
TOPIC 1 Planning & Implementing AD Infrastructure

1. don't want to affect performance of branch office DCs, need to minimize AD repl. across WAN: use AD Sites and Services to enable
2. HOTSPOT, which AD component to configure? Select NTDS under SERVER1
3. need to improve response time of app: config global catalog servers in Chicago, NY, Bonn, and Rome sites
4. plan placement of GC servers, ensure each usr logon in event of failure of single DC and WAN connex. Ensure consistency of uni. gr. membership. 2 actions to take: config both DCs in xyz.com as GC servers + enable uni gr membership for Toronto and NY office
5. need to improve response time for usrs in NY office: config GC server in NY office
6. need to enable app on TK1 to run at high perform. levels and continue if WAN fails, also min WAN traffic: config at least 1 GC server in Site2
7. HOTSPOT where to put GC server(s): 1, 2 (Toronto) 5 (NY)
8. DRAG/DROP ensure each usr can logon w/o cached credentials, have access to app if WAN fails, min WAN traffic, drag DC to correct location: DC as GC in Toronto, NY, Bonn; DC caching in Chicago, Rome
9. which office(s) to place new GC server(s): Rio de Janeiro, New Delhi, St Petersburg
10. MainDC1/2, BranchDC1/2 usrs in branch office report it takes long time to logon to ntwrk. Reduce login time for usrs in branch office: in AD Sites and Services, enable uni gr membership caching for BranchDC1
11. 2 ways to min traffic over WAN caused by logon activities: config Testking1 to be GC server + config uni gr membership caching on Testking1
12. need to improve logon perfor. for usrs in NY w/o increasing WAN traffic due to repl: config AD to cache universal group memberships for NY office
13. HOTSPOT need to use ugm caching in Branch1 site: select NTDS Site Settings for Branch1 office in right hand pane
14. DRAG/DROP need to improve logon times for usrs in Site2, min repl. on WAN: drag ugm caching on Site2
15. need to ensure usrs in Chicago site can login faster: enable ugm caching for TK2 in AD Sites and Services
16. resolve error to create new domain: config one of the other xyz.com DC to hold all operations master roles
17. DRAG/DROP how many op master roles in each site? 5 role in siteTK1; 1 role in siteTK2; 2 role in siteTK3
18. 2 sols need ntwrk admin to add usr accts while ..SrvD is offline, no disruption of usr acct creation after SrvD is back online: use Ntdsutil to connect to SrvA + transfer RID master role
19. reduce amt of wrk lost by helpdesk admins using min admin effort: ensure all helpdesk admin are connecting to PDC emulator in their domain where they perform updates to gr memberships
20. need to run adprep.exe /forestprep command: add your usr acct that has admin privileges to Enterprise Admin gr
21. need to resolve error to promote xyz2 to be additional DC of miami.xyz.com. 2 ways: run adprep /forestprep command on schema master of xyz.com domain + run adprep /domainprep command on infrastructure masters of xyz.com domain and miami.xyz.com domain
22. HOTSPOT where to put PDC emulator role? Server4, xyz3
23. ensure usr acct for Tess Edwards is correctly listed in Medicine Students group: transfer infrastructure role from DC1 to DC2 in each domain
24. need to create new child domain: enter ntwrk credentials for member of Enterprise Admins group for xyz.com forest
25. need to ensure you can logon to both DCs as admin from the domain: restart DC in SafeMode, login as admin, create acct for 2nd admin, restart DC and use new acct to remove restriction on local admin acct
26. need to configure DCs so loss of data in AD is min during similar hard disk failure: config existing member server as additional DC in xyz2
27. want to ensure usrs from Singapore don't experience these delays when they log onto ntwrk from Munich: install DC for asia.fabrikam.com on Munich subnet
28. need to improve performance: create subnet for each physical location, associate each subnet with its site, and move each DC object to its site
29. need to install xyzSrvB as new DC on Barcelona site, min use of WAN: restore backup files from system data on xyzSrvA to a folder on xyzSrvB and install AD by running dcpromo /adv command
30. need to integrate xyz3 into new AD infrastructure, want xyz3 to be additional DC of europe.xyz.com domain: demote xyz3 to Win2000 member server by running dcpromo /forceremoval command. Upgrade xyz3 to Win2003 member server. Run dcpromo to promote xyz3 to additional DC of europe.xyz.com domain

