters appear before the DN.<br><br> CHAPTER 8WORKING WITH COMPUTER ACCOUNTS 27 CHAPTER 8 WORKING WITH COMPUTER ACCOUNTS CHAPTER REVIEW QUESTIONS 1. What are the minimum group memberships necessary to create a Win- dows Server 2003 computer account in an OU in a domain? Consider all steps of the process, and assume that the computer object for the system does not yet exist in Active Directory.<br><br> (Choose all correct answers.) a. Domain Admins b. Enterprise Admins c.<br><br> Administrators on a domain controller d. Account Operators on a domain controller e. Server Operators on a domain controller f.<br><br> Account Operators on the computer g. Server Operators on the computer h. Administrators on the computer ANSWER d and h.<br><br> Account Operators on a domain controller are assigned the minimum permissions necessary to create a computer object in the domain. You must be amember of the local Administrators group on the server to change its domain membership. 2.<br><br> Which of the following command-line tools can create a computer object in Active Directory? a. Dsmod.exe b.<br><br> Dsrm.exe c. Netdom.exe d. Dsadd.exe e.<br><br> Net.exe ANSWER c and d. 3. Which of the following Windows platforms are capable of joining to a computer object in an Active Directory domain?<br><br> a. Windows 95 b. Windows NT 4 c.<br><br> Windows 98 d. Windows 2000 e. Windows Me 28 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM f.<br><br> Windows XP g. Windows Server 2003 ANSWER b, d, f, and g. 4.<br><br> When you open the Properties dialog box for a computer object in the Active Directory Users And Computers console, you discover that no properties are displayed in the Operating System tab. What causes theseproperties to be absent? ANSWER A computer has not joined the domain using that object.<br><br> When a system joins the domain, it populates the properties shown in the Operating System tab. 5. After a period of expansion, your company created a second domain.<br><br> Last weekend, a number of machines that had been in your domain were moved to the new domain. When you open Active Directory Users And Computers, the objects for those machines are still in your domain and are displayed with a red X icon. What is the most appropriate course of action?<br><br> a. Enable the objects b. Disable the objects c.<br><br> Reset the objects d. Delete the objects ANSWER d. When the machines were removed from the domain, their accounts were not deleted, probably due to permissions settings.<br><br> The machines now belong to another domain. These objects are no longer necessary. 6.<br><br> A user reports that during a logon attempt, he received a message stating that the computer cannot contact the domain because the domain con- troller is down or the computer account might be missing. You open Active Directory Users And Computers and discover that the account for that computer is missing. What steps should you take?<br><br> ANSWER Create a computer account, disjoin the user 9s computer from the domain, and then rejoin it to the domain. 7. A user reports that during a logon attempt, he received a message stating that the computer cannot contact the domain because the domain con- troller is down or the computer account might be missing.<br><br> You open Active Directory Users And Computers and see that the computer 9s account appears normal. What steps should you take? ANSWER Reset the computer account, disjoin the computer from the domain, and then rejoin it to the domain.<br><br> CHAPTER 8WORKING WITH COMPUTER ACCOUNTS 29 CHAPTER CASE SCENARIOS Scenario 8-1: Resetting a Computer Object In your Windows Server 2003 domain contoso.com, you have a computer object for a member server called Pserver01 in an OU called Pservers. This object represents a print server that has been offline for a lengthy period and is not communicating with other computers in the domain to accept print jobs. You have determined that the password on this computer 9s account within the domain needs to be reset.<br><br> Which command can you issue to correctly reset the computer account? a. dsmod CN=pserver01,CN=PSERVERS,DC=contoso,DC=com 3reset b.<br><br> dsmod computer pserver01.contoso.com 3reset c. dsmod contoso\pserver01 3reset d. dsmod computer CN=pserver01,CN=PSERVERS,DC=contoso,DC=com 3reset ANSWER d.<br><br> Answer a is incorrect because, although it has the correct DN syntax, it is miss- ing the computer keyword. Answer b is incorrect because the command does not list the computer to be reset with the correct DN syntax. Answer c is incorrect because it omits the computer keyword and fails to use the correct DN syntax.<br><br> Scenario 8-2: Computer Object Troubleshooting After a consultant performs maintenance on the computers in the east branch office over the weekend, users complain of trouble logging on. You examine the event log on one of the branch office computers and discover the follow- ing entry: Gt08cr01.bmp 30 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM There seems to be a problem with the computer account. Specify which of the following steps you should perform to correct the problem, in the correct order.<br><br> a. Delete the computer accounts. b.