31. need to allow usrs in each forest fully access resources in domains of other forest, usrs must logon between domains using Kerberos, ensure usrs can access all resources by existing usr accts: upgrade all DCs in both forests to Win2003. Raise functional level of both forests to Win2003. Create forest trust relationship between root domains of each forest
32. ensure usrs of xyz can logonto litwareinc.com forest, y upgrade dc1.corp.xyz.com to Win2003. 2 additional courses of action: raise functional level of corp.xyz.com domain and east.corp.xyz.com domain to W2k native + create 1-way trust relat in which litwareinc.com forest trusts xyz.com forest
33. DRAG/DROP need to establish trust relationship between xyz.com and acme.com: forest, domain, Win2003 (xyz.com); , domain, Win2003 (asia.xyz.com); , domain, Win2003 (europe.xyz.com)
34. need to make possible to raise functional level of domain to Win2003: start NetLogon service on DC1
35. make modifications to AD to prepare for deployments, during off peak hrs, ensure min ntwk disruption by deployment of apps in future, ensure mods don't disrupt usr access to resources: raise functional level of forest to Win2003
36. DRAG/DROP need to rename all DCs in xyz.com, min impact to ntwrk: forest (xyz.com); domain (africa.xyz.com); domain (asia.xyz.com)
37. DRAG/DROP need to rename all DCs in xyz.com, min impact to ntwrk: forest (xyz.com); Win2003 (africa.xyz.com); Win2003 (asia.xyz.com)
38. ensure usrs access resources in all domains in each forest and Internet, min admin effort, access to resources not disrupted. 2 courses of action: raise functional level of forest to Win2003, replace existing trust relationship with 2-way forest trust relationship between forest root domains + create conditional DNS forwarders between DCs in each domain
39. asia.xyz.com domain to be removed, need to move all usr accts from asia.xyz.com to acme.com using ADMT, w/o changing logon rights and permissions for usrs, ensure usrs in asia.xyz.com can logon on to acme.com by using current usr names and passwds: create temp 2-way external trust relationship between acme.com and asia.xyz.com
40. some usrs temporarily relocated from HK to NY, their usr accts remain in asia.contoso.com, they use UPNs to login from namerica.xyz.com, relocated usrs report slow authentication time. Need to improve authentication time: create shortcut trust relationship in which namerica.xyz.com trusts asia.contoso.com
41. allow usrs in xyz domain to access files on Server1, ensure domain admins of xyz can't grant usrs in adatum.com permissions on servers in xyz domain: create 1-way external trust relationship in which adatum.com domain trusts xyz domain
42. achieve 1. usrs in contoso.com forest must access all resources in cpand1.com forest, 2. usrs in cpand1.com forest must access only resources on server named HRApps.contoso.com. Need to config forest trust relationships and resources on HRApps.contoso.com. 3 actions: On DC on contoso.com forest, config properties of incoming forest trust relationship to use selective authentication + On DC in cpand1.com forest, config properties of incoming forest relationship to use forest-wide authentication + Modify SACLs on HRApps.contoso.com to allow access to This Organization security group
43. reenable sharing of resources between northwindtraders.com and fabrikam.com: delete and recreate 2-way trust relationships between northwindtraders.com and fabrikam.com
44. 1. min trust relationships 2. usrs in each company must access file resources on file servers on other company's domain. 2 actions: create 1-way external trust relationship in which xyzSOURCE1 domain trusts acme.com domain + create 1-way ext trust relat in which acme.com domain trusts xyzACCOUNT domain
45. ensure usrs don't have accts in one of the other 2 forests, min admin effort, you upgrade every DC to Win2003. Additional action: raise functional level of each forest to Win2003 + replace existing ext trust relat with 2-way forest trust relationships + create 2-way forest relationship between xyz.com and fabrikam.com
46. ensure employees can logon to domain on same day accts created, repl traffic between xyz1 and xyz3 is compressed: reconfig SiteLink-1-2 include xyz1, xyz2, xyz3. Remove xyz3 from SiteLink-1-2-4
47. DRAG/DROP ensure KCC uses faster connex links when possible: 1-2:250, 1-4:50, 2-3:50, 4-3:100
48. DRAG/DROP create site links to min repl traffic over WAN. Which site link(s) should you create: 0-1 0-2 0-3 0-4
49. config site link bridges to comply with site config design: Disable automatic site link bridging in IP object properties. Remove each of sites from default site link. Create new site link bridge. Add site links connecting TK1, TK2, TK3 to site link bridge
50. reduce repl traffic over ChiBoston site link: increase cost of ChiBoston site link
51. ensure usrs in Montreal office logon domain during normal ops, they'll be authenticated by DC in TKSite2. 2 sols: Create new IP subnet that includes subnet used by Montreal. Link new subnet object to TKSite2 object + Create additional site for Montreal. Config site link to TKSite3 w/cost of 300. Config site link to TKSite2 w/cost of 200
52. config intersite repl to comply w/TK's requirement for AD repl: config new DC in each site as a preferred bridgehead server for IP transport
53. HOTSPOT which DC(s) should y config as preferred bridgehead servers: select DC2.xyz.com and DC5.xyz.com
54. ensure failure of single DC in any site won't interfere w/ AD repl between sites. 2 ways: Config 2 DCs in each site as preferred IP bridgehead servers + Config each site to have no preferred bridgehead servers
55. improve ntwk performance, config intersite repl to flow between new servers: config MainDC3 and BranchDC3 a preferred bridgehead server for IP transport
56. ensure file and print servers responsive to usr requests during AD repl: config TK3 and TK4 as preferred bridgehead servers
57. ensure TK.com usrs can logon more quickly from Site3: config site link bridge that will bridge SiteLink-3-4 and SiteLink-2-4
58. ensure repl takes place only between defined preferred bridgehead servers, w/o additional repl traffic: config TK2 and TK4 as preferred bridgehead servers
59. resolve Event ID 1311 error: config site link bridge between site links Site1 and Site3
60. HOTSPOT select appropriate node in dialogue box (Pedro): select Inter-Site Transports
61. ensure that y can replicate with other sites w/o removing or reconfiguring firewall: create VPN between yr site and site at main office
62. ensure AD repl traffic doesn't cross ntwrk connecting SiteTK3 and SiteTK4 during business hrs. Repl connecting all other AD sites must occur at least 3hrs throughout the day: config repl schedule for site link connecting SiteTK3 and SiteTK4 to replicate only during nonbusiness hrs
63. ensure changes made by AD at Site1 between 8-6pm are visible at Site3 8am next day: modify repl schedule for site link between Site1 and Site2 to replicate 9pm and 2:30am
64. delegate authority to create env to support file and print server admin requirements. Need an OU to support delegation of authority requirements: create top-level OU for file/print server computer accts under each domain.
65. y decide to use delegation of authority to meet need to create OU for computer accts to support deleg of authority requirements: create top-level OU named Servers under xyz.com. Create separate child OU for each office under Servers. Move computer accts of all resource servers and DCs in each office to appropriate child OU for that office. Create top-level OU Desktops under xyz.com. Create separate child OU for each office under Desktops. Move computer accts for all clt computers in each office to appropriate child OU for that office
66. create OU to support delegation of authority requirements: Create top-level OU named TK_users under the TK.com domain. Create separate child OU for each office under TK_Users. Move usr accts of all employees in each office to child OU for that office
67. OU structure: Exhibit A
68. which OU structure: Plan A
69. DRAG/DROP Account Groups Resource Groups
70. DRAG/DROP which top-level OU(s) should y create: NY, Singapore, R&D
71. config AD to allow King perform his responsibilities: On domain, grant King permission to manage usr objects. On Dev OU, block inheritance of permissions