<br><br> Reset the user accounts. c. Join the computers to a workgroup.<br><br> d. Disable the computer accounts. e.<br><br> Reset the computer accounts. f. Enable the computer accounts.<br><br> g. Create new computer accounts. h.<br><br> Join the computers to the domain. ANSWER e, c, and h. Resetting the computer object and then removing the computer from the domain and rejoining it will most likely return the computer to normal function.<br><br> CHAPTER 9SHARING FILE SYSTEM RESOURCES 31 CHAPTER 9 SHARING FILE SYSTEM RESOURCES CHAPTER REVIEW QUESTIONS 1. Which of the following tools enables you to create a share on a remote server? (Choose all correct answers.) a.<br><br> A custom MMC console containing the Shared Folders snap-in b. Windows Explorer running on the local machine, connected to the remote computer 9s ADMIN$ share c. Net.exe d.<br><br> The Computer Management console ANSWER a and d. Answers b and c are incorrect because Windows Explorer and Net.exe can administer only local shares. 2.<br><br> A folder is shared on a FAT volume. The Project Managers group is given the Allow Full Control permission. The Project Engineers group is given the Allow Read permission.<br><br> Julie initially belongs to the Project Engineers group. Later, she is promoted and is added to the Project Managers group. What are her effective permissions for the folder after the promotion?<br><br> ANSWER Full Control. 3. A folder is shared on an NTFS volume, with the default share permis- sions.<br><br> The Project Managers group is given the Allow Full Control NTFS permission. Julie, a member of the Project Managers group, calls to report problems creating files in the folder. Why can 9t Julie create files?<br><br> ANSWER The default share permission in Windows Server 2003 grants only the Read per- mission to the Everyone special identity. Even though Julie has the Full Control NTFS permission, her actions are still restricted by the Read share permission. 4.<br><br> What are the minimum NTFS permissions required to allow users to open documents and run programs stored in a shared folder? a. Full Control b.<br><br> Modify c. Write d. Read & Execute e.<br><br> List Folder Contents ANSWER d. 32 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM 5. Bill complains that he is unable to access the spreadsheet document con- taining the departmental budget.<br><br> You open the Security tab for the docu- ment, and you find that all permissions for the document are inherited from its parent folder. The Deny Read permission is assigned to a group called Acctg3, of which Bill is a member. Which of the following methods would enable Bill to access the plan?<br><br> (Choose all correct answers.) a. Modify the permissions on the parent folder by adding the permis- sion Bill:Allow Full Control. b.<br><br> Modify the permissions on the parent folder by adding the permission Bill:Allow Read. c. Modify the permissions on the spreadsheet document by adding the permission Bill:Allow Read.<br><br> d. Modify the permissions on the spreadsheet document by deselecting Allow Inheritable Permissions, selecting Copy, and removing the Deny permission. e.<br><br> Modify the permissions on the spreadsheet document by deselecting Allow Inheritable Permissions, selecting Copy, and adding the per- mission Bill:Allow Full Control. f. Remove Bill from the group that is assigned the Deny permission.<br><br> ANSWER c, d, and f. Answers a and b are incorrect because denied inherited permissions take precedence over allowed inherited permissions. Answer e is incorrect because denied explicit permissions take precedence over allowed explicit permissions, and copying the permissions from the parent to the child makes them explicit.<br><br> 6. You want to ensure the highest level of security for your corporate IIS intranet server without the added infrastructure of certificate services. The goal is to provide authentication that is transparent to users and to allow you to secure intranet resources with the group accounts existing in Active Directory.<br><br> All users are within the corporate firewall. Which of the following authentication methods should you choose? a.<br><br> Anonymous Access b. Basic Authentication c. .NET Passport Authentication d.<br><br> Integrated Windows Authentication ANSWER d. Answer a is incorrect because anonymous access provides no security. Answer b is incorrect because basic authentication transmits passwords in clear text, providing inadequate security.<br><br> Answer c is incorrect because .NET Passport authentication isn 9t transparent to users. 7. You are configuring share permissions for a shared folder on a file server.<br><br> You want all Authenticated Users to be able to save files to the folder, read all files in the folder, and modify or delete files that they own. What are the minimum permissions that you need to set on the shared folder to achieve your objective? (Choose all correct answers.) CHAPTER 9SHARING FILE SYSTEM RESOURCES 33 a.<br><br> Authenticated Users: Full Control b. Authenticated Users: Read c. Creator Owner: Change d.