72. prevent admins of individual divisions from additional admins in their admin group, ensure members of Domain Admins group are able to manage those groups: create new OU at the same level in OU structure as the OUs of individual divisions
73. plan OU that allows delegation of admin, plan must ensure permissions can be maintained by using min admin effort: Exhibit C

TOPIC 2 Managing & Maintaining AD

1. Graphic Design Institute. Must provide admins w/ ability to grant usrs access to required resources: create 2-way forest trust relationship between xyz.com and graphicdesigninstitute.com. In xyz.com, enable forest-wide authentication for graphicdesigninstitute.com. In graphicdesigninstitute.com, enable selective authentication for xyz.com
2. delete all unknown grps from membership list for domain local groups: verify all remaining trust relationships. Then delete unknown accts from domain local groups
3. create min no of trust relationships required for usrs in child1.TK.com to access resources in both domains in contoso.com forest: create 1-way trust relationship in which contoso.com trusts child1.TK.com. Create 1-way trust relationship in which child1.contoso.com trusts child1.TK.com
4. need to correct class names as quickly as possible: deactivate Application1 classes that have incorrect class names. Create the Application1 classes with correct class names
5. need to bring TK2 back into secure site as quickly as possible in order to access files: perform full format of drive on TK2. Reinstall OS on TK2. Remove references to TK2 from AD by using the Ntdsutil utility and ADSIEdit utility on TK1
6. ensure new usrs can logon w/their emails as logon addrs: config acme.com as additional UPN suffix for TK.com forest. Config each usr acct to use acme.com UPN suffix
7. ensure DNS suffix in system properties of each client: create new GP object and link it to Clients. Set config of primary DNS suffix to TK.com
8. ensure new notice appears correctly on all computers in ntwrk: force repl of AD between two sites
9. recover TK2 w/o affecting existing AD data: perform nonauthoritative restoration of AD database
10. provide usrs in Boston ability to logon to ntwrk asap, min disruption to usrs in Toronto and Sfrancisco: restore BostonUsers OU on TKA from backup. Use Ntdsutil utility to mark BostonUsers OU as authoritative. Allow repl
11. plan restore of deleted OU. 2 actions: restart DC in Directory Services Restore Mode + use Ntdsutil to perform authoritative restore op of appropriate subtree
12. usr object deleted, usr no longer logon to domain, usr object was included in most recent backup. Enable usr to logon to domain, ensure usr retains access to resources: perform authoritative restoration of AD by using most recent backup, authoritatively restore usr object that was deleted
13. provide Eric files he created before his first transfer and after his return to sales dep: rename Eric's existing acct. Authoritatively restore Eric's old acct
14. re-establish DC that contains current copy of AD in Minsk as quickly as possible: install AD on file and print server from restored backup files
15. need to provide OU named Projects and add 20 usr accts to Projects OU: create new OU named Projects. Move 20 usr accts from LostAndFound container to new Projects OU
16. attempt to promote DC2 to DC in TK.com, fails and get error message. Need to install new DC named DC2 in TK.com domain: use Ntdsutil to remove metadata associated w/DC2.xyz.com domain controller object from AD
17. ensure all passwds changed according to written policy: use Ntdsutil to reset passwd on each DC for Directory Services Restore Mode
18. restore dir. db domain controller from backup, ensure AD not corrupted by restoration process: increase tombstoneLifetime by 5
19. DRAG/DROP make latest version of logon scripts available to usrs in Tel Aviv asap: restart TK3 in Directory Services Restore Mode, use backup to restore SYSVOL folder, restart TK3 normally
20. DRAG/DROP restore AD by using backup tapes, want to restore name resolution services first: TK1: Install Win2003 and then restart server. Restart server in Directory Services Restore Mode. Perform primary restore operation of system state. TK2: Install Win2003 and then restart server. Restart server in Directory Services Restore Mode. Perform nonauthoritative restore operation of system state
21. ensure usrs at branch office receive Word processing app: force repl between DCs in main and branch office
22. ensure GPOs applied to usrs in appropriate site with min delay: config GP and AD snap-ins to connect DC in site where GPO must be applied
23. ensure new logon message appears correctly on all computers in ntwrk: force repl of AD between main office and Branch2
24. ensure execs have immediate access to ExecutiveData shared folder: use Replication Monitor to force repl between DCs in 2 sites
25. ensure usrs access to remote offices not slowed as result of repl traffic: config schedule times to overlap
26. reduce WAN traffic of AD repl on connection between Rome and Paris, ensure usrs in Rome office can logon to domain if WAN connex fails: remove global catalog server from Rome. Enable universal gr memb. caching in Rome
27. improve response time of apps when they access resources in regional office, ensure usrs can logon w/o using cached credentials if WAN fails: on site link between each office and corresponding regional office, decrease repl interval
28. ServerTK2 is repaired and can be brought back online, want Server TK2 to hold RID master role again: reinstall Win2003 on ServerTK2. Promote Server TK2 to become DC. Transfer RID master role to Server TK2
29. restore objects in one of child domains in tk.com tree from 3-month old backup, make change to Directory Services property on DC in one of the domains. 2 ways: use ADSIEdit on DC in tk.com + run ldp command on a DC in litwareinc.com
30. config DC1.spain.tk.com so AD can restart, config server so additional space is available for data that will be added to AD db: install another harddisk in DC1.spain.tk.com. Use Ntdsutil to move database to new harddisk
31. need to logon to DC1 to complete restore operation: type admin as user name and enter passwd that y supplied during install of AD