<br><br> Creator Owner: Read ANSWER b and c. Answer a is incorrect because giving the Authenticated Users special identity the Full Control permission would enable them to modify or delete any files in the folder, which is more than is required. Answer d is incorrect because granting the Read permission to the Creator Owner special identity would not allow users to create or modify any files in the folder, which does not satisfy the requirements.<br><br> CHAPTER CASE SCENARIOS Scenario 9-1: Web Server Publishing The content files for your corporate Web server are currently stored on the drive D of a Windows Server 2003 computer with IIS installed. The server is called Web1 and its URL is http://intranet.contoso.com . You have been instructed to create anIIS solution that will enable the human resources department to publish docu- ments containing company benefit and policy information from its own server.<br><br> Youhave also been told that the URL to access the HR information should be http://intranet.contoso.com/hr . What must you do to fulfill the instructions? a.<br><br> Install IIS on the HR server. b. Create a new Web site on Web1 called hr.<br><br> c. Install the FTP service on Web1. d.<br><br> Create a virtual directory on Web1 with the alias hr. ANSWER d. Answer a is incorrect because installing another IIS server would require you to use a different URL.<br><br> Answer b is incorrect because you want the HR information tobe part of the original http://intranet.contoso.com site. Answer c is incorrect because an FTP site cannot use an http:// URL. Scenario 9-2: Configuring Share Permissions Acctg01 is a file server running Windows Server 2003 that is used by the accounting department to provide timesheet and expense report forms for employees.<br><br> You are the network administrator responsible for configuring the share permissions on the file system shares, which must meet the following requirements: Employee-specific forms are stored in the Forms folder, which is shared using the name Forms. These forms must be accessible by all employees. 34 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM Only Authenticated Users can access the forms.<br><br> Employees can upload completed forms to a folder called Forms\Reports \ username that is shared as username . Users must be able to read their own forms, but not forms submitted by other users. Supervisor-specific forms are stored in the Forms\Supervisors folder, which is shared using the name Supervisors.<br><br> These forms must be acces- sible only by members of the Supervisors global group. To accomplish these goals, you have created the share permission assignments shown in the following table: Assuming that the NTFS permissions for all of the folders are set to Authenticated Users 3 Modify, which of the following requirements have you met with your permission assignments? (Choose all correct answers.) a.<br><br> All employees can download their forms. b. All employees can upload completed forms to their folders.<br><br> c. Employees can read only their own submitted forms. d.<br><br> Only Authenticated Users can download forms. e. Only Supervisors can download Supervisor-specific forms.<br><br> ANSWER a, b, and d. Answer a is correct because all employees can access their forms through the Forms share as part of the Everyone special identity. Answer b is cor- rect because the Change permission enables all employees to access their own user folders.<br><br> Answer d is correct because in Windows Server 2003, by default the Everyone group does not contain the Anonymous Logon special identity. Answer c is incorrect because although the change permission on each username folder restricts access through the individual user share, any user can navigate to any individual folder through the Forms shared folder. In the same way, answer e is incorrect because users can navigate to the Supervisors folder through the formsshare.<br><br> Shared Folder Share Permissions Forms Everyone: Allow Read SupervisorsSupervisors: Allow Read Usernameusername : Allow Change CHAPTER 10WORKING WITH PRINTERS 35 CHAPTER 10 WORKING WITH PRINTERS CHAPTER REVIEW QUESTIONS 1. You are installing a printer on a client computer. The printer will connect to a logical printer installed on a Windows Server 2003 print server.<br><br> What type or types of information could you provide to set up the printer? (Choose all correct answers.) a. A TCP/IP printer port b.<br><br> The physical printer 9s manufacturer and model c. The URL to the printer on the print server d. The UNC path to the printer share e.<br><br> A printer driver ANSWER c and d. When you add a network printer, you can search for the printer in Active Directory, enter the UNC or URL to the printer, or browse for the printer. When you connect to the printer, the model is specified by the shared logical printer, and the driver is downloaded automatically.<br><br> 2. One of your networked printers is not working properly, and you want to prevent users from sending print jobs to the logical printer serving that device. What do you do?<br><br> a. Stop sharing the printer b. Remove the printer from Active Directory c.<br><br> Change the printer port d. Rename the share ANSWER a. If you stop sharing the printer, users will no longer be able to use the print device.<br><br> You can use the Sharing tab in the printer 9s Properties dialog box to stop sharing the printer. 3. You are administering a Windows Server 2003 computer configured as a print server.<br><br> You want to perform maintenance on a physical printer con- nected to the print server. There are several documents in the print queue. You want to prevent the documents from being printed to the printer, but you don 9t want users to have to resubmit the documents to the printer.<br><br> What is the best approach to take? a. Open the printer 9s Properties dialog box, select the Sharing tab, and select the Do Not Share This Printer option.<br><br> b. Open the printer 9s Properties dialog box, and, in the Ports tab, select a port that is not associated with a print device. c.<br><br> Open the print queue window, select the first document, and then select Pause from the Document window. Repeat the process for each document. 36 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM d.<br><br> Open the print queue window, and select Pause Printing from the Printer menu. ANSWER d. When you select the Pause Printing option, the documents remain in the print queue until you resume printing.<br><br> This option applies to all documents in the queue. 4. You are administering a WindowsServer 2003 computer configured as a print server.<br><br> Users in the Marketing group complain that they cannot print documents using a printer on the server. You view the permissions in the printer 9s Properties dialog box. The Marketing group is allowed Manage Documents permission.<br><br> Why can 9t the users print to the printer? a. The Everyone group must be granted the Manage Documents permission.<br><br> b. The Administrators group must be granted the Manage Printers permission. c.<br><br> The Marketing group must be granted the Print permission. d. The Marketing group must be granted the Manage Printers permission.<br><br> ANSWER c. The Print permission allows users to send documents to the printer; the Manage Documents permission does not. 5.<br><br> You are setting up a printer pool on a WindowsServer 2003 computer. The printer pool contains three print devices, all identical. You open the Properties dialog box for the printer and select the Enable Printer Pooling option in the Ports tab.<br><br> What must you do next? a. Configure the LPT1 port to support three printers.<br><br> b. Select or create the ports mapped to the three printers. c.<br><br> In the Device Settings tab, configure the installable options to support two additional print devices. d. In the Advanced tab, configure the priority for each print device so that printing is distributed among the three print devices.<br><br> ANSWER b. Printer pooling is configured from the Ports tab of the printer 9s Properties dialog box. To set up printer pooling, select the Enable Printer Pooling check box, and then select or create the ports corresponding to printers that will be part of the pool.<br><br> 6. A Windows 2003 Server is configured as a print server. In the middle of the workday, the printer fuse fails and must be replaced.<br><br> Users have already submitted jobs to the printer, which uses IP address 192.168.1.81. An identical printer uses address 192.168.1.217, and it is supported by other logical printers on the server. What actions do you take so that users 9 jobs can be printed without resubmission?<br><br> (Choose all correct answers.) CHAPTER 10WORKING WITH PRINTERS 37 a. In the failed printer 9s Properties dialog box, select Enable Printer Pooling. b.<br><br> In the failed printer 9s Properties dialog box, click Add Port. c. In the Printers And Faxes folder, right-click the failed printer and select Use Offline.<br><br> d. In the failed printer 9s Properties dialog box, select the port 192.168.1.217. ANSWER d.<br><br> Because the other printer is already supported by logical printers on the server, there is no need to add a new port. 7. Which of the following approaches gives you the clearest picture of printer utilization, allowing you to understand the consumption of printer toner and paper?<br><br> a. Configure auditing for a logical printer, and audit for successful use of the Print permission by the Everyone system group. b.<br><br> Export the System log to a comma-delimited text file, and use Microsoft Excel to analyze spooler events. c. Configure a performance log, and monitor the Total Pages Printed counter for each logical printer.<br><br> d. Configure a performance log, and monitor the Jobs counter for each logical counter. ANSWER c.<br><br> The Total Pages Printed counter gives the clearest picture of printer toner and paper consumption because such consumption is most closely associated with the number of pages printed, not the number of jobs printed. The spooler and object access events logged in the System and Security logs will most likely be unhelpful in this task. CHAPTER CASE SCENARIOS Scenario 10-1: Updating Printer Drivers The marketing department is complaining about print quality on its shared printer, which is called MarketingPrinter.<br><br> When users print from their Windows XP desk- tops using Microsoft Office applications, documents print perfectly. But when they print from Adobe applications, the documents do not