TOPIC 3 Planning & Implementing User, Computer, & Group Strategies

1. create plan for creating email groups for tk: create global distribution groups in each domain, make appropriate usrs from each domain members of global distr group in same domain, create uni distr groups, make global distr groups in each domain members of universal distr groups
2. grant PrinterSupport group only permissions it needs: make PrinterSupport group member of Print Operators gr in Built-in container
3. allow server access team to grant permission for app servers w/o granting unnecessary permissions: create Domain Local security groups that grant appropriate access to servers. Grant server access team permission to modify membership of Domain Local security groups
4. ensure usrs in Accounts OU can connect to Share1: create global security group in Domain2
5. allow Server Access Team group to grant permission for app servers w/o unnecessary permissions: create domain local groups that grant access to app servers
6. ensure all accounting usrs can access resources, restrict admins in child domains to managing access requirements for usr accts in their domain, min GC repl: create global group..., create universal group add both
7. create several new usr accts on DCs in Site1, ensure remote clinic can always quickly and successfully logonto domain: Add HKEY key to registry on both DCs in Site1
8. ensure only admins requires to use smart cards when working in main office, ensure remote usrs requires to use smart cards when accessing ntwrk resources: On server running Routing & Remote Access, select EAP check box and require smart card authentication + In properties of each admin acct, select Smart Card Required for Interactive Logon check box
9. ensure appropriate result occurs on each clt computer when smart card is removed w/o affecting other computers: place all computer accts for publicly accessible clt computers in Public OU
10. ensure all usrs can logon w/ smart card: use Certificate Web site to enroll each usr for smart card certificate
11. what setting should y use for Account Lockout duration: 31
12. DRAG/DROP acct lockout duration: 0 3 30
13. decide where to put test computer accts in domain, min amt of admin effort to conduct test, min impact on prod comptrs, avoid linking GPOs to multiple containers: create new OU named Test
14. DRAG/DROP config OU to support GPOs, delegating security for sales dep: Sales in middle; Accts & Computers under it

15. Bonn office hires Sophie as LAN admin. Sophie needs to create child OUs for Bonn which permissions should y grant: Read All Properties, List Contents
16. DRAG/DROP ensure appropriate teams granted app permissions: GPO Make usrs members of Group Policy Creator Owners ---Support Staff Assign Allow-ReadgPlink Assign Allow-ReadgPOptions
16. config delegation of GPOs as defined by written security policy, ensure y don't remove more permissions than needed from BranchOffice Admins group: modify permissions so group is denied permissions
17. delegate Peter and Mary control over only objects they are responsible for: On Sales OU, grant Peter right
18. enable junior managers perform assigned admin tasks, not affect existing permissions: On Managers OU, block inheritance of permissions. Copy all existing permissions
19. config permissions for helpdesk employees as defined by written domain admin policy: Assign Help Desk global group right to reset passwds in OU named EmployeesOU
20. HOTSPOT Corp_Users OU (select 3 boxes)
21. ensure records servers adhere to security requirements: create new OU under Servers OU
22. OUs CSV, need to place usr accts in correct OUs in quickest time: create script that reads CSV and uses ADSI to move usr accts to correct OUs

TOPIC 4 Planning & Implementing Group Policy

1. ensure admin tools can be installed by Group Policy for all usrs with accts in IT Users OU w/o increasing admin privileges of any usrs: change security filtering on Install Admin Tools GPO to grant SrvDeskGrp security gr ability to apply GPO
2. 1. ensure GPO applies to all usr accts that are member of Processors group 2. prevent GPO from applying to any usr acct member of Accountants gr 3. prevent GPO from applying to any usr acct member of Management gr, unless it's also member of Processors gr: modify DACL modify DACL modify DACL
3. allow all usrs in PBUsers OU to remove programs by using Add or Remove Programs in Ctrl Panel: create new GPO that disables Remove Add or Remove Programs setting. Link GPO to PBUsers OU
4. ensure correct login script applied to IT staff usrs based on group membership and site location: create GPOs create a script
5. HOTSPOT where should y link the GPO: research.tk.com domain select Domain Group policy
6. 2 actions for 1. usrs run MS Office apps 2. CRM Users able to run CRM app 3. all usrs prevented from running unauthorized software: reorder GPOs + add MS Office apps
7. need to apply GPO settings immediately: On the test computer, run gpupdate /force
8. limit disk space usage on TK1 to 2GB/usr, no limit for admins: create GPO linked to CompanyUsersOU. In GPO, enable size limit on usr profiles
9. ensure My Documents folder for each usr is stored and maintained on usr's clt computer w/o affecting other policies. 2 ways: change redirection Run gpupdate command on Server1 + In the GPO, change %USERPROFILE%
10. DRAG/DROP Domain Usr Accts Support OU enables Disable registry editing tools disables Disable registry editing tools Prevent use of offline files folder
11. restrict desktop features and admin tools for all usrs except admin usr in each branch office, y create GPO that applies desktop restrictions: link GPO to each branch office's UserAccounts OU. Filter GPO on admin usr's acct for each branch office, so usr acct does not apply to new GPO
12. on new disk create new shared folder named SYSVOL in same location as previous SYSVOL folder. Config ntwrk so usr and computer settings will be applied to all usrs: In SYSVOL folder create folder named tk.com + In Policies folder, create folder for each GPO. Name folder by using GUID of each GPO + use AD Users and Computers to open each GPO. Change at least one setting in each GPO before closing it
13. plan to apply ServerSecurity GPO to File Servers OU w/o desktop utilities installing on servers when usrs logon to ntwrk: config ServerSecurity GPO to enable Loopback policy

14. prevent call center usrs from changing config of call center computers w/o restricting usrs in other parts of TK from making changes to computers outside call center: place all usr accts in OU named Call Center Users. Create GPO that includes appropriate restrictions in User Config section. Link GPO to Call Center Users OU
15. config 5 computers to access public Websites w/o running other apps. 2 ways: create GPO and link to domain. Config usr settings in GPO to allow only IE. Config GPO to apply only to Restricted User Acct + create GPO and link to Restricted Computer OU. Config usr settings on GPO to allow only IE to run. Config computer settings in GPO to enable loopback mode
16. HOTSPOT ensure any manager logging to computer in call center receives normal, unrestricted desktop: select Registry processing: Disabled
17. for all usrs and admins, My Documents folder redirected to shared folder on file server named TK1, each usr allowed max 2GB on Server1: create GPO linked to CompanyUsers OU. In GPO, enable size limit on usr profile
18. ensure Desktop tab and Screen Saver tab are disabled (for usr Tess): move Hide Screen Saver lower
19. policy requires no portable computer left unattended and logged onto ntwrk unless protected by passwd, usrs not allowed to override. Need to config ntwrk so portable computers comply w/ written requirement: create GPO password-protected screen saver use WMI filter to query for hardware chassis
20. config GPO to apply only to Win2k Pro computers. 2 ways: create WMI filter + create WMI filter
21. 1. some sec. settings apply to all Web and db servers 2. some to nonprod servers 3. some to prod servers only and must not be overridden. Create OU to support GPO: create top-level OU named Servers create 2 child OUs named Nonproduction and Production
22. TK plans to use GPO to centrally apply all security to resource server computers need to create an OU to support GPO: create top-level OU named Servers under texas.tk.com
23. easiest way to disable SMTP and Telnet disabled on servers: use gpedit.msc to create GPO to set startup type of unnecessary services to Disabled
24. ensure admin tools installed on clt computers used by service desk usrs: link Admin Tools GPO to ServiceDesk OU
25. 2 actions to restore Default Domain Policy and Default Domain Controllers Policy GPO for test domain to settings used in prod forest: backup Default Domain Policy and Default + Import Default Domain
26. ensure all usrs in DocProcessing OU can successfully run graphics app: instruct usrs who report problem install app by using Add Remove Programs in Control Panel
27. deploy accounting app to all usrs in Sales and Accts receivables OUs, don't want app to usr accts in Accts Payable OU, graphics app deploy to all usrs in Accounts Payable OU: create GPO named Accounting Software and link to Sales OU
28. use GPO to distribute app, app in .msi file in shared folder, usrs report they don't have app installed, clt computers have Event ID 102: allow usrs Allow-Read permission for .msi file
29. sales dep report app not installed on clt computers, need to install app in sales dep: modify GPO so app is assigned to usr accts
30. config GPOs to install either graphics app based on usr choice: publish both apps with file extension activation
31. config ntwk so apps available to usrs when they connect to TK1, ensure usrs can't run app not assigned to them: install all required software on TK1. Use NTFS permissions to control which sec groups can access which apps
32. HOTSPOT select check boxes: Assign; Uninstall this app when it falls out of scope of management; Install this app at logon; Basic
33. config GPO to install app, create gr Pilot Users in FinanceOU, make pilot usr accts members of PilotUsers gr which are also in Finance OU. Need to allow only pilot usrs to test app: assign PilotUsers gr Allow-Read and AllowApply
34. several days later, usrs report new app not installed on their clt computers, ensure app installed: instruct usrs restart their clt computers
35. admin installs app on no of computers by running Setup.exe usrs try to run new app, they can't do so, ensure all usrs can run new app, unauthorized app can't run: create hash value
36. implement tech to lower cost of deploying usr app, min usr down time: config GPO to assign apps to usr accts
37. plan smart card access for usrs who have admin responsibilities: enroll each usr's admin acct for smart card cert
38. ensure David can use marketing app: on David's computer download most recent CRL
39. HOTSPOT folder redirection: select Basic Redirect everyone's folder to same location + Create folder for each usr under root path
40. ensure usrs in TK2 have their folders redirected: create new GPO that disables Group Policy slow link

41. display of logon banner warning unauthorized use. 2 actions: create GPO Link GPO to domain + create system policy file in Ntconfig.pol..
42. DRAG/DROP link GPOs: tk.com GPO2, Accounting GPO3, Accounts Payable GPO4
43. ensure complex passwd policy applied to Accounting OU: modify Default Domain Policy GPO
44. usrs creating simple passwds ensure TK's passwd requirements enforced: delete Passwd Policies GPO. Edit Default Domain Policy GPO
45. implement secure passwd protection for accts located in research.tk.com: config Default Policy GPO of research.tk.com
46. ensure members of server support team can logon locally to only file and print servers and app servers: create GPO Link GPO to ServersOU
47. deploy and refresh custom security settings on routine basis, also verify custom sec settings during audits: create custom IPSec policy and assign it by Group Policy
48. ensure usrs can logon to domain only by current passwd: config Default Domain Policy GPO to prevent logon attempts that use cached credentials
49. ensure membership of HRManagers gr in each app server is as secure as possible: create GPO configs restricted
50. DRAG/DROP ensure usr profiles and GPO settings apply to usr acct will apply wherever usr logs on to ntwk: wait for remote -- Enabled Group Policy slow link Enabled Allow Cross-Forest -- Enabled
51. DRAG/DROP drag GPOs GP1 triangle GP4 circle
52. DRAG/DROP Assign install at Logon Portable Assign On Demand Desktop
53. need to config GPO so app installed on managers computers: Modify permissions on GPO by selecting AllowApply Group Policy
54. ensure new tx app installed on computers Term services: Modify GPO under Computer Configuration
55. create security group and assign this group the Allow-Read permission for shared folder that has .msi file. 2 additional actions: make all usrs of app members of security gr + create GPO that assigns app to usrs
56. install app on all clt computers in domain, not servers: Use gpedit.msc to create GPO to assign app to computers Config permissions on GPO
57. DRAG/DROP Password GPO tk.com Software GPO Accounting
58.

SIMs

39 Questions including 5 Sims. These are the sim questions:
- Create a child domain.
- Prohibit access to control panel, etc.
- Deploy applications using GPO
- Bruno/Schema
- Modify the Active Directory site and subnets topology

1. Schema object: a bit horrified at first as regsvr32 schmmgmt.dll was not registered at Run, but soon found out that schema admin was available from Administrator menu.
2. Add a new domain in a new forest: very easy
3. Correct a site and subnet topology: I think it was exactly the same as the question from Sim 7 in TK: very easy, though a bit confused at first as I could not make a new subnet. But soon realised that I can just edit an existing subnet location to the correct one. Also you have to change the location of servers as well. Very easy (if you want to know the steps in detail, please let me know)
4. GPO policy for sales: easy peasy
5. GPO policy to assign an application.

Basically you go to administrator tool, and then go to Active Directory Schema. Go to classes and modify an object according to a requirement in the question. One is to disable it, and another one is to choose "show objects of this class while browsing".

I also got 39 Questions including 5 Sims. These are the sim questions I received:
- Create a new domain (TK Sim 3) EASY
- Prohibit access to control panel, etc. (TK Sim 11) EASY
- Deploy applications using GPO (TK Sim 10) EASY
- Bruno/Schema EASY
- Modify the Active Directory site and subnets topology EASY

Sims:
1. Schema object: a bit horrified at first as regsvr32 schmmgmt.dll was not registered at Run, but soon found out that schema admin was available from Administrator menu.
2. Add a new domain in a new forest: very easy
3. Correct a site and subnet topology: I think it was exactly the same as the question from Sim 7 in TK: very easy, though a bit confused at first as I could not make a new subnet. But soon realised that I can just edit an existing subnet location to the correct one. Also you have to change the location of servers as well. Very easy (if you want to know the steps in detail, please let me know)
4. GPO policy for sales: easy peasy
5. GPO policy to assign an application.

Sim7 from 294

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com. The company has a main office and two branch offices. Due to a recent reorganization within the company, your Active Directory Site topology no longer reflects the current network infrastructure as shown in the following exhibit. ( ***MISSING***) You need to modify the Active Directory site and subnets topology to reflect the current network infrastructure. What should you do?

Firstly, on the exhibit there is a site and subnets shown. Go to Active Directory Sites and Services.
1. Go to Subnets: you will see the list of subnets => go to properties, and go to site, and change the site location to the right one (according to the exhibit). Correct the rest of the subnets to the right locations.
2. Go to each server and right-click. Move them to the right location according to the exhibit.

39 questions with 5 simulations: simulations with schema (thanks igor7 and farkhod)

testking v31 sims on:
- sim9 use dcpromo to create a child domain on existing tree
- sim 11 delegate on AD
- sim 12 modify GPO's
- sim 14 trusts

Sims:
1) Creating a domain controller
2) Organizing site structure + subnets
3) Restricting user access through group policy (Control Panel, Network Connections etc)
4) Assigning a software with GPO to an OU.
5) The infamous schema editing sim. (entity, dataobject)

- create child domain
- delegate control for passwordAdmin
- delete and create trust relationship
- inactive entity class on AD schema manage
- edit GPO about lock down client on sale ou

The sims are:

1. Simulation #9: TK is OK, but one step is missed. The wizard prompts us to configure DNS for the new domain. The question does not say if DNS is already configured. So when prompted we need to choose "Install and configure DNS on this computer, and set this computer to use this DNS server as its preferred DNS server"
2. Simulation #11: TK is OK, no comments.
3. Simulation #12: TK is OK, no comments.
4. Simulation #14: TK is OK, no comments.
5. Simulation about classes in AD Schema: I posted an answer for this question in this topic. My answer is absolutely right. Little correction: we don't need to register the Schmmgmt.dll library, Active Directory Schema.mmc is already in the Administrative tools list. Bruno user account is in Users OU.

As usual, TK provides a number of incorrect answers. In this topic xyzzy, ptunguz and others discussed incorrect answers in TK v.31. I had two questions in my exam that were not correctly answered by TK...
- Q. 6/103 I agree with xyzzy, correct answer A&E and my choice in exam was A&E!!
- Q. 3/385 Correct answer is A and I chose A in exam!

In addition, in the exam there was one new question:

You are a network administrator for TailSpin Toys. The company has a main office and one branch office. All client computers run Windows XP Professional. The network consists of a single Active Directory forest that contains a single domain named Tailspintoys.com. The forest has two sites named MainOffice and BranchOffice. The organizational unit (OU) structure is shown in the exhibit.

A written company policy requires different Group Policy objects (GPOs) to be linked to the various OUs. All of the users in the BranchOffice site require a specific application. You create a new GPO named and configure it to assign the required application to all users in the BranchUsers OU. A special project suddenly requires two users who normally work in the MainOffice site to take their portable computers to work in the BranchOffice site. When the users log on to the network at the branch office, the required application is not automatically installed on the two portable computers. The application must not be installed on any of the other computers in the main office. You must also ensure that settings that are currently applied to the two users remain in effect. What should you do?

A. Move the two user accounts from the MainOfficeUsers OU to the BranchUsers OU.
B. Move computer accounts for the two users from the MainOfficeClients OU to the BranchClients OU.
C. Link the BranchApps GPO to the MainOffice site.
D. Link the BranchApps GPO to the BranchOffice site.

The correct answer for this question is D.

In this question, we need to edit the properties of two schema classes in the "Active Directory Schema.msc": dataObject and entity.
- dataObject: we need to enable "Show objects of this class while browsing" and "Class is active"
- entity: we need to disable both those options.

1. Press Start button > Programs > Administrative tools > Active Directory Schema.mmc. Note: If Schema.mmc does not appear in the list, we first need to register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll. Press OK. We should receive a success confirmation.
2. Double click on Active Directory Schema.mmc > go to dataObject schema class > right click > Properties
3. In the General tab ensure that "Show objects of this class while browsing" and "Class is active" are enabled. (You need to put a V in the appropriate checkbox.)
4. In Schema.mmc go to the entity schema class and uncheck both "Show objects of this class while browsing" and "Class is active"
5. We know that only the Enterprise Admins group and the Schema Admin group have permission to make changes in Active Directory Schema, so we need to ensure that Bruno is a member of the Schema Admin group

I have met with two new sims. One is to let you deactivate one old schema object then let the new object appear in AD; in the end you need to add one man to the schema admins group. The second sim is about site links: you need to recognize the company site topology (main, east, west); in Sites and Services you need to move the servers to the right site and reassign the right subnet to their site.

One sim to take note of: that is, assign software to sales computers through GPOs. Testking lets us create new GPO1; in the real test it already exists and is linked to the sales computer OU, so you only need to edit it.

Tk 70-294 V31 Incorrect Answers, Identify incorrect answers: http://www.sadikhov.com/forum/index.php?showtopic=51088&hl=Tk+70-294+V31+Incorrect+Answers
